MP.3.123

Control Acronym

MP

Family

Media Protection

CMMC Level

3

800-171 Control #

3.8.8

CMMC Description

Prohibit the use of portable storage devices when such devices have no identifiable owner.

CMMC Clarification

A portable storage device is a small hard drive or solid state device that is designed to hold various types of data. It typically plugs into a laptop or desktop port (e.g., USB port). Due to the small size of the device they can be easily lost. This makes the portable storage device an attractive tool to hack an organization. Since the device can hold any type of file it could contain an executable or document that a staff member opens to determine who owns the portable storage device Therefore, an organization should prohibit use if it cannot trace the device to an owner. Example You are the IT manager for your organization. As you enter the building a staff member says they found a USB drive in the parking lot. You ask if the USB device indicates who might be the owner. The staff member responds that there didn’t appear to be any special markings on the drive. Once they get to their office they plan to plug the drive into their laptop to see what type of files are on the drive. The data might indicate which project owns it. You remind them that IT policies and practices expressly prohibit plugging unknown devices into computers. You remind the staff member that your organization’s IT policy directs them to turn in the lost USB device to the IT Helpdesk so they can resolve the issue.

800-171 Description

Prohibit the use of portable storage devices when such devices have no identifiable owner.

800-171 Discussion

Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MP-7(1)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.8.8

Applicable FAR Clause

NIST CSF Control Reference

NIST CSF v1.1 PR.PT-2

CERT RMM Reference

CERT RMM v1.2 MON:SG2.SP4

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

MP.3.123.[a] the use of portable storage devices is prohibited when such devices have no identifiable owner.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15