NIST 800-171 • LEVEL 2 • MEDIA PROTECTION
3.8.7 — Media Use
Restrict or prohibit the use of {{ insert: param, A.03.08.07.ODP.01 }}. Prohibit the use of removable system media without an identifiable owner.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
- the use of the following types of system media is restricted or prohibited: {{ insert: param, A.03.08.07.ODP.01 }}.
- the use of removable system media without an identifiable owner is prohibited.
Practitioner Notes
This practice is about restricting or outright prohibiting certain types of media on your systems. You decide which media types are allowed and which are not, but that decision has to be documented and enforced, and removable media with no identifiable owner is prohibited regardless of what else you allow.
Example 1: Use a GPO to block all removable media by default across your domain. Under Computer Configuration > Administrative Templates > System > Removable Storage Access, enable "All Removable Storage classes: Deny all access." Then create exception GPOs linked to specific OUs for workstations that have a legitimate business need for removable media.
Example 2: Deploy an endpoint management tool like Microsoft Intune and create a device control policy that blocks unauthorized USB devices by hardware ID. You can whitelist specific approved USB drives (by vendor ID and product ID) and block everything else. This lets you allow company-issued encrypted drives while blocking personal thumb drives.
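The following PowerShell is an added example (not from this page, Microsoft, or any vendor) that gathers evidence for both assessment objectives on a single Windows host: it reads the registry value written by the "All Removable Storage classes: Deny all access" GPO setting, then lists currently attached USB storage devices and marks each against an allowlist of vendor/product IDs like the one an Intune device control policy would use. The registry path, the `DEVPKEY_Device_Parent` lookup and the allowlist values are assumptions; the VID/PID pairs are constructed placeholders.

```powershell
# Added example, not part of the original page: 3.8.7 evidence check for one Windows host.
# Part 1 reads the value the Computer Configuration GPO setting writes; Part 2 enumerates
# attached USB storage and flags devices missing from the approved-device list.
# Run from an elevated prompt.

# Policy key populated when the Removable Storage Access GPO applies (per-class settings live
# in GUID-named subkeys under it; Deny_All covers every class)
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'

function Get-RemovableStorageDenyAllState {
    $value = Get-ItemProperty -Path $PolicyKey -Name 'Deny_All' -ErrorAction SilentlyContinue
    if ($value -and $value.Deny_All -eq 1) { return 'Denied' }
    return 'NotConfigured'   # no value or 0: Windows allows removable storage by default
}

# Constructed allowlist of company-issued encrypted drives (placeholder VID/PID values;
# replace with identifiers from your own approved-device inventory)
$ApprovedVidPid = @('VID_1234&PID_ABCD', 'VID_5678&PID_EF01')

function Get-AttachedRemovableStorage {
    param([string[]]$Allowlist)
    # USB mass-storage disks enumerate under USBSTOR\...; the parent USB node's instance ID
    # carries the VID and PID, and the last segment of the USBSTOR ID is the drive serial,
    # which is the identifier an owner record should be tied to
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        Where-Object { $_.InstanceId -like 'USBSTOR\*' } |
        ForEach-Object {
            $parent = (Get-PnpDeviceProperty -InstanceId $_.InstanceId `
                          -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue).Data
            if ($parent -match 'VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})') {
                $vidPid = ('VID_{0}&PID_{1}' -f $Matches[1], $Matches[2]).ToUpper()
                [pscustomobject]@{
                    Device   = $_.FriendlyName
                    VidPid   = $vidPid
                    Serial   = (($_.InstanceId -split '\\')[-1] -replace '&\d+$', '')
                    Approved = [bool]($Allowlist -contains $vidPid)
                }
            }
        }
}

"Removable Storage Access (Deny_All): $(Get-RemovableStorageDenyAllState)"
$attached = @(Get-AttachedRemovableStorage -Allowlist $ApprovedVidPid)
$attached | Format-Table -AutoSize
$unapproved = @($attached | Where-Object { -not $_.Approved })
"Attached USB storage devices: $($attached.Count); not on allowlist: $($unapproved.Count)"
```

A host reporting `NotConfigured` with unapproved devices attached fails both objectives; the serial column is what you would reconcile against the owner inventory for the second one.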