NIST Special Publication 800-171 Revision 2
Date Published: January 28th, 2021
Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3
Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)
Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer.
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
Control Family: Maintenance
Control Type: Derived
SPRS Value: 3
SPRS Supplemental Guidance:
N/A
CMMC Level(s):
MP.L2-3.8.8
Top Ten Failed Requirement:
No
Referenced in:
DFARS 252.204-7012
Derived From: NIST SP 800-53r4
MP-7(1)
NIST Supplemental Guidance:
N/A
Discussion:
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the overall risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., insertion of malicious code).
Upon assessment, assessors must determine if:
Determine if the use of portable storage devices is prohibited when such devices have no identifiable owner.
Assessors are instructed to:
Examine: [SELECT FROM: System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system configuration settings and associated documentation; system design documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators].
Test: [SELECT FROM: Organizational processes for media use; mechanisms prohibiting use of media on systems or system components].
FURTHER DISCUSSION
A portable storage device is a system component that can be inserted into and removed from a system and is used to store data or information. It typically plugs into a laptop or desktop port (e.g., USB port). These devices can contain malicious files that can lead to a compromise of a connected system. Therefore, use should be prohibited if the device cannot be traced to an owner who is responsible and accountable for its security. This requirement, MP.L2-3.8.8, furthers the protections provided by MP.L2-3.8.7 by prohibiting unidentified media use even if that media type is allowable.
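The "Test" step above asks for mechanisms prohibiting use of media on systems, and the discussion ties the prohibition to whether a device can be traced to an accountable owner. The following is an added example of such a mechanism, not code from NIST SP 800-171 or the CMMC assessment guide: a device-control check that allows a removable storage device to be used only if its vendor ID, product ID and serial number are registered to an owner, and that denies and records everything else (including devices that report no serial at all, since they cannot be tied to anyone). The owner registry, the insertion-record format and all field values are constructed for illustration.

```python
"""
Added example (not from NIST SP 800-171 or the CMMC guide): an
owner-registry check for portable storage devices.  A device may be
used only when it is registered to an accountable owner; everything
else is denied and an audit record is produced for the SOC.
"""
from dataclasses import dataclass
import json

# Constructed owner registry (hypothetical).  In practice this comes from
# the asset inventory that assigns each issued drive to a person, team
# or project.  Key: (vendor_id, product_id, serial_number), upper-cased.
OWNER_REGISTRY = {
    ("0781", "5583", "4C530001230417113041"): "jsmith (Engineering)",
    ("0951", "1666", "E0D55E6C5F6D"): "Project-Apollo (shared media)",
}


@dataclass
class InsertEvent:
    host: str
    user: str
    vendor_id: str
    product_id: str
    serial: str  # empty string when the device reports no serial


def parse_event(line: str) -> InsertEvent:
    """Parse one constructed insertion record of the form
    'host=... user=... vid=... pid=... serial=...' (serial optional)."""
    fields = dict(token.split("=", 1) for token in line.split())
    return InsertEvent(
        host=fields["host"],
        user=fields["user"],
        vendor_id=fields["vid"].upper(),
        product_id=fields["pid"].upper(),
        serial=fields.get("serial", "").upper(),
    )


def evaluate(event: InsertEvent) -> dict:
    """Decide whether the device may be used.

    A device with no serial number cannot be tied to an owner, so it is
    denied outright.  A device whose (vid, pid, serial) triple is not in
    the registry has no identifiable owner and is denied as well; the
    vid/pid alone never suffice, because a found drive may be the same
    model as an issued one.
    """
    if not event.serial:
        return {"action": "deny", "owner": None,
                "reason": "device reports no serial number"}
    owner = OWNER_REGISTRY.get((event.vendor_id, event.product_id, event.serial))
    if owner is None:
        return {"action": "deny", "owner": None,
                "reason": "no identifiable owner"}
    return {"action": "allow", "owner": owner, "reason": "registered device"}


def audit_record(event: InsertEvent, decision: dict) -> str:
    """Serialise the decision as one JSON line for the audit log."""
    return json.dumps({
        "control": "3.8.8",
        "host": event.host,
        "user": event.user,
        "device": f"{event.vendor_id}:{event.product_id}:{event.serial or '-'}",
        **decision,
    })


def process_log(lines):
    """Evaluate every insertion record; return (event, decision) pairs."""
    results = []
    for line in lines:
        event = parse_event(line)
        results.append((event, evaluate(event)))
    return results


# Constructed sample insertion records (hypothetical hosts and users).
SAMPLE_EVENTS = [
    "host=ws-042 user=jsmith vid=0781 pid=5583 serial=4C530001230417113041",
    # Same model as an issued drive, but an unregistered serial (e.g. a
    # drive found in the parking lot): denied.
    "host=ws-017 user=mlee vid=0781 pid=5583 serial=4C530009998877665544",
    # Device that reports no serial at all: denied.
    "host=ws-003 user=rpatel vid=13FE pid=4300",
]

if __name__ == "__main__":
    for event, decision in process_log(SAMPLE_EVENTS):
        print(audit_record(event, decision))
```

Run as a script it prints one audit line per insertion: the first is allowed and attributed to its owner, the other two are denied with the reason recorded. The point of the design is that the allow decision keys on the serial number mapped to an owner, which is exactly the "identifiable owner" the requirement asks for; a device-type allow rule alone (3.8.7) would let the unregistered drive of an approved model through.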
Example
You are the IT manager. One day, a staff member reports finding a USB drive in the parking lot. You investigate and learn that there are no labels on the outside of the drive to indicate who might be responsible for it. You send an email to all employees to remind them that IT policies expressly prohibit plugging unknown devices into company computers. You also direct staff members to turn in to the IT help desk any devices that have no identifiable owner [a].
Potential Assessment Considerations
Do portable storage devices used have identifiable owners [a]?
Frameworks & Controls
3.8.2: Limit access to CUI on system media to authorized users.
3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.
3.8.4: Mark media with necessary CUI markings and distribution limitations.
3.8.7: Control the use of removable media on system components.
3.8.8: Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9: Protect the confidentiality of backup CUI at storage locations.