NIST 800-171 Control 3.8.7: Removable Media Control
Removable media like USB drives and external hard drives represent a significant data exfiltration risk in any organization. NIST SP 800-171 Control 3.8.7 requires you to establish and enforce policies that restrict or monitor removable media use on system components. Without proper controls, sensitive data can walk out the door in seconds.
What this means
This control requires organizations to implement technical and administrative safeguards that prevent, limit, or monitor the use of removable media (USB flash drives, external hard drives, SD cards, portable devices) on government systems and contractor networks. The goal is to reduce data loss, prevent malware introduction, and maintain system integrity. Organizations must define which removable media is permitted, who can use it, and under what circumstances, then enforce these policies through technical controls and regular audits.
How to comply
- 1.Develop a removable media policy that specifies which types of devices are permitted, prohibited, or restricted on your networks
- 2.Implement technical controls such as USB port disabling, endpoint detection and response (EDR), or mobile device management (MDM) to block or log removable media access
- 3.Create an approved list of devices and authorized users who may connect removable media under specific business justifications
- 4.Configure audit logging to record all removable media connection attempts, successful connections, and data transfers
- 5.Conduct regular audits and asset reviews to identify unauthorized removable media or policy violations
- 6.Provide employee training on removable media risks and your organization's acceptable use policy
- 7.Establish a process for securely wiping or destroying removable media at end-of-life
Evidence auditors look for
- Removable Media Control Policy document signed by management
- Group Policy Objects (GPOs) or Mobile Device Management (MDM) configurations blocking USB ports
- Endpoint protection logs showing blocked or flagged removable media connections
- Hardware inventory records of approved devices and serial numbers
- Audit logs from systems showing removable media access attempts and data transfer records
- Employee training completion certificates and policy acknowledgment forms
- Device sanitization certificates or destruction records for decommissioned media
- Security scanning reports documenting compliance assessments
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates removable media audit logging and policy enforcement tracking, so you can document ongoing compliance without manual log reviews or scattered spreadsheets.
See how GRCWatch handles this control automatically
Start free trial