Removeable Media
Control the use of removable media on system components.
What an assessor scores, the objectives
MP.L2-3.8.7 is met only when every one of these 1 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.the use of removable media on system components is controlled
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MP.L2-3.8.7, an assessor uses these:
System media protection policy; system use policy; procedures addressing media usage restrictions; system security plan; rules of behavior; system design documentation; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records
Personnel with system media use responsibilities; personnel with information security responsibilities; system or network administrators
Organizational processes for media use; mechanisms restricting or prohibiting use of system media on systems or system components
What it means, in context
In contrast to requirement MP.L2 -3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices. Malicious code protection mechanisms include anti-virus signature definitions and reputation- based technologies. Many technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom -built software. This could include logic bombs, back doors, and other types of cyber -attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring technologies to help ensure that software does not perform functions other than the functions intended.
Removable media are any type of media storage that you can remove from your computer or machine (e.g., CDs, DVDs, diskettes, and USB drives). Write a specific policy for removable media. The policy should cover the various types of removable media (e.g., write-once media and rewritable media) and should discuss the company ’s approach to removable media. Ensure the following controls are considered and included in the policy: • limit the use of removable media to the smallest number needed; and • scan all removable media for viruses. Example You are in charge of IT operations. You establish a policy for removable media that includes USB drives [a]. The policy information such as: • only USB drives issued by the organization may be used; and • USB drives are to be used for work purposes only [a]. You set up a separate computer to scan these drives before anyone uses them on the network. This computer has anti-virus software installed that is kept up to date. Potential Assessment Considerations • Are removable media allowed [a]? • Are policies and/or procedures in use to control the use of removable media [a]?
What passing evidence looks like
The removable media policy (allowed or banned, and under what conditions) and the technical control: Intune or GPO removable storage restrictions, or the enforced ban.
Common ways contractors fail MP.L2-3.8.7
- !Five point requirement. An outright ban is the easiest MET: block USB storage by policy and say so. If you allow it, the conditions (encrypted only, owned by the company) must be enforced, not aspirational.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MP.L2-3.8.7, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MP.L2-3.8.7 questions, answered
How many points is CMMC requirement MP.L2-3.8.7 worth?+
MP.L2-3.8.7 is worth 5 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 5 from your total of 110.
Can MP.L2-3.8.7 be placed on a POA&M?+
No. MP.L2-3.8.7 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does MP.L2-3.8.7 belong to?+
MP.L2-3.8.7 is in the Media Protection (MP) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.8.7