NIST 800-171 - Use of Portable Storage Devices on External Systems (3.1.21)

Overview:
Limit use of organizational portable storage devices on external information systems.


Action Items:
3.1.21[a]
Determine if: the use of portable storage devices containing CUI on external systems is identified and documented.


3.1.21[b]
Determine if: limits on the use of portable storage devices containing CUI on external systems are defined.


3.1.21[c]
Determine if: the use of portable storage devices containing CUI on external systems is limited as defined.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1
Examine: Access control policy; procedures addressing the use of external systems; system security plan; system configuration settings and associated documentation; system connection or processing agreements; account management documents; other relevant documents or records.


2
Interview: Personnel with responsibilities for restricting or prohibiting use of organization-controlled storage devices on external systems; system or network administrators; personnel with information security responsibilities.


3
Test: Mechanisms implementing restrictions on use of portable storage devices.


Related Documents (document name and content will vary by organization):
1) Access control policy
2) procedures addressing the use of external systems
3) system security plan
4) system configuration settings and associated documentation
5) system connection or processing agreements
6) account management documents
7) other relevant documents or records


Additional Guidance:
Limits on the use of organization-controlled portable storage devices in external systems include, for example, complete prohibition of the use of such devices or restrictions on how the devices may be used and under what conditions the devices may be used. Note that while “external” typically refers to outside of the organization’s direct supervision and authority, that is not always the case. Regarding the protection of CUI across an organization, the organization may have systems that process CUI and others that do not. And among the systems that process CUI there are likely access restrictions for CUI that apply between systems. Therefore, from the perspective of a given system, other systems within the organization may be considered “external” to that system.