In 2024, a mid-sized defense subcontractor lost their eligibility for DoD contracts after a CMMC assessment revealed that engineers were routinely transferring Controlled Unclassified Information (CUI) to personal USB drives to work from home. The company had a written removable media policy. They had no technical enforcement. The assessor scored them as NOT MET on three NIST 800-171 controls, and the resulting Plan of Actions and Milestones (POA&M) cost them a $4.2 million contract renewal while they scrambled to remediate.
For the 300,000+ companies in the Defense Industrial Base (DIB), USB security isn't a nice-to-have — it's a contract requirement. With CMMC 2.0 assessments now underway, the gap between having a policy and having enforceable controls is the difference between winning and losing government work.
Why the Defense Industrial Base Faces Unique USB Risks
Government contractors and their subcontractors operate under constraints that make USB security both more critical and more complex than in commercial environments:
- CUI everywhere. Controlled Unclassified Information lives on engineering workstations, CAD systems, file shares, and laptops. Unlike classified data, CUI doesn't require a SCIF — it sits on standard IT infrastructure where USB ports are readily accessible.
- Supply chain depth. A prime contractor's CMMC obligations flow down to subcontractors. A machine shop with 15 employees handling technical drawings has the same USB control requirements as a 5,000-person prime. Most small subs don't have dedicated security staff.
- Air-gapped and classified-adjacent systems. Some contractor environments include air-gapped networks or systems near classified boundaries. USB devices are often the only way to move data across these boundaries — making them both essential and dangerous.
- ITAR and EAR data. International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) data on a USB drive that leaves the facility is potentially a federal export control violation — not just a data breach.
- Long project lifecycles. Defense programs run for years or decades. Engineers accumulate data across programs, and departing employees represent a serious exfiltration risk when USB devices aren't controlled.
- Foreign targeting. Nation-state adversaries actively target the DIB. USB-based attacks — from supply chain implants to social engineering drops — are documented vectors used against defense contractors.
CMMC 2.0: How USB Controls Map to Assessment Requirements
CMMC 2.0 Level 2 requires implementation of all 110 NIST SP 800-171 Rev 2 controls. Multiple control families directly require USB device management. Here's what assessors will look for:
| NIST 800-171 Control | Family | USB Requirement |
|---|---|---|
| 3.1.21 | Access Control | Limit use of portable storage devices on external systems. You must technically restrict which USB storage devices can connect and where CUI can be transferred. |
| 3.1.22 | Access Control | Control CUI posted or processed on publicly accessible systems. USB devices bridge the gap between controlled and uncontrolled systems — enforce this boundary. |
| 3.4.6 | Config. Mgmt. | Employ the principle of least functionality. Disable USB mass storage on systems where it serves no business purpose. Only enable it where justified and documented. |
| 3.4.8 | Config. Mgmt. | Apply deny-by-exception (blacklisting) or allow-by-exception (whitelisting) policy. For USB devices, this means default-deny with explicit approvals for authorized devices. |
| 3.8.1 | Media Protection | Protect CUI on system media (including removable USB media). Encryption is required for any USB device that stores CUI. |
| 3.8.2 | Media Protection | Limit access to CUI on system media to authorized users. USB device whitelisting tied to user identity satisfies this requirement. |
| 3.8.3 | Media Protection | Sanitize or destroy system media before disposal or reuse. Document the process and maintain destruction records. |
| 3.8.5 | Media Protection | Control access to media containing CUI and maintain accountability during transport. Chain-of-custody logs for USB devices moved between locations. |
| 3.8.7 | Media Protection | Control the use of removable media on system components. This is the core USB enforcement control — assessors expect technical blocking, not just policy. |
| 3.8.8 | Media Protection | Prohibit the use of portable storage devices when devices have no identifiable owner. Every USB device in your environment needs a documented owner. |
| 3.13.8 | System & Comm. Protection | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission. Applies to USB transfers — data leaving a system on a USB drive must be encrypted. |
| 3.3.1 | Audit | Create and retain system audit logs. Every USB device connection, disconnection, blocked attempt, and data transfer must be logged and retained. |
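The controls in the table above describe a decision that an endpoint agent or OS policy makes at every USB insertion: deny mass storage by default, allow it only for an approved device whose documented owner is the requesting user and whose encryption is hardware-enforced, keep keyboards and mice working, and write an audit record either way. The block below is an added example written for this article (it is not code from the article or from any product it mentions) that models that decision logic in Python; the vendor/product IDs, serial numbers, users and approval records are constructed, and the JSON audit fields are an assumption about what a log pipeline would carry.

```python
"""Default-deny USB policy evaluator with an audit record.

Added example, not code from the original article or from any product it
mentions. Device IDs, serial numbers, users and approvals are constructed.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timezone

# USB-IF interface class codes: HID covers keyboards and mice,
# mass storage is the class that default-deny targets.
USB_CLASS_HID = 0x03
USB_CLASS_MASS_STORAGE = 0x08


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    serial: str
    usb_class: int


@dataclass(frozen=True)
class Approval:
    """One row of the approved-device inventory: 3.8.8 requires an owner,
    3.8.1 requires encryption for media that holds CUI."""
    serial: str
    owner: str
    justification: str
    hardware_encrypted: bool


# Constructed approved-device inventory keyed by serial number.
APPROVED = {
    "ENC-0001": Approval("ENC-0001", "j.doe", "CUI transfer to test range", True),
    "ENC-0002": Approval("ENC-0002", "m.lee", "CNC program loading", True),
    "BULK-0009": Approval("BULK-0009", "m.lee", "Legacy vendor media", False),
}


def evaluate(device, user, approved=APPROVED):
    """Return (allowed, reason).

    Mass storage is denied unless an explicit approval exists (3.4.8, 3.8.7),
    the approval's owner is the requesting user (3.8.2) and the device is
    hardware encrypted (3.8.1). HID is allowed so dual-use workstations keep
    their keyboard and mouse; every other class is denied (3.4.6).
    """
    if device.usb_class == USB_CLASS_HID:
        return True, "hid-allowed"
    if device.usb_class != USB_CLASS_MASS_STORAGE:
        return False, "class-not-permitted"
    approval = approved.get(device.serial)
    if approval is None:
        return False, "no-approval-no-owner"
    if approval.owner != user:
        return False, "user-not-owner"
    if not approval.hardware_encrypted:
        return False, "not-hardware-encrypted"
    return True, "approved"


def audit_record(device, user, host, allowed, reason, when=None):
    """One JSON audit line with the fields an assessor expects (3.3.1):
    device identity, user, timestamp and the action taken."""
    when = when or datetime.now(timezone.utc)
    return json.dumps({
        "ts": when.isoformat(),
        "host": host,
        "user": user,
        "vid": f"{device.vendor_id:04x}",
        "pid": f"{device.product_id:04x}",
        "serial": device.serial,
        "class": device.usb_class,
        "action": "allow" if allowed else "block",
        "reason": reason,
    }, sort_keys=True)


def handle_insertion(device, user, host, approved=APPROVED):
    """Evaluate one insertion and return (allowed, reason, audit_line)."""
    allowed, reason = evaluate(device, user, approved)
    return allowed, reason, audit_record(device, user, host, allowed, reason)


if __name__ == "__main__":
    # Constructed walk-through: a personal drive, then an approved one.
    personal = UsbDevice(0x1234, 0x0001, "PERSONAL-1", USB_CLASS_MASS_STORAGE)
    approved_drive = UsbDevice(0x1234, 0x0001, "ENC-0001", USB_CLASS_MASS_STORAGE)
    for dev in (personal, approved_drive):
        print(handle_insertion(dev, "j.doe", "ENG-01")[2])
```

The ordering of the checks matters for evidence: a device that fails because it has no owner is logged with that reason, which is exactly the 3.8.8 gap an assessor asks about, and a device that is approved but unencrypted is still blocked rather than silently allowed.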
CMMC Assessment: What Assessors Actually Check
A C3PAO (CMMC Third Party Assessment Organization) assessor evaluating your USB controls will go beyond reading your policy. They follow the CMMC Assessment Guide methodology — examining, interviewing, and testing. Here's what that looks like in practice:
Examine
- Your removable media policy document — must reference NIST 800-171 controls explicitly
- Device whitelists with serial numbers, assigned users, and business justification for each approved device
- Configuration management documentation showing default-deny USB settings on your standard system builds
- Audit logs showing USB events for the past 90+ days
- Media sanitization and destruction records
- Training records proving employees were trained on removable media procedures
Interview
- IT administrators — "Walk me through how you approve a new USB device. Show me the process."
- End users — "What happens if you plug in a personal USB drive? Have you tried?"
- Information security officer — "How do you monitor for unauthorized USB device usage? Show me the last alert you investigated."
- System administrators — "How are USB policies deployed to new machines? How do you verify coverage?"
Test
- Plug an unauthorized USB drive into a CUI-scoped workstation. Does it get blocked?
- Attempt to copy a CUI-marked file to an approved USB device. Is the transfer logged?
- Check a sample of workstations — are USB controls actually deployed, or just documented?
- Verify that USB event logs are being collected and retained according to your stated policy
An assessor who plugs in a USB drive and finds it works on a CUI system will score you NOT MET on 3.8.7 immediately. That single finding can cascade into a conditional assessment status — or worse, a failed assessment.
DFARS 252.204-7012: The Contractual Foundation
Before CMMC, there was DFARS. The Defense Federal Acquisition Regulation Supplement clause 252.204-7012 has required NIST 800-171 compliance for any contractor handling CUI since 2017. USB controls under DFARS include:
- Adequate security: Contractors must provide "adequate security" for CUI on their systems. USB devices without encryption or access controls are a clear gap.
- 72-hour incident reporting: If CUI is compromised via a USB device (theft, loss, unauthorized transfer), you must report to the DoD within 72 hours through the DIBNet portal. This includes lost USB drives containing CUI.
- Media preservation: After a cyber incident involving USB media, you must preserve images of affected media for 90 days and provide access to DoD investigators upon request.
- Flow-down requirement: DFARS 252.204-7012 must be included in subcontracts where CUI will be handled. Your subcontractors' USB security is your contractual responsibility.
USB Threat Scenarios in the Defense Industrial Base
These aren't hypotheticals — they're patterns documented in FBI and CISA advisories targeting defense contractors:
| Scenario | Risk | Control |
|---|---|---|
| Engineer copies technical drawings to personal USB for remote work | CUI on an unencrypted, uncontrolled device. If lost, it's a reportable incident. If the engineer changes jobs, the data goes with them. | Default-deny USB storage. Provide organization-owned encrypted USB devices for authorized transfers with device whitelisting. |
| Vendor plugs in USB drive for maintenance on CNC machine | Malware transfer to OT systems. CUI exposure if the CNC system touches controlled technical data. | Vendor USB procedure: use organization-provided media, escort required, all device connections logged. OT-specific USB controls for shop floor systems. |
| USB drop attack in contractor parking lot | Nation-state tradecraft. Attractive USB drives left where employees will find and connect them. Documented in multiple FBI Private Industry Notifications. | Block all unauthorized USB storage at the OS level. Even if picked up and plugged in, the device is rejected. |
| Departing employee exfiltrates proprietary bid data | Competitive intelligence loss. Potential ITAR violation if data includes controlled technical data. False Claims Act exposure if not reported. | USB DLP monitoring alerts on large file transfers. Immediate USB privilege revocation as part of offboarding checklist. |
| Subcontractor receives CUI on unencrypted USB from prime | DFARS violation for both parties. The prime failed flow-down controls. The sub failed to protect CUI on receipt. | Mandate encrypted USB for all CUI transfers. Establish a secure file transfer mechanism as the preferred alternative. USB as fallback only with documented authorization. |
| Insider uses USB device to bridge air gap | Data from a classified-adjacent or isolated network reaches the internet. This is the Stuxnet scenario — well understood by adversaries targeting defense contractors. | Physical USB port disablement on air-gapped systems. BIOS-level USB restriction. Endpoint USB port control as defense-in-depth. |
Building a CMMC-Ready USB Program: 10-Week Roadmap
Weeks 1-2: Discovery and Scoping
- Identify all systems in your CUI scope boundary
- Inventory every USB device currently in use (type, serial number, user, business justification)
- Document all legitimate USB use cases — be specific about why USB is needed versus secure file transfer
- Map your current state against NIST 800-171 media protection controls (3.8.x family)
- Identify subcontractors who handle CUI and their USB control status
Weeks 3-4: Policy and Architecture
- Write or update your removable media policy. Reference specific NIST 800-171 control numbers.
- Define your device approval process: who requests, who approves, what documentation is required
- Design your USB architecture: default-deny on all CUI systems, whitelisted exceptions only
- Select and procure organization-owned encrypted USB devices for authorized use cases
- Draft your USB security training module
Weeks 5-7: Technical Implementation
- Deploy USB port control to all CUI-scoped endpoints using a centrally managed solution
- Configure device whitelisting for approved encrypted USB devices
- Enable audit logging for all USB events — connections, blocks, file transfers
- Configure log retention to meet your audit requirements (minimum 90 days for CMMC, recommend 1 year)
- Deploy controls to any subcontractor-accessible systems
- Verify BIOS-level USB restrictions on air-gapped or classified-adjacent systems
Weeks 8-9: Validation and Testing
- Conduct internal testing using the assessor methodology: examine, interview, test
- Plug unauthorized USB devices into a sample of CUI systems — verify blocking
- Review audit logs — verify USB events are captured and searchable
- Interview a sample of employees — verify they understand the policy and the exception process
- Test your incident response procedure: simulate a lost USB drive containing CUI
- Verify media destruction procedures are documented and followed
Week 10: Evidence Packaging
- Compile the evidence package (see table below)
- Prepare SSP (System Security Plan) entries for all USB-related controls
- Document any POA&M items for controls not yet fully implemented
- Conduct management review and sign-off
CMMC Assessment Evidence Package for USB Controls
| Evidence Item | NIST 800-171 Controls | Format |
|---|---|---|
| Removable media policy (references NIST controls) | 3.8.7, 3.8.1, 3.8.2 | PDF, signed and dated |
| Approved USB device inventory (serial, user, justification) | 3.8.8, 3.8.2 | Spreadsheet or asset management export |
| Default-deny configuration evidence (GPO, agent config) | 3.4.6, 3.4.8, 3.8.7 | Screenshots, configuration exports |
| Endpoint coverage report (% of CUI systems with enforcement) | 3.8.7, 3.4.6 | Dashboard export or agent status report |
| USB event audit logs (90+ days) | 3.3.1, 3.3.2 | Log exports, SIEM query results |
| Device approval workflow records (request, approval, provisioning) | 3.8.2, 3.8.8 | Ticketing system exports |
| Media sanitization and destruction records | 3.8.3 | Signed destruction certificates |
| Employee training records (removable media module) | 3.2.1, 3.2.2 | LMS completion reports |
| Incident response procedure (USB-specific scenarios) | 3.6.1, 3.6.2 | IR plan excerpt |
| Subcontractor flow-down documentation | 3.8.7 (flow-down) | Contract clauses, subcontractor attestations |
Common CMMC Assessment Findings for USB Controls
| Finding | Why Assessors Flag It | How to Prevent It |
|---|---|---|
| Policy exists but no technical enforcement | A policy without enforcement is scored NOT MET. CMMC requires demonstrated implementation, not documentation alone. | Deploy technical USB blocking on all CUI systems. Be prepared for the assessor to test it live. |
| USB controls on IT systems but not OT/shop floor | If CNC machines, test equipment, or shop floor systems process CUI (technical drawings, specifications), they're in scope. | Extend USB controls to all CUI-scoped systems including manufacturing and OT environments. |
| No device inventory or unowned devices in use | NIST 800-171 3.8.8 explicitly prohibits portable storage without identifiable owners. Assessors check for this. | Inventory all USB devices. Assign owners. Remove or destroy unowned devices. Maintain the registry going forward. |
| Audit logs don't capture USB events | Without USB event logs, you can't demonstrate monitoring or respond to incidents. Fails 3.3.1 and weakens multiple media protection controls. | Configure USB event logging with sufficient retention. Verify logs capture device identity, user, timestamp, and action. |
| Subcontractors not included in USB controls | DFARS flow-down requires subcontractors to protect CUI. If they handle CUI without USB controls, your assessment is affected. | Include USB security requirements in subcontractor agreements. Verify compliance before assessment. |
| Encrypted USB devices not actually encrypted | Assessors may request to inspect an approved USB device. If it's marketed as encrypted but uses software encryption that can be bypassed, that's a finding. | Use FIPS 140-2 validated hardware-encrypted USB devices. Verify encryption is mandatory (not optional) on each approved device. |
ITAR and EAR: When USB Becomes an Export Control Problem
For contractors handling ITAR-controlled technical data or EAR-controlled technology, USB security takes on an additional dimension. A USB drive containing ITAR data that leaves your facility without proper authorization is a potential export control violation under 22 CFR 120-130 — regardless of whether it crosses a national border.
- Deemed exports: If a foreign national employee copies ITAR data to a USB drive, that's a deemed export requiring a license or exemption. USB controls combined with identity-based access help prevent unauthorized deemed exports.
- Technology control plans: Contractors with Technology Control Plans (TCPs) must include USB device controls. The TCP should specify which users can access which USB devices and under what conditions.
- Voluntary self-disclosure: If a USB-related export control violation occurs, the State Department (ITAR) or BIS (EAR) expects voluntary self-disclosure. Having USB audit logs demonstrating the incident timeline strengthens your disclosure and demonstrates good faith.
Small Contractor Challenges
The majority of the Defense Industrial Base isn't Lockheed Martin or Raytheon. It's machine shops, engineering consultancies, and IT service providers with 10-200 employees. These organizations face specific challenges with USB security:
- No dedicated security staff. The IT manager, the security officer, and the compliance lead are often the same person. USB controls need to be deployable and manageable without a security team.
- Limited budget. CMMC compliance competes with operational spending. USB security needs to be cost-effective — not a six-figure endpoint security suite.
- Dual-use systems. Employees use the same workstations for CUI and non-CUI work. USB controls need to be smart enough to allow a mouse or keyboard while blocking mass storage.
- USB dependencies. Shop floor equipment, CNC machines, and test equipment may require USB for legitimate operations. A blanket USB ban isn't practical — you need granular whitelisting.
- Assessment cost anxiety. A failed CMMC assessment means paying for reassessment. Getting USB controls right the first time saves tens of thousands in remediation and reassessment costs.
The good news: USB security is one of the most straightforward CMMC controls to implement. Unlike complex requirements around network segmentation or continuous monitoring, USB device control is a well-defined problem with clear solutions. Deploy enforcement, whitelist what's needed, log everything, and maintain your documentation. For a 50-person contractor, this can be operational in days, not months.
Maintaining Compliance Between Assessments
CMMC 2.0 Level 2 requires reassessment every three years. But the DoD expects continuous compliance, not point-in-time compliance. For USB controls, this means:
- Monthly USB activity reviews. Pull USB event summaries monthly. Review exceptions, investigate anomalies, and document your review. This creates a continuous evidence trail.
- Quarterly device inventory reconciliation. Compare your approved device list against active devices. Remove devices for departed employees. Verify encryption status on all approved devices.
- Annual policy review. Update your removable media policy annually. Reference any incidents, regulatory changes, or scope changes that influenced modifications.
- Continuous monitoring integration. Feed USB event data into your continuous monitoring program. Alert on anomalies: new device types, off-hours connections, high-volume transfers.
- Affirmation requirements. CMMC 2.0 requires annual affirmation that your controls remain in place. USB control coverage reports support this affirmation with evidence.
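The monthly activity review, the quarterly inventory reconciliation and the continuous-monitoring alerts listed above are all queries over the same USB audit log and the same approved-device inventory. The block below is an added example written for this article (not code from the article or from any product it mentions) that runs those three reviews in Python over a few constructed JSON log lines; the log content, serials, users, the HR roster, the business-hours window and the 500 MB transfer threshold are all constructed, and the field names assume an agent that logs one event per line with these keys.

```python
"""Monthly USB review, anomaly alerting and quarterly inventory reconciliation.

Added example, not code from the original article or from any product it
mentions. Log lines, serials, users, roster and thresholds are constructed.
"""
import json
from collections import defaultdict
from datetime import datetime

USB_CLASS_MASS_STORAGE = 0x08

# Constructed audit log: one JSON event per line (bytes = bytes written).
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:12:00", "host": "ENG-01", "user": "j.doe", "serial": "ENC-0001", "class": 8, "action": "allow", "bytes": 20000000}
{"ts": "2025-03-03T09:40:00", "host": "ENG-01", "user": "j.doe", "serial": "ENC-0001", "class": 8, "action": "allow", "bytes": 450000000}
{"ts": "2025-03-04T22:15:00", "host": "ENG-07", "user": "r.kim", "serial": "ENC-0003", "class": 8, "action": "allow", "bytes": 3000000}
{"ts": "2025-03-05T14:02:00", "host": "CNC-02", "user": "m.lee", "serial": "PERSONAL-77", "class": 8, "action": "block", "bytes": 0}
{"ts": "2025-03-05T14:03:00", "host": "CNC-02", "user": "m.lee", "serial": "KBD-11", "class": 3, "action": "allow", "bytes": 0}
{"ts": "2025-03-06T10:30:00", "host": "ENG-07", "user": "r.kim", "serial": "ENC-0003", "class": 8, "action": "allow", "bytes": 600000000}
"""

# Constructed approved-device inventory (serial -> owner) and HR roster.
APPROVED = {"ENC-0001": "j.doe", "ENC-0002": "m.lee", "ENC-0003": "r.kim"}
ACTIVE_EMPLOYEES = {"j.doe", "m.lee"}   # r.kim has departed (constructed)

# Review thresholds: assumptions to tune per environment.
BUSINESS_HOURS = range(7, 19)            # 07:00 to 18:59 local time
HIGH_VOLUME_BYTES = 500_000_000          # 500 MB written in one event


def parse_log(text):
    """Parse one JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_anomalies(events, approved=APPROVED):
    """Flag the anomaly types named in the continuous-monitoring bullet:
    unapproved mass-storage serials (allowed or blocked), off-hours use and
    high-volume transfers. Returns (kind, serial, user, ts) in log order."""
    flagged = []
    reported = set()
    for e in events:
        if e["class"] != USB_CLASS_MASS_STORAGE:
            continue  # keyboards, mice and other classes are not reviewed here
        ts = datetime.fromisoformat(e["ts"])
        if e["serial"] not in approved and e["serial"] not in reported:
            reported.add(e["serial"])
            kind = "unapproved-device-allowed" if e["action"] == "allow" else "unapproved-device-blocked"
            flagged.append((kind, e["serial"], e["user"], e["ts"]))
        if e["action"] == "allow" and ts.hour not in BUSINESS_HOURS:
            flagged.append(("off-hours", e["serial"], e["user"], e["ts"]))
        if e.get("bytes", 0) >= HIGH_VOLUME_BYTES:
            flagged.append(("high-volume", e["serial"], e["user"], e["ts"]))
    return flagged


def monthly_summary(events):
    """Figures for the monthly review record: totals, blocks, distinct
    mass-storage devices seen and bytes written per user."""
    bytes_by_user = defaultdict(int)
    devices = set()
    blocked = 0
    for e in events:
        if e["action"] == "block":
            blocked += 1
        if e["class"] == USB_CLASS_MASS_STORAGE:
            devices.add(e["serial"])
            bytes_by_user[e["user"]] += e.get("bytes", 0)
    return {
        "events": len(events),
        "blocked": blocked,
        "allowed": len(events) - blocked,
        "mass_storage_devices_seen": len(devices),
        "bytes_by_user": dict(bytes_by_user),
    }


def reconcile_inventory(events, approved=APPROVED, active=ACTIVE_EMPLOYEES):
    """Quarterly reconciliation: revoke approvals whose owner has left,
    verify or retire approvals with no activity, and investigate unapproved
    serials that appeared on endpoints."""
    seen = {e["serial"] for e in events if e["class"] == USB_CLASS_MASS_STORAGE}
    actions = {"revoke": [], "verify-or-retire": [], "investigate": []}
    for serial, owner in sorted(approved.items()):
        if owner not in active:
            actions["revoke"].append(serial)
        elif serial not in seen:
            actions["verify-or-retire"].append(serial)
    actions["investigate"] = sorted(seen - set(approved))
    return actions


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print(json.dumps(monthly_summary(evs), indent=2))
    for anomaly in find_anomalies(evs):
        print("ALERT", *anomaly)
    print(json.dumps(reconcile_inventory(evs), indent=2))
```

Keeping the three reviews as separate functions over one parsed log makes the output of each run a dated artifact you can file as evidence; the distinction between an unapproved device that was blocked (enforcement working) and one that was allowed (an enforcement gap) is the first thing to check in the monthly review.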
Defense contractors who treat USB security as an ongoing operational practice — rather than an assessment preparation exercise — consistently achieve cleaner assessments and spend less time on remediation. The NIST 800-171 controls are clear. The assessment methodology is published. The gap is usually between knowing what's required and having the technical enforcement and evidence to demonstrate it.
Further Reading
- USB Security for Financial Services: PCI DSS, GLBA, and FFIEC Compliance
- USB Security for SOC 2 and ISO 27001: What Auditors Actually Look For
- USB Security for Manufacturing and OT/ICS Environments
- USB Security Policy Best Practices for 2026
- USB DLP: Why Data Loss Prevention Starts at the Port
- 7 USB Attack Vectors Every IT Admin Should Know
- USB Device Whitelisting: How to Allow Only Approved Devices