USB Device Control for Government Agencies

Enforce removable media policies across government endpoints. Protect CUI, meet NIST 800-171 requirements, and maintain a complete audit trail — with zero on-premise infrastructure.

Why Government Agencies Need USB Device Control

Government endpoints handle Controlled Unclassified Information (CUI), personally identifiable information (PII), law enforcement records, and critical infrastructure data. A single unauthorized USB drive plugged into a government workstation can introduce malware, exfiltrate sensitive records, or compromise an entire network segment. The 2008 Agent.btz incident — where a USB flash drive introduced malware to classified DoD networks — led to a years-long ban on removable media across the Department of Defense.

2,365 Government data breaches reported in 2025 (CISA)
$4.6M Avg. cost of a public sector data breach
45% of public sector incidents involve insider or physical access vectors

Frameworks like NIST 800-171, CMMC, FISMA, and IRS Publication 1075 all require agencies and their contractors to control removable media access. USB device control is one of the most direct, enforceable technical safeguards — and one of the easiest to audit.

Common Challenges in Government IT

Distributed Locations

Federal field offices, state agencies, county courthouses, and municipal buildings are spread across wide geographies with no consistent on-site IT support.

Compliance Mandates

NIST 800-171, CMMC, FISMA, CJIS, IRS Pub 1075 — agencies face overlapping compliance frameworks that all require media protection controls and audit evidence.

Mixed Environments

Legacy workstations, standalone kiosks, shared terminals, and modern endpoints coexist. Many machines aren't domain-joined, making Group Policy impractical.

Budget Constraints

Government IT budgets are tight and procurement cycles are long. Enterprise endpoint suites with annual server licensing often exceed what smaller agencies can justify.

How PortGuard Works in Government Environments

1. Block Unauthorized Removable Media Fleet-Wide

Install the PortGuard agent on government workstations, public-facing kiosks, and employee endpoints. USB mass storage devices — flash drives, external hard drives, phone storage — are blocked by default while keyboards, mice, smart card readers, and CAC readers continue working normally. Users cannot introduce unauthorized removable media to any protected endpoint.

2. Whitelist Agency-Issued Encrypted Drives

Government workflows sometimes require removable media — evidence collection, field data transfer, secure courier operations. PortGuard lets you whitelist specific USB devices by hardware ID, so only agency-issued FIPS 140-2 validated encrypted drives are permitted while all other USB storage is blocked. This satisfies the "organizationally-defined" approved media requirement in NIST 800-171.

3. Per-Endpoint Policies for Different Security Zones

Not every government machine needs the same USB policy. Lock down public kiosk terminals completely. Allow whitelisted encrypted drives on analyst workstations. Permit specific hardware-keyed forensics devices for law enforcement units. PortGuard's per-machine policy model lets you tailor access precisely without complex Group Policy hierarchies or OU structures.

4. Centralized Management Across Every Location

Whether you manage 10 endpoints in a single office or 10,000 across state agencies, every machine reports to a single cloud console. No VPN required. No management server at each facility. Policy changes propagate to all endpoints in under one second via MQTT. Your security team has real-time visibility into the USB posture of every protected machine from one dashboard.

5. Complete Audit Trail for Compliance

Every USB device connection attempt is logged with the device type, hardware ID, vendor, serial number, timestamp, machine name, and enforcement action (blocked or allowed). When auditors, inspectors general, or CISA assessors ask for evidence of media protection controls, the data is ready to export. The audit log is tamper-resistant and stored independently of the endpoint.
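
The policy model described in steps 1, 2, 3 and 5 (default-deny for mass storage, an allowlist keyed on hardware ID, per-machine policy, one audit record per connection attempt) can be sketched as follows. This is an added example, not PortGuard's code or API: it assumes the "hardware ID" is the Windows USBSTOR instance ID, and the machine names, drive identity and events are constructed.

```python
import re
from datetime import datetime, timezone

MASS_STORAGE = 0x08  # USB-IF interface class (HID is 0x03, smart card/CCID is 0x0B)
# Assumed ID format (Windows): USBSTOR\DISK&VEN_<v>&PROD_<p>&REV_<r>\<serial>&<lun>
USBSTOR = re.compile(r"^USBSTOR\\DISK&VEN_(?P<vendor>[^&]*)&PROD_(?P<product>[^&]*)"
                     r"&REV_[^\\]*\\(?P<serial>.+)&\d+$", re.IGNORECASE)

def parse_hardware_id(instance_id):
    """Return (vendor, product, serial), or None if the ID is not a USBSTOR disk ID."""
    m = USBSTOR.match(instance_id)
    if not m:
        return None
    serial = m["serial"].upper()
    # '&' as second character: Windows generated the ID because the device reports
    # no unique serial, so the ID cannot identify one physical drive.
    if len(serial) > 1 and serial[1] == "&":
        serial = None
    return (m["vendor"].upper(), m["product"].upper(), serial)

def evaluate(event, policies):
    """Apply the machine's policy to one connection event and return an audit record."""
    allow = policies.get(event["machine"], set())  # unknown machine: empty allowlist
    hw = parse_hardware_id(event["instance_id"])
    if event["class"] != MASS_STORAGE:
        action = "allowed"   # keyboards, mice, card readers are outside storage policy
    elif hw and hw[2] and hw in allow:
        action = "allowed"   # exact vendor + product + serial match
    else:
        action = "blocked"   # default deny, including malformed or serial-less IDs
    vendor, _, serial = hw or (None, None, None)
    return {"timestamp": datetime.now(timezone.utc).isoformat(),
            "machine": event["machine"], "device_class": event["class"],
            "hardware_id": event["instance_id"], "vendor": vendor,
            "serial": serial, "action": action}

# Constructed sample data: machine names, drive identity and events are invented.
DRIVE = r"USBSTOR\DISK&VEN_ACME&PROD_SECUREDRIVE&REV_1.00\A1B2C3D4E5F6&0"
POLICIES = {"KIOSK-01": set(), "ANALYST-07": {("ACME", "SECUREDRIVE", "A1B2C3D4E5F6")}}
EVENTS = [
    {"machine": "KIOSK-01", "class": 0x08, "instance_id": DRIVE},
    {"machine": "ANALYST-07", "class": 0x08, "instance_id": DRIVE},
    {"machine": "ANALYST-07", "class": 0x08,
     "instance_id": r"USBSTOR\DISK&VEN_ACME&PROD_SECUREDRIVE&REV_1.00\7&2B1F4A9C&0"},
    {"machine": "ANALYST-07", "class": 0x03, "instance_id": r"HID\VID_1234&PID_5678\6&1A2B&0&0000"},
    {"machine": "FIELD-22", "class": 0x08, "instance_id": DRIVE},
]

def run():
    return [evaluate(e, POLICIES)["action"] for e in EVENTS]
```

The third event shows why an allowlist entry needs the serial number: a drive of the approved model that reports no unique serial is still blocked.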

Compliance Framework Mapping

| Framework | Relevant Control | How PortGuard Helps |
|---|---|---|
| NIST 800-171 | 3.8.7 — Control use of removable media | Block/allow USB storage per endpoint, whitelist approved devices by hardware ID |
| NIST 800-171 | 3.8.8 — Prohibit portable storage when no owner | Default-deny policy blocks all unidentified USB storage devices |
| CMMC Level 2 | MP.L2-3.8.7 — Removable media control | Same as NIST 800-171 3.8.7 — enforced at the endpoint with full audit log |
| FISMA / NIST 800-53 | MP-7 — Media Use | Restrict removable media types, enforce organizationally-defined policies |
| CJIS Security Policy | 5.8 — Media Protection | Control removable media on systems accessing criminal justice information |
| IRS Pub 1075 | 9.3.10.7 — Media Use | Restrict USB media on systems handling Federal Tax Information (FTI) |

Government Use Case Scenarios

| Environment | Recommended Policy | Why |
|---|---|---|
| Public-facing kiosks | Block all USB storage | Prevent malware introduction and data exfiltration on public terminals |
| Employee workstations | Block all USB storage | Default-deny for CUI-handling endpoints per NIST 800-171 |
| Analyst / intelligence desks | Whitelist FIPS encrypted drives only | Allow agency-issued encrypted drives for secure data transfer |
| Law enforcement forensics | Whitelist specific device IDs | Permit forensics hardware while blocking personal devices |
| Field offices / remote sites | Block all USB storage | Enforce policy on endpoints with no on-site IT presence |
| Shared conference room PCs | Block all USB storage | Prevent visitors or unauthorized staff from using removable media |
| IT admin workstations | Whitelist approved drives only | Allow authorized admin tools while maintaining audit trail |

Deployment for Government Agencies

Most government IT teams deploy PortGuard across a facility in under an hour:

  1. Sign up at app.portguard.tech — free for up to 5 devices, no credit card required
  2. Download the lightweight Windows agent (< 4 MB, no admin approval chain for evaluation)
  3. Deploy via SCCM, Intune, your RMM tool, PDQ Deploy, or a simple GPO login script
  4. Set a default policy — "block all USB storage" for government endpoints
  5. Whitelist approved agency-issued encrypted drives by hardware ID

The agent runs as a Windows service, uses minimal CPU and memory, and communicates over standard HTTPS and MQTT ports. No firewall rule changes required in most government network configurations. It works on domain-joined and standalone machines equally well — including those legacy workstations and standalone kiosks that Group Policy can't reach.

Pricing for Government

PortGuard's pricing is straightforward and procurement-friendly:

All paid plans include 10% off for annual billing. No contracts beyond the billing cycle, no server infrastructure to budget for, no database licensing. The total cost is the subscription — nothing hidden.

Guard Suite: Beyond USB Control

PortGuard is the first module in the Guard Suite — a growing family of lightweight endpoint security tools built on the same cloud-managed agent architecture. Upcoming modules include DriveGuard (disk encryption enforcement), PatchGuard (Windows update compliance), and AssetGuard (hardware/software inventory). Each module deploys the same way, manages from the same console, and adds no additional agent footprint.

"We needed a USB lockdown solution for 120 county workstations that handle tax records under IRS Pub 1075. PortGuard deployed in one afternoon — no server, no GPO wrestling, and our CJIS auditor accepted the device logs as evidence of media protection controls."

Frequently Asked Questions

Does PortGuard help with NIST 800-171 compliance for USB devices?

Yes. NIST 800-171 control 3.8.7 requires organizations to control the use of removable media on system components. PortGuard enforces USB block/allow policies at the endpoint level with a full audit log of every device connection attempt, directly supporting this control and related media protection requirements.

Can PortGuard block all USB storage while allowing keyboards and mice?

Yes. PortGuard blocks USB mass storage devices (flash drives, external hard drives, phone storage) while allowing HID peripherals like keyboards, mice, and smart card readers to function normally. CAC and PIV card readers are unaffected by USB storage policies.

Does PortGuard work on air-gapped or classified networks?

PortGuard is a cloud-managed SaaS solution that requires internet connectivity for policy management and reporting. It is designed for CUI and unclassified government networks, not air-gapped or classified environments. For classified systems, agencies typically use host-based solutions approved for that classification level.

Can PortGuard integrate with government SIEM systems?

Yes. PortGuard's Enterprise plan includes SIEM integration, and the Pro and Enterprise plans provide full REST API access. USB device events can be forwarded to your existing SIEM (Splunk, Microsoft Sentinel, Elastic, etc.) for centralized security monitoring and incident correlation.

Is PortGuard FedRAMP authorized?

PortGuard is not currently FedRAMP authorized. It runs on AWS US-East-1 infrastructure and is suitable for state, local, and tribal government use, as well as federal contractor CUI environments where FedRAMP is not a hard requirement. FedRAMP authorization is on our roadmap as federal demand grows.

Protect Government Endpoints from Unauthorized USB Devices

Free for up to 5 devices. No credit card. Deploy a proof-of-concept in under 10 minutes.