USB and Removable Media Security Controls for Endpoints
USB drives, external hard disks, optical media, and similar portable storage devices represent one of the most persistent and well-documented vectors for data exfiltration and malware introduction at the endpoint level. Regulatory frameworks including NIST SP 800-53, CMMC, and HIPAA Security Rule implementation specifications address removable media explicitly, imposing controls that range from device-level blocking to cryptographic enforcement. This page describes how those controls are defined and scoped, the technical mechanisms through which they operate, the operational scenarios where enforcement decisions arise, and the classification boundaries that determine which control tier applies.
Definition and scope
Removable media security controls are a subset of endpoint security policy governing the authorization, monitoring, and restriction of portable storage devices that connect to computing assets via physical interfaces — most commonly USB, eSATA, Thunderbolt, and SD card slots. The scope extends beyond data-bearing devices to include USB-connected peripherals capable of executing firmware-level attacks, sometimes referred to as BadUSB-class threats.
NIST SP 800-53 Rev 5, Control MP-7 (Media Use) requires organizations to restrict or prohibit the use of portable storage devices on information systems, with the restriction level determined by the information system's security category under FIPS 199. MP-7 is a baseline control at the Moderate and High impact levels, meaning it applies to the majority of federal information systems and to contractors operating under frameworks such as CMMC 2.0 Level 2, which maps to NIST SP 800-171 (CMMC 2.0 Model Overview, DoD).
The HIPAA Security Rule (45 CFR § 164.310(d)) specifically addresses device and media controls as a physical safeguard, requiring covered entities and business associates to implement policies governing the receipt and removal of hardware and electronic media that contain electronic protected health information (ePHI).
Within enterprise environments outside federal or healthcare contexts, the CIS Controls v8 address removable media under Control 10 (Malware Defenses) and Control 3 (Data Protection), establishing baseline expectations for blocking unauthorized USB devices.
How it works
Removable media controls are implemented through a layered technical stack that operates at the operating system, endpoint management, and hardware levels.
Control layers, in order of enforcement depth:
- OS-level device class blocking — Windows Group Policy and Linux udev rules can disable entire USB device classes (mass storage, HID, etc.) without requiring third-party software. This approach applies uniformly but lacks per-device granularity.
- Endpoint Detection and Response (EDR) / Data Loss Prevention (DLP) agents — Agent-based tools installed on the endpoint enforce policies that allow, block, or encrypt data based on device identity (vendor ID, product ID, serial number), user identity, or data classification tags. Major frameworks such as NIST SP 800-137 (Information Security Continuous Monitoring) contemplate agent-based telemetry as part of ongoing endpoint visibility.
- Allowlisting by hardware identifier — Authorized devices are enrolled in a centralized management console; only enrolled devices are permitted to mount. This is the model required under CMMC 2.0 Practice MP.L2-3.8.7, which requires that the use of removable media be controlled and limited to authorized users and approved activities.
- Mandatory encryption enforcement — Policies requiring that data written to removable media be encrypted using approved algorithms (AES-256 is the standard referenced by FIPS 140-3) before transfer is permitted.
- Audit logging and SIEM integration — Every device connection, data transfer attempt, and policy exception is logged and forwarded to a security information and event management platform for retention and alerting.
BadUSB-class attacks, in which a USB device's reprogrammed firmware causes it to present as a keyboard or network adapter rather than as mass storage, bypass policies that block only the mass-storage class. Defending against this threat class requires blocking all USB device classes except those explicitly authorized — an approach documented in the NSA Cybersecurity Information Sheet on USB Security.
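The control layers above (allowlisting by vendor ID, product ID and serial number; per-user authorization; mandatory encryption for storage; default-deny of interface classes so that a device presenting a keyboard or network adapter is treated like any other unenrolled device; and an audit record per decision) can be combined in one policy evaluator. The following is an added illustration, not code from the page or from any product it names; the allowlist entry, device descriptors, host name and user names are constructed, and the decision values (ALLOW, BLOCK, ENCRYPT_REQUIRED) are this example's own vocabulary rather than any vendor's.

```python
"""Policy evaluator for removable media: allowlist by (VID, PID, serial),
default-deny of USB interface classes for unenrolled devices, mandatory
encryption for storage, and a JSON audit record per decision.
Added illustration; allowlist entries and devices are constructed."""
from dataclasses import dataclass
import json

# USB-IF interface class codes
HID, MASS_STORAGE, HUB, CDC_DATA = 0x03, 0x08, 0x09, 0x0A

# Interface classes an unenrolled device may expose: hubs only. A
# reprogrammed device that presents a keyboard (HID) or network adapter
# (CDC) is therefore blocked just like an unknown flash drive.
BASELINE_CLASSES = frozenset({HUB})


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: str
    classes: frozenset        # interface classes the device exposes
    encrypted: bool = False   # storage volume uses the approved cipher


@dataclass(frozen=True)
class Enrolment:
    vid: int
    pid: int
    serial: str
    classes: frozenset        # classes this enrolment authorizes
    users: frozenset          # user identities allowed to use the device


def find_enrolment(dev, allowlist):
    """Match on the full (VID, PID, serial) triple; VID/PID alone is not an
    identity, since every unit of one product model shares them."""
    for e in allowlist:
        if (e.vid, e.pid, e.serial) == (dev.vid, dev.pid, dev.serial):
            return e
    return None


def evaluate(dev, user, allowlist):
    """Return (decision, reason): ALLOW, BLOCK or ENCRYPT_REQUIRED."""
    enrol = find_enrolment(dev, allowlist)
    if enrol is None:
        extra = dev.classes - BASELINE_CLASSES
        if extra:
            return "BLOCK", f"unenrolled device exposes classes {sorted(extra)}"
        return "ALLOW", "unenrolled hub with no data or input interfaces"
    if user not in enrol.users:
        return "BLOCK", f"device enrolled but user {user!r} is not authorized"
    unauthorized = dev.classes - enrol.classes - BASELINE_CLASSES
    if unauthorized:
        return "BLOCK", f"device exposes classes {sorted(unauthorized)} beyond its enrolment"
    if MASS_STORAGE in dev.classes and not dev.encrypted:
        return "ENCRYPT_REQUIRED", "storage is permitted only on an encrypted volume"
    return "ALLOW", "enrolled device, authorized user, authorized classes"


def audit_record(host, user, dev, allowlist):
    """One JSON line per decision, in a shape a SIEM forwarder can ship as-is."""
    decision, reason = evaluate(dev, user, allowlist)
    return json.dumps({
        "event": "removable_media_policy", "host": host, "user": user,
        "vid": f"{dev.vid:04x}", "pid": f"{dev.pid:04x}", "serial": dev.serial,
        "classes": sorted(dev.classes), "decision": decision, "reason": reason,
    }, sort_keys=True)


# Constructed allowlist: one organization-issued encrypted drive enrolled for alice
ALLOWLIST = [Enrolment(0x0781, 0x5567, "4C530001", frozenset({MASS_STORAGE}),
                       frozenset({"alice"}))]

if __name__ == "__main__":
    samples = [
        ("alice", Device(0x0781, 0x5567, "4C530001", frozenset({MASS_STORAGE}), True)),
        ("alice", Device(0x0781, 0x5567, "4C530001", frozenset({MASS_STORAGE}))),
        ("bob",   Device(0x0781, 0x5567, "4C530001", frozenset({MASS_STORAGE}), True)),
        ("alice", Device(0x0781, 0x5567, "9F000002", frozenset({MASS_STORAGE}), True)),
        ("alice", Device(0x0781, 0x5567, "4C530001", frozenset({MASS_STORAGE, HID}), True)),
        ("alice", Device(0x1A40, 0x0101, "", frozenset({HUB}))),
    ]
    for user, dev in samples:
        print(audit_record("ws-01", user, dev, ALLOWLIST))
```

Two design points carry the weight here: the allowlist is keyed on the full VID/PID/serial triple, because a second unit of the same product model shares VID and PID and would otherwise inherit the enrolment; and the class check runs even for enrolled devices, so a drive that later begins presenting an HID interface is blocked rather than trusted on the strength of its earlier enrolment.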
Common scenarios
Regulated healthcare environments: A hospital endpoint fleet subject to HIPAA must prevent unauthorized copying of ePHI to personal USB drives. The control implementation typically combines DLP agent enforcement with audit logging. Encrypted, organization-issued USB drives may be permitted under an exception policy that satisfies the HIPAA Security Rule's addressable specification for encryption (45 CFR § 164.312(a)(2)(iv)).
Federal contractor networks: A defense contractor operating under CMMC 2.0 Level 2 must satisfy all 110 practices from NIST SP 800-171. Practice 3.8.7 (Control the use of removable media) and 3.8.8 (Prohibit use of portable storage without identifiable owner) require both policy and technical enforcement. An assessor evaluating compliance will look for documented procedures, technical controls, and evidence of enforcement such as DLP logs.
Air-gapped or classified systems: On systems processing Controlled Unclassified Information (CUI) or classified data, the Committee on National Security Systems Instruction CNSSI 1253 establishes overlay requirements that, in high-impact contexts, may require complete disabling of all removable media interfaces at the hardware level — physical port blocking via epoxy fill or chassis-level configuration.
Corporate data loss prevention: In non-regulated enterprise settings, the primary driver is protecting intellectual property. A common shadow IT pattern is employees using personal USB drives to transfer files outside sanctioned channels. DLP agents deployed per CIS Control 3.9 address this by scanning content in transit and blocking transfers of files matching data classification patterns.
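The audit-logging layer described under "How it works", and the evidence an assessor asks for in the contractor scenario, both depend on turning raw device-connection messages into per-device records that can be checked against the enrolment registry. The following is an added illustration, not code from the page or from any product it names: it correlates kernel USB messages by device path and raises SIEM-style alerts for an unenrolled device, a mass-storage attach from an unenrolled device, and a storage device that also registers an input device (the BadUSB pattern a mass-storage-only block would miss). The log excerpt is constructed in the message formats the Linux usb, usb-storage and input subsystems emit, the vendor/product/serial values are constructed, and ENROLLED stands in for the organization's device registry.

```python
"""Correlates kernel USB messages into per-device attach records and raises
SIEM-style alerts. Added illustration; the log lines are constructed in the
formats the Linux usb, usb-storage and input subsystems emit, and the
enrolment set is a stand-in for the organization's device registry."""
import re

# Enrolled devices as (idVendor, idProduct, serial) -- constructed values
ENROLLED = {("0781", "5567", "4C530001")}

NEW_DEV = re.compile(r"usb (?P<path>[\d.-]+): New USB device found, "
                     r"idVendor=(?P<vid>[0-9a-f]{4}), idProduct=(?P<pid>[0-9a-f]{4})")
SERIAL = re.compile(r"usb (?P<path>[\d.-]+): SerialNumber: (?P<serial>\S+)")
STORAGE = re.compile(r"usb-storage (?P<path>[\d.-]+):[\d.]+: USB Mass Storage device detected")
# input devices register under .../usbN/<path>/<path>:<config.iface>/...
INPUT_DEV = re.compile(r"input: (?P<name>.+) as /devices/.*/usb\d+/(?P<path>[\d.-]+)/")


def correlate(lines):
    """Fold per-line messages into one record per USB device path."""
    devices = {}
    for line in lines:
        for pattern in (NEW_DEV, SERIAL, STORAGE, INPUT_DEV):
            m = pattern.search(line)
            if not m:
                continue
            rec = devices.setdefault(m.group("path"), {
                "vid": None, "pid": None, "serial": None, "storage": False, "hid": []})
            if pattern is NEW_DEV:
                rec["vid"], rec["pid"] = m.group("vid"), m.group("pid")
            elif pattern is SERIAL:
                rec["serial"] = m.group("serial")
            elif pattern is STORAGE:
                rec["storage"] = True
            else:
                rec["hid"].append(m.group("name"))
            break
    return devices


def alerts_for(rec):
    """Policy checks on one correlated record; returns alert names."""
    alerts = []
    enrolled = (rec["vid"], rec["pid"], rec["serial"]) in ENROLLED
    if not enrolled:
        alerts.append("UNENROLLED_DEVICE")
        if rec["storage"]:
            alerts.append("MASS_STORAGE_ATTACH")
    if rec["storage"] and rec["hid"]:
        # A storage device that also registers an input device is the
        # BadUSB signature: mass-storage-only blocking does not see it.
        alerts.append("STORAGE_DEVICE_PRESENTS_HID")
    return alerts


def analyze(lines):
    """Map each device path to its alert list, in path order."""
    return {path: alerts_for(rec) for path, rec in sorted(correlate(lines).items())}


# Constructed kernel log excerpt: enrolled drive (1-1), a drive that also
# registers a keyboard (1-2), and an unenrolled consumer drive (1-3)
SAMPLE_LOG = """\
usb 1-1: New USB device found, idVendor=0781, idProduct=5567, bcdDevice= 1.00
usb 1-1: New USB device strings: Mfr=1, Product=2, SerialNumber=3
usb 1-1: SerialNumber: 4C530001
usb-storage 1-1:1.0: USB Mass Storage device detected
usb 1-2: New USB device found, idVendor=16c0, idProduct=27db, bcdDevice= 1.00
usb 1-2: SerialNumber: 0000001
usb-storage 1-2:1.0: USB Mass Storage device detected
input: Generic Keyboard as /devices/pci0000:00/0000:00:14.0/usb1/1-2/1-2:1.1/0003:16C0:27DB.0001/input/input12
usb 1-3: New USB device found, idVendor=0951, idProduct=1666, bcdDevice= 1.10
usb 1-3: SerialNumber: E0D55EA5
usb-storage 1-3:1.0: USB Mass Storage device detected
""".splitlines()

if __name__ == "__main__":
    for path, alerts in analyze(SAMPLE_LOG).items():
        print(path, alerts or "ok")
```

Correlating on the device path rather than on individual lines matters because the serial number, the storage driver claim and the input registration arrive as separate messages; a rule that fires on any single line either misses the composite-device case or alerts on every keyboard.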
Decision boundaries
The appropriate control tier is determined by two primary variables: the sensitivity classification of data processed on the endpoint, and the regulatory framework governing the organization.
| Scenario | Applicable Standard | Minimum Control Required |
|---|---|---|
| Federal system, FIPS 199 Moderate | NIST SP 800-53 MP-7 | Restrict or prohibit; log all use |
| Defense contractor, CUI | NIST SP 800-171 / CMMC 2.0 L2 | Allowlisting + identifiable owner requirement |
| Healthcare, ePHI | HIPAA Security Rule § 164.310(d) | Device and media controls; encryption addressable |
| Classified / NSS | CNSSI 1253 overlays | Full prohibition or hardware-level disablement |
| General enterprise | CIS Controls v8 | Policy + agent-based blocking of unauthorized devices |
Allowlisting vs. blanket blocking: Allowlisting (permit only enrolled devices) provides operational flexibility for legitimate business use cases such as transferring data to field equipment. Blanket blocking eliminates that attack surface entirely but introduces operational friction. The NIST SP 800-53 guidance on MP-7 explicitly contemplates both approaches, with the choice driven by mission requirements and risk acceptance documented in the system's Plan of Action and Milestones (POA&M).
Encryption-only vs. block policies: Permitting removable media but mandating encryption satisfies audit requirements and reduces exfiltration risk from lost devices, but does not prevent intentional insider exfiltration — an authorized user can still copy and decrypt data off-premises. Full blocking closes that vector at the cost of eliminating the media class as a legitimate workflow tool. The endpoint security providers listed on this provider network include offerings for both enforcement models.
Organizations building or evaluating removable media control programs will encounter this distinction across every framework comparison. The how-to-use-this-endpoint-security-resource page describes how to navigate the provider network's service categories by control type, including device control and DLP subcategories relevant to USB enforcement.