
3.8.8 — No Mystery USB Drives

Prohibit the use of portable storage devices when such devices have no identifiable owner.

If a storage device can’t be traced to a known, responsible owner, it does not connect to any system — period. This addresses one of the oldest and most effective social engineering attacks: leaving a USB drive in a parking lot, break room, or lobby and waiting for someone to plug it in.

The requirement has two layers:

  1. Training. People must know the risk. Annual security awareness training (3.2.1) should include the “found USB” scenario explicitly — don’t plug in unknown devices, report them to IT/security immediately. Training alone isn’t sufficient, but it’s the first line.

  2. Technical controls. The backstop. USB storage should be blocked by default on CUI systems (3.8.7), so even if someone ignores training and tries to plug in an unknown drive, the system prevents it. The technical control catches what training misses.
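As an added example (not code from the original page or from Ancitus), the following PowerShell script shows what the "blocked by default" technical control looks like on a Windows endpoint and lets an administrator verify that the Intune/GPO policy actually landed on a given host. It reads the registry keys behind the Removable Storage Access group policies and the USB mass-storage driver start type, reports whether an unknown USB drive would mount, and with `-Enforce` applies a local deny for removable disks. It assumes an elevated session on a Windows host with Microsoft Defender; the registry paths are Windows' own documented policy locations, while the function names and the `-Enforce` switch are this example's.

```powershell
#Requires -RunAsAdministrator
# Audit (and optionally enforce) the "removable storage blocked by default" control on a CUI
# endpoint. Added example, not project code. In production these values are delivered by GPO
# or an Intune policy; this script is a local check that the policy is actually in effect.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [switch]$Enforce   # without -Enforce the script only reports
)

# Key behind the GPO "All Removable Storage classes: Deny all access"
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device-class subkey for "Removable Disks" (USB mass storage) under the same GPO folder
$removableDisksKey = Join-Path $policyKey '{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
# Kernel driver for USB mass storage; Start=4 disables it outright
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # key or value absent: policy not configured
}

function Get-RemovableStorageState {
    # Defender setting is $false when removable drives are scanned on connect (3.14.5);
    # $null if Defender cmdlets are unavailable on this host
    $scanOff = try { (Get-MpPreference -ErrorAction Stop).DisableRemovableDriveScanning } catch { $null }
    [pscustomobject]@{
        DenyAll          = Get-PolicyValue $policyKey 'Deny_All'
        DenyRead         = Get-PolicyValue $removableDisksKey 'Deny_Read'
        DenyWrite        = Get-PolicyValue $removableDisksKey 'Deny_Write'
        DenyExecute      = Get-PolicyValue $removableDisksKey 'Deny_Execute'
        UsbStorStart     = Get-PolicyValue $usbstorKey 'Start'
        RemovableScanOff = $scanOff
    }
}

function Test-RemovableStorageBlocked {
    param($State)
    # Any one of these satisfies "blocked by default": the class-wide deny,
    # a read+write deny on removable disks, or a disabled USBSTOR driver
    ($State.DenyAll -eq 1) -or
    ($State.DenyRead -eq 1 -and $State.DenyWrite -eq 1) -or
    ($State.UsbStorStart -eq 4)
}

$state = Get-RemovableStorageState
$state | Format-List

if (Test-RemovableStorageBlocked $state) {
    Write-Host 'PASS: removable storage is blocked by policy on this host.'
} else {
    Write-Warning 'FAIL: removable storage is NOT blocked; an unknown USB drive would mount.'
}
if ($state.RemovableScanOff -eq $true) {
    Write-Warning 'Defender removable-drive scanning is disabled (see 3.14.5).'
}

if ($Enforce -and -not (Test-RemovableStorageBlocked $state)) {
    if ($PSCmdlet.ShouldProcess($removableDisksKey, 'Deny read/write/execute on removable disks')) {
        New-Item -Path $removableDisksKey -Force | Out-Null
        foreach ($name in 'Deny_Read', 'Deny_Write', 'Deny_Execute') {
            Set-ItemProperty -Path $removableDisksKey -Name $name -Value 1 -Type DWord
        }
        # Turn removable-drive scanning back on if it had been switched off
        if ($state.RemovableScanOff -eq $true) {
            Set-MpPreference -DisableRemovableDriveScanning $false
        }
        Write-Host 'Applied. Already-connected devices may need a reboot before the deny takes effect.'
    }
}
```

Run it without arguments during an assessment walkthrough to answer "Try plugging in an unknown USB — what happens?" with evidence rather than a live test, and with `-Enforce -WhatIf` to see what would change on a host that fails the check. Because the script only sets the per-class deny (the narrowest of the three mechanisms), a host that is also managed by Intune or GPO will keep the central policy as the source of truth.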

Additionally, every approved storage device in your environment should have an identifiable owner — tracked in your media inventory with a name attached. A USB drive in a drawer with no label and no record of who it belongs to violates this requirement even if it’s not “found.”


Your assessor needs a “yes” to every row:

# | Question | What “yes” looks like
1 | Is use of unidentified portable storage prohibited? | Policy documented; training covers the risk; technical controls block unknown devices; found media reporting procedure exists; all approved devices have identified owners

Documents they’ll review: Media protection policy; security awareness training content showing USB attack coverage; Intune/GPO configuration blocking USB; found media reporting procedure; media inventory with owner assignments

People they’ll talk to: General staff (to confirm they’ve been trained on this); information security personnel; system administrators

Live demos they’ll ask for: “What happens if someone finds a USB drive?” “Show me the training module that covers this.” “Try plugging in an unknown USB — what happens?” “Show me your media inventory — does every device have an owner?”


These are the actual questions. Have answers ready.

  • “What happens if an employee finds a USB drive with no owner?”
  • “Does your training cover USB attack vectors? Show me the content.”
  • “Are technical controls in place to prevent use of unknown devices?”
  • “Show me your media inventory — does every storage device have an identified owner?”
  • “Has this situation ever occurred? How was it handled?”

No training coverage. Security awareness training covers phishing but never mentions USB attacks. Add a dedicated section on found media and USB social engineering.

Found media plugged in. An employee finds a USB and connects it “to see whose it is.” Training is the first defense; technical blocking (3.8.7) is the backstop. You need both.

Untracked devices. USB drives exist in the office with no identified owner. Every storage device should be in the media inventory with an owner assigned. Unattributed devices should be treated as potential threats and handled by security.

No reporting procedure. Employees know not to plug it in but don’t know what to do instead. Define the procedure: report to IT security, don’t connect, don’t discard.



Requirement | Why it matters here
3.8.7 — Control Removable Media | Technical controls that block unknown USB devices
3.2.1 — Train Everyone | Training that covers USB attack risks
3.14.5 — Scan Regularly | Real-time scanning if removable media is connected


Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.


CMMC Practice ID: MP.L2-3.8.8 | SPRS Weight: 3 points | POA&M Eligible: No