This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization prohibits the use of portable storage devices in organizational information systems when such devices have no identifiable owner.
NIST 800-53 (r4) Supplemental Guidance:
Requiring identifiable owners (e.g., individuals, organizations, or projects) for portable storage devices reduces the risk of using such technologies by allowing organizations to assign responsibility and accountability for addressing known vulnerabilities in the devices (e.g., malicious code insertion). Related control: PL-4.
References: FIPS Publication 199; NIST Special Publication 800-111.
NIST 800-53 (r5) Discussion: None
38North Guidance:
Meets Minimum Requirement:
There is a policy in place to prohibit the use of portable media devices with unknown or untrusted owners
There are procedures or tools in place to ensure that the use of unauthorized or unidentifiable storage devices is detected and blocked
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Network Access Control (NAC) security policies and procedures
Security policy prohibiting the use of portable media without confirming the identity of the owner(s)
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited