CMMC and Removable Media: The Controls, the Scoring Risk, and How to Close the Gap

Nine removable media controls across four NIST families, with 39 SPRS points at stake. Here is what your System Security Plan (SSP) needs to address.

Overview

Many Cybersecurity Maturity Model Certification (CMMC) preparation guides treat removable media as a policy question: if your organization stores, processes, or creates controlled unclassified information (CUI), ban USB ports and USB devices and move on. An organization-wide ban may work if removable devices are optional in your operations. It does not work if you depend on removable media to manage air-gapped systems, support field operations, maintain industrial control systems, or exchange data with supply chain partners through physical media. CMMC Level 2 includes at least nine controls that govern or materially affect how removable media is used, scanned, tracked, and discarded. USB security and compliance controls span four NIST SP 800-171 families:
  • Media Protection
  • System and Information Integrity
  • Configuration Management
  • Maintenance
They carry a combined Supplier Performance Risk System (SPRS) weight of 39 points. In this guide, we map the controls and their scoring risk, then show how TYREX Decontamination Stations can help your organization achieve CMMC compliance for removable device security.

USB Security: CMMC Controls

The table below lists NIST SP 800-171 Rev 2 controls relevant to removable media, organized by SPRS point weight. Auditors assess NIST controls in accordance with the CMMC Level 2 Assessment Guide, where every determination statement under each control must be satisfied for a “MET” score.


| NIST Control | Requirement | SPRS Points | Key Requirements for Removable Media |
| --- | --- | --- | --- |
| 3.8.7 | Control use of removable media | 5 | Restrict or prohibit media types; maintain an allowlist of approved devices; block unauthorized ports; implement technical and policy controls against malicious code introduction |
| 3.8.3 | Sanitize or destroy media before disposal or reuse | 5 | Follow NIST SP 800-88 sanitization guidance. A standard overwrite does not satisfy Purge requirements for flash or SSD media due to wear-leveling and over-provisioned storage; cryptographic erasure is conditionally acceptable; for highest assurance, use dedicated device sanitize commands per IEEE 2883 or physical destruction |
| 3.14.2 | Provide malicious code protection at system entry points | 5 | Deploy malware detection at designated locations within organizational systems; maintain current signature definitions and reputation-based detection |
| 3.14.4 | Update malicious code protection mechanisms | 5 | Keep antivirus and antimalware engines and definitions current as new releases become available |
| 3.4.6 | Employ the principle of least functionality | 5 | Disable unnecessary USB ports; restrict device types; configure systems to provide only essential capabilities |
| 3.4.7 | Restrict nonessential programs, functions, ports, protocols, and services | 5 | Disable removable media drivers and USB access where not operationally required |
| 3.8.8 | Prohibit portable storage with no identifiable owner | 3 | Trace every device to an accountable owner; prohibit found or unknown devices from connecting to systems |
| 3.14.5 | Perform periodic and real-time scans of files from external sources | 3 | Scan files from removable media in real time as they are accessed, opened, or executed |
| 3.7.4 | Check media containing diagnostic and test programs for malicious code | 3 | Scan maintenance and diagnostic media before use on organizational systems |

The Scoring Risk

The nine controls total 39 SPRS points, which is more than a third of the maximum 110-point score. Under CMMC 2.0 (32 CFR §170.21), controls with point values greater than one cannot be placed on a Plan of Action and Milestones (POA&M), with one narrow exception for non-FIPS-validated encryption (SC.L2-3.13.11). All nine controls in the table above must be fully implemented at the time of assessment. None can be deferred. With 39 points at stake, failure to address removable media risks makes achieving the conditional certification threshold of 88 points significantly more difficult, and likely impossible if multiple controls are scored as NOT MET.

How TYREX Addresses Each Control

Multi-Engine Scanning and BadUSB Detection

Controls: 3.8.7, 3.14.2, 3.14.5, 3.7.4

TYREX Decontamination Stations scan removable devices before they connect to sensitive IT and OT systems. The stations run up to five antivirus engines simultaneously, plus two AI-powered antimalware engines that provide zero-day and advanced persistent threat detection. TYREX’s scan-before-connect architecture can help organizations address 3.8.7’s requirement to control removable media use and 3.14.2’s malicious code protection requirement. It also supports 3.14.5’s requirement for real-time scanning of files from external sources. Maintenance and diagnostic media pass through the same workflow, covering 3.7.4. TYREX stations also detect BadUSB and similar firmware attacks at the hardware level. BadUSB exploits operate below the file system, which means endpoint antivirus software cannot detect them. TYREX Decontamination Stations identify devices masquerading as a keyboard or other trusted peripheral before they can inject commands, helping to address high-severity attack vectors under 3.8.7 and 3.8.8 by catching devices that misrepresent their identity.

Device Certification and Endpoint Enforcement

Controls: 3.8.7, 3.8.8, 3.4.6, 3.4.7

After scanning, TYREX Decontamination Stations can issue a time-limited certificate to the device. The Workstation Protect Agent, when installed on organizational endpoints, blocks any uncertified USB device. For systems where software agents cannot be installed (legacy equipment, industrial controllers, locked-down workstations), the TYREX Hardware Agent provides equivalent endpoint enforcement through a physical device that sits between the USB port and the host, requiring no software on the protected system. The certification model supports compliance with 3.4.6 (least functionality) and 3.4.7 (restrict nonessential ports) without disabling USB entirely. Every device that enters the environment is traceable through the scanning and certification process. The agent can only be deactivated with a security token, which prevents unauthorized bypass.
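The scan-then-certify flow described above, as a minimal model added here for illustration (this is not TYREX's implementation or format): a station issues a signed, time-limited certificate only after a clean scan for a device with an accountable owner, and an endpoint admits a device only if the certificate is authentic, issued for that exact device, and unexpired. The shared HMAC key, the 8-hour validity window, and the field names are assumptions.

```python
import base64
import hashlib
import hmac
import json

# Assumptions for this illustration: the station and the endpoint agent share a
# symmetric key, and a certificate is valid for 8 hours after a clean scan.
STATION_KEY = b"constructed-demo-key-replace-in-real-deployments"
CERT_VALIDITY_SECONDS = 8 * 3600


def issue_certificate(device_serial, owner, scan_clean, issued_at, key=STATION_KEY):
    """Station side: certify a device only if its scan was clean (3.8.7, 3.14.2)
    and it has an accountable owner (3.8.8). Returns None when either fails."""
    if not scan_clean or not owner:
        return None
    payload = {"serial": device_serial, "owner": owner,
               "issued": issued_at, "expires": issued_at + CERT_VALIDITY_SECONDS}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return base64.b64encode(body).decode() + "." + tag


def verify_certificate(cert, device_serial, now, key=STATION_KEY):
    """Endpoint side: admit a device only if the certificate is authentic, was
    issued for this exact device, and has not expired (3.4.6, 3.4.7)."""
    if cert is None:
        return "blocked: no certificate"
    try:
        b64, tag = cert.rsplit(".", 1)
        body = base64.b64decode(b64)
    except ValueError:  # binascii.Error is a ValueError subclass
        return "blocked: malformed certificate"
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return "blocked: invalid signature"
    payload = json.loads(body)
    if payload["serial"] != device_serial:
        return "blocked: certificate issued for a different device"
    if now >= payload["expires"]:
        return "blocked: certificate expired"
    return "allowed"
```

Binding the certificate to the device serial is what makes a certificate copied onto an unscanned device useless, and the expiry forces a rescan rather than a one-time approval.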

Media Sanitization

Control: 3.8.3

TYREX stations include wiping and sanitization capabilities for media disposal or reuse, directly supporting 3.8.3. For flash and SSD-based removable media, where standard overwrite methods cannot reach wear-leveled or over-provisioned storage regions, organizations can pair TYREX scanning with device sanitization per IEEE 2883 to support compliance with NIST SP 800-88 Rev 2 Purge and Destroy requirements.

Centralized Management, Audit Trail, and Air-Gapped Operation

Control: 3.14.4

The TYREX Management Server provides centralized administration of all deployed stations, including engine and definition update distribution. It directly supports control 3.14.4’s requirement to keep malicious code protection mechanisms current as new releases become available. For air-gapped deployments, updates are loaded through approved removable media that have passed through the decontamination process. The Management Server also provides centralized logging, PDF and CSV reporting, and security information and event management (SIEM) integration via Syslog API, providing the documentation trail that assessors require as evidence for media protection controls.

Next Steps

With Phase 2 C3PAO assessments beginning in November 2026, organizations seeking contracts that involve Controlled Unclassified Information (CUI) should prioritize identifying and closing removable media gaps. TYREX USB decontamination solutions are deployed across more than 5,000 stations with over 350 organizations in defense, government, and critical infrastructure worldwide. To discuss how TYREX fits into your removable media security program, contact a USB compliance specialist.

Sign up for the TYREX newsletter for expert analysis and guidance from TYREX USB security experts Gerard Varjacques and Christophe Bourel.