Data Protection

Removable Media Auditor

Pulls forensic-grade USB history from the registry, then proves storage is blocked or required to be encrypted.

Covered practices · NIST SP 800-171 Rev 2

  • 3.8.7 Control use of removable media (Primary)
  • 3.8.6 Cryptographic protection of CUI on portable media (Primary)
  • 3.8.5 Control access to media and accountability
  • 3.8.8 Identifiable-owner requirement
  • 3.8.3 Sanitize media before reuse

100% coverage of USB device history from registry per host

The problem

3.8 is one of the simpler 800-171 control families and one of the most consistently failed. USB is universal, USB blocking is uncommon outside well-funded environments, and the procedural side of media sanitization is rarely documented to assessor satisfaction. Most contractors fail at least 3.8.7 (control of removable media) on first scan and never close it before assessment.

USB device history is interesting because Windows records it permanently. Every USB storage device ever plugged into a Windows host since installation appears in HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR with vendor, product, and serial number, and setupapi.dev.log adds the timestamp. The inventory is forensic-grade and already on every Windows host; it just has to be retrieved and reviewed, which most contractors never do.

Printers belong in this audit even though they are not removable in the conventional sense. Printer internal storage holds the last 20 to 100 print jobs in plaintext. The hard drive is physically removable. C3PAOs have flagged unencrypted printer drives as CUI exposure in actual assessments, so the technical surface for 3.8 includes them and the SSP must too.

What CMMC requires

NIST SP 800-171 Rev 2 controls this agent verifies. Primary mappings drive the gap assessment; secondary mappings provide supporting evidence in the SSP.

Primary mapping

NIST 3.8.7 Control use of removable media

Verifies that a technical mechanism for blocking unauthorized USB storage exists: module blacklists, USBSTOR Start=4, USBGuard, or device installation restrictions.

NIST 3.8.6 Cryptographic protection of CUI on portable media

Confirms BitLocker To Go is required (Windows) or an equivalent mechanism enforces encryption before CUI can be written to removable media.

Secondary mapping

NIST 3.8.5 Control access to media and accountability

Produces the removable media inventory the SSP requires: every USB device ever connected, with vendor, product, and serial.

NIST 3.8.8 Identifiable-owner requirement

Detects USB devices with no serial number; they cannot be tracked individually and fail accountability under 3.8.8.

NIST 3.8.3 Sanitize media before reuse

Verifies a sanitization tool is installed on the host. The procedural side (documented procedure) requires manual review.

How it works

Per-platform detection logic. The agent runs unprivileged where possible and falls back gracefully when raw access is unavailable.

Linux

Parses udevadm info --export-db and /run/udev/data/ for USB mass storage device history. Reads /sys/bus/usb/devices/ for currently connected USB devices including idVendor, idProduct, manufacturer, and product. Greps journalctl -k for usb-storage, Mass Storage, and SCSI device entries to reconstruct plug-in history. Checks /etc/modprobe.d/ for blacklist usb-storage or install usb-storage /bin/false, and detects USBGuard via systemctl is-active usbguard with full rule enumeration.
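An added example (not the agent's code) of the modprobe.d check described above, assuming the files under /etc/modprobe.d/ have already been read into a dict keyed by path and that the USBGuard state is the trimmed output of systemctl is-active usbguard; the configuration contents are constructed.

```python
import re

# Constructed /etc/modprobe.d contents (not from any real host), keyed by path.
SAMPLE_STRONG = {
    "/etc/modprobe.d/blacklist.conf": "# local hardening\nblacklist usb-storage\n",
    "/etc/modprobe.d/usb.conf": "install usb-storage /bin/false\n",
}
SAMPLE_WEAK = {"/etc/modprobe.d/blacklist.conf": "blacklist   usb_storage\n"}

# modprobe treats '-' and '_' in module names as equivalent, so match both.
BLACKLIST_RE = re.compile(r"^\s*blacklist\s+usb[-_]storage\s*$")
INSTALL_RE = re.compile(r"^\s*install\s+usb[-_]storage\s+(/bin/(?:false|true))\s*$")

def evaluate_modprobe(files):
    """Return (posture, evidence) for the usb-storage blocking idioms found."""
    evidence = {"blacklist": [], "install": []}
    for path, text in files.items():
        for line in text.splitlines():
            if line.lstrip().startswith("#"):
                continue  # full-line comment
            if BLACKLIST_RE.match(line):
                evidence["blacklist"].append(path)
            elif m := INSTALL_RE.match(line):
                evidence["install"].append((path, m[1]))
    # 'blacklist' only stops alias-based autoload; an explicit 'modprobe usb-storage'
    # still succeeds. 'install usb-storage /bin/false' defeats that too, so it is
    # the stronger of the two idioms the agent looks for.
    if evidence["install"]:
        posture = "blocked"
    elif evidence["blacklist"]:
        posture = "autoload-only"
    else:
        posture = "accessible"
    return posture, evidence

def linux_finding(posture, usbguard_state):
    """usbguard_state is the trimmed output of 'systemctl is-active usbguard'."""
    if posture == "accessible" and usbguard_state != "active":
        return ("HIGH", "No USBGuard or kernel module blacklist on Linux")
    return None
```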

Windows

Reads HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR for the full history of every USB storage device with VID, PID, and serial. Parses C:\Windows\INF\setupapi.dev.log for first-connection timestamps. Checks USBSTOR\Start (4=blocked, 3/2=accessible). Reads HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices Deny_Write keys and FVE policies for BitLocker To Go enforcement, so encryption-on-write requirements get measured and reported.
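An added example, not the agent's or the page's own code, covering the registry history described under "The problem" and the Windows logic above: it parses constructed setupapi.dev.log entries into a first-seen inventory, flags Windows-generated instance IDs (no serial in the descriptor), applies the USBSTOR Start semantics, and maps the result to the finding titles used later on this page. The registry dict keys are shortened placeholders; RDVDenyWriteAccess is the FVE policy value behind "deny write access to removable drives not protected by BitLocker".

```python
import re
from datetime import datetime

# Constructed sample of C:\Windows\INF\setupapi.dev.log entries (not a real log).
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\\4C530001234567890123&0]
>>>  Section start 2023/04/12 09:15:32.123
<<<  Section end 2023/04/12 09:15:33.001
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&1e0a53f1&0&_&0]
>>>  Section start 2023/05/02 14:02:10.555
<<<  Section end 2023/05/02 14:02:11.000
"""
DEVICE_RE = re.compile(r"USBSTOR\\[^\\]+&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)"
                       r"&Rev_[^\\]*\\(?P<instance>[^\]]+)\]")
START_RE = re.compile(r"Section start (\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+)")
START_SEMANTICS = {4: "blocked", 3: "accessible", 2: "accessible"}  # USBSTOR\Start

def parse_setupapi(text):
    """Return one first-connection record per USBSTOR instance ID, in log order."""
    devices, pending = {}, None
    for line in text.splitlines():
        if m := DEVICE_RE.search(line):
            inst = m["instance"]
            # Windows synthesises the instance ID when the USB descriptor carries
            # no serial; the tell-tale is an '&' in the second character.
            pending = {"vendor": m["vendor"], "product": m["product"],
                       "instance_id": inst, "first_seen": None,
                       "serial": None if inst[1:2] == "&" else inst.rsplit("&", 1)[0]}
        elif pending and (t := START_RE.search(line)):
            pending["first_seen"] = datetime.strptime(t[1], "%Y/%m/%d %H:%M:%S.%f")
            devices.setdefault(pending["instance_id"], pending)  # log is chronological
            pending = None
    return list(devices.values())

def findings(registry, devices):
    """Map registry state and inventory to the finding titles used on this page.
    registry uses constructed short keys for the USBSTOR Start value and the FVE
    'deny write access to removable drives not protected by BitLocker' policy."""
    out = []
    if START_SEMANTICS.get(registry.get("USBSTOR\\Start")) == "accessible":
        out.append(("HIGH", "USB storage accessible on Windows"))
    if registry.get("FVE\\RDVDenyWriteAccess") != 1:
        out.append(("HIGH", "BitLocker To Go not required"))
    for d in devices:
        if d["serial"] is None:
            out.append(("MEDIUM", f"USB device with no serial number: {d['vendor']} {d['product']}"))
    return out
```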

macOS

Runs system_profiler SPUSBDataType -json for currently connected USB devices and queries log show --predicate 'subsystem == "com.apple.DiskManagement"' for recent disk mount and unmount events. Returns the same structured device inventory format as Linux and Windows so cross-platform fleets produce a single reportable artifact.

What it finds

Concrete findings written to the assessor's mental model, not abstract categories. Severity drives POA&M priority and SPRS deduction.

  • HIGH
    USB storage accessible on Windows
    USBSTOR\Start = 3 or 2: USB storage devices can be inserted and used. No deny-by-default control.
  • HIGH
    No USBGuard or kernel module blacklist on Linux
    usb-storage module not blacklisted and USBGuard not running. Any USB storage device that gets plugged in is mountable.
  • HIGH
    BitLocker To Go not required
    FVE policy does not require encryption before write to removable media. Unencrypted USB drives can be written with CUI.
  • HIGH
    No encrypted USB enforcement mechanism
    No technical control prevents an unencrypted USB device from being used for CUI. Procedural-only enforcement fails 3.8.6.
  • MEDIUM
    USB device with no serial number
    Connected device exposes no serial in the USB descriptor. It cannot be individually tracked and fails the 3.8.8 identifiable-owner requirement.
  • MEDIUM
    No sanitization tool installed
    No shred, wipe, srm, nwipe, sdelete, or equivalent. 3.8.3 sanitization-before-disposal cannot be performed at the host.
  • MEDIUM
    Printer hard drive not in media inventory
    Printer detected by network scan does not appear in any documented media asset list. Internal storage is removable and often holds CUI.

SPRS impact

3.8.7 and 3.8.6 are each 3-point controls, and 3.8.5 is 3 points as well. A contractor with unrestricted USB, no encryption requirement, and no inventory loses 9 points across the family on first scan, and remediates most of it with a Group Policy push or a single modprobe.d file. Printer hard drives surfacing as undocumented media commonly add another 3 points on 3.8.1, all of it discoverable inside a single scan window the contractor can close before the assessment.

How it hooks into the platform

USBSTOR registry, udev history, and current-connection state are pulled from each host on a cadence the platform sets, with no operator action. You decide whether per-host device history stays on-prem (often the right choice given how identifying the data is) or syncs up. The removable_media_inventory array populates the SSP's 3.8.5 media asset section with every device, vendor, model, serial, and first/last seen. POA&M items open per host with the blocking mechanism for 3.8.7 and 3.8.6. Printer findings from the network scanner cross-reference here to flag undocumented printer drives.

How we know it's working

Acceptance criteria from the engineering spec: what the agent must do to ship.

  • Pulls full forensic USB history from the Windows registry per host
  • Detects USBGuard policy and rule set on Linux without elevation
  • Identifies both the blacklist and the install /bin/false modprobe.d blocking idioms
  • Returns a structured removable_media_inventory artifact for every host
  • Cross-references printer findings from the network scanner automatically
  • Reads USBSTOR\Start values 2, 3, and 4 with correct semantic mapping
  • Flags USB devices that expose no serial as 3.8.8 accountability findings