How to Comply with CMMC AC.2.006 Limit Use of Portable Storage Devices on External Systems

One of the first steps to being CMMC compliant is following the portable storage compliance policy, A.K.A CMMC AC.2.006.

When it comes to CMMC compliance, controlling all of your data is absolutely critical – but also extremely difficult. 

Whether you’re a small business or a large organization, there are several security measures that you’ll need to implement. One of the first policies being – limiting use of portable storage devices on external systems, A.K.A. CMMC AC.2.006.

What is CMMC AC.2.006?

Before diving in, check out our blog: Understanding the CMMC 2.0 Framework to gain a foundation understanding of CMMC. 

As for CMMC AC.2.006, this is a user policy document that outlines your organization’s portable storage device policies. Portable storage devices can range from thumb drives to external hard drives, and even CDs. 

Why do portable storage devices need a policy?

While locking down CDs sounds strict, any device that can store data could contain sensitive data such as Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). If this data is leaked via portable devices, they could travel outside of the organization’s premises and be impossible to track. 

Additionally, portable storage devices entering the facility could contain malicious software that could unknowingly take over your entire organization in seconds.

[How To] Limit Use of Portable Storage Devices

We’re in the 21st century – limiting CDs and external hard drives seems simple. However, think of how many employees have access to flash drives, or how many visitors enter the premises and potentially have CDs, DVDs, or any other storage device – seems impossible to control, right? 

Fortunately, there are three ways that you can limit the use of portable storage devices: 

  1. Adopting Group Policy in domain environments
  2. Using registry editor
  3. Taking on a third-party software

1. Adopting Group Policy in Domain Environments

If you’re in a domain environment, whoever manages your server admin (Shameless plug: or IT experts like Omnis Technologies) should be able to configure the Group Policy (GPO) for your organization. 

If you don’t have access or the ability to get IT services, you can do it yourself. It’s easier than you may think. To access the Group Policy, follow these steps

Step One: Push the start menu (bottom left, the Windows icon). Enter “Group Policy Management” into the search bar and click ‘enter’.

Step Two: If ‘Forest…’ doesn’t pop-up automatically, click ‘Group Policy Management’ and you should see the subfolder. If ‘Forest…’ is already showing, click that subfolder.

Step Three: The ‘Domains’ subfolder should appear, click there. Several domains may appear. If they do, click the domain you want to enforce this policy on.

Step Four: Click the next subfolder ‘Domain Controllers’ and right-click on the ‘Default Domain Controllers Policy’, then click ‘Edit’. The Group Policy Management Editor should open.

Step Five: This step is going to involve expanding multiple subfolders. Expand the following: 

‘Computer Configuration’ > ‘Policies’ > ‘Administrative Templates’ > ‘System’ > ‘Removable Storage Access’

Step Six: In the extended pane on the right of the ‘Removable Storage Access’ subfolder, you’ll find ‘All Removable Storage Classes: Deny All Access’ – right-click on this. 

Step Seven: The configuration window for ‘All Removable Storage Classes: Deny All Classes’ should open. On the left side, select ‘Enabled’, then ‘Apply’ in the bottom right, then ‘OK’ to close the window.

2. Using Registry Editor

If you’re not in a domain environment, chances are you have a local Windows policy setup. If you have IT, they should be able to configure this policy (Another shameless plug, Omnis Tech, a CMMC consultant is always willing to help out).  

Similar to Group Policy environments, the policy states “All Removable Storage Classes: Deny All Access.” The difference is, the following steps need to be applied to each machine individually.

If you don’t have access to IT services, follow these steps: 

Step One: Push the start menu (bottom left, the Windows icon). Enter “Registry Editor” into the search bar and right-click this button to ‘Run as Administrator.’

Step Two: Expand the following subfolders: 

‘HKEY_LOCAL_MACHINE’ > ‘SOFTWARE’ > ‘Policies’ > ‘Microsoft’ 

Step Three: A ‘Windows’ subfolder should appear, right-click on this. A menu should appear, select ‘New’, then ‘Key’. You can now name this key “RemovableStorageDevices” for example.

Step Four: Right-click on your newly-created key. Hover over ‘New’, select ‘DWORD (32-bit) Value’. Name this ‘DenyAll’. 

Step Five: Right-click on the new ‘DenyAll’ string and change the value data from ‘0’ to ‘1’. Click ‘OK.’ Close out the registry editor. 

3. Taking on a Third-Party Software

If following the steps above is too overwhelming, taking on a third-party software is an alternative. Keep in mind, while the third-party software is slightly easier than following the steps, it’s still extremely time-consuming and resource intensive

While there are many software options available, we have experience partnering with WatchGuard Technologies.

Implementing & Applying CMMC Compliances

Keeping your data confidential is crucial, but controlling this is not an easy task. No matter the size of your organization, having security measures in place to meet CMMC compliances is necessary. 

With CMMC AC.2.006, the focus is on limiting use of portable storage devices on external systems, but that’s only one of hundreds of policies to follow.

Ready to Get Started? Talk to a CMMC Consultant

At Omnis Technologies, our priority as a CMMC consultant is your cybersecurity. We have 20+ years of experience working with clients just like yourself.

Don’t waste your time and resources on figuring out the best software to install or on configuring policies. Reach out to us and let us worry about being compliant. 

Similar posts