Organisations should treat USB use as a governed transfer workflow, not a user convenience. Enforce encryption at write time, separate decryption keys from the device, inspect file content before copying, and log every authorisation, mount, and sanitisation event so CMMC evidence is available during assessment.
Why This Matters for Security Teams
USB control in air-gapped environments is really about controlling a high-trust data transfer path, not just blocking removable media. For CUI, the risk is not only malware introduction but also unauthorised data exfiltration, a weak chain of custody, and incomplete evidence when auditors ask how transfers were approved, inspected, and sanitised. The NIST Cybersecurity Framework 2.0 reinforces that asset handling and monitoring must be deliberate, repeatable, and measurable.
In practice, the control objective is to make every transfer explainable: who approved it, what was copied, how it was scanned, where the device was stored, and when it was wiped or destroyed. That aligns with the broader NHI discipline described in the Ultimate Guide to NHIs — Standards, where privileged access paths are treated as governed workflows rather than informal exceptions. Air gaps reduce exposure, but they do not remove insider risk, removable-media malware, or shadow transfer behaviour. Many security teams discover USB misuse only after an audit gap or a contamination event has already forced a recovery effort.
How It Works in Practice
A workable USB control model starts with policy, not hardware. Organisations should define which systems may ever touch removable media, which file types are allowed, who can approve transfers, and whether the device is one-way, encrypted, or single-use. The strongest pattern is a governed transfer station outside the protected enclave, where files are staged, scanned, and logged before being moved into the air-gapped segment.
At the device level, controls usually include enforced encryption, device allowlisting, auto-mount disablement, and role-based approval for write access. Decryption keys should remain separate from the USB device so possession alone does not equal access. Content inspection should happen before copy, not after the fact, and should include malware scanning, file integrity checks, and review for prohibited data classes. Logging matters just as much as prevention: every mount, approval, copy, sanitisation, and rejection event should be retained as assessment evidence.
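As an added illustration (not code from the original page or from NHI Mgmt Group), a minimal transfer-station gate in Python: it applies a constructed policy (suffix allowlist, prohibited-content patterns, a stand-in malware check, and a role-based, time-boxed approval), copies only the files that pass, and writes every approval, rejection, copy and sanitisation event to a hash-chained JSON-lines log so that later tampering is detectable. The policy values, role names, regex patterns, malware marker, device serial and sample files are all assumptions made up for the example.

```python
import hashlib
import json
import re
import tempfile
import time
from pathlib import Path

# Constructed policy: the suffix allowlist, role names and approval window are assumptions.
POLICY = {"allowed_suffixes": {".pdf", ".csv", ".txt", ".bin"},
          "approver_roles": {"transfer-officer", "isso"}, "approval_ttl_s": 15 * 60}
# Prohibited data classes for the pre-copy review (constructed patterns).
PROHIBITED = {"cui-marking": re.compile(rb"\bCUI//"),
              "aws-access-key": re.compile(rb"\bAKIA[0-9A-Z]{16}\b")}
# Stand-in for the malware scan: a real station calls its AV engine here (the
# EICAR test file is the usual probe). This marker is made up for the example.
MALWARE_MARKER = b"EXAMPLE-MALWARE-SIGNATURE-NOT-REAL"

def record_hash(rec: dict) -> str:
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only JSON-lines log; each record carries the hash of the one before it."""
    def __init__(self, path: Path):
        self.path, self.last = path, "0" * 64

    def append(self, event: str, **fields) -> dict:
        rec = {"ts": time.time(), "event": event, "prev": self.last, **fields}
        rec["hash"] = self.last = record_hash(rec)
        with self.path.open("a") as f:
            f.write(json.dumps(rec, sort_keys=True) + "\n")
        return rec

    def verify(self) -> bool:
        """True only if every stored record is intact and chained to its predecessor."""
        prev = "0" * 64
        for line in self.path.read_text().splitlines():
            rec = json.loads(line)
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or record_hash(body) != rec["hash"]:
                return False
            prev = rec["hash"]
        return True

def inspect_file(path: Path) -> list:
    """Return rejection reasons; an empty list means the file may be copied."""
    data = path.read_bytes()
    reasons = ["prohibited-data:" + n for n, p in PROHIBITED.items() if p.search(data)]
    if path.suffix.lower() not in POLICY["allowed_suffixes"]:
        reasons.append("suffix-not-allowed:" + path.suffix)
    if MALWARE_MARKER in data:
        reasons.append("malware-signature")
    return reasons

def approval_valid(approval: dict, now: float) -> bool:
    """Role-based and time-boxed: an approved role, issued in the past, not yet expired."""
    age = now - approval.get("issued", 0)
    return approval.get("role") in POLICY["approver_roles"] and 0 <= age <= POLICY["approval_ttl_s"]

def gate_transfer(staging: Path, dest: Path, approval: dict, log: AuditLog) -> dict:
    """Inspect every staged file, copy only the clean ones, log every decision."""
    device = approval.get("device_serial", "unknown")
    if not approval_valid(approval, time.time()):
        log.append("approval-rejected", device=device, approver=approval.get("user"))
        return {"copied": [], "rejected": {"*": ["approval-invalid"]}}
    log.append("approval-granted", device=device, approver=approval["user"], role=approval["role"])
    copied, rejected = [], {}
    for path in sorted(p for p in staging.iterdir() if p.is_file()):
        digest = hashlib.sha256(path.read_bytes()).hexdigest()  # recorded as integrity evidence
        reasons = inspect_file(path)
        if reasons:
            rejected[path.name] = reasons
            log.append("file-rejected", device=device, file=path.name, sha256=digest, reasons=reasons)
            continue
        (dest / path.name).write_bytes(path.read_bytes())
        copied.append(path.name)
        log.append("file-copied", device=device, file=path.name, sha256=digest)
    log.append("sanitise-required", device=device)  # wipe or destroy the device before reuse
    return {"copied": copied, "rejected": rejected}

def demo() -> dict:
    # Constructed sample files in a scratch directory: one clean, three that must be rejected.
    root = Path(tempfile.mkdtemp(prefix="usb-gate-"))
    staging, dest = root / "staging", root / "enclave-inbox"
    for d in (staging, dest):
        d.mkdir()
    (staging / "patch-notes.txt").write_bytes(b"vendor patch 4.2, hash verified\n")
    (staging / "export.csv").write_bytes(b"id,key\n1,AKIAABCDEFGHIJKLMNOP\n")  # leaked key
    (staging / "tool.exe").write_bytes(b"MZ\x90\x00")  # disallowed file type
    (staging / "sample.bin").write_bytes(MALWARE_MARKER)  # "infected"
    log = AuditLog(root / "transfer.log")
    approval = {"user": "j.doe", "role": "transfer-officer", "device_serial": "USB-0042",
                "issued": time.time()}
    result = gate_transfer(staging, dest, approval, log)
    stale = dict(approval, issued=time.time() - 2 * POLICY["approval_ttl_s"])
    result["stale_rejected"] = gate_transfer(staging, dest, stale, log)["copied"] == []
    result["chain_ok"] = log.verify()
    # Flip one recorded decision on disk and confirm the chain no longer verifies.
    lines = log.path.read_text().splitlines()
    lines[1] = lines[1].replace('"file-rejected"', '"file-copied"')
    log.path.write_text("\n".join(lines) + "\n")
    result["tamper_detected"] = not log.verify()
    return result
```

Calling `demo()` copies only `patch-notes.txt`, rejects the other three with the reason an auditor would want to see, refuses the stale approval, and shows the log verifying before and failing after one record is edited. The chained log is the evidence layer the text calls for: anyone can re-run `verify()` over the file without trusting the station. In production the last hash would be reloaded from disk on restart, the scanner stub would call the station's AV engine, and device allowlisting and auto-mount disablement would sit below this layer in the operating system.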
Practitioner teams often frame the transfer workflow around the DeepSeek breach lessons: exposed credentials and ungoverned data can be abused quickly, even when systems appear isolated. For a broader control baseline, the NIST Cybersecurity Framework 2.0 is useful for mapping protection and monitoring expectations onto transfer custody. These controls tend to break down when local engineers keep "temporary" exception devices outside the approval process because the enclave lacks a fast enough sanctioned transfer path.
Common Variations and Edge Cases
Tighter USB control often increases operational friction, so organisations have to balance mission speed against contamination risk and evidence quality. That tradeoff is real in lab, OT, and defense environments where air-gapped systems still need periodic patching, model updates, or data import from outside networks.
Best practice is still evolving on whether all removable media should be banned or whether tightly governed, encrypted media is acceptable for specific workflows. There is no universal standard for this yet, but current guidance generally favours approved-device lists, one-way transfer where possible, and separate procedures for inbound and outbound media. The more sensitive the CUI, the less defensible it is to allow generic thumb drives or ad hoc copying.
Edge cases also include emergency maintenance, vendor support, and evidence collection after an incident. In those situations, organisations should pre-stage break-glass procedures, time-box approvals, and require post-use sanitisation or physical destruction. If the enclave cannot produce immutable logs for each transfer step, auditors will usually treat the process as weak regardless of whether malware was detected. The real failure mode is not the USB device itself, but the absence of a repeatable custody process that survives staff turnover and incident pressure.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and the NIST AI RMF set the governance and control expectations practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA | USB transfer workflows depend on controlled asset access and accountability. |
| OWASP Non-Human Identity Top 10 | NHI-03 | USB workflows often expose secrets and credentials during offline transfers. |
| NIST AI RMF | Govern function | CUI transfer decisions need governed, documented risk handling and monitoring. |
Apply AI RMF-style governance discipline to define ownership, review, and evidence for high-risk transfer actions. The AI RMF is a framework for AI systems rather than a CUI control catalogue, so it is cited here for its governance discipline, not as the source of specific media-handling requirements.
Related resources from NHI Mgmt Group
- How should organisations evaluate compliance monitoring tools for regulated data environments?
- How should organisations use data observability for AI reliability and audit readiness?
- How should organisations govern DNS changes in managed environments?
- What breaks when organisations use RBAC for every privileged action?