TL;DR: CMMC enforcement under the new 48 CFR rules makes proof of control mandatory for organisations handling CUI and FCI, and, as Netwrix's analysis argues, air-gapped operations still depend on USB transfer paths that must be encrypted, monitored, and auditable. Compliance now hinges on whether data movement can be demonstrated, not merely documented.
At a glance
What this is: This is a compliance-focused analysis of how CMMC changes the security bar for CUI handling in air-gapped environments, with USB control and evidence of enforcement as the central finding.
Why it matters: It matters because IAM, NHI, and data security teams all have to prove who can move sensitive data, under what conditions, and with what audit evidence.
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
👉 Read Netwrix's analysis of CMMC compliance and USB control for CUI
Context
CMMC compliance is no longer a documentation exercise for defence contractors handling Controlled Unclassified Information. The new 48 CFR enforcement framework turns control validation into a contract eligibility issue, which means organisations must prove that data protection mechanisms actually work in practice.
In air-gapped environments, the hardest problem is often removable media rather than network exposure. USB drives still bridge workstations, manufacturing systems, and external partners, so the control question becomes whether sensitive data remains encrypted, traceable, and revocable as it moves between trusted zones.
That is why this topic sits at the intersection of identity governance, endpoint control, and data security. The article’s starting position is typical for regulated environments that still depend on offline transfer paths.
Key questions
Q: How should organisations control USB use for CUI in air-gapped environments?
A: Organisations should treat USB use as a governed transfer workflow, not a user convenience. Enforce encryption at write time, separate decryption keys from the device, inspect file content before copying, and log every authorisation, mount, and sanitisation event so CMMC evidence is available during assessment.
Q: Why do removable media controls matter so much for CMMC compliance?
A: Removable media often becomes the only practical bridge across isolated systems, so it is a direct compliance boundary. If encryption, traceability, and revocation are weak, CUI can leave the environment without proof of control, which turns an operational shortcut into an audit and contract risk.
Q: What breaks when USB encryption is not tied to central key management?
A: Encryption becomes a false control if the same local user or device can still decrypt data after it leaves the workstation. Without central key management, revocation is unreliable, offsite devices remain readable, and you cannot demonstrate that access ended when policy says it did.
Q: Who is accountable when CUI is moved to an unencrypted or unauthorised USB device?
A: Accountability sits with the organisation that owns the control environment, because CMMC is proof-based rather than trust-based. Security, IAM, endpoint, and compliance teams must jointly show that access, transfer, and sanitisation controls were enforced before the data left the boundary.
Technical breakdown
Why USB encryption is now a compliance control, not just a convenience feature
CMMC and the underlying NIST SP 800-171 baseline treat data protection as something you must demonstrate, not assume. In air-gapped and restricted environments, USB drives become a controlled transfer mechanism, so encryption has to be enforced at the point of use and validated with evidence. The baseline is explicit here: NIST SP 800-171 Rev. 2 requires control over the use of removable media (3.8.7), prohibits portable storage devices with no identifiable owner (3.8.8), and requires FIPS-validated cryptography when encryption is used to protect the confidentiality of CUI (3.13.11). Unencrypted removable media therefore creates a portable exposure path that undermines both confidentiality and assessability. The operational issue is not whether a USB drive can be used, but whether the data on it can leave the boundary in a state that still satisfies contract and audit requirements.
Practical implication: map removable-media controls to your compliance evidence set, not just your endpoint policy set.
MDM-style control for removable media
Treating USB drives like managed devices means the control plane is separated from the media itself. Encryption keys can be stored away from the device, access can be revoked centrally, and the drive can be rendered unreadable even if it remains physically in circulation. That is materially different from simple device blocking because it preserves productivity while keeping policy authority outside the endpoint. For regulated organisations, the architectural value is that the control survives the transfer event. In practice, this turns a removable device into an identity-bound access object rather than a free-floating storage medium.
Practical implication: design removable-media governance so key authority stays central even when devices move offsite.
How traceability and sanitisation close the audit gap
File tracing, content-aware protection, SIEM integration, and media sanitisation address the part of the problem that policies alone cannot solve: proving where sensitive data went and whether it can be removed later. In CMMC terms, this is evidence of control effectiveness, not just the existence of a control. Content-aware blocking reduces accidental transfer of CUI, while sanitisation and overwrite capabilities support secure disposal aligned to NIST SP 800-88 Rev. 1, which distinguishes Clear, Purge, and Destroy and recognises cryptographic erase (destroying the key under which the media was encrypted) as a purge method. That last point is why central key custody and sanitisation are the same control seen from two sides: if the drive only ever held ciphertext and the key lived elsewhere, revoking the key sanitises media you no longer physically hold. The broader pattern is that compliance depends on a visible data trail from creation to transfer to destruction.
Practical implication: require logs, content inspection, and sanitisation evidence as part of every removable-media workflow.
Threat narrative
Attacker objective: The attacker’s objective is to move sensitive CUI out of a controlled environment or make its handling non-compliant enough to threaten contract eligibility.
- Entry: removable media used to transfer CUI between isolated systems and partners, creating a governed but still exposed data path.
- Credential or policy abuse: USB access that is not tied to encryption enforcement, content inspection, or revocable key control.
- Impact: unauthorised disclosure or loss of CUI, plus audit failure when the organisation cannot prove control effectiveness.
Breaches seen in the wild
- ASP.NET machine keys RCE attack — 3,000+ exposed ASP.NET machine keys enabled remote code execution.
- DeepSeek breach — DeepSeek breach exposed 1M+ log lines and sensitive secret keys.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
CMMC has turned removable media governance into an identity and evidence problem. The shift to 48 CFR enforcement means organisations are judged on whether controls can be proven, not whether they are merely written down. In air-gapped programmes, USB workflows are now part of the compliance boundary, so device control, key control, and auditability must be managed together. Practitioners should treat removable media as governed infrastructure, not convenience storage.
Data movement controls are now a proxy for trustworthiness. When CUI has to cross isolation boundaries, the question is no longer whether the transfer is allowed, but whether the organisation can prove that access was constrained, encrypted, and recorded. That makes endpoint protection, DSPM, and IAM adjacent disciplines rather than separate silos. The implication is that CMMC readiness depends on joining those disciplines into one evidentiary chain.
MDM-style USB control is best understood as policy continuity across a physical boundary. The important shift is that governance authority stays with the organisation even after the device leaves the workstation. That breaks the old assumption that removable media can be left to local discretion once encryption is enabled. Practitioners should re-evaluate any model that treats endpoint policy as sufficient without central revocation and traceability.
Identity is the control plane behind data handling, even offline. Least privilege, access restriction, and revocation still matter when the transfer medium is a USB drive rather than a cloud endpoint. The relevant governance question is who can move what data, under which trust level, and with what proof. Practitioners should align removable-media governance to identity policy, not only to endpoint hardening.
From our research:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the 2024 ESG Report: Managing Non-Human Identities.
- The same research found that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed cases and 26% suspected cases.
- For the governance angle behind these findings, see the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs for the lifecycle controls that reduce exposure.
What this signals
MDM-style USB control is really lifecycle control for removable media. Once you frame the problem that way, the focus shifts from device permissioning to issuance, revocation, sanitisation, and evidence retention. The organisations most exposed here are the ones that still treat offline transfer paths as exceptions instead of governed identity-adjacent workflows.
CMMC pressure will likely push more teams to join endpoint policy, IAM, and DSPM into a single operational view. That matters because removable media failures are usually not one-control problems. They are control-chain problems, and the chain only holds if every transfer step is visible and reversible.
The governance signal is clear: compliance programmes that cannot explain who moved CUI, when it was encrypted, and how it was later purged will struggle under assessment. For practitioners, the right next step is to align removable-media workflows with the same evidence discipline used for privileged access reviews and key revocation.
For practitioners
- Tie USB access to centrally managed encryption keys: separate decryption authority from the removable device so access can be revoked without recovering the physical media. Use distinct key custody, short-lived authorisation where possible, and audit trails that show when a device was encrypted, mounted, and revoked.
- Apply content-aware blocking for CUI patterns: inspect file content and metadata before write operations to removable media so that CUI cannot be copied out in plaintext by accident. Align the detection rules to the specific document types and banner markings used in your programmes, then test the block path against real user workflows.
- Build removable-media evidence into CMMC assessments: preserve logs for encryption enforcement, file tracing, device authorisation, and sanitisation so assessors can verify control effectiveness. Treat the evidence package as part of the control, not an afterthought, and review it against the contract level you are actually pursuing.
- Coordinate endpoint, IAM, and DSPM controls: use access data, file movement telemetry, and data discovery results together so governance does not stop at the workstation boundary. That gives you a single view of who can move regulated data, where it resides, and whether it can be removed or revoked when needed.
- Validate sanitisation and purge procedures for offsite devices: test remote wipe, overwrite, and purge workflows on real media so the control works after the USB drive leaves the office. Include evidence that the sanitisation method matches your regulatory retention and disposal obligations, and remember that for offsite flash media you cannot retrieve, cryptographic erase of the centrally held key is the only purge you can actually prove.
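The five points above describe one workflow: enrol the device, inspect content for CUI markings before the write, encrypt with a key the drive never carries, log every decision, and revoke centrally. The sketch below is an added illustration of that chain, written for this page; it is not Netwrix's tooling, nor code from the original article, and nothing in it is a CMMC-mandated design. The device serials, the sample documents, and the banner-marking regexes are constructed for the example, and the HMAC-SHA256 keystream cipher is a deliberately simple stand-in (so the example runs on the standard library) for the FIPS-validated AEAD, such as AES-GCM from a validated module, that a real deployment must use under 3.13.11.

```python
"""Governed USB transfer: content gate, central key custody, revocation, audit trail.

Illustrative code added to this page, not a product's implementation.  The cipher
below is an HMAC-SHA256 keystream plus HMAC tag: a stand-in for a FIPS-validated AEAD.
"""
from __future__ import annotations
import hashlib, hmac, re, secrets, time
from dataclasses import dataclass, field

# Constructed banner-marking patterns in the 32 CFR 2002 style: "CUI", "CUI//SP-CTI", ...
CUI_PATTERNS = (
    re.compile(r"\bCUI(?://[A-Z][A-Z0-9-]*(?:/[A-Z][A-Z0-9-]*)*)?\b"),
    re.compile(r"\bCONTROLLED UNCLASSIFIED INFORMATION\b", re.IGNORECASE),
)


def find_cui_markings(text: str) -> list[str]:
    """Return every CUI banner marking found in a file body (empty list if none)."""
    return [m.group(0) for pat in CUI_PATTERNS for m in pat.finditer(text)]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR-style XOR with HMAC-SHA256(key, nonce || counter) blocks (toy, see docstring)."""
    out = bytearray()
    for counter, i in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


class CentralKeyService:
    """Per-transfer data-encryption keys (DEKs) live here, never on the drive.
    Dropping a record is a cryptographic erase: the payload is unreadable wherever the drive is."""

    def __init__(self) -> None:
        self._deks: dict[str, bytes] = {}

    def issue(self, transfer_id: str) -> bytes:
        self._deks[transfer_id] = secrets.token_bytes(32)
        return self._deks[transfer_id]

    def fetch(self, transfer_id: str) -> bytes | None:
        return self._deks.get(transfer_id)

    def revoke(self, transfer_id: str) -> bool:
        return self._deks.pop(transfer_id, None) is not None


@dataclass
class MediaGateway:
    keys: CentralKeyService
    devices: dict[str, bool]                         # enrolled serial -> approved for CUI?
    audit: list[dict] = field(default_factory=list)  # SIEM-bound event records

    def _log(self, event: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "event": event, **fields})

    def write(self, serial: str, user: str, name: str, data: bytes):
        """Gate a copy to removable media; returns (allowed, payload-or-denial-reason)."""
        markings = find_cui_markings(data.decode("utf-8", "replace"))
        if serial not in self.devices:
            reason = "unenrolled_device"          # no identifiable owner: block outright
        elif markings and not self.devices[serial]:
            reason = "cui_to_unapproved_device"   # content-aware block
        else:
            reason = None
        if reason:
            self._log("write_denied", device=serial, user=user, file=name,
                      markings=markings, reason=reason)
            return False, reason
        transfer_id = secrets.token_hex(8)
        dek = self.keys.issue(transfer_id)        # key stays central; drive gets ciphertext only
        nonce = secrets.token_bytes(16)
        ct = _keystream_xor(dek, nonce, data)
        tag = hmac.new(dek, nonce + ct, hashlib.sha256).digest()
        self._log("write_allowed", device=serial, user=user, file=name,
                  markings=markings, transfer_id=transfer_id)
        return True, {"transfer_id": transfer_id, "file": name, "nonce": nonce, "ct": ct, "tag": tag}

    def read(self, payload: dict, user: str) -> bytes | None:
        """Decrypt only if the central service still holds the DEK and the tag verifies."""
        tid = payload["transfer_id"]
        dek = self.keys.fetch(tid)
        if dek is None:
            self._log("read_denied", user=user, transfer_id=tid, reason="key_revoked_or_unknown")
            return None
        expected = hmac.new(dek, payload["nonce"] + payload["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, payload["tag"]):
            self._log("read_denied", user=user, transfer_id=tid, reason="tag_mismatch")
            return None
        self._log("read_allowed", user=user, transfer_id=tid)
        return _keystream_xor(dek, payload["nonce"], payload["ct"])


def demo() -> dict:
    """Allow, content-block, unenrolled-block, decrypt, revoke; returns outcomes for inspection."""
    gw = MediaGateway(CentralKeyService(), devices={"SN-ORG-001": True, "SN-PARTNER-7": False})
    cui_doc = b"CUI//SP-CTI\nTurbine blade tolerances: ...\n"  # constructed sample
    memo = b"Cafeteria menu for next week\n"                       # constructed sample
    ok, payload = gw.write("SN-ORG-001", "alice", "blade.txt", cui_doc)
    blocked, why = gw.write("SN-PARTNER-7", "alice", "blade.txt", cui_doc)
    memo_ok, _ = gw.write("SN-PARTNER-7", "alice", "menu.txt", memo)
    rogue, _ = gw.write("SN-UNKNOWN", "bob", "menu.txt", memo)
    before = gw.read(payload, "carol")
    gw.keys.revoke(payload["transfer_id"])      # drive is offsite; key is gone anyway
    after = gw.read(payload, "carol")
    return {"cui_allowed": ok, "cui_blocked": blocked, "block_reason": why, "memo_allowed": memo_ok,
            "rogue": rogue, "decrypted_before": before == cui_doc, "decrypted_after": after,
            "events": [e["event"] for e in gw.audit]}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point to notice is in `read`: possession of the payload plus a valid device is never enough, because every decryption is a call to the central service, so `revoke` ends access without the drive ever being recovered, and the `audit` list carries the allow, block, and revoke-after-the-fact events an assessor would ask for. Swap the `_keystream_xor`/HMAC pair for a validated AEAD and the `audit` list for your SIEM forwarder; the control structure does not change.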
Key takeaways
- CMMC enforcement changes USB handling from a local IT preference into a contract-linked control requirement.
- Air-gapped environments still need removable-media governance because the data path, not the network, is the exposure point.
- The strongest controls combine encryption, central key authority, traceability, and sanitisation evidence.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 and NIST SP 800-171 frame the technical controls, NIST SP 800-88 covers media sanitisation, and DORA illustrates the regulatory expectations found in other regulated sectors.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 | Access permissions, least privilege, and revocation are central to governed USB handling. |
| NIST CSF 2.0 | PR.DS-01 | Protection of data at rest on USB media depends on encryption and controlled transfer. |
| NIST SP 800-171 Rev. 2 | 3.8.7, 3.8.8, 3.13.11 | Control removable media, bar portable storage with no identifiable owner, and use FIPS-validated cryptography for CUI confidentiality. |
| NIST SP 800-88 Rev. 1 | Clear / Purge / Destroy | Sanitisation of media that carried CUI, including cryptographic erase for encrypted media. |
| DORA | Operational resilience obligations | The article’s proof-of-control emphasis mirrors operational resilience expectations in regulated sectors. |
Use evidence-backed control testing for sensitive transfer workflows, even when systems are isolated.
Key terms
- Controlled Unclassified Information: Controlled Unclassified Information is sensitive government-related information that is not classified but still requires protection. In defence contracting, it often includes engineering, project, and technical data that must be handled under specific security obligations and verified controls.
- Removable Media Governance: Removable media governance is the set of policies, controls, and evidence that regulate how USB drives and similar devices are issued, encrypted, monitored, and revoked. It becomes especially important when offline transfer paths are unavoidable and data must remain auditable end to end.
- Proof-Based Compliance: Proof-based compliance means an organisation must demonstrate that a control operated effectively, not just say that a policy exists. In CMMC contexts, this requires logs, testing, and evidence that show data was protected, traced, and sanitised across the full workflow.
- Central Key Management: Central key management keeps encryption authority separate from the storage device so access can be controlled and revoked independently. For removable media, this prevents local possession of the drive from automatically becoming possession of the data.
Deepen your knowledge
NHI governance, machine identity security, and identity lifecycle management are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or governance maturity, it is worth exploring.
This post draws on content published by Netwrix: CMMC compliance and the critical role of MDM-style USB control in protecting CUI. Read the original.
Published by the NHIMG editorial team on 2025-11-03.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org