By NHI Mgmt Group Editorial Team | Published 2026-05-26 | Domain: Events | Source: Netwrix

TL;DR: Controlled Unclassified Information can still leave through unencrypted USBs, shadow printing, and Bluetooth transfers even after discovery, which is why Netwrix’s webinar frames endpoint enforcement, device control, and data movement monitoring as core CMMC compliance issues. The practical lesson is that classification without device-level control leaves a measurable enforcement gap.


At a glance

What this is: This on-demand webinar focuses on protecting Controlled Unclassified Information with endpoint encryption, device controls, and data movement monitoring, and its key finding is that unmanaged endpoints remain a compliance blind spot.

Why it matters: It matters because IAM and security teams cannot treat CMMC readiness as a paperwork exercise when USBs, printers, and Bluetooth channels can bypass policy enforcement across NHI, autonomous, and human-operated environments.

👉 Watch Netwrix's on-demand webinar on CUI endpoint protection and CMMC compliance


Context

Controlled Unclassified Information is only as protected as the endpoints it can reach. In CMMC programmes, the gap is often not classification but enforcement: unmanaged devices, weak encryption, and uncontrolled transfer paths let sensitive data move outside the guardrails that policy assumes exist. This is a governance problem as much as a technical one.

The webinar centres on endpoint controls because that is where policy meets reality. If organisations cannot see file movement, control removable media, or distinguish trusted from unmanaged devices, then CUI protection becomes an aspiration rather than an auditable control set.


Key questions

Q: How should security teams prevent CUI from leaving through unmanaged endpoints?

A: They should combine encryption, device control, and monitoring rather than relying on classification alone. CUI can still move through USBs, printers, and Bluetooth if the endpoint is not trusted, so the control set must enforce policy at the point of transfer and generate evidence for audit and incident review.

Q: Why do unmanaged USBs and printers create CMMC compliance risk?

A: Because they create alternate exfiltration paths that often sit outside the controls organisations monitor most closely. If removable media, print paths, or wireless peripherals are not bound to device trust and logging, sensitive data can leave the environment without triggering the main security stack.

Q: What signals show that endpoint controls for CUI are not working?

A: Look for unencrypted media use, file transfers to unmanaged devices, and the absence of reliable logs for copy, print, and Bluetooth activity. If you cannot reconstruct where CUI went, the control set is not providing auditable protection.

Q: Who is accountable when CUI is lost through endpoint channels?

A: Accountability sits with the programme owners responsible for endpoint enforcement, data protection, and audit readiness, not just with end users. If device rules are too broad or visibility is too weak, the failure is governance-level as well as operational.


Background and context

Endpoint encryption for removable media

AES-256 software-based encryption protects data at rest on portable media, but the control only matters when it is consistently enforced across devices and users. In practice, endpoint encryption must be paired with device trust decisions, because encrypted media can still be misused if access is not limited to authorised systems and workflows. The technical issue is not whether encryption exists, but whether it is mandatory at the point of use and tied to policy-compliant endpoints.

Practical implication: require enforced encryption for removable media and verify that policy cannot be bypassed on unmanaged endpoints.

Granular device control for USB, printers, and Bluetooth

Granular device control is the ability to allow, restrict, or block specific endpoint channels rather than treating all peripherals as equal. USB storage, printers, and Bluetooth each create different exfiltration paths, so a one-size-fits-all rule set leaves gaps that attackers and insiders can exploit. Content-aware controls matter because the same device can be harmless for one workflow and risky for another, depending on the data being moved and the endpoint state.

Practical implication: segment endpoint rules by device class and trust level so unmanaged peripherals do not become blanket data exits.

File shadowing and cross-platform visibility

File shadowing records what is being copied, printed, or transferred, giving security teams an evidence trail for data movement across endpoints. Cross-platform visibility matters because CUI exposure is rarely confined to a single operating system or device type. Without that telemetry, organisations cannot reliably investigate transfers, prove enforcement, or distinguish authorised handling from policy drift. Visibility is the control that turns endpoint policy into something auditable.

Practical implication: enable file shadowing and logging across platforms so endpoint activity can be investigated and certified.


NHI Mgmt Group analysis

CUI protection fails when endpoint policy stops at discovery and never reaches enforcement. Classification tells you what data matters, but unmanaged devices determine whether the data can still leave the environment. The control gap is not awareness; it is the absence of technical guardrails on the channels people actually use. Practitioners should treat enforcement as the real boundary of CMMC readiness.

Unencrypted removable media remains the simplest proof that governance and device control are still misaligned. If USBs can be used outside software-based encryption and trusted device rules, then the organisation has not reduced the exfiltration surface. This is a classic NHI-style trust problem applied to endpoints: policy says the channel is controlled, but the device state says otherwise. Practitioners should assume removable media is a live risk until controls prove otherwise.

Shadow printing and Bluetooth transfers are not edge cases; they are alternate data movement paths that bypass mainstream monitoring. Security programmes often instrument email and cloud storage while leaving peripheral channels under-governed. That creates blind spots that adversaries do not need to defeat, only route around. Practitioners should re-evaluate whether their data loss controls cover the full endpoint surface or just the most visible paths.

Granular device trust is the named control gap this webinar exposes. The issue is not a lack of CMMC language or endpoint tooling in general, but the failure to make trust decisions specific enough to block unmanaged devices while preserving legitimate workflows. That gap shows up whenever policy is broad but enforcement is channel-specific. Practitioners should map trust rules to device class, data type, and endpoint posture.

From our research:

  • Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
  • 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
  • For related governance guidance, review the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs to connect endpoint enforcement with lifecycle control.

What this signals

Granular device trust is becoming the real boundary for CUI governance. Endpoint programmes that still rely on broad allow or deny rules will struggle to prove control over removable media, print paths, and wireless transfer channels. For practitioners, that means policy design must be paired with device-state enforcement and evidence capture, not just security awareness.

The operational question is whether CMMC controls can survive outside the managed laptop. If the answer is no, the programme still depends on assumptions about device ownership, encryption state, and user behaviour that attackers can route around. Teams should be checking where endpoint policy breaks when a file leaves the standard workspace.


For practitioners

  • Enforce encryption on removable media: Require AES-256 software-based encryption for any USB device that can carry CUI, and block write access until the device is validated as trusted.
  • Restrict peripheral channels by trust level: Apply separate rules for USB storage, printers, and Bluetooth so unmanaged devices cannot use the same permissions as managed endpoints.
  • Turn on file shadowing for investigations: Capture copy, print, and transfer activity across endpoints so policy violations can be reconstructed after the fact.
  • Align DLP with endpoint posture: Use content-aware DLP to distinguish CUI from ordinary files and combine it with device state checks before allowing movement.
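The four practitioner steps above expressed as one transfer-time policy check: content-aware classification, a per-channel trust rule, a shadow record for every attempt, and a reconstruction of where CUI actually left. This is an added illustration, not Netwrix's or the webinar's code; the Device fields, the CUI marker strings and the sample transfers are all constructed assumptions.

```python
from dataclasses import dataclass

CUI_MARKERS = ("CUI//", "CONTROLLED UNCLASSIFIED INFORMATION")  # assumed markings

@dataclass
class Device:
    channel: str     # "usb", "printer" or "bluetooth"
    managed: bool    # enrolled in endpoint management
    encrypted: bool  # AES-256 software encryption active (USB only)

def classify(content: str) -> str:
    """Content-aware check: look for CUI markings in the file body."""
    return "CUI" if any(m in content.upper() for m in CUI_MARKERS) else "ORDINARY"

def decide(content: str, dev: Device) -> tuple:
    """Per-channel trust rule. Returns (verdict, reason); unknown channels block."""
    if classify(content) == "ORDINARY":
        return "allow", "not CUI"
    if dev.channel == "usb":
        if not dev.managed:
            return "block", "CUI to unmanaged USB"
        if not dev.encrypted:
            return "block", "CUI to unencrypted USB"
        return "allow", "CUI to managed encrypted USB"
    if dev.channel == "printer":
        return ("allow", "CUI to managed printer") if dev.managed else ("block", "CUI to unmanaged printer")
    return "block", f"CUI over {dev.channel} not permitted"

def shadow(filename: str, content: str, dev: Device, log: list) -> str:
    """File shadowing: record every attempt, allowed or blocked, as evidence."""
    verdict, reason = decide(content, dev)
    log.append({"file": filename, "label": classify(content), "channel": dev.channel,
                "managed": dev.managed, "encrypted": dev.encrypted, "verdict": verdict, "reason": reason})
    return verdict

def cui_exits(log: list) -> list:
    """Reconstruct where CUI actually left: the allowed CUI transfers only."""
    return [(e["file"], e["channel"]) for e in log if e["label"] == "CUI" and e["verdict"] == "allow"]

def demo() -> list:
    """Constructed sample transfers that exercise each rule."""
    log, cui = [], "CUI// contract delivery plan"
    shadow("plan.docx", cui, Device("usb", True, True), log)
    shadow("plan.docx", cui, Device("usb", False, False), log)
    shadow("menu.txt", "Lunch menu", Device("bluetooth", False, False), log)
    shadow("plan.docx", cui, Device("bluetooth", True, False), log)
    shadow("report.pdf", "Controlled Unclassified Information: test", Device("printer", False, False), log)
    return log
```

Blocked attempts are logged alongside allowed ones, which is what lets an auditor distinguish "the control worked" from "the channel was never watched".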

Key takeaways

  • CUI protection breaks down when endpoint governance does not extend beyond classification into actual transfer control.
  • Unmanaged USBs, printers, and Bluetooth paths create compliance exposure even when the data itself is well understood.
  • Security teams need auditable encryption, device trust rules, and file-level visibility to make CMMC-style controls enforceable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 sets the governance and control requirements practitioners need to meet.

Framework                       | Control / Reference | Relevance
NIST CSF 2.0                    | PR.DS-1             | CUI encryption and data protection map directly to protected data handling on endpoints.
NIST CSF 2.0                    | PR.AC-4             | Granular device access decisions align with least-privilege enforcement on endpoints.
OWASP Non-Human Identity Top 10 | NHI-03              | Channel and credential governance overlap when endpoint access depends on unmanaged secrets or tokens.

Map endpoint encryption and transfer controls to PR.DS-1 and verify they cover removable media.


Key terms

  • Controlled Unclassified Information: Controlled Unclassified Information is sensitive government-related information that is not classified but still requires controlled handling. In practice, it needs policy enforcement, auditability, and channel restrictions so it cannot move through unmanaged endpoints or informal transfer paths without detection.
  • Content-Aware DLP: Content-aware DLP is a data protection control that inspects what a file contains before allowing it to move, print, or leave a device. It matters because endpoint policy should respond differently to ordinary files and protected information such as CUI, especially where transfer channels are diverse.
  • Trusted Device Model: A trusted device model limits sensitive actions to endpoints that meet defined security conditions such as encryption, management status, and policy compliance. The model is only effective when trust is checked at the point of transfer, not assumed from user role or network location alone.

Deepen your knowledge

CUI endpoint control and device trust are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building a governance programme that must survive unmanaged devices, it is worth exploring.

This post draws on content published by Netwrix: Protect CUI: Enforce USB Encryption, Control Access, and Monitor Data Movement Compliance. Read the original.

NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-05-26.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org