TL;DR: Controlled Unclassified Information can still leave through unencrypted USBs, shadow printing, and Bluetooth transfers even after discovery, which is why Netwrix’s webinar frames endpoint enforcement, device control, and data movement monitoring as core CMMC compliance issues. The practical lesson is that classification without device-level control leaves a measurable enforcement gap.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams prevent CUI from leaving through unmanaged endpoints?
A: They should combine encryption, device control, and monitoring rather than relying on classification alone.
Q: Why do unmanaged USBs and printers create CMMC compliance risk?
A: Because they create alternate exfiltration paths that often sit outside the controls organisations monitor most closely.
Practitioner guidance
- Enforce encryption on removable media: Require AES-256 software-based encryption for any USB device that can carry CUI, and block write access until the device is validated as trusted.
- Restrict peripheral channels by trust level: Apply separate rules for USB storage, printers, and Bluetooth so unmanaged devices cannot use the same permissions as managed endpoints.
- Turn on file shadowing for investigations: Capture copy, print, and transfer activity across endpoints so policy violations can be reconstructed after the fact.
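One way to check and enforce the first two rules on a Windows endpoint, as an added example that is not code from the Netwrix webinar or this post: it audits each removable drive for BitLocker protection with a 256-bit method, and optionally sets the BitLocker To Go policy values that deny write access to unprotected removable drives and pin the encryption method to XTS-AES 256. It assumes the built-in BitLocker cmdlets, the `-Enforce` switch is the script's own, and the policy value names follow the BitLocker Group Policy registry settings (confirm them against the policy templates for your Windows build).

```powershell
# Added example: audit removable drives against "encrypt with AES-256 and deny
# write until trusted", then optionally enforce it via BitLocker To Go policy.
# Run as Administrator. Requires the BitLocker PowerShell module (Windows client/server).
param([switch]$Enforce)   # -Enforce is this script's own switch, not a Windows flag

$fvePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableDriveStatus {
    # One record per removable volume with a drive letter
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $method = if ($bl) { [string]$bl.EncryptionMethod } else { 'None' }
            $protected = ($bl -and $bl.ProtectionStatus -eq 'On')
            [pscustomobject]@{
                Drive     = $mount
                Protected = $protected
                Method    = $method
                # Compliant only if protection is on AND the cipher is a 256-bit AES mode
                Compliant = ($protected -and $method -match '256')
            }
        }
}

function Set-RemovableDrivePolicy {
    # Policy values as written by the BitLocker Group Policy templates
    New-Item -Path $fvePolicy -Force | Out-Null
    # "Deny write access to removable drives not protected by BitLocker"
    Set-ItemProperty -Path $fvePolicy -Name 'RDVDenyWriteAccess' -Value 1 -Type DWord
    # Removable drive encryption method: 7 = XTS-AES 256
    Set-ItemProperty -Path $fvePolicy -Name 'EncryptionMethodWithXtsRdv' -Value 7 -Type DWord
    # Policy is read at the next drive insertion / policy refresh
    gpupdate /target:computer /force | Out-Null
}

# Report first; non-compliant drives are the CUI exfiltration gap the post describes
$status = Get-RemovableDriveStatus
$status | Format-Table -AutoSize
$gap = @($status | Where-Object { -not $_.Compliant })
Write-Host ("{0} removable drive(s) would accept CUI without AES-256 protection" -f $gap.Count)

if ($Enforce) { Set-RemovableDrivePolicy }
```

Pair the policy with the Removable Storage Access settings (or the endpoint DLP product of your choice) for printers and Bluetooth, which BitLocker does not cover.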
What to expect at the briefing
Netwrix's full webinar covers the operational detail this post intentionally leaves for the source:
- How AES-256 software-based encryption is applied to endpoint devices in practice
- How granular device controls are configured for USB, printer, and Bluetooth access
- How content-aware DLP and file shadowing support investigation and audit evidence
- How trusted device models help distinguish managed from unmanaged endpoints
👉 Watch Netwrix's on-demand webinar on CUI endpoint protection and CMMC compliance →
CUI endpoint controls and CMMC compliance: are blind spots still open?
Explore further
CUI protection fails when endpoint policy stops at discovery and never reaches enforcement. Classification tells you what data matters, but unmanaged devices determine whether the data can still leave the environment. The control gap is not awareness, it is the absence of technical guardrails on the channels people actually use. Practitioners should treat enforcement as the real boundary of CMMC readiness.
A few things that frame the scale:
- Only 20% have formal processes for offboarding and revoking API keys, and even fewer have procedures for rotating them, according to the Ultimate Guide to NHIs.
- 96% of organisations store secrets outside of secrets managers in vulnerable locations including code, config files, and CI/CD tools.
A question worth separating out:
Q: Who is accountable when CUI is lost through endpoint channels?
A: Accountability sits with the programme owners responsible for endpoint enforcement, data protection, and audit readiness, not just with end users. If device rules are too broad or visibility is too weak, the failure is at the governance level as well as the operational level.
👉 Read our full editorial: CUI endpoint controls show where CMMC compliance still breaks down