TL;DR: CMMC enforcement under the new 48 CFR rules makes proof of control mandatory for organizations handling CUI and FCI, and air-gapped operations still depend on USB transfer paths that must be encrypted, monitored, and auditable according to Netwrix. Compliance now hinges on whether data movement can be demonstrated, not merely documented.
NHIMG editorial — based on content published by Netwrix: CMMC compliance and the critical role of MDM-style USB control in protecting CUI
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes , and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should organisations control USB use for CUI in air-gapped environments?
A: Organisations should treat USB use as a governed transfer workflow, not a user convenience.
Q: Why do removable media controls matter so much for CMMC compliance?
A: Removable media often becomes the only practical bridge across isolated systems, so it is a direct compliance boundary.
Q: What breaks when USB encryption is not tied to central key management?
A: Encryption becomes a false control if the same local user or device can still decrypt data after it leaves the workstation.
Practitioner guidance
- Tie USB access to centrally managed encryption keys Separate decryption authority from the removable device so access can be revoked without recovering the physical media.
- Apply content-aware blocking for CUI patterns Inspect file content and metadata before write operations to removable media so that CUI cannot be copied out in plaintext by accident.
- Build removable-media evidence into CMMC assessments Preserve logs for encryption enforcement, file tracing, device authorisation, and sanitisation so assessors can verify control effectiveness.
What's in the full article
Netwrix's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step USB encryption and key separation mechanics for controlled environments.
- Specific examples of file tracing, shadowing, and content-aware protection rules used to detect CUI movement.
- How remote sanitisation and purge workflows map to NIST 800-88 expectations.
- The endpoint and DSPM control split that supports broader CMMC evidence collection.
👉 Read Netwrix's analysis of CMMC compliance and USB control for CUI →
CMMC compliance and USB control: what changes for CUI teams?
Explore further
CMMC has turned removable media governance into an identity and evidence problem. The shift to 48 CFR enforcement means organisations are judged on whether controls can be proven, not whether they are merely written down. In air-gapped programmes, USB workflows are now part of the compliance boundary, so device control, key control, and auditability must be managed together. Practitioners should treat removable media as governed infrastructure, not convenience storage.
A few things that frame the scale:
- Two-thirds of enterprises have endured a successful cyberattack resulting from compromised non-human identities, with a quarter encountering multiple attacks, according to the 2024 ESG Report: Managing Non-Human Identities.
- The same research found that 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, including 46% confirmed cases and 26% suspected cases.
A question worth separating out:
Q: Who is accountable when CUI is moved to an unencrypted or unauthorised USB device?
A: Accountability sits with the organisation that owns the control environment, because CMMC is proof-based rather than trust-based. Security, IAM, endpoint, and compliance teams must jointly show that access, transfer, and sanitisation controls were enforced before the data left the boundary.
👉 Read our full editorial: CMMC compliance and USB control in air-gapped CUI workflows