TL;DR: Under the new 48 CFR rules, CMMC enforcement makes proof of control mandatory for organisations handling CUI and FCI. Netwrix's point is that air-gapped operations still depend on USB transfer paths, and those paths must be encrypted, monitored and auditable. Compliance now hinges on whether data movement can be demonstrated, not merely documented.
NHIMG editorial — based on content published by Netwrix: CMMC compliance and the critical role of MDM-style USB control in protecting CUI
By the numbers:
- When AWS credentials are exposed publicly, attackers attempt access within an average of 17 minutes, and as quickly as 9 minutes in some cases.
Questions worth separating out
Q: How should organisations control USB use for CUI in air-gapped environments?
A: Organisations should treat USB use as a governed transfer workflow, not a user convenience.
Q: Why do removable media controls matter so much for CMMC compliance?
A: Removable media often becomes the only practical bridge across isolated systems, so it is a direct compliance boundary.
Q: What breaks when USB encryption is not tied to central key management?
A: Encryption becomes a false control if the same local user or device can still decrypt data after it leaves the workstation.
Practitioner guidance
- Tie USB access to centrally managed encryption keys: separate decryption authority from the removable device so access can be revoked without recovering the physical media.
- Apply content-aware blocking for CUI patterns: inspect file content and metadata before write operations to removable media so that CUI cannot be copied out in plaintext by accident.
- Build removable-media evidence into CMMC assessments: preserve logs for encryption enforcement, file tracing, device authorisation and sanitisation so assessors can verify control effectiveness.
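The three points above describe one workflow, so here is an added example that ties them together as a single write gate for removable media. This is illustration written for this post, not code from Netwrix's article or from any product it describes. Everything in it is assumed: the `CentralKeyService` stands in for a KMS or HSM, the HMAC-SHA256 counter-mode cipher and XOR key wrap are stand-ins for AES-GCM and a proper key-wrap so the example runs on the Python standard library alone, the CUI marking regexes are illustrative (banner style such as `CUI//SP-CTI`), and device IDs like `usb-0042` and the hypothetical file names are constructed sample input. What it shows is the control logic: CUI content is detected before the write, it only leaves the workstation under a data key that is wrapped to the device ID by the key service, a revoked device can never get its data key back even though the media is untouched, and every decision lands in a hash-chained audit log that an assessor can verify.

```python
import hashlib, hmac, json, re, secrets, time

# Illustrative CUI marking patterns (32 CFR 2002 banner style, e.g. "CUI//SP-CTI"); assumed, not exhaustive.
CUI_PATTERNS = [re.compile(r"\bCONTROLLED UNCLASSIFIED INFORMATION\b", re.I),
                re.compile(r"\bCUI//[A-Z0-9-]+(?:/[A-Z0-9-]+)*"), re.compile(r"\bCUI\b")]

def classify_cui(data: bytes) -> list[str]:
    """Distinct CUI markings found in the file content (banner forms first)."""
    text, hits = data.decode("utf-8", errors="replace"), []
    for pat in CUI_PATTERNS:
        for m in pat.finditer(text):
            if m.group(0) not in hits:
                hits.append(m.group(0))
    return hits

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy stand-in for AES-GCM (standard library only; not for production).
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key: bytes, pt: bytes) -> dict:
    nonce = secrets.token_bytes(16)
    ct = _xor(pt, _keystream(key, nonce, len(pt)))
    return {"nonce": nonce.hex(), "ct": ct.hex(),
            "tag": hmac.new(key, nonce + ct, hashlib.sha256).hexdigest()}

def unseal(key: bytes, box: dict) -> bytes:
    nonce, ct = bytes.fromhex(box["nonce"]), bytes.fromhex(box["ct"])
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).hexdigest(), box["tag"]):
        raise ValueError("ciphertext tampered")
    return _xor(ct, _keystream(key, nonce, len(ct)))

class CentralKeyService:
    """Stand-in for a KMS/HSM: the KEK never leaves it, each wrapped data key is bound
    to a device ID, and unwrapping is refused once that device is revoked."""
    def __init__(self) -> None:
        self._kek, self.authorized, self._revoked = secrets.token_bytes(32), set(), set()
    def authorize(self, device_id: str) -> None:
        self.authorized.add(device_id)
    def revoke(self, device_id: str) -> None:
        self.authorized.discard(device_id)
        self._revoked.add(device_id)
    def _mask(self, nonce: bytes, dev: str) -> bytes:
        return hmac.new(self._kek, b"wrap|" + nonce + dev.encode(), hashlib.sha256).digest()
    def _tag(self, nonce: bytes, dev: str, wrapped: bytes) -> str:
        return hmac.new(self._kek, b"tag|" + nonce + dev.encode() + wrapped, hashlib.sha256).hexdigest()
    def issue_data_key(self, dev: str) -> tuple[bytes, dict]:
        dk, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        wrapped = _xor(dk, self._mask(nonce, dev))  # toy key wrap: one-time mask derived from the KEK
        return dk, {"device_id": dev, "nonce": nonce.hex(), "wrapped": wrapped.hex(),
                    "tag": self._tag(nonce, dev, wrapped)}
    def unwrap(self, blob: dict) -> bytes:
        dev, nonce, wrapped = blob["device_id"], bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["wrapped"])
        if dev in self._revoked:
            raise PermissionError(f"device {dev} revoked: data key not released")
        if not hmac.compare_digest(self._tag(nonce, dev, wrapped), blob["tag"]):
            raise ValueError("wrapped key tampered")
        return _xor(wrapped, self._mask(nonce, dev))

class AuditLog:
    """Hash-chained, append-only records: the evidence trail an assessor can verify."""
    def __init__(self) -> None:
        self.records: list[dict] = []
    def append(self, **fields) -> dict:
        prev = self.records[-1]["hash"] if self.records else "0" * 64
        rec = {"seq": len(self.records), "ts": time.time(), "prev": prev, **fields}
        rec["hash"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
        self.records.append(rec)
        return rec
    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            if rec["prev"] != prev or rec["hash"] != hashlib.sha256(
                    json.dumps(body, sort_keys=True).encode()).hexdigest():
                return False
            prev = rec["hash"]
        return True

def gate_write(name: str, data: bytes, dev: str, ks: CentralKeyService, log: AuditLog) -> dict:
    """Deny unauthorised devices, pass non-CUI through, force CUI through envelope
    encryption; log every path with a content hash for file tracing."""
    hits, digest = classify_cui(data), hashlib.sha256(data).hexdigest()
    if dev not in ks.authorized:
        log.append(event="usb_write_denied", file=name, device=dev, markings=hits, sha256=digest)
        return {"allowed": False, "encrypted": False, "hits": hits, "payload": b""}
    if not hits:
        log.append(event="usb_write", file=name, device=dev, markings=[], encrypted=False, sha256=digest)
        return {"allowed": True, "encrypted": False, "hits": hits, "payload": data}
    dk, wrapped = ks.issue_data_key(dev)
    box = seal(dk, data)
    box["key"] = wrapped  # only the wrapped key travels with the media; the KEK stays central
    log.append(event="usb_write", file=name, device=dev, markings=hits, encrypted=True, sha256=digest)
    return {"allowed": True, "encrypted": True, "hits": hits, "payload": json.dumps(box).encode()}

def read_from_media(payload: bytes, ks: CentralKeyService, log: AuditLog) -> bytes:
    box = json.loads(payload)
    dk = ks.unwrap(box["key"])  # PermissionError once the device is revoked, media untouched
    log.append(event="usb_read", device=box["key"]["device_id"])
    return unseal(dk, box)
```

The design point is in `unwrap`: revocation is a change of state at the key service, not on the stick, so the media can be lost or retained by a departing user and still yield nothing. The log records carry the content hash of what was written, which is the "file tracing" evidence the third bullet asks for, and `verify()` lets an assessor confirm nothing was dropped or edited after the fact.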
What's in the full article
Netwrix's full blog covers the operational detail this post intentionally leaves for the source:
- Step-by-step USB encryption and key separation mechanics for controlled environments.
- Specific examples of file tracing, shadowing, and content-aware protection rules used to detect CUI movement.
- How remote sanitisation and purge workflows map to NIST 800-88 expectations.
- The endpoint and DSPM control split that supports broader CMMC evidence collection.
👉 Read Netwrix's analysis of CMMC compliance and USB control for CUI →
CMMC compliance and USB control: what changes for CUI teams?