Accountability sits with the organisation that owns the control environment, because CMMC is proof-based rather than trust-based. Security, IAM, endpoint, and compliance teams must jointly show that access, transfer, and sanitisation controls were enforced before the data left the boundary.
Why This Matters for Security Teams
When CUI lands on an unencrypted or unauthorised USB device, the question is not only who touched the file, but who failed to enforce the control path that should have blocked the transfer. Under CMMC-style evidence expectations, accountability sits with the organisation that owns the environment, because auditors look for proof of prevention, not post-incident intent. That means endpoint protection, access governance, removable media policy, and logging all have to line up.
This is especially important because removable media incidents often expose a gap between policy and enforcement. Security teams may believe USB restrictions exist, yet the device still accepts write access, local admin rights can override the policy, or an exception was approved outside the formal workflow. NHI Mgmt Group’s Ultimate Guide to NHIs shows how far identity failures spread when controls are weak, and the same pattern applies to data transfer paths. In practice, many security teams first meet the accountability question after the transfer has already happened, rather than through deliberate control validation beforehand.
How It Works in Practice
Operationally, responsibility is distributed across the control owners, but final accountability remains with the organisation. The endpoint team must enforce device control, encryption requirements, and block rules. IAM or PAM teams must ensure only authorised users can bypass restrictions. Compliance and security leadership must be able to prove the policy existed, was enforced, and was monitored. The evidence trail matters as much as the technical setting.
Treat removable media as a high-risk exfiltration path and design controls so that CUI cannot be copied to any USB device unless the device is managed, encrypted, and explicitly authorised. The NIST Cybersecurity Framework 2.0 is useful here because its Govern function ties asset protection, access control, and monitoring into a single governance story rather than three separate checklists. For organisations managing sensitive identities and secrets, NHI Mgmt Group’s Ultimate Guide to NHIs highlights how often weak visibility and rotation practices undermine control integrity.
- Use device control to block unknown or removable storage by default.
- Require encryption on any approved USB device before it can mount or write.
- Log the user, host, file classification, and transfer event for every exception.
- Separate policy approval from technical enforcement so one team cannot self-authorise.
- Test that controls still work when users have elevated privileges or offline access.
These controls tend to break down when endpoints are unmanaged, when local administrators can disable device control, or when file classification is inconsistent; in each case policy enforcement can no longer reliably distinguish an approved transfer from shadow-IT copying.
Common Variations and Edge Cases
Tighter USB control often increases operational friction, so organisations have to balance data protection against user productivity and field-work constraints. That tradeoff becomes sharper for laptops used offline, engineers who need removable media for diagnostics, or third parties who expect temporary access. In those cases, best practice is evolving toward exception-based workflows, device encryption, and time-bound approval rather than blanket trust.
There is no universal standard for every edge case, but the accountability model remains stable: the organisation must prove why the transfer was allowed, by whom, and under what control conditions. If the device was unencrypted, the exception process should have prevented use. If the device was unauthorised, access governance should have blocked it. If logs are missing, the organisation still owns the gap. That is why audit readiness depends on a full evidence chain, not a single policy statement.
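The control checklist above and the exception-based, time-bound approvals described for the edge cases can be validated against telemetry rather than assumed. The Python script below is an added example, not NHI Mgmt Group’s code and not any endpoint product’s API. It assumes a hypothetical endpoint agent that records each write to removable storage with the user, host, device serial, file classification and whether device control was active, plus a managed-device inventory and an exception register; all of that data is constructed inline. It checks each CUI transfer against every condition in the list (managed, encrypted, approved by someone other than the requester, within the approval window, device control enforced) and separately flags records that lack the fields needed to evidence the transfer at all.

```python
"""Evidence-chain review for CUI writes to removable media.

Added illustrative example (not NHI Mgmt Group's or any vendor's code). Assumes
a hypothetical endpoint agent logs one record per write to removable storage, a
managed-device inventory keyed by serial with attested encryption state, and a
time-bound exception register. All records below are constructed sample data.
"""
from datetime import datetime, timezone

# Constructed managed-device inventory: serial -> attested attributes.
MANAGED_DEVICES = {
    "SN-0001": {"encrypted": True},
    "SN-0002": {"encrypted": False},   # approved device, encryption never enabled
    "SN-0004": {"encrypted": True},
}

# Constructed exception register: (user, serial) -> approver and validity window.
EXCEPTIONS = {
    ("alice", "SN-0001"): {"approver": "dlp-board",
                           "not_before": "2026-06-01T00:00:00Z",
                           "not_after": "2026-06-30T23:59:59Z"},
    ("carol", "SN-0003"): {"approver": "carol",          # self-authorised
                           "not_before": "2026-06-01T00:00:00Z",
                           "not_after": "2026-06-30T23:59:59Z"},
    ("dave", "SN-0004"): {"approver": "dlp-board",       # window already closed
                          "not_before": "2026-05-01T00:00:00Z",
                          "not_after": "2026-05-31T23:59:59Z"},
}

# Fields the agent must record for a transfer to count as evidenced at all.
REQUIRED_FIELDS = ("ts", "user", "host", "serial", "classification",
                   "device_control_active")


def parse_ts(value):
    """Parse the agent's UTC timestamp (assumed ISO 8601 with a Z suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def assess(event):
    """Return (verdict, findings); verdict is 'allowed', 'violation' or
    'evidence_gap', and findings lists every broken control condition."""
    missing = [f for f in REQUIRED_FIELDS if f not in event]
    if missing:
        # A transfer that cannot be evidenced cannot be shown to have been
        # prevented or approved; the organisation still owns that gap.
        return "evidence_gap", ["missing fields: " + ", ".join(missing)]
    if event["classification"] != "CUI":
        return "allowed", ["not CUI; outside policy scope"]
    findings = []
    if not event["device_control_active"]:
        findings.append("device control disabled on host (local admin override)")
    device = MANAGED_DEVICES.get(event["serial"])
    if device is None:
        findings.append("device not in managed inventory")
    elif not device["encrypted"]:
        findings.append("device not encrypted")
    exc = EXCEPTIONS.get((event["user"], event["serial"]))
    if exc is None:
        findings.append("no exception on record")
    else:
        if exc["approver"] == event["user"]:
            findings.append("self-approved exception (separation of duties)")
        ts = parse_ts(event["ts"])
        if not parse_ts(exc["not_before"]) <= ts <= parse_ts(exc["not_after"]):
            findings.append("exception outside its approved window")
    if findings:
        return "violation", findings
    return "allowed", ["managed, encrypted, approved, control enforced"]


def review(events):
    """Group a batch of events by verdict: verdict -> [(user, serial, findings)]."""
    summary = {"allowed": [], "violation": [], "evidence_gap": []}
    for ev in events:
        verdict, findings = assess(ev)
        summary[verdict].append((ev.get("user", "?"), ev.get("serial", "?"), findings))
    return summary


# Constructed sample telemetry covering the edge cases discussed above.
SAMPLE_EVENTS = [
    {"ts": "2026-06-10T09:15:00Z", "user": "alice", "host": "lt-01", "serial": "SN-0001",
     "classification": "CUI", "device_control_active": True},
    {"ts": "2026-06-10T09:20:00Z", "user": "bob", "host": "lt-02", "serial": "SN-0002",
     "classification": "CUI", "device_control_active": True},
    {"ts": "2026-06-10T10:05:00Z", "user": "carol", "host": "lt-03", "serial": "SN-0003",
     "classification": "CUI", "device_control_active": True},
    {"ts": "2026-06-10T11:40:00Z", "user": "dave", "host": "lt-04", "serial": "SN-0004",
     "classification": "CUI", "device_control_active": True},
    {"ts": "2026-06-10T12:00:00Z", "user": "erin", "host": "lt-05", "serial": "SN-0001",
     "classification": "CUI", "device_control_active": False},
    {"ts": "2026-06-10T12:30:00Z", "user": "frank", "host": "lt-06",
     "classification": "CUI", "device_control_active": True},   # serial never logged
]

if __name__ == "__main__":
    for verdict, rows in review(SAMPLE_EVENTS).items():
        for user, serial, findings in rows:
            print(f"{verdict:13} {user:6} {serial:8} {'; '.join(findings)}")
```

Each violation carries the full list of broken conditions rather than the first one found, because an auditor asks for the complete control picture for a transfer, not the first reason it should have been blocked. The missing-serial record is reported as an evidence gap instead of being silently skipped, which is the case where the organisation owns the gap even though nothing in the log proves a policy breach.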
For teams already struggling with identity sprawl, the same control weakness that allows secrets to live outside managed systems often also allows data to move through unmanaged paths. The pattern is consistent across modern environments: control failure becomes visible only after exposure, not at the point of policy design.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0 sets the governance and control expectations practitioners need to meet. The subcategory identifiers below are the CSF 2.0 ones; the CSF 1.1 identifiers they replaced are given in parentheses.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AA-05 (CSF 1.1: PR.AC-4) | Access permissions must be defined in policy, enforced and reviewed, with separation of duties, so unauthorised removable-media transfers are blocked rather than merely discouraged. |
| NIST CSF 2.0 | PR.DS-01 (CSF 1.1: PR.DS-2) | CUI at rest on an approved device must be encrypted; PR.DS-02 covers the same data in transit. |
| NIST CSF 2.0 | DE.CM-03 (CSF 1.1: DE.CM-1) | Personnel activity and technology usage must be monitored so unauthorised media use and transfer events are detected; DE.CM-09 covers the hosts and their data. |
Log and review removable-media activity to prove enforcement and support incident response.
Related resources from NHI Mgmt Group
- Who is accountable when a device still has access after administrators believe it has been revoked?
- Who should be accountable when an agent makes a high-risk decision?
- Who is accountable when a production model drifts below approved thresholds?
- Who is accountable when forged DNS responses redirect users to malicious sites?
Reviewed and updated by the NHIMG editorial team on June 23, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org