AC-20(5): Portable Storage Devices — Prohibited Use

AC-20(5) requires you to stop authorized users from connecting organization-owned portable storage devices (for example, company USB drives) to external, non-organization systems (for example, home PCs, third-party kiosks, or partner laptops). To operationalize it, define what “organization-controlled” and “external system” mean in your environment, then enforce the prohibition with technical controls, exceptions, and audit-ready evidence.

Key takeaways:

  • Prohibit org-owned portable storage devices on external systems, by policy and by enforcement. [1]
  • Scope clarity matters: define “portable storage,” “organization-controlled,” and “external system” in writing.
  • Auditors will look for proof of enforcement (endpoint/device control), not just a policy statement.

The AC-20(5) requirement (Portable Storage Devices — Prohibited Use) is one of those controls that sounds simple and fails in the messy parts of operations: field work, travel, incident response, third-party support, and air-gapped transfers. The intent is to prevent the data loss, malware introduction, and chain-of-custody failures that happen when trusted staff plug organization-owned removable media into systems you do not manage.

This requirement sits in the Access Control (AC) family and is typically assessed alongside removable media controls, endpoint security, and data protection practices. It is especially relevant for federal information systems and contractor environments handling federal data, where “external systems” include personal devices and third-party environments that your IT team cannot harden or monitor.

You can implement AC-20(5) quickly if you treat it as an enforceable rule with clear definitions, a named control owner, and repeatable evidence. The fastest path is: write the prohibition; technically block the behavior where feasible; create a narrowly-scoped exception path for truly necessary cases; and retain logs, configurations, and approval records that show the control operates continuously.

Regulatory text

Requirement (verbatim): “Prohibit the use of organization-controlled portable storage devices by authorized individuals on external systems.” [1]

What the operator must do:
You must prevent your workforce (including admins and other authorized users) from plugging in or otherwise using portable storage devices that your organization owns or controls on systems outside your control boundary. In practice, this means you establish a rule (“don’t connect company removable media to external machines”), implement technical enforcement where possible, and manage any necessary exceptions with explicit approval and compensating controls. [1]

Plain-English interpretation

AC-20(5) is a boundary-control rule for removable media:

  • “Organization-controlled portable storage devices”: any removable storage you issue, manage, inventory, or configure. Examples: company USB flash drives, external SSDs/HDDs, SD cards issued for cameras, encrypted removable media, and portable media bundled with hardware kits.
  • “Authorized individuals”: employees, contractors, and other users who have legitimate access to your environment. The control is aimed at trusted users because that’s where “convenient but risky” behavior often occurs.
  • “External systems”: systems outside your security boundary and administrative control. Examples: a home desktop, a personal laptop, a partner’s workstation, a third party’s support computer, hotel business-center PCs, conference kiosks, and unmanaged lab equipment.

The operational point: if you can’t enforce your endpoint and security baseline on the machine, don’t allow company portable storage to touch it. [2]

Who it applies to (entity and operational context)

AC-20(5) is commonly scoped to:

  • Federal information systems implementing NIST SP 800-53 controls. [2]
  • Contractors handling federal data (for example, environments aligned to NIST SP 800-53 through contractual requirements). [2]

Operational contexts where this control comes up in audits and real incidents:

  • Remote work and BYOD drift (staff using home devices “just once” to print or transfer files).
  • Third-party support sessions (a vendor or partner asks for files via USB).
  • Field operations (technicians transferring logs/configs on-site).
  • Build rooms and labs (equipment that can’t run your endpoint controls).
  • Incident response (urgent transfers that bypass normal paths).

What you actually need to do (step-by-step)

1) Set crisp scope definitions (write them down)

Create control language that removes ambiguity:

  • Define portable storage devices in scope (USB, external drives, SD cards, etc.).
  • Define organization-controlled (owned, issued, inventoried, or centrally configured).
  • Define external system (any system not managed by your org, not enrolled in endpoint management, or not in your authorized boundary).
  • Define prohibited use (connecting, mounting, reading, writing, or imaging).

Deliverable: a short standard or policy section mapped to AC-20(5). [1]

2) Assign a control owner and an enforcement owner

Auditors will ask “who runs this?” Name:

  • Control owner (typically Security/GRC or IT Security).
  • Technical owner (Endpoint Engineering, IT Ops, or SOC) who can deploy device-control rules and collect evidence.

Practical note: if ownership is split, publish a RACI so exceptions and evidence don’t fall through the cracks.

3) Implement technical enforcement (primary line of defense)

Aim for “blocked by default” wherever you manage endpoints:

  • Use endpoint management and device control to restrict removable storage use and, where feasible, to block mounting in unmanaged scenarios.
  • Use DLP/device control policies to prevent read/write, or to allow only approved devices on approved endpoints.
  • Configure logging for removable media insert events and file transfer events, routed to your SIEM or log platform.

What “good” looks like for exams: you can show the configuration baseline and a sample of logs demonstrating enforcement and detections.

4) Control the portable media lifecycle (so “organization-controlled” is real)

You cannot prohibit use of “organization-controlled” devices if you don’t control them.

  • Maintain an inventory of issued portable storage devices (asset tag/serial where possible).
  • Require assignment records (who has which device, for what purpose).
  • Define approved media types (for example, only managed/encrypted devices).
  • Define return, wipe, and destruction procedures.

5) Build an exception path (narrow, time-bound, compensating controls)

Some teams genuinely need to connect media to an external system (for example, vendor-provided industrial equipment). Handle this as an exception, not an informal workaround.

Exception criteria you can defend:

  • Business need is documented.
  • The external system is identified and risk-reviewed.
  • Compensating controls are required (for example, malware scanning on a controlled kiosk on re-entry, dedicated transfer station, or one-way transfer process).
  • Exception approvals are recorded and reviewed periodically.

Keep exceptions rare. If you find many, your “external system” definition or your technical pathways for secure transfer are likely broken.

6) Train the workforce at the moment of risk (not once a year)

Add targeted guidance for:

  • Helpdesk and endpoint teams (they get the “can you copy this to a USB?” requests).
  • Field staff and engineers.
  • Third-party access coordinators.

Training content should answer:

  • What to do instead (approved transfer methods).
  • How to request an exception.
  • What happens if you plug in anyway (blocking, alerting, or disciplinary reference).

7) Create an audit-ready evidence package (recurring, not ad hoc)

Treat “missing implementation evidence” as a primary risk to manage because it is explicitly called out as a risk factor for this control. [1]

If you use Daydream to manage control operations, map AC-20(5) to a control owner, implementation procedure, and recurring evidence artifacts so audits become a pull, not a scramble. [1]
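The following is an added example, not code from this page or from Daydream, showing the decision logic that steps 3, 4, 5 and 7 above describe: an allow-by-inventory rule for removable media inserts on managed endpoints, a periodic review of the exception register, and a summary suitable for the audit packet. The inventory, exception register, and insert events are constructed sample data with placeholder serials, hosts, users and ticket ids; it assumes your device-control agent can report the inserting user and the media serial, without assuming any vendor's field names.

```python
from dataclasses import dataclass
from datetime import date

# --- Constructed sample data (placeholders, not real assets) -----------------

# Step 4: inventory of organization-issued portable storage, keyed by serial.
ISSUED_DEVICES = {
    "SN-ORG-0001": {"model": "encrypted-usb", "assigned_to": "jdoe"},
    "SN-ORG-0002": {"model": "encrypted-usb", "assigned_to": "asmith"},
    "SN-ORG-0003": {"model": "plain-usb", "assigned_to": "field-ops"},
}
APPROVED_MODELS = {"encrypted-usb"}  # step 4: approved media types

# Step 5: exception register. Each entry names the device, the external
# system, the approval ticket and an expiry date (all constructed values).
EXCEPTIONS = [
    {"serial": "SN-ORG-0003", "external_system": "plc-programmer-01",
     "ticket": "EXC-0042", "expires": date(2025, 6, 30)},
    {"serial": "SN-ORG-0099", "external_system": "vendor-laptop",
     "ticket": "EXC-0007", "expires": date(2026, 1, 31)},
]


@dataclass(frozen=True)
class InsertEvent:
    """One removable-media insert record from a managed endpoint's device-control agent."""
    when: str
    host: str
    user: str
    serial: str


def evaluate(ev: InsertEvent) -> tuple:
    """Step 3 rule for managed endpoints: allow only inventoried, approved media used by its assignee."""
    dev = ISSUED_DEVICES.get(ev.serial)
    if dev is None:
        return "block", "media not in organization inventory"
    if dev["model"] not in APPROVED_MODELS:
        return "block", f"model {dev['model']} is not an approved media type"
    if dev["assigned_to"] != ev.user:
        return "block", f"device assigned to {dev['assigned_to']}, inserted by {ev.user}"
    return "allow", "inventoried, approved model, used by assignee"


def review_exceptions(today: date) -> list:
    """Step 5 periodic review: flag exceptions that are expired or name a device not in the inventory."""
    findings = []
    for ex in EXCEPTIONS:
        if ex["serial"] not in ISSUED_DEVICES:
            findings.append(f"{ex['ticket']}: serial {ex['serial']} is not in the inventory")
        if ex["expires"] < today:
            findings.append(f"{ex['ticket']}: expired on {ex['expires'].isoformat()}")
    return findings


def evidence_packet(events, today: date) -> dict:
    """Step 7: counts and block reasons for the audit packet, plus the exception review."""
    decisions = [(ev, *evaluate(ev)) for ev in events]
    return {
        "allowed": sum(1 for _, decision, _ in decisions if decision == "allow"),
        "blocked": [f"{ev.when} {ev.host} {ev.user} {ev.serial}: {reason}"
                    for ev, decision, reason in decisions if decision == "block"],
        "exception_findings": review_exceptions(today),
    }


# Constructed insert events as a device-control agent might report them.
SAMPLE_EVENTS = [
    InsertEvent("2025-07-01T09:12:00Z", "ws-1042", "jdoe", "SN-ORG-0001"),
    InsertEvent("2025-07-01T10:03:00Z", "ws-2077", "asmith", "SN-ORG-0001"),   # not the assignee
    InsertEvent("2025-07-01T11:40:00Z", "ws-2077", "asmith", "SN-PERSONAL-77"),  # not inventoried
    InsertEvent("2025-07-01T13:15:00Z", "ws-3001", "field-ops", "SN-ORG-0003"),  # unapproved model
]

if __name__ == "__main__":
    packet = evidence_packet(SAMPLE_EVENTS, date(2025, 7, 1))
    print(f"allowed: {packet['allowed']}")
    for line in packet["blocked"]:
        print("blocked:", line)
    for finding in packet["exception_findings"]:
        print("exception review:", finding)
```

The evaluation deliberately keys on the media serial rather than on vendor/product ids alone, because a serial is what lets you tie a blocked event back to an inventory row and an assignee; the exception review runs against a date so the same function can serve the periodic review in step 5 and the test record in the evidence section.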

Required evidence and artifacts to retain

Keep artifacts that prove design and operating effectiveness:

Policy and governance

  • Removable media standard/policy section containing the AC-20(5) prohibition.
  • System boundary statement that explains what counts as an external system.
  • RACI/control ownership record.

Technical configuration

  • Endpoint/device-control configuration exports or screenshots.
  • MDM configuration profiles relevant to removable storage controls.
  • SIEM/logging configuration showing collection of removable media events.

Operational evidence

  • Sample logs of blocked/alerted removable media actions.
  • Exception tickets/approvals with documented compensating controls.
  • Portable device inventory and assignment records.
  • Evidence of periodic review of exceptions and inventory accuracy.

Testing

  • A lightweight test record: attempt to connect an approved org device to a managed endpoint and show the expected restriction behavior, plus log capture.

Common exam/audit questions and hangups

Expect these, and prepare a crisp answer plus evidence pointer:

  1. “Define ‘external system’ for your environment.”
    Hangup: vague definitions that exclude home PCs or third-party laptops.

  2. “How do you know staff aren’t doing this?”
    Hangup: policy-only implementations without device-control logs.

  3. “Show me the exceptions and approvals.”
    Hangup: tribal knowledge exceptions with no ticket trail.

  4. “Are portable storage devices actually organization-controlled?”
    Hangup: no inventory, no assignment record, no ability to identify “company USB” versus personal.

  5. “How does this apply to admins and IT staff?”
    Hangup: privileged teams bypass controls “for troubleshooting.” Auditors often probe here first.

Frequent implementation mistakes and how to avoid them

  • Mistake: Writing “no USB on external systems” but not defining “external”
    Why it fails: Everyone interprets it differently
    Better approach: Enumerate examples and tie them to boundary/MDM enrollment criteria

  • Mistake: Relying only on annual training
    Why it fails: Doesn’t stop real-time behavior
    Better approach: Combine blocking/alerting with just-in-time guidance and an exception path

  • Mistake: Allowing broad exceptions (“any partner system”)
    Why it fails: Converts the prohibition into paperwork
    Better approach: Require a named external system, purpose, duration, and compensating controls

  • Mistake: No inventory of issued media
    Why it fails: “Organization-controlled” becomes unprovable
    Better approach: Track issuance and returns; restrict procurement to approved models

  • Mistake: Blocking removable media everywhere without alternatives
    Why it fails: Users route around controls
    Better approach: Provide approved transfer mechanisms (secure share, managed transfer station)

Enforcement context and risk implications

No public enforcement cases were provided in the source catalog for this specific control enhancement, so treat enforcement expectations for AC-20(5) as assessment-driven rather than case-driven.

Risk outcomes AC-20(5) is meant to reduce:

  • Data exfiltration and leakage when portable media is used on untrusted systems.
  • Malware introduction from external systems onto your network via removable media.
  • Loss of evidentiary integrity for sensitive files moved through uncontrolled endpoints.
  • Audit failures due to inability to prove the control operates, especially where “missing implementation evidence” is the known risk factor. [1]

A practical 30/60/90-day execution plan

First 30 days (stabilize and define)

  • Publish definitions for portable storage, organization-controlled, and external systems in a single standard.
  • Assign control owner and technical owner; document the escalation path for exceptions.
  • Inventory existing issued portable storage devices and stop ad hoc procurement.
  • Implement basic logging for removable media events on managed endpoints.

Days 31–60 (enforce and evidence)

  • Roll out device-control policies to block or restrict portable media use in managed environments.
  • Stand up an exception workflow with required fields (system, purpose, duration, compensating controls, approver).
  • Create an “audit packet” folder with policy, configurations, and sample logs.

Days 61–90 (operationalize and test)

  • Run an internal control test and document results plus remediation.
  • Review exceptions for scope creep; tighten criteria where needed.
  • Add targeted training for high-risk teams (IT, engineering, field ops, third-party coordinators).
  • In Daydream, map AC-20(5) to the owner, procedure, and recurring evidence artifacts so the control stays assessment-ready. [1]

Frequently Asked Questions

Does AC-20(5) mean “ban all USB drives”?

No. It bans the use of organization-controlled portable storage devices on external systems. You can still allow portable media on managed, in-scope systems if your broader removable media controls permit it. [1]

What counts as an “external system” for a remote employee?

Any system outside your administrative control boundary. In many programs, that includes a home PC that is not enrolled in your endpoint management and does not meet your baseline.

If we encrypt company USB drives, can users plug them into partner laptops?

Encryption reduces data-at-rest risk but does not satisfy the prohibition by itself. AC-20(5) is a “prohibit use” requirement for external systems, so treat partner laptops as external unless you formally bring them under your management boundary. [1]

How do we handle industrial equipment or lab systems that need file transfer by USB?

Use a documented exception with compensating controls, such as a dedicated transfer station, malware scanning before re-entry, and strict tracking of which media touched which system. Keep the approval record and the operational logs.

Are personally owned USB drives in scope?

AC-20(5) is specifically about organization-controlled portable storage devices. You should still address personally owned removable media under your broader removable media policy, but keep the AC-20(5) evidence focused on org-controlled devices and external systems. [1]

What evidence is most persuasive to an assessor?

A clear prohibition statement, device-control configuration showing enforcement, and logs or alerts demonstrating the control operates. Pair that with a tight exception register and inventory records for issued media. [1]

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
