What is the Cuick Trac Managed Enclave?

The Cuick Trac Managed Enclave (CTME), at its core, is a Cloud Service Offering (CSO) that achieved FedRAMP Moderate Equivalency from a FedRAMP-recognized 3PAO. The Cuick Trac Managed Enclave is pre-configured and fully managed, and satisfies the technical requirements of NIST SP 800-171 Rev 2. Because Cuick Trac is a virtual enclave with defined technical boundaries, it allows for control of CUI data flows, as CUI never touches the OSC's (organization seeking certification) network or device. Cuick Trac's technology and compliance advisory support guides you towards compliance with DFARS 252.205-7012, NIST 800-171, and the CMMC 2.0 requirements. Cuick Trac was purpose built for businesses who lack the bandwidth and resources to implement and manage the required technical and security controls, required by the Federal Government for protecting CUI. The Defense Industrial Base (DIB) needs solutions that are affordable, practical and secure by default, that can also be implemented in a shorter amount of time.

How does the Cuick Trac Managed Enclave help me?

The purpose of Cuick Trac is to help businesses who currently work with, or want to do work with, the Department of Defense (DoD) and federal government to protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), per the requirements in their contracts. Cuick Trac takes responsibility for 78% of the assessment objectives within NIST 800-171A/CMMC Level 2 assessment guides, and our team of compliance advisors guide our customers through the remaining 22%. This significantly decreases your Plan of Action and Milestones (POA&M) and internal responsibility burden for our customers.

Does Cuick Trac replace my MSP provider or internal IT team?

No. With CTME, our goal is to always work with as much of your current business processes that are already in place, including your current MSP or internal IT team. Disruption to your business is detrimental, thus a collaborative approach will be key in regard to how CUI data is collected, stored and accessed. As a FedRAMP Moderate Equivalent Cloud Service Offering (CSO) from a Cloud Service Provider (CSP), your MSP or internal IT team can leverage the CTME for your CUI program, lower the burden internally.

Is Cuick Trac another tool or software application?

No, Cuick Trac is not a software. Cuick Trac is a Cloud Service Offering (CSO) that is a fully managed virtual enclave/controlled environment on U.S. soil, managed only by U.S. persons. CTME has everything you need from a technology standpoint, to meet the requirements such as a SIEM, encryption at rest, encryption in transit (email and file transfer), patch management, secure back-ups, MFA and more. Unlike a single application or tool that does one or two of those requirements, Cuick Trac meets ALL technical controls for NIST 800-171 and CMMC Level 2.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces 'sensitive but unclassified' and other similar control markings. To learn more, download our ebook or see examples of CUI.

What is DFARS, NIST 800-171 and CMMC?

The DFARS 252.204-7012 clause says that if you handle Controlled Unclassified Information, you should have implemented NIST SP 800-171 no later than Dec 31, 2017. Since this deadline has passed and many defense organizations don't meet this current requirement, the DoD developed CMMC. Organizations within the DoD supply chain need a risk-based approach to become compliant, and more importantly, secure their environments where CUI is processed, stored and transmitted. NIST SP 800-171 is the National Institute of Standards & Technology (NIST) special publication providing 110 recommended security controls for protecting the confidentiality of CUI (Controlled Unclassified Information – a subset of CDI). The Cybersecurity Maturity Model Certification (CMMC) is the standard the Department of Defense (DoD) is using to verify the members of the Defense Industrial Base (DIB) fully meet their cybersecurity requirements, prior to contract awards.

What is an SPRS score, and how do I get one?

In September, 2020, the DoD released a new interim rule, approved by the Office of Management and Budget (OMB), that requires all contractors subject to DFARS 252.204-7012 within the DoD supply chain, to have an accurate assessment on record, prior to award. The interim rule becomes a bridge between the self-assessment process of DFARS 252.204-7012/NIST 800-171 and the CMMC certification process. The Supplier Performance Risk System (SPRS) is the official DoD system for recording these assessments. Your SPRS score is a numerical representation of your compliance status with NIST 800-171. The maximum score is 110, and a lower score indicates more controls are not yet implemented. You get one by completing a self-assessment and submitting it to the SPRS website.

Do I need a System Security Plan (SSP) and Plan of Actions and Milestones (POA&M) Before Utilizing Cuick Trac?

No. While you will need an SSP and POA&M for your CMMC Level 2 assessment, you do not need to have them completed before utilizing Cuick Trac. In fact, many of our customers utilize our compliance advisory services to help them complete their SSP and POA&M after they have deployed the Cuick Trac Managed Enclave. The CTME provides the technical controls and documentation that form the foundation of your SSP and significantly reduces the items on your POA&M.

What happens if I'm not compliant with DFARS/NIST 800-171?

If you are not compliant with DFARS 252.204-7012, you are in breach of contract with the DoD. This can lead to a variety of negative consequences, including the inability to bid on new contracts, loss of current contracts, and potential legal action. The CMMC framework is designed to ensure that all DIB companies are compliant, and non-compliance will eventually result in the inability to work with the DoD.

Who mandates these requirements?

The requirements are mandated by the Department of Defense (DoD) through the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which references NIST SP 800-171. The Cybersecurity Maturity Model Certification (CMMC) is the DoD's verification mechanism for ensuring compliance with these requirements.

We don't have a SIEM or any way to monitor events/incidents/breaches, does Cuick Trac do that?

Yes. Cuick Trac is a comprehensive solution that includes a Security Information and Event Management (SIEM) system as part of the managed enclave. The CTME includes everything you need from a technology standpoint to meet the requirements, including monitoring for events, incidents, and breaches, which is a critical control for NIST 800-171 and CMMC Level 2.

AC.L2-3.1.20[a]: Detect and Identify Ownerless Portable Storage Devices

June 2, 2025

Detecting and Identifying Ownerless Portable Storage Devices

AC.L2-3.1.20[a] requires organizations to maintain visibility and accountability for portable storage devices that connect to in-scope systems. The assessment objective is straightforward: you must be able to detect removable storage when it is connected, determine who owns or is responsible for the device, and identify any device connected without authorization or known ownership. This applies to organizational devices and personal devices if they are allowed to connect to your environment. The intent is to prevent uncontrolled media from becoming an unmonitored pathway to introduce malware or remove Controlled Unclassified Information (CUI) without detection.

From an assessment perspective, this objective is validated through observable controls and artifacts. A written statement that “unknown USB drives are not allowed” is not sufficient on its own. You must be able to demonstrate how the environment detects portable media events, how ownership is established, and what happens when a device cannot be attributed to an authorized user or department.

Why Ownerless Portable Media Creates Risk in CUI Environments

Portable storage devices (such as USB drives, external SSDs, and memory cards) create risk because they can operate outside normal security controls if they are not managed. An ownerless or unrecognized device can be used to exfiltrate CUI, may contain malware or spyware, and can bypass administrative safeguards when endpoints automatically mount and trust removable media. If you cannot confidently identify the device owner, you cannot validate whether it was approved, whether it is handled according to policy, or whether it is being used for legitimate business purposes.

This objective supports consistent implementation across systems that handle CUI by ensuring that portable storage is either controlled through technical enforcement or reliably detected and investigated. For broader context on CUI compliance requirements, this objective should align with how your organization authorizes devices, manages audit records, and enforces restrictions on removable media in the CUI boundary.

What Assessors Look For During Validation

Assessors typically evaluate this objective by confirming that the organization can answer three questions with evidence: (1) Can you detect when portable storage connects to an endpoint or system? (2) Can you identify who owns or is responsible for the device? (3) Can you identify and respond to any device that is not authorized or has unknown ownership? A control implementation should produce objective artifacts such as connection logs, device identifiers (for example, serial numbers), and records showing how each approved device is assigned.

Assessors may also check whether the process is repeatable and applies consistently. If portable storage is blocked entirely in high-sensitivity zones, they may validate the enforcement configuration and confirm that the control is not limited to one endpoint group. If portable storage is permitted, they may validate that devices are registered, labeled, and traceable to an owner, and that connection events are logged in a way that supports investigation and accountability.

Implementation Options That Meet the Objective

Use device control or endpoint tooling to detect removable media

Implement a technical control capable of detecting removable storage insertion events and capturing relevant details (device type, serial number when available, host name, user context, timestamp). Common approaches include endpoint detection and response (EDR) capabilities, endpoint management tools, or dedicated USB device control solutions. The key requirement is that the system can consistently record portable media connection events for in-scope systems.

Require registration and maintain an inventory tied to ownership

Maintain a portable media inventory that records ownership and authorization status for each approved device. The inventory should include at minimum the device type, a unique identifier (serial number or another stable ID), the assigned user or department, and the authorization status. If your organization uses labels, tagging, or asset management identifiers, ensure that those identifiers map clearly to inventory records. This inventory is central to proving that devices are not “ownerless” when they appear in logs.

Define a handling process for unknown or unrecognized devices

Document what personnel must do when an unrecognized device is found or detected. This should include steps for isolating the device, preventing use until validated, and reporting to the appropriate security or IT function. Where feasible, implement technical settings that block unknown devices by default and require explicit approval to allow use. This supports the assessor’s expectation that ownerless devices are not silently accepted in the environment.

Train users on the risks of connecting unknown media

Train staff on why unknown portable media is prohibited or restricted and what actions to take if a device is encountered. Training should address common scenarios such as found USB drives, third-party devices, and personal storage used for convenience. Training is not a replacement for technical enforcement, but it strengthens adherence and reduces accidental violations. For organizations aligning to NIST 800-171 compliance, training and procedures should be consistent with the documented access control and media handling requirements.

Evidence to Maintain for Assessment

Evidence should demonstrate both detection capability and ownership accountability. Maintain artifacts that show device events are logged, approved devices are traceable to an owner, and unknown devices are addressed through defined actions.

Portable media inventory showing device identifiers and assigned ownership
Logs showing detected removable storage connections (including user/device context where available)
Screenshots or exports from device control, endpoint management, or monitoring tools
Policy and procedure language describing authorization, registration, and handling of unrecognized devices
Training materials and completion records addressing unknown portable storage handling

Common Gaps That Create Findings

No process to track or review portable storage connection events
Devices are used without labeling, ownership assignment, or documented approval
Found or third-party USB devices are used without validation, scanning, or registration
Logging exists but does not capture device identifiers or cannot be correlated to an owner
Controls are applied inconsistently across endpoints or locations in scope

Implementation and Evidence Mapping Table

Control expectation	Implementation action	Primary artifact	Assessor-ready evidence
Detect portable storage connections	Enable endpoint or USB control detection for removable media events	Endpoint/USB control configuration	Log samples showing insertion events with host/user context
Identify device ownership	Maintain an inventory mapping devices to an assigned owner or department	Portable media inventory	Export showing serial/ID, owner, authorization status
Distinguish authorized vs. unauthorized devices	Require registration and define authorization status for each device	Registration/approval process record	Approval tickets or records tied to inventory entries
Handle unknown or ownerless devices	Define steps to isolate, report, and prevent use until validated	Procedure for unrecognized devices	Incident/ticket examples or documented response workflow
Reduce user-driven risk	Train personnel on found USB devices and prohibited behaviors	Training content	Training completion records and policy acknowledgment

FAQ

What does AC.L2-3.1.20[a] require?

It requires you to detect portable storage devices connected to your systems and identify whether each device has known ownership and authorization.

Why are ownerless portable storage devices a concern?

They can be used to introduce malware or remove CUI without accountability because the device is not tied to an approved owner or controlled process.

What evidence supports assessment of this objective?

Assessors commonly review portable media inventories with ownership assignments, logs of device connection events, and procedures for handling unrecognized devices.

Identity Access Management for Secure Compliance Solutions

March 24, 2026

AC.L2-3.1.22[c]: Verify System Use Messages Are Displayed Before Login

June 2, 2025

AC.L2-3.1.20[a]: Detect and Identify Ownerless Portable Storage Devices

Detecting and Identifying Ownerless Portable Storage Devices

Why Ownerless Portable Media Creates Risk in CUI Environments

What Assessors Look For During Validation

Implementation Options That Meet the Objective

Use device control or endpoint tooling to detect removable media

Require registration and maintain an inventory tied to ownership

Define a handling process for unknown or unrecognized devices

Train users on the risks of connecting unknown media

Evidence to Maintain for Assessment

Common Gaps That Create Findings

Implementation and Evidence Mapping Table

FAQ

What does AC.L2-3.1.20[a] require?

Why are ownerless portable storage devices a concern?

What evidence supports assessment of this objective?

Identity Access Management for Secure Compliance Solutions

AC.L2-3.1.22[c]: Verify System Use Messages Are Displayed Before Login

Get a 30-Minute Demo From a Cuick Trac Product Expert

Stay Updated. Stay Secure.

Quick Links

Guides

Resources

Socials

AC.L2-3.1.20[a]: Detect and Identify Ownerless Portable Storage Devices

Detecting and Identifying Ownerless Portable Storage Devices

Why Ownerless Portable Media Creates Risk in CUI Environments

What Assessors Look For During Validation

Implementation Options That Meet the Objective

Use device control or endpoint tooling to detect removable media

Require registration and maintain an inventory tied to ownership

Define a handling process for unknown or unrecognized devices

Train users on the risks of connecting unknown media

Evidence to Maintain for Assessment

Common Gaps That Create Findings

Implementation and Evidence Mapping Table

FAQ

What does AC.L2-3.1.20[a] require?

Why are ownerless portable storage devices a concern?

What evidence supports assessment of this objective?

Identity Access Management for Secure Compliance Solutions

AC.L2-3.1.22[c]: Verify System Use Messages Are Displayed Before Login

Stay Updated. Stay Secure.

🍪 We Use Cookies