AC.L2-3.1.20[e]: Enforce Ownership Validation in System Configurations for Portable Devices

Mapped to NIST 800-171 Requirement: 3.1.20
CMMC Assessment Objective: AC.L2-3.1.20[e]

What This Objective Means
This assessment objective focuses on how systems technically support the identification of portable storage device ownership—either by blocking unregistered devices, logging usage, or integrating with device control tools.
You must show that your system configurations:
• Support a method of device approval tied to an owner
• Track or verify ownership before use
• Align with your documented policies and procedures

Why It Matters
If system configurations allow devices to connect without verifying ownership:
• You can’t determine who is responsible for what data
• You may authorize devices without oversight
• Policy and procedure enforcement becomes manual and error-prone
Technology should support—not undermine—your security policies.

How to Implement It
• Use endpoint protection platforms or USB control software to:
◦ Whitelist devices based on user assignment, serial number, or other identifiers
◦ Associate approved devices with a user or department in logs or dashboards
◦ Block or quarantine devices that lack an ownership record
• Configure audit logs to capture:
◦ Device ID
◦ Connected user
◦ Timestamp and system name
• Maintain a central system that aligns device tracking with owner records
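The checks listed above, as an added Python example (not Cuick Trac's or any device-control vendor's code): it reads a constructed audit-log export, joins each record to a constructed ownership registry, and flags unowned devices and incomplete log records. The CSV field names, the registry layout and the decision labels are assumptions.

```python
import csv
import io

# Constructed ownership registry: device serial -> responsible owner or department.
REGISTRY = {
    "SN-4C53-0001": {"owner": "jdoe", "department": "Engineering"},
    "SN-4C53-0002": {"owner": None, "department": "Finance"},
    "SN-4C53-0003": {"owner": None, "department": None},  # approved, never assigned
}

# Constructed audit-log export; the column names are assumptions.
SAMPLE_LOG = """timestamp,system,device_id,user
2024-05-01T09:12:44Z,WS-ENG-07,SN-4C53-0001,jdoe
2024-05-01T09:30:10Z,WS-FIN-02,SN-4C53-0002,asmith
2024-05-01T10:02:51Z,WS-ENG-07,SN-9F00-7777,jdoe
2024-05-01T10:15:03Z,WS-HR-01,SN-4C53-0001,
2024-05-01T11:40:27Z,WS-ENG-03,SN-4C53-0003,bnguyen
"""

# Fields the audit log must capture: device ID, connected user, timestamp, system name.
REQUIRED = ("timestamp", "system", "device_id", "user")


def evaluate(event, registry):
    """Return (decision, reason) for one device-connection record."""
    missing = [f for f in REQUIRED if not (event.get(f) or "").strip()]
    if missing:
        return "INCOMPLETE", "log record lacks " + ", ".join(missing)
    record = registry.get(event["device_id"])
    if record is None:
        return "BLOCK", "no ownership record for device"
    owner = record.get("owner") or record.get("department")
    if not owner:
        return "BLOCK", "device registered without an owner"
    return "ALLOW", "owned by " + owner


def review(log_text, registry):
    """Evaluate every record in a CSV export and return one result dict per record."""
    results = []
    for event in csv.DictReader(io.StringIO(log_text)):
        decision, reason = evaluate(event, registry)
        results.append({**event, "decision": decision, "reason": reason})
    return results


if __name__ == "__main__":
    for r in review(SAMPLE_LOG, REGISTRY):
        print(r["timestamp"], r["system"], r["device_id"], r["decision"], r["reason"])
```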

Evidence the Assessor Will Look For
• Screenshots or exports from device control tools showing:
◦ Assigned owners or asset tags for portable devices
◦ Approval workflows linked to device IDs
• Configuration settings that enforce device registration or user-level assignment
• Logs showing connection attempts by approved and unapproved devices
• Alignment between system behavior and documented policies/procedures (from AC.L2-3.1.20[d])

Common Gaps
• Devices are approved manually, but the system does not track ownership
• Device control software logs serial numbers but not user info
• Device IDs are logged, but there’s no process to connect them to a responsible owner

How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Limiting or blocking portable storage use unless devices are pre-approved and assigned
• Supporting integration with USB/device control tools that log and enforce ownership mapping
• Helping you document device policies that map directly to system-level behavior
• Offering advisory guidance on how to align system configuration with policy enforcement
With Cuick Trac, device use and ownership aren’t just tracked—they’re enforced and auditable.

System enforcement gives your portable storage policies real teeth.
Schedule a Cuick Trac demo and ensure your device control strategy includes ownership at every step.
