AC.L2-3.1.20[b] – Examine access control policies and procedures to determine if the use of portable storage devices with no identifiable owner is prohibited.

This objective ensures that your access control policies and procedures clearly prohibit the use of any portable storage device that lacks ownership or cannot be attributed to an approved user, particularly in systems handling Controlled Unclassified Information (CUI).