Navigate

SC-41

SC-41: Port and I/O Device Access

[one of "physically"/"logically"] disable or remove [connection ports or input/output devices to be disabled or removed are defined;] on the following systems or system components: [systems or system components with connection ports or input/output devices to be disabled or removed are defined;].

Supplemental

Connection ports include Universal Serial Bus (USB), Thunderbolt, and Firewire (IEEE 1394). Input/output (I/O) devices include compact disc and digital versatile disc drives. Disabling or removing such connection ports and I/O devices helps prevent the exfiltration of information from systems and the introduction of malicious code from those ports or devices. Physically disabling or removing ports and/or devices is the stronger action.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	low

Overlays
Classified, DAF Baseline, Int-A, Int-B, Int-C

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SC-41.

Control	Description
AC-20	a: [one or more of "establish {{ insert: param, ac-20_odp.02 }} "/"identify {{ insert: param, ac-20_odp.03 }} "] , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to: 1: Access the system from external systems; and 2: Process, store, or transmit organization-controlled information using external systems; or b: Prohibit the use of [types of external systems prohibited from use are defined;].
MP-7	a: [one of "restrict"/"prohibit"] the use of [types of system media to be restricted or prohibited from use on systems or system components are defined;] on [systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;] using [controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;] ; and b: Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

Control

Description

AC-20

a: [one or more of "establish {{ insert: param, ac-20_odp.02 }} "/"identify {{ insert: param, ac-20_odp.03 }} "] , consistent with the trust relationships established with other organizations owning, operating, and/or maintaining external systems, allowing authorized individuals to:
- 1: Access the system from external systems; and
- 2: Process, store, or transmit organization-controlled information using external systems; or

b: Prohibit the use of [types of external systems prohibited from use are defined;].

MP-7

a: [one of "restrict"/"prohibit"] the use of [types of system media to be restricted or prohibited from use on systems or system components are defined;] on [systems or system components on which the use of specific types of system media to be restricted or prohibited are defined;] using [controls to restrict or prohibit the use of specific types of system media on systems or system components are defined;] ; and

b: Prohibit the use of portable storage devices in organizational systems when such devices have no identifiable owner.

Enhancements

The controls below (if any) add on to the requirements of SC-41.

Control	Description
No controls

Related CCIs

The CCIs below are tied to SC-41.

CCI	Definition
CCI-002544	Defines the systems or system components on which organization-defined connection ports or input/output devices are to be physically or logically disabled or removed.
CCI-002545	Defines the connection ports or input/output devices that are to be physically or logically disabled or removed from organization-defined systems or system components.
CCI-002546	Physically or logically disable or remove organization-defined connection ports or input/output devices on organization-defined systems or system components.