NIST 800-171 control mapping
For organisations preparing for CMMC or already operating under NIST 800-171, PermitUSB addresses a specific set of controls in the Media Protection, Configuration Management, and System and Information Integrity families.
This mapping is informational, not a CMMC certification statement. Use the auditor-ready language at the end of each section as a starting point for your SSP / POA&M.
3.1.21 — Limit use of portable storage devices on external systems
PermitUSB enforces this directly. Block-by-default whitelisting on USBSTOR class plus per-device serial allow-listing is exactly the control's intent: portable storage is used only on systems where the organisation has approved the device.
Auditor language: "USB mass storage is enforced via PermitUSB endpoint policy. Default disposition is block; only specific devices on the approved-serials allow list are permitted. Deviations are logged with severity warn and surfaced via the tamper event channel."
3.4.6 — Configure systems to provide only essential capabilities
The Kiosk template + class-based blocking enforces "only essential capabilities" at the USB layer. Endpoint groups let you express different "essential" sets per role.
Auditor language: "USB device classes are enabled only by a deliberate allow rule per endpoint group. The Kiosk endpoint group configuration permits the HID class only; all other classes are denied by default. The Engineering and Office groups carry additional explicit allow rules matched to each group's job function."
3.4.7 — Restrict, disable, or prevent the use of nonessential programs / functions
USB connectivity is one such function. The same enforcement covers this control.
3.8.7 — Control use of removable media
Direct mapping. Removable media is controlled via the policy engine; usage events are logged with full device fingerprints (VID, PID, serial, class).
3.8.8 — Prohibit use of portable storage devices when such devices have no identifiable owner
Per-device serial-based allow-listing identifies the owner. The dashboard surfaces a warning when a device reports a non-unique serial (a common cheap-thumb-drive pattern) so admins can recognise un-ownable devices.
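The evaluation path described under 3.1.21, 3.4.6, 3.8.7 and 3.8.8 (block by default, per-group class allow rules, a per-device approved-serials list for mass storage, and a warning for devices with no unique serial), written out as an added illustrative model. This is not PermitUSB's own code; the group names, serial values, class codes and the shape of the decision record are constructed assumptions, while the block-by-default disposition and the "warn" severity for deviations follow the text above.

```python
# Illustrative model (not PermitUSB's code) of block-by-default USB policy
# evaluation. Class codes are the standard USB base class values:
# 0x03 = HID, 0x07 = printer, 0x08 = mass storage.
from dataclasses import dataclass
from typing import Optional

HID, PRINTER, MASS_STORAGE = 0x03, 0x07, 0x08


@dataclass(frozen=True)
class Device:
    vid: int
    pid: int
    serial: Optional[str]
    device_class: int


# Per-group class allow rules; any class not listed is denied by default,
# and an unknown group gets an empty set (fail closed). Group names are assumed.
GROUP_ALLOWED_CLASSES = {
    "kiosk": {HID},
    "office": {HID, PRINTER},
    "engineering": {HID, MASS_STORAGE},
}

# Approved mass-storage devices keyed by (vid, pid, serial). Constructed values.
APPROVED_SERIALS = {(0x0781, 0x5583, "4C530001230417110431")}

# Serials shared by many cheap drives; such a device has no identifiable owner.
GENERIC_SERIALS = {"0000000000000000", "1234567890"}


def _record(device: Device, group: str, disposition: str, severity: str, reason: str) -> dict:
    """Build a log record carrying the full device fingerprint and the decision."""
    serial = device.serial or "<none>"
    return {
        "fingerprint": f"{device.vid:04x}:{device.pid:04x}:{serial}:class{device.device_class:02x}",
        "group": group, "disposition": disposition, "severity": severity, "reason": reason,
    }


def evaluate(device: Device, group: str) -> dict:
    """Decide allow/block for one attach event; every deviation is a 'warn' record."""
    if device.device_class not in GROUP_ALLOWED_CLASSES.get(group, set()):
        return _record(device, group, "block", "warn", "class not allowed for group")
    if device.device_class == MASS_STORAGE:
        if not device.serial or device.serial in GENERIC_SERIALS:
            return _record(device, group, "block", "warn", "non-unique serial: no identifiable owner")
        if (device.vid, device.pid, device.serial) not in APPROVED_SERIALS:
            return _record(device, group, "block", "warn", "serial not on approved list")
    return _record(device, group, "allow", "info", "matched allow rule")
```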
3.13.13 — Control / monitor use of mobile code
Indirect: by controlling which USB mass storage devices can attach, PermitUSB constrains a common mobile-code delivery vector. Pair it with endpoint AV / EDR for the executable side of this control.
3.13.14 — Control / monitor use of Voice over Internet Protocol
Not addressed by PermitUSB.
3.14.1 — Identify, report, and correct system flaws in a timely manner
Tamper events and the audit log give you the "report" half. The watchdog provides the "correct" half for in-band tampering. Patch / vulnerability management remains your responsibility.
What's not covered
PermitUSB is a USB device control product. It does not address: file-content DLP, BitLocker enforcement, network device control, Bluetooth, AC&V controls, IR plans, or most of the access-control / awareness-training families. Pair it with the rest of your compliance stack.