Walk through almost any machine shop and open the top drawer next to the Fanuc controller.
You’ll probably find one. Sometimes three. Unlabeled USB drives, worn edges, brand unknown. Nobody remembers who bought them. Nobody is completely sure what’s on them. They get handed to one operator, then the next, then plugged into a machine to run the job.
That’s your audit problem. It’s been sitting there for years.
Why CMMC Assessors Care About USB Drives
CMMC is not IT security for its own sake. It is about protecting Controlled Unclassified Information — the technical data inside your drawings, CAM programs, setup instructions, and G-code workflows.
Once that data starts moving around on USB drives, a few problems appear immediately:
You can’t prove who handled it. The drive itself does not provide a reliable audit trail, and most legacy controller workflows do not create the kind of attributable logging an assessor wants to see.
You can’t prove exactly what was on it at a given moment. Was that the approved revision of the program? Was it changed after it left engineering? Without a controlled transfer process, there is no trustworthy chain of custody.
You can’t prove how it moved. From CAM workstation to shop floor, who carried it, where it went, and what else it was plugged into are often unknown.
CMMC Level 2 expects organizations to control and protect removable media as part of a broader set of safeguards around CUI. An assessor is going to ask how USB-based transfers are managed, restricted, and documented.
“We tell people to be careful” is not a control.
What the Assessor Actually Checks
When a C3PAO walks into your shop for a CMMC Level 2 assessment, they are not evaluating products in isolation. They are mapping how CUI actually moves through your environment.
In a CNC workflow, that usually comes down to a few basic questions:
- What systems process, store, or transmit CUI?
- How is access to those systems controlled?
- What logging exists to show who did what, when, and where?
- What is your removable media policy, and how is it enforced?
If your CNC controllers are connected to your IT network — or regularly receive files via USB from systems that are — then those machines are part of the CUI data flow.
At that point, they are no longer “just machines.” They are assets that must be accounted for within your compliance boundary, with controls that can be demonstrated — not assumed.
For a shop with 12 machines, that is 12 separate CUI touchpoints:
- 12 systems to account for
- 12 access points to control
- 12 environments to explain during assessment
Encrypted USB drives do not reduce that surface.
They may protect data if a drive is lost or stolen, but they do not change how CUI moves, how systems are categorized, or what must be demonstrated to an assessor.
The Encrypted USB Drive Problem
A lot of shops hear “USB drives are a risk” and respond by buying encrypted thumb drives — IronKey, Kingston Vault, or whatever their IT vendor recommends.
That addresses one problem, but not the one that matters most.
Encryption protects data if the drive is lost or stolen. That is real. But it is only one narrow risk scenario. It does not address the controls CMMC actually cares about when evaluating how CUI is handled in day-to-day operations.
Encrypted drives still leave the same core questions unanswered:
- Auditability — There is still no reliable record of who accessed the data, when it was used, or on which machine.
- Traceability — You still cannot tie the movement of CUI to an authenticated user and a controlled transfer process.
- Integrity assurance — Encryption does not verify that the G-code file is the correct revision or that it remained unchanged throughout the workflow.
- Media control — The data is still moving through removable media with limited centralized oversight.
So yes, you may have improved confidentiality in a loss scenario.
But you have not improved your ability to demonstrate control over CUI.
Encrypted USB drives are a point solution applied to a workflow problem.
You’re still doing sneakernet — you’ve just made it harder to lose, not easier to control.
Eliminate USB From the Workflow
The real issue is not the thumb drive itself.
The real issue is the transfer model.
SMC replaces USB-based file transfer with a controlled workflow. Instead of moving G-code by removable media, files are sent from the CAM workstation to SMC over an encrypted, authenticated connection. From there, SMC delivers the file to the CNC environment without requiring machines to connect directly to the IT network or rely on USB drives.
Every transfer is logged — including file hash, timestamp, operator identity, and destination machine — creating a verifiable record of how data moves through the shop.
So when an assessor asks how CUI reaches the machine, the answer is clear:
It does not move by USB. It moves through a controlled, auditable transfer process.
That is not a workaround. It is a better architecture.
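To make the transfer record above concrete, here is an added example (illustrative code, not SMC's implementation, and not from the original article) of the kind of ledger the "Every transfer is logged" paragraph describes, which is also what the "auditability" and "integrity assurance" gaps listed under encrypted drives come down to. Each entry records the file's SHA-256, a UTC timestamp, the authenticated operator, the source workstation and the destination machine; entries are chained by hashing the previous record, so a later edit to the log is detectable; and the machine-side check compares the delivered bytes against the hash logged at submission. The hostnames, usernames, file name and G-code fragment are constructed sample values.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List

# Constructed sample program standing in for a real job file (not from the article).
SAMPLE_GCODE = b"O1001 (BRACKET REV C)\nG21 G90\nG0 X0 Y0\nM30\n"
GENESIS_HASH = "0" * 64  # previous-record hash used by the first ledger entry


def sha256_hex(data: bytes) -> str:
    """SHA-256 of raw bytes; this is the per-file fingerprint recorded at transfer time."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class TransferRecord:
    seq: int                 # 1-based position in the ledger
    timestamp: str           # ISO 8601, UTC
    operator: str            # authenticated user who initiated the transfer
    source: str              # originating system, e.g. CAM workstation hostname
    destination: str         # destination machine identifier
    filename: str
    file_sha256: str         # hash of the file content as submitted
    prev_record_sha256: str  # hash of the previous record; chains the log


def record_digest(rec: TransferRecord) -> str:
    """Canonical hash of a record, used to chain the next entry to it."""
    return sha256_hex(json.dumps(asdict(rec), sort_keys=True).encode())


class TransferLedger:
    """Append-only log of controlled transfers. Each entry carries the hash of the
    entry before it, so editing or deleting an earlier entry breaks the chain."""

    def __init__(self) -> None:
        self.records: List[TransferRecord] = []

    def record_transfer(self, operator: str, source: str, destination: str,
                        filename: str, content: bytes) -> TransferRecord:
        """Log a transfer at submission time and return the new record."""
        prev = record_digest(self.records[-1]) if self.records else GENESIS_HASH
        rec = TransferRecord(
            seq=len(self.records) + 1,
            timestamp=datetime.now(timezone.utc).isoformat(),
            operator=operator,
            source=source,
            destination=destination,
            filename=filename,
            file_sha256=sha256_hex(content),
            prev_record_sha256=prev,
        )
        self.records.append(rec)
        return rec

    def verify_delivery(self, seq: int, delivered: bytes) -> bool:
        """True only if the bytes that reached the machine match the hash logged at submission."""
        if not 1 <= seq <= len(self.records):
            return False
        return sha256_hex(delivered) == self.records[seq - 1].file_sha256

    def verify_chain(self) -> bool:
        """Walk the ledger from the start and confirm every link is intact."""
        expected_prev = GENESIS_HASH
        for rec in self.records:
            if rec.prev_record_sha256 != expected_prev:
                return False
            expected_prev = record_digest(rec)
        return True

    def transfers_to(self, destination: str) -> List[TransferRecord]:
        """Everything ever sent to one machine: the answer to 'what went to that mill?'"""
        return [r for r in self.records if r.destination == destination]


if __name__ == "__main__":
    ledger = TransferLedger()
    rec = ledger.record_transfer("jsmith", "cam-ws-01", "mill-03",
                                 "bracket_revC.nc", SAMPLE_GCODE)
    print("logged:", rec.seq, rec.operator, rec.destination, rec.file_sha256[:16] + "...")
    print("delivery intact:", ledger.verify_delivery(rec.seq, SAMPLE_GCODE))
    # An edited copy (G21 -> G20, metric to inch) no longer matches the logged hash.
    print("edited copy accepted:", ledger.verify_delivery(rec.seq, SAMPLE_GCODE.replace(b"G21", b"G20")))
    print("ledger chain intact:", ledger.verify_chain())
```

The point for an assessment is the shape of the record, not the specific code: every entry ties a file hash to an authenticated identity, a time and a destination, and the chained digests mean the log itself can be checked rather than trusted. A real deployment would persist the ledger somewhere the shop-floor operator cannot edit and would take the operator identity from an authenticated session rather than a string argument.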
The Drawer Test
Next time you walk the floor, open that top drawer.
If there is a USB drive in it, ask yourself what happens when an assessor asks you to account for the files that moved through it, the machines it was plugged into, and the people who handled it.
If you cannot answer those questions clearly — and most shops cannot — that drawer is not just clutter.
It is compliance risk.
The fix is not a better thumb drive.
It is a workflow that does not need one.
If you want to see how SMC changes the transfer model in a shop like yours, see how it works at /smc/ or download the Scope Reduction Guide at /cnc-scope-reduction/.