Government Cybersecurity and Removable Media Controls
Government and defence networks are among the most targeted in the world. State-sponsored threat actors, intelligence services, and financially motivated cybercrime groups all actively probe public sector systems for weaknesses.
Firewalls, network monitoring, and access controls have become increasingly robust. But one attack vector remains stubbornly difficult to close through software alone: removable media.
USB drives, portable hard disks, and other removable devices create a physical bridge into networks that no perimeter tool can block. In environments where classified information is processed, operational continuity is critical, and contractors regularly need access, removable media requires a deliberate, hardware-enforced response.
Why removable media is a particular challenge for government networks
Government networks operate under constraints that make the removable media problem harder to manage than in a standard enterprise environment.
Air-gapped systems still need data to move
Many government and defence systems are intentionally isolated from the internet. That isolation is a core security control. But isolated systems still need updates, maintenance data, engineering files, and operational reports.
Removable media is frequently the only practical transfer method. That makes every USB device entering the environment a potential attack vector. For a detailed look at how organisations manage security in these settings, our guide to air-gapped network security and risks covers the wider picture.
Contractors and third parties bring devices in regularly
Government facilities receive a constant flow of contractors, system integrators, maintenance engineers, and visiting staff. Each may arrive with devices that have been used across multiple other sites and organisations.
Without a controlled process for checking those devices, every contractor visit is a potential infection event.
Legacy systems cannot run modern security software
Parts of government and defence infrastructure run on legacy operating systems and specialist platforms that cannot support modern endpoint security software. Patching is often restricted or delayed due to operational requirements.
Software-based antivirus is frequently not an option on the systems that matter most.
What UK government and defence organisations are required to implement
Several frameworks and standards set specific expectations around removable media in government and defence contexts.
NCSC guidance on removable media
The National Cyber Security Centre (NCSC) publishes detailed guidance on removable media controls as part of its security architecture advice. The guidance recommends that organisations implement controls to prevent the introduction of malicious content via removable devices, including scanning media before use on protected systems.
Cyber Essentials and Cyber Essentials Plus
Cyber Essentials is the UK government-backed certification scheme that sets a baseline for cybersecurity controls. Since 2014, Cyber Essentials certification has been mandatory for organisations bidding for government contracts involving the handling of personal data or sensitive information.
Cyber Essentials Plus, the independently verified higher tier, requires technical verification of controls including removable media handling. Organisations supplying into government supply chains are increasingly expected to hold Cyber Essentials Plus rather than the self-assessed standard.
GovS007 and the Government Security Standard
GovS007, the UK Government Security Standard for asset management, sets requirements for how government departments manage and control assets including removable media. It establishes a framework for registering, tracking, and controlling the use of portable storage devices across government systems.
JSP 440 for defence environments
JSP 440 is the Ministry of Defence’s Defensive Security standard. It sets requirements for information security across MOD systems and the defence supply chain. For organisations working with classified MOD information, JSP 440 establishes specific controls around the introduction of removable media to protected networks, including requirements for scanning and authorisation before use.
| Framework | Who it applies to | Removable media requirement |
| Cyber Essentials | All government suppliers handling personal or sensitive data | Baseline controls on removable media use |
| Cyber Essentials Plus | Suppliers to higher-risk government contracts | Verified technical controls including removable media handling |
| GovS007 | UK central government departments | Asset management and control of removable media |
| JSP 440 | MOD and defence supply chain | Scanning and authorisation requirements for removable media on classified systems |
| NCSC Guidance | All public sector organisations | Technical recommendations for removable media scanning controls |
The contractor access problem
One of the most consistent challenges in government and defence environments is managing the removable media that contractors bring in.
A maintenance engineer servicing a secure facility may carry diagnostic software on a USB drive. A system integrator updating classified infrastructure arrives with devices used across multiple other sites. A visiting official carries files on portable storage for a briefing.
Each of these is a legitimate, operationally necessary activity. Each is also an uncontrolled entry point unless a formal scanning process is in place.
Software-based controls cannot reliably address this. A contractor’s device may carry threats that evade standard antivirus, firmware-level attacks that bypass file-based scanning entirely, or zero-day malware that no signature database yet recognises.
The only control that addresses all of these scenarios is one that scans the device in an isolated environment before it reaches any protected system, regardless of what the threat looks like.
Hardware-based scanning in government and defence environments
A hardware USB scanning station creates a mandatory checkpoint between external devices and protected networks. The device is scanned in a completely isolated environment. The protected system is never exposed during the process. Results are logged, creating an audit trail that supports compliance with Cyber Essentials Plus, GovS007, and JSP 440 requirements.
For classified network environments, this is the established model. In UK defence circles, dedicated scanning stations are commonly referred to as sheep dip stations, a term that reflects their role as a quarantine and clearance point for removable media before it enters a protected environment.
The process is straightforward enough for non-technical staff to operate reliably, which matters in environments where security controls need to function without specialist IT support on-site.
Tyrex K-REX stations are deployed across government and defence environments in the UK and Europe. They apply five antivirus engines and two anti-malware engines simultaneously in an isolated hardware environment, operate fully offline, and produce a scan log for audit and compliance purposes.
The K-REX Satellite installs in confined spaces including secure comms rooms and access control points. The K-REX Mobile supports contractor management workflows where scanning needs to be portable and deployable across multiple locations.
For an overview of how Tyrex supports government cybersecurity requirements, visit the dedicated page.
Building a removable media policy for government organisations
Technical controls are only effective if they sit within a defined policy framework. For government and defence organisations, a removable media policy should address the following areas.
| Policy area | What it should cover |
| Approved devices | A register of authorised removable media and the conditions under which they may be used |
| Scanning requirements | Mandatory scanning of all external devices before connection to any protected system |
| Contractor procedures | A defined process for managing devices brought in by third parties and visitors |
| Incident reporting | Clear steps for reporting suspected removable media security incidents |
| Audit and logging | Records of all scanning events, devices checked, and threats detected |
| Training and awareness | Staff understanding of removable media risks and their responsibilities |
For a broader introduction to removable media security and what an effective policy looks like across different environments, that post covers the fundamentals in detail.
The bottom line
Government and defence networks operate at a level of risk that demands rigorous control of every entry point. Removable media remains one of the most practically significant of those entry points and one of the hardest to address through software alone.
The combination of compliance requirements, contractor access, legacy infrastructure, and air-gapped networks makes hardware-based scanning the appropriate response in these environments. For organisations operating under JSP 440, Cyber Essentials Plus, or GovS007, it is increasingly a baseline expectation rather than an optional control.
Find out how Tyrex supports government and defence organisations with hardware-enforced USB security.
