We have restrictions on who can use USB through Intune and require them to request access and the company provide an encrypted drive. That is all for drives that we intend to store CUI.

What about users who need to use USB for data transfer to a non workstation from a CUI compliant workstation? None of the data on this drive would be CUI, but we also have no way I know of to restrict that from happening. It also can't be encrypted because the non workstation can't use BitLocker. So that would mean we have a company owned usb drive assigned to a single user that is not encrypted and does not store CUI, but does connect to a CUI machine.

Would it be compliant to just have them sign a normal USB device agreement and add that they agree not to store CUI in it? I couldn't imagine that we need to require encryption on that device, would we?