CMMC and User Compliance

old.reddit.com / @/u/DrizzleD23, https://old.reddit.com/user/DrizzleD23

I have a generic CMMC question that has to do with user compliance. In terms of users following the rules of CMMC, would it be more incumbent on the policy in place by the company for the users to follow the rules, or is it required to have the controls put in place that prevent users from doing actions that would put the company out of CMMC compliance?

For example, suppose the policy is to not use USB thumb drives for storage. You have a company policy in place to not use thumb drives but know that users are doing this. Would CMMC require that you put something in place such as Intune to lock down the laptops so they do not recognize the USB thumb drives?

I guess my overall question is: Can you be CMMC L1 if you have all the controls in place, or do you also need to have your users in compliance? I know it's a dumb question, but I was wanting to see if anyone else is having issues getting the users on board with compliance, and how do you make sure they do that?

submitted by /u/DrizzleD23

published 24 days ago
