My recommendation is to use Bitlocker with the FIPS mode set ON to encrypt those compactflash cards, unless the cards will be used in a device (say, a camera) that cannot handle the decryption.

If you've got a situation like a camera which cannot handle an encrypted drive, you have at least these options:

1. Use a camera that can connect directly to a computer, and capture the image directly to the computer's encrypted drive. Lots of pro-level cameras will do this, and you could use a webcam as an alternative.
2. Use a camera that can accommodate a USB drive (like https://www.youtube.com/watch?v=v7sRgw0-ofY) instead of a CompactFlash drive, and use a USB FIPS 140-2 compliant hardware storage device (like the Apricorn ones) to store the data.

Removable media can be scanned. Typically, files on removable media are scanned upon opening, as the assumption is that the media is slow and scanning the entire drive would be disruptive.

There are bitlocker controls you can enforce through group policy re bitlocker. I think it comes down to imagining what you are trying to protect from ...

https://docs.microsoft.com/en-us/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings

My best recommendation would be to go with an enterprise-managed removable drive encryption through a solution like IronKey enterprise. The drives cannot be used unless they are encrypted, and you have full control over how they are used / where they are used / passcode strength / MFA / etc. This is a great way to ensure you're meeting all your compliance requirements.