CMMC Practice MP.1.118: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
CMMC CLARIFICATION (Ref CMMC – Appendix B)
In this case, “media” can mean something as simple as paper, or storage devices like diskettes, disks, tapes, microfiche, thumb drives, CDs and DVDs, and even mobile phones. It is important to see what information is on these types of media. If there is Federal contract information (FCI)—information you or your company got doing work for the Federal government that is not shared publicly)—you or someone in your company should do one of two things before throwing the media away:
- clean or purge the information, if you want to reuse the device; or
- shred or destroy the device so it cannot be read.
See NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization for more information.