CMMC Practice MP.L1-3.8.3 – Media Disposal: Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Links to Publicly Available Resources
- BCWipe is a data sanitization toolset.
- This is Carnegie Mellon University Information Security Office's list of data sanitization tools that are acceptable for data per ISO guidelines.
- This document provides self-assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 1.
- Disk Wipe is a free, portable Windows application for permanent volume data destruction.
- This is an article from Fossbytes that provides a list of the six best hard drive eraser tools.
- This is an article from Iron Mountain on data wiping and secure sanitization of virtual and physical IT assets.
- These are the guidelines by the IRS for media sanitization.
- This is a blog from Lifewire that reviews the 40 best free data destruction software programs.
- This is Michigan Technological University's media destruction procedure, provided as an example of a media destruction procedure.
- This is a blog by MiniTool that covers the various data sanitization methods and explains the difference between wipe, erase, format and delete per the DoD 5220.22-M method.
- This article provides a list of 10 free hard drive wipe software programs for Windows 10/8/7/Vista/XP.
- This NIST Special Publication provides guidance for completing the media sanitization process.
- NSA's Center for Storage Device Sanitization Research (CSDSR) guides the sanitization of information system (IS) storage devices. Resources for a vendor of storage device sanitization, the NSA Evaluated Products Lists (EPLs), and contact information for the Center for Storage Device Sanitization Research are provided on this page.
- This article breaks down CMMC Section 3.8, which focuses on media protection for media that contains controlled unclassified information (CUI).
- This is an equipment disposal policy created by SANS that can be freely used.
- This is Stanford University's policy for data sanitization.
- This GSA IT Security MP Procedurals reference provides guidance for the MP security controls identified in NIST SP 800-53 and federal contractor media protection requirements.
- This is Western University's recommended practices for destroying data and/or data devices.
Discussion [NIST SP 800-171 R2]
This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization.
Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing FCI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for federal contract information. NIST SP 800-88 provides guidance on media sanitization.
Further Discussion
“Media” refers to a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important to know what information is on media so that you can handle it properly. If there is FCI, you or someone in your company should either:
- shred or destroy the device before disposal so it cannot be read; or
- clean or purge the information, if you want to reuse the device.
See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more information.
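The Discussion above names three outcomes a sanitization method must achieve: the information cannot be retrieved or reconstructed, the method is chosen to fit the media (clear, purge, cryptographic erase, or destruction), and the result is verified before the media is released. The following Python script is an added illustration, not code from this page or from any of the tools it lists. It models a device as a file-backed image filled with constructed, tagged sample records, performs a single-pass overwrite ("clear") followed by a full-read verification, and then models cryptographic erase on a toy self-encrypting device whose media key is destroyed. The block size, the `FCI-RECORD:` tag, the HMAC-SHA256 counter-mode keystream and all function names are assumptions made for the example; a real self-encrypting drive uses hardware AES and a vendor-defined erase command, and a real verification should read the device through its own interface rather than a file.

```python
"""Added example: 'clear' with verification, and a model of cryptographic erase.

Nothing here is from the page or from any listed product; the helpers, block
size and sample data are constructed for illustration only.
"""
import hashlib
import hmac
import os
import secrets
import tempfile

BLOCK_SIZE = 4096          # assumed overwrite/verify granularity
MARKER = b"FCI-RECORD:"    # constructed tag that makes residual data easy to spot


def make_sample_image(path: str, size: int = 64 * 1024) -> None:
    """Build a constructed file-backed 'device' full of tagged sample records."""
    with open(path, "wb") as f:
        written = 0
        while written < size:
            record = MARKER + secrets.token_hex(12).encode() + b"\n"
            f.write(record[: size - written])
            written += len(record)


def clear_overwrite(path: str, pattern: bytes = b"\x00") -> int:
    """'Clear': overwrite every addressable location with a non-sensitive pattern.

    Returns the number of bytes written. fsync() pushes the writes to storage so
    the later verification reads what is actually on the media, not page cache.
    """
    size = os.path.getsize(path)
    fill = (pattern * (size // len(pattern) + 1))[:size]
    with open(path, "r+b") as f:
        for offset in range(0, size, BLOCK_SIZE):
            f.write(fill[offset:offset + BLOCK_SIZE])
        f.flush()
        os.fsync(f.fileno())
    return size


def verify_overwrite(path: str, pattern: bytes = b"\x00") -> bool:
    """Full-read verification: every byte matches the pattern and no tag survives."""
    size = os.path.getsize(path)
    expect = (pattern * (size // len(pattern) + 1))[:size]
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(BLOCK_SIZE)
            if not chunk:
                return True
            if chunk != expect[offset:offset + len(chunk)] or MARKER in chunk:
                return False
            offset += len(chunk)


class CryptoErasableMedia:
    """Toy model of a self-encrypting device (assumption, not a real SED).

    Data at rest is always ciphertext under a media encryption key; cryptographic
    erase destroys that key so the stored ciphertext can no longer be decrypted.
    The keystream is HMAC-SHA256 in counter mode and is meant for one write per
    key; a real device uses hardware AES with per-sector tweaks.
    """

    def __init__(self) -> None:
        self._key = secrets.token_bytes(32)
        self.storage = bytearray()          # what a forensic read of the platters would see

    def _keystream(self, length: int) -> bytes:
        out = bytearray()
        counter = 0
        while len(out) < length:
            out += hmac.new(self._key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def write(self, plaintext: bytes) -> None:
        if self._key is None:
            raise RuntimeError("media has been cryptographically erased")
        ks = self._keystream(len(plaintext))
        self.storage = bytearray(a ^ b for a, b in zip(plaintext, ks))

    def read(self) -> bytes:
        if self._key is None:
            raise RuntimeError("media has been cryptographically erased")
        ks = self._keystream(len(self.storage))
        return bytes(a ^ b for a, b in zip(self.storage, ks))

    def cryptographic_erase(self) -> None:
        self._key = None                    # key zeroised; ciphertext is now unrecoverable


def demo() -> dict:
    """Run both sanitization models on constructed data and report the checks."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "media.img")
    try:
        make_sample_image(path)
        with open(path, "rb") as f:
            tagged_before = MARKER in f.read()
        written = clear_overwrite(path)
        cleared = verify_overwrite(path)
    finally:
        if os.path.exists(path):
            os.remove(path)
        os.rmdir(workdir)

    media = CryptoErasableMedia()
    secret = MARKER + b"contract pricing data"
    media.write(secret)
    leaks_at_rest = MARKER in media.storage      # should be False: only ciphertext stored
    readable_before = media.read() == secret
    media.cryptographic_erase()
    try:
        media.read()
        readable_after = True
    except RuntimeError:
        readable_after = False

    return {
        "tagged_before_clear": tagged_before,
        "bytes_overwritten": written,
        "clear_verified": cleared,
        "plaintext_at_rest": leaks_at_rest,
        "readable_before_erase": readable_before,
        "readable_after_erase": readable_after,
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of `verify_overwrite` is that a clear is not complete until every addressable location has been read back; the check also searches for the constructed tag so that a partial overwrite shows up as a failure rather than a pass. For the cryptographic-erase model, the `plaintext_at_rest` check shows why the technique works at all: the marker never touches storage in the clear, so destroying the key is sufficient, and it is the key destruction, not the data, that must be verified on a real device.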