CMMC Practice MA.L2-3.7.3 – Equipment Sanitization: Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Links to Publicly Available Resources
- BCWipe is a data sanitization toolset.
- This article provides insight into the U.S. Department of Defense (DoD) 5220.22-M standard for drive erasure. It also deep dives into the steps involved in the US DoD data wipe standard for sanitizing media, memory, and drives in equipment.
- This is Carnegie Mellon University Information Security Office's list of data sanitization tools that are acceptable for data per ISO guidelines.
- This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
- Information about U.S. Department of Defense Media Sanitization Guidelines.
- Disk Wipe is a free, portable Windows application for permanent volume data destruction.
- This is an article from Fossbytes that provides a list of the six best hard drive eraser tools.
- Georgia Institute of Technology DFARS/NIST 800-171 Compliance Program.
- This is an article from Iron Mountain on data wiping and secure sanitization of virtual and physical IT assets.
- These are the guidelines by the IRS for media sanitization.
- This is a blog from Lifewire that reviews the 40 best free data destruction programs.
- LSU IT Security & Policy Office - Data Sanitization.
- This is Michigan Technological University's media destruction procedure, provided as an example of a media destruction procedure.
- This is a blog by MiniTool that covers the various data sanitization methods and explains the difference between wipe, erase, format and delete per the DoD 5220.22-M method.
- This article provides a list of 10 free hard drive wipe software tools for Windows 10/8/7/Vista/XP.
- NIST resource that defines requirements for controlled maintenance.
- NIST resource that defines requirements for system backup activities.
- This NIST Special Publication provides guidance for completing the media sanitization process.
- NSA's Center for Storage Device Sanitization Research (CSDSR) guides the sanitization of information system (IS) storage devices.
- Resources for a vendor of storage device sanitization, the NSA Evaluated Products Lists (EPLs), and contact information for the Center for Storage Device Sanitization Research are provided on this page.
- This is an equipment disposal policy created by SANS that can be freely used.
- This is Stanford University's policy for data sanitization.
- This is Western University's recommended practices for destroying data and/or data devices.
Discussion [NIST SP 800-171 R2]
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement).
NIST SP 800-88 provides guidance on media sanitization.
Further Discussion
Sanitization is a process that makes access to data infeasible on media such as a hard drive. The process may overwrite the entire media with a fixed pattern such as binary zeros. In addition to clearing the data, an organization could purge (e.g., degaussing, secure erasing, or disassembling) the data, or even destroy the media (e.g., incinerating, shredding, or pulverizing). Performing one of these activities ensures that the data is extremely hard to recover, thus ensuring its confidentiality.
For additional guidance on which specific sanitization actions should be taken on any specific type of media, review the description of the Purge actions given in NIST SP 800-88 Revision 1 – Guidelines for Media Sanitization.
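The clearing step described above (overwriting the media with a fixed pattern such as binary zeros) should be followed by a read-back check before the equipment leaves for off-site maintenance. The following is an added example, not text or code from the CMMC guide or NIST SP 800-88: it reads a media image back in chunks, compares every byte with the expected repeating pattern, and reports any residual regions so the clear can be redone or the media escalated to purge or destroy. It runs against a constructed in-memory image; on real equipment the operator would open the device or a captured image file in binary mode instead.

```python
import io
from dataclasses import dataclass, field

@dataclass
class VerifyResult:
    total_bytes: int
    mismatched_bytes: int
    residual_regions: list = field(default_factory=list)  # (offset, length) pairs

    @property
    def sanitized(self) -> bool:
        return self.mismatched_bytes == 0

def verify_fixed_pattern(stream, pattern: bytes = b"\x00", chunk_size: int = 4096) -> VerifyResult:
    """Read `stream` to EOF, compare every byte with the (non-empty) repeating `pattern`, record residual runs."""
    total, mismatched, regions, region_start = 0, 0, [], None
    while True:
        data = stream.read(chunk_size)
        if not data:
            break
        # Expected bytes for this chunk, aligned to its absolute offset so a
        # multi-byte pattern stays in phase across chunk boundaries.
        phase = total % len(pattern)
        expected = (pattern * (len(data) // len(pattern) + 2))[phase:phase + len(data)]
        if data != expected:  # slow path only for chunks that hold residue
            for i, (got, want) in enumerate(zip(data, expected)):
                if got != want:
                    mismatched += 1
                    if region_start is None:
                        region_start = total + i
                elif region_start is not None:
                    regions.append((region_start, total + i - region_start))
                    region_start = None
        elif region_start is not None:  # residue ended exactly at a chunk edge
            regions.append((region_start, total - region_start))
            region_start = None
        total += len(data)
    if region_start is not None:
        regions.append((region_start, total - region_start))
    return VerifyResult(total, mismatched, regions)

def verify_image_bytes(image: bytes, pattern: bytes = b"\x00", chunk_size: int = 4096) -> VerifyResult:
    return verify_fixed_pattern(io.BytesIO(image), pattern, chunk_size)

def demo() -> VerifyResult:
    # Constructed sample: a 12 KiB image zeroed except for 16 leftover bytes at offset 5000.
    image = bytearray(12 * 1024)
    image[5000:5016] = b"CUI-RESIDUE-DATA"
    return verify_image_bytes(bytes(image))
```

A non-empty residual_regions list means the clear did not reach every byte (remapped sectors and hidden areas are a common cause), which is the trigger for the purge or destroy options the guide lists.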