Equipment Sanitization: Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Monarch ISC Guidance
There must be a practice of removing CUI data from equipment that may be shipped or taken off-site for maintenance or repairs. There must also be a policy requirement for sanitization.
It's important to remember that simply deleting data from a directory/folder does not actually remove it from a storage device. What it removes is the pointer record in the operating system, so that the sectors that held the data are marked as free to be overwritten; the deleted data itself stays on the drive until that happens. Sanitization requires a secure-wipe capability, which can be part of anti-malware software or software specifically designed to zero-out data to permanently remove it.
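The difference between deleting and sanitizing, shown as an added example that is not part of the original guidance. It uses a constructed in-memory "volume" with a one-sector directory; the layout, function names and sample record are all hypothetical.

```python
SECTOR = 512  # constructed toy volume: sector 0 is the directory, the rest is data

def make_volume(sectors=8):
    return bytearray(SECTOR * sectors)

def write_file(vol, name, data, start_sector):
    """Store data and record 'name:start:length' in the directory sector."""
    off = start_sector * SECTOR
    vol[off:off + len(data)] = data
    entry = f"{name}:{start_sector}:{len(data)}\n".encode()
    vol[0:len(entry)] = entry

def delete_file(vol):
    """Ordinary delete: erase the pointer record, leave the data sectors alone."""
    vol[0:SECTOR] = bytes(SECTOR)

def list_files(vol):
    """What the operating system would show: names found in the directory."""
    raw = bytes(vol[0:SECTOR]).rstrip(b"\x00").decode()
    return [line.split(":")[0] for line in raw.splitlines() if line]

def sanitize(vol):
    """Secure wipe: overwrite every sector with zeros."""
    for off in range(0, len(vol), SECTOR):
        vol[off:off + SECTOR] = bytes(SECTOR)

def residual_sectors(vol):
    """Verification pass: indexes of sectors that still hold non-zero bytes."""
    return [i for i in range(len(vol) // SECTOR)
            if any(vol[i * SECTOR:(i + 1) * SECTOR])]

def demo():
    vol = make_volume()
    secret = b"CUI-SAMPLE: constructed record"  # constructed sample data
    write_file(vol, "contract.txt", secret, start_sector=3)
    delete_file(vol)
    # The directory is empty, yet sector 3 still holds the record.
    after_delete = (list_files(vol), residual_sectors(vol), secret in vol)
    sanitize(vol)
    # After the overwrite, the verification pass finds nothing.
    after_wipe = (residual_sectors(vol), secret in vol)
    return after_delete, after_wipe

if __name__ == "__main__":
    print(demo())
```

For real media, the method and the verification step should follow NIST SP 800-88, which this page cites.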
NIST SP 800-171 R2
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement).
NIST SP 800-88 provides guidance on media sanitization.