CMMC Practice MA.L2-3.7.3

Equipment Sanitization: Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Monarch ISC Guidance

There must be a practice of removing CUI data from equipment that may be shipped or taken off-site for maintenance or repairs, and a policy requirement for sanitization to back it. It's important to remember that simply deleting data from a directory/folder does not actually remove it from a storage device. What it removes is the pointer-record in the operating system's file system, so that the specific sectors on that drive are marked free and may be overwritten later; the deleted data itself remains on the media until that happens. Sanitization requires a secure-wipe capability, which can be part of anti-malware software or software specifically designed to zero-out data to permanently remove it.
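The following is an added, self-contained demonstration of the point above (it is not code from the original page or from Monarch ISC). It builds a small constructed disk image in which sector 0 acts as a toy directory table and sectors 8 onward hold a "file" containing a constructed marker string, then shows that clearing only the directory entry leaves the marker recoverable from the raw sectors, while a full zero-overwrite removes it. The `find_marker` and `first_nonzero` scans are the kind of check you would run on a device image before it leaves the site. All file names, offsets and the marker value are assumptions chosen for the example.

```python
import os
import tempfile

SECTOR = 512
# Constructed placeholder content standing in for CUI; not a real record.
MARKER = b"CUI-SAMPLE-RECORD"


def build_image(path, sectors=64):
    """Create a constructed image: sector 0 is a toy directory table,
    sector 8 holds the 'file' data containing MARKER."""
    with open(path, "wb") as f:
        f.write(b"\x00" * (SECTOR * sectors))
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"DIR:cui.txt@8")  # toy pointer-record to the data sector
        f.seek(8 * SECTOR)
        f.write(MARKER)


def delete_pointer_only(path):
    """Simulate an ordinary delete: clear only the directory entry,
    leaving the data sectors untouched (as a normal OS delete does)."""
    with open(path, "r+b") as f:
        f.seek(0)
        f.write(b"\x00" * SECTOR)


def zero_wipe(path):
    """Overwrite every byte of the image with zeros and flush to storage."""
    size = os.path.getsize(path)
    chunk = b"\x00" * (1 << 20)
    with open(path, "r+b") as f:
        f.seek(0)
        remaining = size
        while remaining:
            n = min(remaining, len(chunk))
            f.write(chunk[:n])
            remaining -= n
        f.flush()
        os.fsync(f.fileno())


def find_marker(path, marker=MARKER, chunk_size=1 << 20):
    """Scan the raw image for marker; return its byte offset or -1 if absent.
    A tail of len(marker)-1 bytes is carried across chunk boundaries."""
    overlap = len(marker) - 1
    with open(path, "rb") as f:
        base = 0   # bytes consumed from the file so far
        tail = b""
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return -1
            buf = tail + chunk
            idx = buf.find(marker)
            if idx != -1:
                return base - len(tail) + idx
            tail = buf[-overlap:] if overlap else b""
            base += len(chunk)


def first_nonzero(path, chunk_size=1 << 20):
    """Return the offset of the first non-zero byte, or -1 if fully zeroed."""
    with open(path, "rb") as f:
        base = 0
        while True:
            chunk = f.read(chunk_size)
            if not chunk:
                return -1
            stripped = chunk.lstrip(b"\x00")
            if stripped:
                return base + len(chunk) - len(stripped)
            base += len(chunk)


def demo():
    """Compare delete-only with zero-wipe on a constructed image.
    Returns the marker offsets found at each stage."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        build_image(img)
        before = find_marker(img)
        delete_pointer_only(img)
        after_delete = find_marker(img)   # still found: data sectors intact
        zero_wipe(img)
        after_wipe = find_marker(img)     # -1: overwritten
        nonzero = first_nonzero(img)      # -1: image is entirely zero
    return {
        "before": before,
        "after_delete": after_delete,
        "after_wipe": after_wipe,
        "first_nonzero_after_wipe": nonzero,
    }


if __name__ == "__main__":
    print(demo())
```

Note that overwriting a file-backed image is a model of the idea, not a sanitization procedure for physical media: on flash-based devices (SSDs, USB drives) wear leveling and over-provisioned cells can hold copies of data that a host-side overwrite never reaches, which is why NIST SP 800-88 distinguishes Clear (overwrite-style methods) from Purge (for example, cryptographic erase or a firmware sanitize command) and from Destroy, and why the chosen method should be recorded in the sanitization policy the practice calls for.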

Discussion From Source

NIST SP 800-171 R2: This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). NIST SP 800-88 provides guidance on media sanitization.

References