CMMC Practice MP.L1-3.8.3

Media Disposal: Sanitize or destroy information system media containing FCI/CUI before disposal or release for reuse.

Monarch ISC Guidance

Some guidance:

1) Keep shredders handy in all areas, or locked shred bins if you use an external company for shredding. The bins should be used for all paper. These bins usually support shredding of CDs/DVDs and microfilm.
2) If you intend to re-use the media, first check the SP 800-88 guidance to decide whether you should clear, purge, or destroy the media.
3) Based upon the decision to clear, purge, or destroy the media, the guidance offers some helpful tables of reliable means to clear, purge, or destroy a variety of media, mobile phones, and other portable storage devices.
4) If the device was already encrypted, the job is a little easier, as simply removing encryption and re-encrypting the media will render it sanitized.
5) If you destroy hard drives, or use an external vendor, retain a record of serial numbers. The vendors should provide this along with a certificate of destruction, which must be saved. Finally, validate that your vendors are bonded (insured) for this work.

Discussion From Source

NIST SP 800-171 R2

This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing CUI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes. NIST SP 800-88 provides guidance on media sanitization.

References