
Organizations will often transfer many types of media outside of their control. This activity may include maintenance, system upgrades or during a configuration update. Media may flow out to vendors for equipment repairs or in paper form through recycle bins. Adversaries may try to retrieve data from media after it leaves the organization. Media protection limits access to system media in both paper and digital forms.


A Brief History

NIST introduced special publication (SP) 800-171 in 2015. NIST kept the practice number of 3.8.3 through the first and second revisions. NIST SP 800-171 Revision 3 has changed this requirement's number to 03.08.03.

The cybersecurity maturity model certification (CMMC) rule will verify SP 800-171 Rev 2. CMMC 1.02 numbered this practice MP.1.118 then AC.L1-3.8.3 under CMMC 2.0. This practice applies to organizations seeking compliance within any level of CMMC.

As of December 2023, CMMC 2.1 created two numbers for this practice:

  • CMMC Level 2 uses the label MP.L2-3.8.3. MP identifies the media protection domain. L2 identifies the applicability to CMMC Level 2. 3.8.3 references the original number from NIST SP 800-171 Rev 2.

Practice Statement

NIST derived SP 800-171 basic security requirements from FIPS 200. Below is the original language from FIPS 200:

Image Source: FIPS 200

 NIST abbreviated the language for 3.8.3 in SP 800-171 to:

Image Source: NIST SP 800-171

Assessment Objectives

NIST provides assessment procedures for each practice within SP 800-171A. Procedures apply assessment methods to assessment objects. These three methods include examining artifacts, interviewing personnel, and testing mechanisms. The assessor evaluates each part to determine a finding. Satisfied findings are acceptable implementations. Other-than-satisfied findings identify one or more anomalies.

The assessment objectives for 3.8.3 contain two parts:

Image Source: NIST SP 800-171A

NIST 800-53 Mapping

Image Source: Table D-1 NIST SP 800-171

Appendix D within SP 800-171 maps requirements to SP 800-53 Rev 4 controls. This mapping relates 3.8.3 to MP-2, MP-4, and MP-6. The mapping also suggests the same relationship exists for 3.8.1 and 3.8.2. Since NIST derived this practice from FIPS 200, mapping it to SP 800-53 is more challenging.

We mapped these two objectives to the closest SP 800-53A Rev 5 objectives. NIST IR 8477 guidance helped define the nature and strength of the relationships. The findings indicated that:

  • MP.L1-3.8.3(a) intersects with MP-06a.[01] (strong relationship)
  • MP.L1-3.8.3(b) intersects with MP-06a.[03] (strong relationship)
Image Source: NIST SP 800-171 vs 800-53 Crosswalk

We noticed this mapping references four organization-defined parameters. The tailoring of the practice excludes some parts of the SP 800-53 control. Reading the entire control helps provide more context:

Image Source: NIST SP 800-53A Rev 5 [MP-6]

The first three organization-defined parameters (ODPs) define system media requiring sanitization before:

  • [01] disposal
  • [02] release from organizational control
  • [03] release for reuse 

The next three ODPs define sanitization techniques and procedures associated with:

  • [04] disposal
  • [05] release from organizational control
  • [06] release for reuse.

The FedRAMP Moderate baseline identifies appropriate sanitization techniques:

Image Source: FedRAMP Moderate Baseline [MP-6]

Analysis of Discussion

The CMMC Assessment Guide includes supplemental guidance from SP 800-53 Rev 4 [MP-6].

Media Sanitization

The CMMC guide removed supplemental guidance that limited applicability to media considered removable. They emphasized workstations and network components by listing them first.  The CMMC guide provided examples of non-digital media including paper and microfilm. The fourth sentence removed references to reused media. This was rewritten to include media released for reuse. The last sentence replaced NSA standards and policies with NARA policy and guidance. The CMMC guidance added a reference to NIST SP 800-88 for guidance on media sanitization.

Image Source: NIST SP 800-53 Rev 4 [MP-6]

The CMMC Assessment Guide provides a practical guide in the further discussion. This section simplifies the concept by including actionable steps:

“Media” refers to a broad range of  items that store information. This includes disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It also includes paper documents. It is important to know what information is on the media so that you can safeguard it. If there is FCI, you or someone in your company should either:
  • shred or destroy the device before disposal; or
  • clean or purge the information, if you want to reuse the device.
See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more information.

The CMMC Assessment Guide also provides an example:

As you pack for an office move, you find some old CDs in a file cabinet. You determine that one has information about an old project your company did for the DoD. You shred the CD rather than throwing it in the trash [a].

DoD Criticality

The NIST SP 800-171 DoD Assessment Methodology Version 1.2.1 assigned a 5-point value to this practice. Failing this practice may lead to data exfiltration. CMMC section 170.21(ii) removed this practice's eligibility for a limited deficiency. This practice aligns to the basic cybersecurity safeguards requirements of 52.204-21.

Scope of Applicability

NIST SP 800-53 Rev 5 appendix C discusses three implementation approaches:

  • (S) implemented by an information system through technical means
  • (O) implemented by an individual through nontechnical means
  • (O/S) implemented by an organization, system, or combination of the two

NIST defines the implementation of the corresponding SP 800-53 controls as:

  • MP-6 as (O) implemented by an individual through nontechnical means

The crosswalk suggests that 3.8.3 is an administrative control. 

Inheritance

It is unlikely an organization could inherit this practice. You may share responsibility of this practice with an external service provider. Some providers may offer secure document or device sanitization services. Organizations must document their policies and procedures related to media sanitization.

Implementation

Categorize confidentiality

Categorize information systems based on confidentiality, integrity, availability and privacy requirements. 

Determine the types of media used and the media disposition

Data flow documents help identify the types of media used or planned for use within a system. Categorize electronic media commensurate with the system’s confidentiality. Ask vendors for a “statement of volatility” for components handling sensitive data. Incorporate the ease or difficulty of media sanitization into component procurement processes. Keep records when introducing media into the environment. Update those records when the media leaves the place it was last used.

Relevant media varies based on hardware or software specifications and system interconnections. Storage devices may not identify the type of media used for data storage. Many items will contain more than one form of media. These different forms may call for different methods of sanitization. The user must determine the media type and apply the appropriate sanitization procedures. Identify future plans for the media. Organizations may recycle media or reuse it to conserve resources. It may be most cost-effective to destroy media not intended for reuse.  

Determine the need for sanitization

Consider who has access to the media and if it may leave organization control. Media under organization control may still include media turned over for maintenance.  In this case, contractual agreements must provide for the confidentiality of the information. Onsite supervised maintenance is also considered under the control of the organization. Media sent with no expectation of return are not considered under organizational control. This applies to warranty exchanges, returning leased devices and other situations.

Identify data protection policies governing internal and external rules requiring necessary controls. Data protection is a complementary consideration when identifying if sanitization is necessary.

Determine the appropriate level of sanitization

Identify and develop methods to conduct media sanitization before disposing of components. Consider the cost versus benefit trade-off of sanitization before making a final determination. Select the appropriate method(s) of sanitization to mitigate the loss of confidentiality. NIST provides a decision flow chart to help determine the appropriate type of sanitization. The media type will influence the technique(s) used to achieve the sanitization goal.

 

Image Source: NIST SP 800-88 Figure 4-1

Document and resource the sanitization plan

Record the sanitization decision and ensure that a process is in place to support it. This includes capturing decisions, identifying resources, sanitization actions, and verification. The process should identify responsibilities of key roles. Include calibration, equipment testing, and scheduled maintenance when using sanitization tools. Organizations should also ensure equipment operators are competent to perform sanitization functions.  

Verification of results

Organizations should verify sanitization either after each application or through a representative sampling. The highest level of assurance requires a full reading of all accessible areas.  Verify the expected sanitized value is in all addressable locations.  Organizations should perform full verification if time and external factors permit. If possible, personnel not part of sanitization action should perform the verification.

When verifying sanitization using a representative sampling, consider three main goals:

  1. Select pseudo-random locations on the media each time for analysis.
  2. Select locations across the addressable space (user addressable and reserved areas). Logical block addressing (LBA) is a common scheme that specifies data block locations. For devices leveraging LBA, divide the space into at least one thousand sections. Select at least two non-overlapping pseudo-random locations from within each section. Also include the first and last addressable location on the storage device.
  3. Each consecutive sample location should cover at least 5% of the subsection. The resulting verification should cover at least 10% of the media. 

Select a random subset of at least 20% of sanitized media for verification using a different tool. A separate developer should verify this subset of sanitized media.

Documentation

Update maintenance records when the media reaches the sanitization destination. Documentation details may depend on the confidentiality level of the media. When required, complete a certificate of media disposition for sanitized electronic media. This may include either an electronic or paper record of the action taken. The certificate should record at least the following details:

Image Source: NIST SP 800-88 Appendix G

Media Markings

If sanitization lowers the media confidentiality level, remove markings of the previous level. Apply new markings indicating the updated confidentiality level. This will help prevent reintroduction of sensitive data to the sanitized media.

Tracking sanitization 

Organizations should track media sanitization efforts. Maintain records when introducing, moving, or sanitizing media. Record keeping helps track sanitization for all media introduced into the operating environment.

Sanitization Methods

Sanitization renders access to data on media infeasible for a given level of effort. Some storage devices support enhanced commands for sanitization. Other components may not have an effective command or interface-based sanitization techniques. In these cases, the only option may be to destroy the media.

Sanitization methods include the following:

Clear 

Clear applies logical techniques to sanitize data in all user-addressable storage locations. This technique uses the standard Read and Write commands of the storage device. You cannot overwrite damaged media or media that is not rewriteable. Overwriting may not address all areas of the device. The media type and size may influence whether overwriting is a suitable method. The clear operation may vary for media other than dedicated storage devices. Factory resets that do not include rewriting may be the only option to clear the device or media. These meet the definition for Clear as long as the device interface does not retrieve the data.

Purge

Purging renders data recovery infeasible using state of the art laboratory techniques. Logical methods of purging include overwrite, block erase, and Cryptographic Erase. Standardized sanitization commands use media-specific purging techniques. This bypasses the abstraction inherent in typical read and write commands. 

Physical techniques also render devices purged. This includes incineration, shredding, disintegration, degaussing, and pulverizing. Bending, cutting, and the other emergency procedures may only damage the media. Undamaged portions may remain accessible using advanced laboratory techniques. 

Degaussing renders a magnetic device purged. The strength of the degausser should match the media coercivity. Coercivity is the resistance of a magnetic material to becoming demagnetized. Users should refer to the device manufacturer details to determine the media coercivity. Do not use degaussing on devices that contain non-volatile non-magnetic storage. Degaussing renders many devices unusable; in those cases it is a destructive technique.

Cryptographic Erase (CE) is an emerging sanitization technique. It is useful for sanitizing encrypted data  stored in the media. CE sanitizes the cryptographic keys used to encrypt the data.  This technique is quick and supports sanitizing a subset of the storage media. This is especially useful in cloud computing environments and mobile devices. Organizations implementing CE should seek assurance that cryptographic modules are FIPS 140-2 validated. 

It is more difficult to verify the effectiveness of CE. If you are unable to verify CE sanitization, use alternative methods.  You may also use CE in combination with a verifiable sanitization technique. You may not know the contents of the encrypted media. There are two options for verifying CE if you have access to read the data. Both use representative sampling:

  1. Read the pseudorandom locations before and after CE to compare the results.
  2. Search for strings across the media or look for files that are in known locations.
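The sampling rules listed under "Verification of results" and the first CE check above can be scripted. The Python below is an added example, not code from NIST or the CMMC guide; the function names, the 512-byte block size and the in-memory image are assumptions, and it goes slightly beyond the text by counting short reads as failures.

```python
import hashlib
import io
import math
import random


def plan_samples(total_blocks, sections=1000, fraction=0.05, rng=None):
    """Return sorted (start_lba, block_count) ranges to read back.

    Each section gets two non-overlapping pseudo-random samples, each covering
    at least `fraction` of the section; the first and last LBA are always added.
    """
    if total_blocks < 2 or not 0 < fraction <= 0.25:
        raise ValueError("need >= 2 blocks and 0 < fraction <= 0.25")
    rng = rng or random.SystemRandom()           # new locations on every run
    sections = min(sections, total_blocks // 2)  # a section must fit two samples
    plan = [(0, 1), (total_blocks - 1, 1)]
    for i in range(sections):
        lo = i * total_blocks // sections
        hi = (i + 1) * total_blocks // sections
        n = hi - lo
        k = max(1, math.ceil(fraction * n))      # blocks per sample
        free = n - 2 * k                         # slack left after both samples
        a, b = sorted((rng.randint(0, free), rng.randint(0, free)))
        plan.append((lo + a, k))
        plan.append((lo + b + k, k))             # starts after the first sample ends
    return sorted(plan)


def coverage(plan, total_blocks):
    """Fraction of LBAs read at least once (overlapping ranges counted once)."""
    covered, end = 0, 0
    for start, count in sorted(plan):
        stop = start + count
        if stop > end:
            covered += stop - max(start, end)
            end = stop
    return covered / total_blocks


def read_range(dev, start, count, block_size):
    dev.seek(start * block_size)
    return dev.read(count * block_size)


def verify_pattern(dev, plan, block_size=512, expected=0x00):
    """Return sampled LBAs that do not hold the expected sanitized value.

    A short read (truncated or unreadable block) also counts as a failure.
    """
    good = bytes([expected]) * block_size
    failed = set()
    for start, count in plan:
        data = read_range(dev, start, count, block_size)
        for i in range(count):
            if data[i * block_size:(i + 1) * block_size] != good:
                failed.add(start + i)
    return sorted(failed)


def fingerprint(dev, plan, block_size=512):
    """Digest each sampled range; run once before and once after CE."""
    return {(s, c): hashlib.sha256(read_range(dev, s, c, block_size)).digest()
            for s, c in plan}


def unchanged_after_erase(before, after):
    """Sampled ranges whose content is identical before and after CE."""
    return sorted(r for r in before if after.get(r) == before[r])


if __name__ == "__main__":
    # Constructed 10,000-block image: zero-filled except residue in the last block.
    BS, TOTAL = 512, 10_000
    image = bytearray(BS * TOTAL)
    image[-8:] = b"residual"
    plan = plan_samples(TOTAL)
    print(f"{len(plan)} ranges, {coverage(plan, TOTAL):.0%} of LBAs sampled")
    print("failing LBAs:", verify_pattern(io.BytesIO(image), plan, BS))
```

Against real media, pass a read-only handle to the device and its true block size. Reserved areas that the device interface does not expose are outside what this sketch can sample.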

Destroy

Some techniques may render the data infeasible to retrieve through the device interface. Some techniques may render the device unusable. Destruction implies data retrieval is infeasible using state of the art laboratory techniques. Destructive techniques may be the only option when the media fails. It is also useful when you are unable to apply or verify the effectiveness of Clear or Purge techniques.

Disintegrate, pulverize, melt, and incinerate completely destroy the media. Outsourced metal destruction or licensed incineration facilities with specific capabilities perform these activities.  

Shredding may destroy flexible media removed from their outer containers. The shred size should be small enough to prevent data reconstruction. Mix non-sensitive material with sensitive data to make reconstruction more difficult when shredding.

Types of Media and Sanitization Methods

NIST provides the following recommendations for sanitizing specific media. Other methods exist to Clear, Purge, and Destroy. Organizations may use other verifiable and satisfactory methods. You may find information elsewhere about settings for items not in this list. Trusted sources include manufacturer recommendations or DISA Security Technical Implementation Guides (STIGs).

Hard Copy 

Physical representations of information are most often associated with paper and microfilms. This also includes printer and facsimile ribbons, drums, and platens. The supplies associated with producing paper printouts are often the most uncontrolled. Hard copy materials that leave an organization without effective sanitization present a risk. Dumpster divers and over-curious employees may access sensitive information on discarded media.

Destroy by:

  • Shredding - Use cross cut shredders that produce particle sizes 1 mm x 5 mm or smaller.
  • Pulverize/Disintegrate - Use devices equipped with a 2.4 mm security screen.
  • Burning - destroy reduced image photo negatives by burning. Reduce residue to white ash.

Networking devices (routers and switches)

Home office and enterprise routers and switches are examples of networking devices. Network devices may contain removable storage. Remove the removable media and sanitize using media-specific techniques. Most routers and switches only offer capabilities to Clear the data contents. Identify if routers and switches offering Purge capabilities apply media-dependent techniques. This includes block erasing or rewriting to ensure that data recovery is infeasible.

Clear by:

  • Factory reset - reset the router or switch back to its factory default settings

Destroy by:

  • Shred, Disintegrate, Pulverize or Incinerate by burning in a licensed incinerator.

Mobile devices 

Mobile devices include smartphones, tablets, cell phones, and personal digital assistants (PDAs). Sanitization processes may not address mobile devices with nonvolatile removable memory. Contact the manufacturer to determine the types of data stored on removable memory. Before sanitizing a device, backup data to a safe place. Following the Clear/Purge operation, verify removal of personal information. Treat sanitizations performed via a remote wipe as a Clear option. It is not possible to verify the sanitization results of remote wipes. The following destruction methods apply to any mobile device:

Destroy by: 

  • Shred, Disintegrate, Pulverize or Incinerate by burning in a licensed incinerator.

Apple iPhone and iPad

Current iPhones have hardware encryption turned on by default. Apple devices support Cryptographic Erase for encrypted data.

Clear or Purge by:

  • Full Sanitization - Settings > General > Reset > Erase All Content and Settings

Devices running the Google Android OS

Connect to power before starting encryption. The capabilities of Android devices vary by device manufacturers and service providers. The factory data reset level of assurance may depend on architectural details. Some versions of Android support encryption and may support Cryptographic Erase. Refer to the manufacturer to identify whether the device has a purge capability.  Confirm that it uses media-dependent sanitization techniques to ensure data recovery is infeasible. 

Clear by:

  • Factory reset - Settings > User and Backup > Backup and reset > Factory data reset

Purge by:

  • Use the eMMC Secure Erase or Secure Trim command. Other methods may exist depending on the device’s storage media.

Windows Phone

Encryption may depend on centralized management. The capabilities of Windows Phone devices vary by device manufacturers and service providers. The factory data reset level of assurance may depend on architectural details. In some environments, Windows Phone devices may support encryption and Cryptographic Erase. Refer to the manufacturer to identify whether the device has a purge capability. Ensure that it uses media-dependent sanitization techniques to ensure data recovery is infeasible.

Clear by:

  • Factory reset - Settings > About > Reset your phone > Yes

Purge by:

  • Use the eMMC Secure Erase or Secure Trim command. Other methods may exist depending on the device’s storage media.

Blackberry

Centralized management (BES) allows for device encryption. Refer to the manufacturer for information on the proper sanitization procedures. Procedures vary by device and operating system.

Clear or Purge by: 

  • BB OS 10.x Decrypt media card before continuing. Select Settings, Security and Privacy, Security Wipe. Type “blackberry” in the text field, then click on “Delete Data”.

All other mobile devices

This includes cell phones, smart phones, and PDAs not covered in the sections above. For both Clear and Purge, refer to the manufacturer for proper sanitization procedures. Many manufacturers only offer capabilities to Clear the data contents. Refer to the manufacturer to identify whether the device has a purge capability. Ensure that it uses media-dependent sanitization techniques to ensure data recovery is infeasible.

Clear by:

  • Factory reset - delete all information then perform a full manufacturer’s reset. 

Equipment

Most office equipment only offers capabilities to Clear the data contents. Office equipment may have removable storage media. If so, apply media-dependent sanitization techniques to the associated storage device. Refer to the manufacturer to identify whether the device has a purge capability. Ensure that it applies media-dependent sanitization techniques to ensure data recovery is infeasible.  For both Clear and Purge, verify removal of personal information.

Remove and destroy the associated supplies following legal, environmental, and health guidelines. Some supplies may contain impressions of data printed by the machine. These may pose a risk of data exposure. If the device is functional, print a blank page, then an all-black page, then another blank page. For color enabled devices, print one page of each color between blank pages. Handle the printed sheets at the confidentiality of the office equipment. These procedures do not apply to supplies on a one-time use roll.

Clear by:

  • Factory reset - reset the office equipment back to its factory default setting

Destroy by: 

  • Shred, Disintegrate, Pulverize or Incinerate by burning in a licensed incinerator.

Magnetic media 

A single overwrite pass with a fixed pattern hinders recovery of data. This may not address areas not mapped to the Logical Block Addressing (LBA) addresses. Dedicated sanitization commands support addressing these areas. You should request vendor assurance that the implementation produced the expected result. Degaussing magnetic media has become more complicated. Emerging variations of magnetic recording incorporate media with higher coercivity (magnetic force). Existing degaussers may not have enough force to degauss such media. Degaussing magnetic disks may render the disk unusable. A destruction facility may ask you to separate components for recycling measures.

The following destruction and purge methods apply to any magnetic media:

Purge by: 

  • Degauss with an approved degausser rated at the required strength for the media.

Destroy by:

  • Incinerate floppy disks and diskettes by burning in a licensed incinerator, or shred.

Floppies and flexible or fixed magnetic disks

Clear by:

  • Overwrite media using approved software. Perform verification on the overwritten data. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. You may use more than one write pass or more complex values.

Reel and Cassette Format Magnetic Tapes

Clear by: 

  • Overwrite all data on the tape using an approved pattern. Use a system with similar characteristics to the original one that recorded the data. Overwrite all portions of the magnetic tape one time with known non-sensitive signals. Clearing magnetic tape by overwriting occupies the tape transport for excessive time periods. 

ATA and SCSI Hard Disk Drives (HDDs)

Perform verification for each technique within Clear and Purge, except degaussing. The assurance provided by degaussing depends on selecting and applying an effective degausser. Check the results to ensure it is working as expected on a regular basis. The following clear methods apply to ATA and SCSI HDDs:

Clear by: 

  • Overwrite media using approved and validated overwriting technologies, methods, or tools. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. You may also use more than one pass or more complex values.

Advanced Technology Attachment (ATA)

The storage device may restrict the ability to access portions of the media. This includes the Host Protected Area, Device Configuration Overlay, or Accessible Max Address. Reset configurations that limit access to the addressable area of the storage media. Sanitization may impact the ability to recover unless reinstallation media is also available.

Purge by: 

  • Use one of the ATA Sanitize Device feature set commands. This may include the OVERWRITE EXT command or CRYPTO SCRAMBLE EXT command.
  • Use the ATA Security feature set’s SECURE ERASE UNIT command in Enhanced Erase mode. Use of this command is not recommended without consulting the manufacturer. Verify that the model-specific implementation meets the needs of the organization.
  • CE through the Trusted Computing Group Opal Security Subsystem Class or Enterprise SSC. Issue commands as necessary to change all Media Encryption Keys (MEKs).
  • Degauss in an approved automatic degausser. Disassemble the hard disk drive and Purge the platters with an approved degaussing wand. Degaussing the media in a storage device may render the device unusable.

Small Computer System Interface (SCSI) Hard Disk Drives

The device may restrict the ability to access portions of the media. This includes the block descriptor’s NUMBER OF LOGICAL BLOCKS field. Reset configurations limiting access to the addressable area of the storage media.

Purge by:

  • Apply the SCSI SANITIZE command. This may include the OVERWRITE and/or the CRYPTOGRAPHIC ERASE service action.
  • Cryptographic Erase through the TCG Opal SSC or Enterprise SSC. Issue commands as necessary to change all MEKs.
  • Degauss in an approved automatic degausser. Disassemble the hard disk drive and Purge the platters with an approved degaussing wand. Degaussing the media in a storage device may render the device unusable.

Peripheral attached storage

External hard drives may have unaddressed hidden storage when removed from their enclosure. The device manufacturer may leverage proprietary commands to interact with the security subsystem. Refer to the manufacturer to identify whether any reserved areas exist in the media. Identify whether any tools are available to remove or sanitize them, if present.

Clear by: 

  • Overwrite media using approved and validated overwriting technologies, methods, or tools. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. You may also use more than one pass or more complex values.

Purge by: 

  • Purge commands for attached Hard Drives vary across models. Refer to the manufacturer to identify whether the device has a Purge capability.  Ensure that it uses media-dependent techniques.

Destroy by:

  • Shred, Disintegrate, Pulverize or Incinerate by burning in a licensed incinerator.

Optical media 

Compact disc (CD), digital versatile disc (DVD), and Blu-ray Disc (BD) are examples of optical media.

Destroy by:

  • Removing the information-bearing layers of CD media using an optical disk grinding device. This only applies to CD and not to DVD or BD media.
  • Incinerate optical disk media (reduce to ash) using a licensed facility.
  • Use optical disk media shredders or disintegrator devices. Reduce to particles that have a nominal edge dimension of 0.5 mm and surface area of 0.25 mm² or smaller.

Flash memory-based storage devices

Flash memory-based storage devices include ATA SSDs, SSSDs, NVM Express SSDs, and Memory Cards. Embedded Flash Memory on Boards and Devices includes motherboards and peripheral cards. This includes network adapters or any other adapter containing non-volatile flash memory. Overwriting flash-based media may reduce the effective lifetime of the media. Overwriting may not sanitize the data in unmapped physical media.

Do not rely on degaussing as a sanitization technique for flash memory-based devices. You may use degaussing  when non-volatile flash memory media is present. Use media-dependent techniques for flash memory components. The following destruction methods apply to flash memory-based devices:

Destroy by:

  • Shred, Disintegrate, Pulverize or Incinerate by burning in a licensed incinerator.

ATA SSDs, SSSDs, NVM Express SSDs, and Memory Cards

Clear by:

  • Overwrite media using approved and validated overwriting technologies, methods, or tools. The Clear pattern should be at least a single write pass with a fixed data value, such as all zeros. You may also use more than one pass or more complex values. 

Advanced Technology Attachment (ATA) Solid State Drives (SSDs)

Purge by:

  • Apply the ATA sanitize command, if supported. This may include the BLOCK ERASE command and/or the SANITIZE CRYPTO SCRAMBLE command.
  • Cryptographic Erase through the TCG Opal SSC or Enterprise SSC.  Issue commands as necessary to change all MEKs.

Small Computer System Interface (SCSI) Solid State Drives (SSDs)

Purge by:

  • Apply the SCSI SANITIZE command. This may include the OVERWRITE and/or the CRYPTOGRAPHIC ERASE service action.
  • Cryptographic Erase through the TCG Opal SSC or Enterprise SSC.  Issue commands as necessary to change all MEKs.

NVM Express SSDs

Purge by:

  • Apply the NVM Express Format command, if supported. This may include the User Data Erase or the Cryptographic Erase command.
  • Cryptographic Erase through the TCG Opal SSC or Enterprise SSC.  Issue commands as necessary to change all MEKs.

USB Removable Media

This category includes pen drives, thumb drives, flash memory drives, and memory sticks. 

Purge by:

  • Most USB removable media do not support sanitize commands. If supported, the interfaces are not standardized across these devices. Refer to the manufacturer for details about the availability of sanitization features. 

Memory Cards

This category includes secure digital, high capacity, multimedia cards, and compact flash memory. It also includes Microdrive, and MemoryStick. Clear and Destroy as described above under Flash Memory-Based Storage Devices.

Embedded Flash Memory on Boards and Devices

Traditional media sanitization guidelines do not address embedded flash memory. The increasing use of flash memory has increased the odds that sensitive data may be present. Clearing it may involve interacting with more than one interface to reset the device. Applying destructive techniques to flash memory is becoming more challenging. The necessary grinding particle size goes down as storage density increases. 

Clear by: 

  • Factory reset - if supported, return the device to original factory settings. Overwrite techniques do not address the risk of unintentional disclosure. 

RAM and ROM-based Storage Devices

Dynamic Random Access Memory (DRAM)

Clear/Purge by:

  • Power off the device containing DRAM. Remove it from the power source and remove the battery, if battery-backed. You may also remove the DRAM from the device.

Destroy by:

  • Shred, disintegrate, or pulverize.

Electronically Alterable Programmable Read Only Memory (EAPROM)

Clear/Purge by:

  • Perform a full chip Purge as per manufacturer’s data sheets.

Destroy by:

  • Shred, disintegrate, or pulverize.

Electronically Erasable Programmable Read Only Memory (EEPROM)

Clear/Purge by:

  • Overwrite media by using approved and validated overwriting technologies, methods, or tools.

Destroy by:

  • Shred, disintegrate, pulverize, or incinerate by burning the device in a licensed incinerator.

Continuous Monitoring Tasks

A continuous monitoring task verifies that controls produce their desired outcome(s). The practice 3.8.3 has two desired outcomes:

  • Sanitize or destroy media containing sensitive information before disposal
  • Sanitize media containing sensitive information before releasing for reuse

Developing maintenance logs helps document sanitization of system media. Sanitization log details should include:

  • Personnel and actions performed
  • Types of media sanitized
  • Files stored on the media
  • Sanitization methods used
  • Date and time of sanitization actions
  • Verification actions taken

Policy Statements

System Component Inventory

  • Information Security categorizes the confidentiality level of all system components.

Media protection

  • IT maintains an inventory of all digital media used by the system.
  • Information Security documents the sanitization procedures for all media used by the system.
  • IT maintains the accurate location of digital media in the maintenance log.
  • IT sanitizes digital media before releasing it outside of the organization’s control.
  • IT sanitizes any media reused in systems categorized at a lower confidentiality level.
  • Information Security verifies the expected results after any media sanitization.
  • Information Security documents all digital media sanitization actions.
  • Information Security removes markings when reusing media in lower confidentiality systems.
  • Information Security trains all employees how to safeguard sensitive information.
  • Information Security verifies destruction of all hard copy media disposed in shred bins.

Security Awareness Training

  • Employees dispose of hard copy media containing sensitive data in locked shred bins.

Role-based Training

  • Information Security team members complete training before sanitizing media.
  • Information Security team members tasked with sanitization complete annual training.

Proposed Rev 3 Changes

NIST SP 800-171 Rev 3 aligns 03.08.03 with MP-6 from SP 800-53 Rev 5. Rev 3 incorporates equipment sanitization (3.7.3) into 03.08.03. There is a single part within the updated practice:

  • Sanitize media containing CUI before disposal, release, or reuse.

The crosswalk below shows the mapping of these requirements back to related parts of 3.8.3 and 3.7.3 from Revision 2:

Image Source: NIST SP 800-171 Rev 3 Crosswalk Calculator

Conclusion

Effective sanitization techniques are critical aspects of safeguarding sensitive data. That information may be on paper, optical, electronic, or magnetic media. Ensure no recoverable sensitive data is on the media before it leaves your control. Dumpster diving for disposed media is a rich source of illicit information collection. Mitigate this vulnerability by maintaining an inventory of media containing sensitive data. Sanitize media containing sensitive information before it leaves your control.
