NIST SP 800-171 & CMMC 2.0 3.8.3 Requirement:
Sanitize or destroy information system media containing Federal Contract Information or controlled unclassified information before disposal or release for reuse.
NIST SP 800-171 & CMMC 2.0 3.8.3 Requirement Explanation:
This requirement seeks to ensure that “Controlled Unclassified Information” (CUI) is not recoverable by unauthorized persons after disposal. Adversaries can recover information from digital and non-digital media if they are not properly disposed of. Digital media includes hard drives, thumb drives, floppy disks, and backup tapes. Non-digital media refers to paperwork and microfilm.
Example NIST SP 800-171 & CMMC 2.0 3.8.3 Implementation:
Before you dispose of (e.g., throw in the trash) any digital storage devices such as a hard drive from a computer or a USB thumb drive you need to ensure that none of the data on it is recoverable. Accomplish this by physically destroying the device (shearing or crushing it). If you want to reuse the drive use software to remove all of the data. The software you use to remove the data should use the DoD 5220.22-M data wipe method. An example of software that can do this is DBAN. Properly dispose of paper containing “Controlled Unclassified Information” (CUI) by shredding it. Use a cross-cut shredder that produces 1 mm x 5 mm particles or smaller for shredding
NIST SP 800-171 & CMMC 2.0 3.8.3 Scenario(s):
- Scenario 1:
Alice, a system administrator needs to dispose of old laptop hard drives. The hard drives contain "controlled unclassified information". Instead of simply deleting the files on the laptop and reinstalling the operating system she takes the hard drives to a local hard drive destruction service and has them crushed. Alice receives a receipt from the service verifying that the devices have been crushed. She stores the receipt in her company records.
- Scenario 2:
Chris has paperwork containing “Controlled Unclassified Information” (CUI). Instead of using a regular shredder, he uses the special shredder his company purchased to destroy “Controlled Unclassified Information” (CUI). The special cross-cut shredder turns the paper into 1 mm x 5 mm particles when it is shred.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.