CMMC MA.3.115 - Sanitize Equipment Removed Off-site

Requirement text: MA.3.115: Ensure equipment removed for off-site maintenance is sanitized of any
CUI.

DISCUSSION FROM SOURCE: DRAFT NIST SP 800-171 R2
This requirement addresses the information security aspects of system maintenance that are
performed off-site and applies to all types of maintenance to any system component
(including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty,
in-house, software maintenance agreement).

CMMC CLARIFICATION
Sanitization is a process that makes access to data infeasible on media such as a hard drive.
The process may overwrite the entire media with a fixed pattern such as binary zeros. In
addition to clearing the data, an organization could purge the data (e.g., degaussing, secure
erasing, or disassembling), or even destroy the media (e.g., incinerating, shredding, or
pulverizing). Performing one of these activities makes the data extremely hard to recover,
thus ensuring its confidentiality.

If additional guidance is needed on which specific sanitization actions should be taken on any
specific type of media, consider reviewing the description of the Purge actions given in
NIST SP 800-88 Revision 1 - Guidelines for Media Sanitization.

Example
You manage the IT equipment that is used for your organization. A recent Department of
Defense (DoD) project has been using a storage array for DoD Controlled Unclassified
Information (CUI). Recently the array has experienced disk issues. After troubleshooting
with the vendor, they recommend that several drives in the array be replaced. Knowing the
drives may contain CUI, you plan to run software on the drives that performs a wipe pattern
that removes any data and device protection across the entire drive. Once all the drives
have been wiped, you document the action and ship the faulty drives to the vendor.
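
The clarification describes overwriting the entire media with a fixed pattern, and the example ends with documenting the action. The following is an added illustration, not part of the CMMC guidance: it reads a wiped target back in full, confirms every byte matches the pattern, and emits a record for the maintenance file. The function names, record fields and sample image files are assumptions made for this sketch.

```python
import json
import os
import tempfile
from datetime import datetime, timezone


def verify_overwrite(path, pattern=0x00, chunk=1024 * 1024):
    """Read the whole target and confirm every byte equals the wipe pattern."""
    expected = bytes([pattern]) * chunk
    checked, mismatch = 0, None
    with open(path, "rb") as dev:
        while mismatch is None:
            block = dev.read(chunk)
            if not block:
                break
            if block != expected[:len(block)]:
                # Report the exact offset of the first surviving byte.
                mismatch = checked + next(
                    i for i, b in enumerate(block) if b != pattern)
            checked += len(block)
    # An empty target proves nothing, so it never passes.
    passed = mismatch is None and checked > 0
    return {
        "target": path,
        "pattern": f"0x{pattern:02x}",
        "bytes_checked": checked,
        "first_mismatch_offset": mismatch,
        "result": "PASS" if passed else "FAIL",
        "verified_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def make_sample_image(path, size, residue_at=None):
    """Constructed stand-in for a wiped drive; optionally leave data behind."""
    with open(path, "wb") as img:
        img.write(b"\x00" * size)
        if residue_at is not None:
            img.seek(residue_at)
            img.write(b"CUI")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "drive_a.img")
        dirty = os.path.join(tmp, "drive_b.img")
        make_sample_image(clean, 3 * 1024 * 1024 + 123)
        make_sample_image(dirty, 3 * 1024 * 1024 + 123, residue_at=2_000_000)
        for image in (clean, dirty):
            print(json.dumps(verify_overwrite(image)))
```

A read-back check of this kind covers only the areas the drive exposes to the host, so it confirms a clear-level overwrite and does not replace the Purge actions in NIST SP 800-88 Revision 1.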

References
• NIST SP 800-171 Rev 1 3.7.3
• CERT RMM v1.2 TM:SG5.SP2
• NIST SP 800-53 Rev 4 MA-2