CMMC Practice Requirement:

Sanitize or destroy information system media containing Federal Contract Information or controlled unclassified information before disposal or release for reuse.

CMMC Requirement Explanation:

This requirement seeks to ensure that “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI) cannot be recovered by unauthorized persons after the media holding it is disposed of or released for reuse. Adversaries can recover information from both digital and non-digital media that has not been properly sanitized. Digital media includes hard drives, solid-state drives, USB thumb drives, floppy disks, backup tapes, etc. Non-digital media refers to paper records. Digital media that will be thrown away needs to be physically destroyed (shredded, crushed or sheared). If it is going to be reused within your organization, it needs to be wiped using an overwrite method such as the DoD 5220.22-M data wipe method. Note that overwriting is only reliable on magnetic hard drives; flash-based media (SSDs, thumb drives) should be sanitized with the device's built-in secure erase or cryptographic erase, or destroyed. NIST SP 800-88 is the current federal guidance on which sanitization method is appropriate for each media type.

Example CMMC Implementation:

Before you dispose of (e.g. throw in the trash) any digital storage device, such as a hard drive from a computer or a USB thumb drive, you need to ensure that none of the data on it is recoverable. Accomplish this by physically destroying the device (shearing or crushing it) or by using software to overwrite all of the data. The software you use should overwrite the data using the DoD 5220.22-M data wipe method; an example of software that can do this is DBAN. Overwriting is appropriate for magnetic hard drives only. For SSDs and USB thumb drives, use the drive's built-in secure erase (or destroy the device), because wear levelling can leave copies of data in areas that an overwrite never touches. Verify the wipe by reading the media back before releasing it, and keep a record of what was sanitized or destroyed, when, and by what method. Properly dispose of paper containing “Federal Contract Information” (FCI) or “Controlled Unclassified Information” (CUI) by shredding it. Use a cross-cut shredder that produces 1 mm x 5 mm particles or smaller.

Scenario(s):

- Scenario 1:

Alice, a system administrator, needs to dispose of old laptop hard drives containing federal contract information and controlled unclassified information. Instead of simply deleting the files on the laptop and reinstalling the operating system, which leaves the underlying data recoverable, she takes the hard drives to a local hard drive destruction service and has them crushed. Alice receives a receipt from the service verifying that the devices have been crushed. She stores the receipt in her company records.

- Scenario 2:

Alice needs to dispose of old laptop hard drives that previously stored “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI). She takes the hard drives to a local hard drive destruction service and has them crushed. Alice gets a receipt from the service verifying that the devices were crushed. She stores the receipt in her company records.

- Scenario 3:

Chris has a pile of paperwork containing “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI). Instead of using a regular shredder, he uses the cross-cut shredder his company purchased specifically for destroying “Controlled Unclassified Information” (CUI).
 
