NIST SP 800-171 & CMMC 2.0 Control 3.8.3 Requirement:
Sanitize or destroy information system media containing Federal Contract Information or controlled unclassified information before disposal or release for reuse.
NIST SP 800-171 & CMMC 2.0 3.8.3 Requirement Explanation:
This requirement seeks to ensure that “Controlled Unclassified Information” (CUI) is not recoverable by unauthorized persons after disposal. Adversaries can recover information from digital and non-digital media if they are not properly disposed of. Digital media includes hard drives, thumb drives, floppy disks, and backup tapes. Non-digital media refers to paperwork and microfilm.
Example NIST SP 800-171 & CMMC 2.0 3.8.3 Implementation:
Before you dispose of (e.g., throw in the trash) any digital storage devices such as a hard drive from a computer or a USB thumb drive you need to ensure that none of the data on it is recoverable. Accomplish this by physically destroying the device (shearing or crushing it). If you want to reuse the drive use software to remove all of the data. The software you use to remove the data should use the DoD 5220.22-M data wipe method. An example of software that can do this is DBAN. Properly dispose of paper containing “Controlled Unclassified Information” (CUI) by shredding it. Use a cross-cut shredder that produces 1 mm x 5 mm particles or smaller for shredding
NIST SP 800-171 & CMMC 2.0 3.8.3 Scenario(s):
- Scenario 1:
Alice, a system administrator needs to dispose of old laptop hard drives. The hard drives contain "controlled unclassified information". Instead of simply deleting the files on the laptop and reinstalling the operating system she takes the hard drives to a local hard drive destruction service and has them crushed. Alice receives a receipt from the service verifying that the devices have been crushed. She stores the receipt in her company records.
- Scenario 2:
Chris has paperwork containing “Controlled Unclassified Information” (CUI). Instead of using a regular shredder, he uses the special shredder his company purchased to destroy “Controlled Unclassified Information” (CUI). The special cross-cut shredder turns the paper into 1 mm x 5 mm particles when it is shred.
Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:
Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.
Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.
Supply Chain Verifier
Trust is everything. Verify, monitor, and support subcontactor compliance.