CMMC v2.11 Practices

MP.L1-b.1.vii  

Reference: CMMC v2.11

Family: MP

Level Introduced: 1

Title: Media Disposal [FCI Data]

Practice:
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

Further Discussion:
Media can include a broad range of items that store information, including paper documents, disks, tapes, digital photography, USB drives, CDs, DVDs, and mobile phones. It is important to know what information is on media so that you can handle it properly. If there is FCI, you or someone in your company should either:
• shred or destroy the device before disposal so it cannot be read; or
• clean or purge the information, if you want to reuse the device.

See NIST Special Publication 800-88, Revision 1, Guidelines for Media Sanitization, for more information.

Example
As you pack for an office move, you find some old CDs in a file cabinet. You determine that one has FCI from a project your company did for the DoD. You shred the CD rather than simply throwing it in the trash [a].

Potential Assessment Considerations
• Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure that no usable data is retrievable [a,b]?

Source: CMMC v2.11