CMMC Practices

MP.L2-3.8.3  

Reference: CMMC 2.11

Family: MP

Level Introduced: 2

Title: Media Disposal [CUI Data]

Practice:
Sanitize or destroy information system media containing CUI before disposal or release for reuse.

CMMC Clarification:
In this case, "media" can mean something as simple as paper, or storage devices like diskettes, disks, tapes, microfiche, thumb drives, CDs and DVDs, and even mobile phones. It is important to see what information is on these types of media. If there is Federal contract information (FCI), meaning information you or your company got doing work for the Federal government that is not shared publicly, you or someone in your company should do one of two things before throwing the media away:
• clean or purge the information, if you want to reuse the device; or
• shred or destroy the device so it cannot be read.
See NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, for more information.

Example
You are moving into a new office. As you pack for the move, you find some of your old CDs in a file cabinet. When you load the CDs into your computer drive, you see that one has information about an old project your company did for the Department of Defense (DoD). Rather than throw the CD in the trash, you make sure that it is shredded.

Source: CMMC v2.0