MP-6—Media Sanitization
>Control Description
Sanitize ⚙organization-defined system media prior to disposal, release out of organizational control, or release for reuse using ⚙organization-defined sanitization techniques and procedures; and
Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
>FedRAMP Baseline Requirements
No FedRAMP-specific parameter values or requirements for this baseline.
>Discussion
Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed.
Sanitization techniques--including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction--prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.
Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.
>Cross-Framework Mappings
>Programmatic Queries
Related Services
CLI Commands
aws ec2 describe-volumes --query 'Volumes[*].{Id:VolumeId,DeleteOnTermination:Attachments[0].DeleteOnTermination}'aws s3api get-bucket-lifecycle-configuration --bucket BUCKET_NAMEaws rds describe-db-instances --query 'DBInstances[*].{Id:DBInstanceIdentifier,DeletionProtection:DeletionProtection}'aws ec2 describe-snapshots --owner-ids self --query 'Snapshots[*].{Id:SnapshotId,State:State}'>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- •What formal policies and procedures govern the implementation of MP-6 (Media Sanitization)?
- •Who are the designated roles responsible for implementing, maintaining, and monitoring MP-6?
- •How frequently is the MP-6 policy reviewed and updated, and what triggers policy changes?
- •What governance structure ensures MP-6 requirements are consistently applied across all systems?
Technical Implementation:
- •Describe the specific technical mechanisms or controls used to enforce MP-6 requirements.
- •What automated tools, systems, or technologies are deployed to implement MP-6?
- •How is MP-6 integrated into your system architecture and overall security posture?
- •What configuration settings, parameters, or technical specifications enforce MP-6 requirements?
Evidence & Documentation:
- •What documentation demonstrates the complete implementation of MP-6?
- •What audit logs, records, reports, or monitoring data validate MP-6 compliance?
- •Can you provide evidence of periodic reviews, assessments, or testing of MP-6 effectiveness?
- •What artifacts would you present during a FedRAMP assessment to demonstrate MP-6 compliance?
Ask AI
Configure your API key to use AI features.