MP-6 (03)—Media Sanitization | Nondestructive Techniques
>Control Description
>FedRAMP Baseline Requirements
Additional Requirements and Guidance
MP-6 (3) Requirement: Must comply with NIST SP 800-88, Guidelines for Media Sanitization.
>Discussion
Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code.
Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.
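As an added example (not part of this page, nor a FedRAMP or NIST artifact), the POSIX shell script below shows what an automated, verifiable nondestructive sanitization of a portable storage device can look like in practice: a single-pass, fixed-value overwrite in the style of the NIST SP 800-88 Clear technique for USB removable media, a full read-back verification, and a per-device record of the kind an assessor asks for as evidence. The device path, the media-type label, the record format and the Linux sysfs removable-flag guard are assumptions; the organization's approved tool and technique for each media type is what actually governs.

```shell
#!/bin/sh
# Added example, not from the page or any vendor tool: a single-pass, fixed-value
# ("Clear"-style, per NIST SP 800-88) overwrite of a removable device before
# first use, followed by full read-back verification and a sanitization record.
# Assumptions: POSIX sh with dd, cmp, head, wc, date; Linux sysfs for the
# removable-flag check. DEVICE is a placeholder; a regular file can stand in
# for a block device so the procedure can be exercised without touching disks.

# refuse_if_fixed_disk PATH
# Safety guard: if the kernel exposes a removable flag for this device and it
# is not set, refuse to proceed. A regular file has no sysfs entry, so it passes.
refuse_if_fixed_disk() {
  flag="/sys/block/$(basename "$1")/removable"
  if [ -r "$flag" ] && [ "$(cat "$flag")" != "1" ]; then
    printf 'refusing: %s is not flagged as removable\n' "$1" >&2
    return 1
  fi
  return 0
}

# target_size PATH -> size in bytes
# For a real block device on Linux, blockdev --getsize64 PATH is faster.
target_size() {
  wc -c < "$1" | tr -d ' '
}

# clear_overwrite PATH
# One pass of zeros over the whole target, then every byte is read back and
# compared against zeros. Exit status: 0 verified, 1 guard/overwrite failure,
# 2 verification failure (the device must not be approved for use).
clear_overwrite() {
  target=$1
  refuse_if_fixed_disk "$target" || return 1
  size=$(target_size "$target")
  # Pass 1: fixed-value overwrite (all zeros) end to end.
  head -c "$size" /dev/zero | dd of="$target" bs=1048576 conv=notrunc 2>/dev/null || return 1
  sync
  # Full verification: the whole target must read back as zeros.
  head -c "$size" /dev/zero | cmp -s - "$target" || return 2
  return 0
}

# sanitization_record PATH MEDIA_TYPE SERIAL OPERATOR RESULT
# Emits one tab-separated evidence line: what was sanitized, how, how it was
# verified, by whom, when, and the outcome.
sanitization_record() {
  printf '%s\tdevice=%s\tmedia=%s\tserial=%s\tmethod=Clear(1-pass-zero)\tverify=full-readback\toperator=%s\tresult=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5"
}

# sanitize_before_use PATH MEDIA_TYPE SERIAL OPERATOR
# Full workflow: overwrite, verify, record. Prints the record line and returns
# the overwrite status so a caller can block the device on any failure.
sanitize_before_use() {
  if clear_overwrite "$1"; then
    status=0; outcome=PASS
  else
    status=$?; outcome=FAIL
  fi
  sanitization_record "$1" "$2" "$3" "$4" "$outcome"
  return "$status"
}

# Usage (DEVICE is a placeholder; never point this at a mounted or fixed disk):
#   sanitize_before_use /dev/DEVICE usb-flash SN12345 jdoe >> sanitization.log
```

Two caveats a practitioner would want: overwriting is a Clear technique, and NIST SP 800-88 does not treat it as sufficient for Purge on solid-state media, so the script demonstrates the overwrite-verify-record workflow rather than the right technique for every media type in the discussion above; and a device whose verification fails (exit status 2) should be treated as not sanitized and kept off the system, not retried silently.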
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policy defines the circumstances (for example, newly purchased devices before first use, or devices whose chain of custody cannot be maintained) that require nondestructive sanitization of a portable storage device before it is connected to the system?
- Who is responsible for performing the sanitization, verifying its result, and approving the device for use?
- How often is the MP-6(3) procedure reviewed, and what triggers an update (a new media type in use, a revision of NIST SP 800-88)?
- How is the requirement applied consistently across every system and location that accepts portable media?
Technical Implementation:
- Which NIST SP 800-88 technique (Clear or Purge) is applied to each media type (flash drives, memory cards, external hard disk and solid-state drives, optical discs, tapes), and which tools are approved for each?
- How is the result verified after sanitization (full read-back or sampling), and what happens to a device that fails verification?
- How are portable devices that have not yet been sanitized kept from being connected to the system?
- How is malware scanning combined with sanitization, given that scanning alone is recommended but not considered sufficient?
Evidence & Documentation:
- What procedure documents describe the sanitization and verification steps for each media type?
- What sanitization records (device identifier or serial number, media type, method, tool, verification result, date, operator) are retained, and for how long?
- Can you provide evidence of periodic reviews or tests confirming that the approved tools still produce verifiable results?
- Which of these artifacts would you present during a FedRAMP assessment to demonstrate MP-6(3) compliance?