
3.8.3 Media Protection - Basic

Basic Requirement

>Control Description

Sanitize or destroy system media containing CUI before disposal or release for reuse.

>Discussion

This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed.

Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal.

Sanitization of non-digital media includes destruction, removing CUI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for controlled unclassified information. [SP 800-88] provides guidance on media sanitization.

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policies govern sanitization of media before disposal or reuse?
  • What procedures define sanitization methods by media type?
  • Who performs and verifies media sanitization?
  • How do you track media through the sanitization process?
  • What governance ensures media is not released unsanitized?

Technical Implementation:

  • What sanitization techniques do you employ (overwrite, degauss, destroy)?
  • How do you verify complete data removal from media?
  • What tools automate media sanitization?
  • How do you prevent reuse of unsanitized media?
  • What controls ensure destroyed media is irrecoverable?

Evidence & Documentation:

  • Can you provide media sanitization records?
  • What certificates of sanitization or destruction exist?
  • Can you demonstrate sanitization verification methods?
  • What logs track media disposal and sanitization?
  • What audit evidence proves media sanitization compliance?
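One way to answer the verification and evidence questions above, as an added example that is not part of this page or of NIST or NARA guidance: a small Python checker that reads blocks back from cleared media (a file image or a block device path), confirms each holds only the overwrite pattern, and emits a sanitization record. The function names, the record layout and the sample images are assumptions constructed for the example.

```python
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096

def sampled_offsets(size, block_size=BLOCK_SIZE, samples=64, seed=None):
    """First and last block plus `samples` random blocks; samples=None means every block."""
    n_blocks = (size + block_size - 1) // block_size
    if samples is None or n_blocks == 0:
        return [i * block_size for i in range(n_blocks)]
    picks, rng = {0, (n_blocks - 1) * block_size}, random.Random(seed)
    while len(picks) < min(samples, n_blocks):
        picks.add(rng.randrange(n_blocks) * block_size)
    return sorted(picks)

def verify_clear(path, pattern=b"\x00", block_size=BLOCK_SIZE, samples=64, seed=None):
    """Check that sampled blocks of a file or block device hold only `pattern`.
    Returns (ok, offsets_with_residual_data, blocks_checked)."""
    bad = []
    with open(path, "rb") as f:
        size = f.seek(0, os.SEEK_END)  # valid for device nodes, where os.path.getsize() gives 0
        offsets = sampled_offsets(size, block_size, samples, seed)
        for off in offsets:
            f.seek(off)
            data = f.read(block_size)
            if data != (pattern * (len(data) // len(pattern) + 1))[: len(data)]:
                bad.append(off)
    return bool(offsets) and not bad, bad, len(offsets)

def sanitization_record(media_id, method, path, verifier, **verify_kwargs):
    """Evidence record (hypothetical layout): who verified what, when, how, and the outcome."""
    ok, bad, checked = verify_clear(path, **verify_kwargs)
    return {"media_id": media_id, "method": method, "verifier": verifier,
            "verified_at": datetime.now(timezone.utc).isoformat(),
            "blocks_checked": checked, "residual_data_offsets": bad[:10],
            "result": "PASS" if ok else "FAIL"}

def constructed_image(data):
    """Write constructed sample media contents to a temp file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as f:
        f.write(data)
    return f.name

if __name__ == "__main__":
    # Constructed image: zero-overwritten except for one leftover fragment, so the check must FAIL.
    img = constructed_image(b"\x00" * 100000 + b"CUI FRAGMENT" + b"\x00" * 50000)
    print(json.dumps(sanitization_record("DISK-0001", "clear (zero overwrite)", img, "analyst", samples=None), indent=2))
```

A read-back check like this only evidences an overwrite-style clear; cryptographic erase or physical destruction needs different evidence (the device's own sanitize status, or a destruction certificate).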
