MP-06 Media Sanitization
a. Sanitize mp-6_prm_1 prior to disposal, release out of organizational control, or release for reuse using mp-6_prm_2; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.
Parameter ID | Definition |
---|---|
mp-6_prm_1 | organization-defined system media |
mp-6_prm_2 | organization-defined sanitization techniques and procedures |
mp-06_odp.01 | system media |
mp-06_odp.02 | system media |
mp-06_odp.03 | system media |
mp-06_odp.04 | sanitization techniques and procedures |
mp-06_odp.05 | sanitization techniques and procedures |
mp-06_odp.06 | sanitization techniques and procedures |
Baselines
- L
- M
- H
- P
Guidance
Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques—including clearing, purging, cryptographic erase, de-identification of personally identifiable information, and destruction—prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.
References 10
- 32 CFR 2002 Code of Federal Regulations, Title 32, *Controlled Unclassified Information* (32 C.F.R. 2002).
- OMB A-130 Office of Management and Budget Memorandum Circular A-130, *Managing Information as a Strategic Resource*, July 2016.
- NARA CUI National Archives and Records Administration, Controlled Unclassified Information (CUI) Registry.
- FIPS 199 National Institute of Standards and Technology (2004) Standards for Security Categorization of Federal Information and Information Systems. (U.S. Department of Commerce, Washington, D.C.), Federal Information Processing Standards Publication (FIPS) 199.
- SP 800-60-1 Stine KM, Kissel RL, Barker WC, Fahlsing J, Gulick J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 1, Rev. 1.
- SP 800-60-2 Stine KM, Kissel RL, Barker WC, Lee A, Fahlsing J (2008) Guide for Mapping Types of Information and Information Systems to Security Categories: Appendices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-60, Vol. 2, Rev. 1.
- SP 800-88 Kissel RL, Regenscheid AR, Scholl MA, Stine KM (2014) Guidelines for Media Sanitization. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-88, Rev. 1.
- SP 800-124 Souppaya MP, Scarfone KA (2013) Guidelines for Managing the Security of Mobile Devices in the Enterprise. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Special Publication (SP) 800-124, Rev. 1.
- IR 8023 Dempsey KL, Paulsen C (2015) Risk Management for Replication Devices. (National Institute of Standards and Technology, Gaithersburg, MD), NIST Interagency or Internal Report (IR) 8023.
- NSA MEDIA National Security Agency, *Media Destruction Guidance*.
Control Enhancements 8
- MP-06(01) Review, Approve, Track, Document, and Verify L M H P
- MP-06(02) Equipment Testing L M H P
- MP-06(03) Nondestructive Techniques L M H P
- MP-06(04) Controlled Unclassified Information
- MP-06(05) Classified Information
- MP-06(06) Media Destruction
- MP-06(07) Dual Authorization L M H P
- MP-06(08) Remote Purging or Wiping of Information L M H P
Related controls 12
- AC-03 Access Enforcement L M H P
- AC-07 Unsuccessful Logon Attempts L M H P
- AU-11 Audit Record Retention L M H P
- MA-02 Controlled Maintenance L M H P
- MA-03 Maintenance Tools L M H P
- MA-04 Nonlocal Maintenance L M H P
- MA-05 Maintenance Personnel L M H P
- PM-22 Personally Identifiable Information Quality Management L M H P
- SI-12 Information Management and Retention L M H P
- SI-18 Personally Identifiable Information Quality Operations L M H P
- SI-19 De-identification L M H P
- SR-11 Component Authenticity L M H P