NetStable
Level 2 MA.L2-3.7.3

Ensure equipment removed for off-site maintenance is sanitized of any CUI

📖 What This Means

This control means that any equipment (like laptops, servers, or hard drives) sent to an external vendor or location for repairs or maintenance must have all Controlled Unclassified Information (CUI) completely removed or securely erased beforehand. Think of it like shredding sensitive documents before throwing them away—but for digital data. For example, if a contractor sends a malfunctioning server to a third-party repair shop, they must ensure no CUI remains on the device. Another example: A laptop with CUI sent to the manufacturer for warranty repairs must be wiped clean or have its storage drive replaced before leaving your facility.

🎯 Why It Matters

Failure to sanitize equipment risks exposing CUI to unauthorized parties, leading to data breaches, contract penalties, or loss of DoD trust. In 2020, a defense contractor faced an $8.5M fine after a hard drive containing CUI was sold on eBay without proper sanitization. The DoD requires this control because off-site maintenance vendors often lack the same security clearances or controls as your organization. A single oversight could compromise national security or intellectual property. CMMC treats this as a Level 2 requirement because CUI must be protected throughout its lifecycle, even during maintenance.

How to Implement

  1. For cloud-managed devices (e.g., Azure AD-joined laptops), enforce BitLocker encryption and remotely wipe devices before off-site transfer using Microsoft Endpoint Manager.
  2. Document the sanitization process in your cloud maintenance policy, including roles responsible for approval and verification.
  3. Use AWS Storage Gateway or similar tools to ensure no CUI persists on physical appliances returned to cloud providers.
  4. Maintain logs of sanitization actions in your SIEM (e.g., Splunk or Azure Sentinel).
  5. Require vendors to sign a CUI sanitization acknowledgment form for cloud-related hardware.
⏱️ Estimated Effort
Initial setup: 8-16 hours (IT staff). Ongoing: 1-2 hours per device (junior technician).

📋 Evidence Examples

Equipment Sanitization Log

Format: Spreadsheet (Excel/Google Sheets)
Frequency: Updated per incident
Contents: Date, Device ID, Sanitization method (e.g., NIST 800-88 Clear), Technician name, Verifier name
Collection: Export from asset management system or manual log

Vendor Acknowledgment Form

Format: PDF (scanned signed copy)
Frequency: Per maintenance event
Contents: Vendor name, Equipment received date, Statement confirming no CUI present
Collection: Store in shared drive with restricted access

Sanitization Procedure Document

Format: Word/PDF policy
Frequency: Annual review
Contents: Step-by-step instructions, approved tools list, roles/responsibilities
Collection: Version-controlled in document management system

Training Records

Format: HR system export
Frequency: Annual
Contents: Staff names, training date, quiz scores on sanitization policy
Collection: LMS report or signed attendance sheets

Destruction Certificates

Format: Vendor-provided PDF
Frequency: Per destruction event
Contents: Serial numbers of destroyed media, destruction method, date
Collection: File with procurement records

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MA.L2-3.7.3 ("Ensure equipment removed for off-site maintenance is sanitized of any CUI"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how system maintenance is controlled, including scheduling, change management, tool approval, remote maintenance security, and personnel authorization. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MA.L2-3.7.3 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to ensure equipment removed for off-site maintenance is sanitized of any CUI. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MA.L2-3.7.3 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to ensure equipment removed for off-site maintenance is sanitized of any CUI. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MA.L2-3.7.3 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify systems within the CUI boundary requiring maintenance
  • Document maintenance windows and change control process
  • Specify remote maintenance tools and access controls
  • Ensure this control covers all systems within your defined CUI boundary from which equipment may be removed for off-site maintenance
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Maintenance Policy
  • 📄 Change management records
  • 📄 Approved maintenance tool inventory
  • 📄 Remote maintenance session logs
  • 📄 Evidence artifacts specific to MA.L2-3.7.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will review maintenance records for proper approval workflow, verify remote maintenance uses MFA and is logged, and check that non-company maintenance personnel are supervised.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you maintain an inventory of all equipment containing CUI?

✅ YES → Proceed to Q2
❌ NO → GAP: Implement an asset management system (e.g., Snipe-IT) within 30 days to track CUI-capable devices.
Remediation:
Document all devices that process/store CUI; tag them for priority sanitization.

Question 2: Is there a documented procedure for sanitizing equipment before off-site maintenance?

✅ YES → Proceed to Q3
❌ NO → GAP: Draft a procedure using NIST SP 800-88 templates within 2 weeks.
Remediation:
Include wipe methods, verification steps, and exception handling.

Question 3: Are staff trained on sanitization procedures at least annually?

✅ YES → Proceed to Q4
❌ NO → GAP: Schedule training within 60 days; record attendance and test comprehension.
Remediation:
Use free NIST resources for training materials.

Question 4: Do you maintain logs of sanitization actions for each device?

✅ YES → Proceed to Q5
❌ NO → GAP: Create a sanitization log template and retroactively document recent maintenance events within 14 days.
Remediation:
Logs must include device ID, method, date, and verifying staff.

Question 5: Do you obtain signed vendor acknowledgments confirming that equipment sent off-site contains no CUI?

✅ YES → COMPLIANT
❌ NO → GAP: Add vendor acknowledgment to procurement contracts; implement immediately for new requests.
Remediation:
Template available from Defense Industrial Base (DIB) cybersecurity resources.

⚠️ Common Mistakes (What Auditors Flag)

1. Assuming encryption equals sanitization

Why this happens: Misreading NIST guidance; encrypted media still requires sanitization before it leaves your control.
How to avoid: Always perform a cryptographic erase plus overwrite on encrypted devices, and record both steps in the sanitization log.

2. No verification step

Why this happens: Relying solely on the technician who performed the wipe.
How to avoid: Require a second staff member to confirm sanitization using tools like FTK Imager.

3. Missing logs for 'minor' maintenance

Why this happens: Not tracking peripherals (e.g., printers) that may store CUI.
How to avoid: Include all equipment types in the sanitization policy.

4. Outdated vendor agreements

Why this happens: Failing to update contracts to include CUI clauses.
How to avoid: Annual legal review of maintenance vendor contracts.

5. No contingency for failed sanitization

Why this happens: Lack of procedures when wipe tools fail.
How to avoid: Define fallback methods (e.g., physical destruction) in the policy.
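As an added example (not from this page or from NetStable), the following Python check reads a sanitization log in the column layout given under Evidence Examples and refuses to clear a device for off-site release when its latest entry shows one of the mistakes above: an unapproved method such as encryption alone (mistake 1), a missing or non-independent verifier (mistake 2), or a failed wipe with no logged fallback (mistake 5). The approved-method list, the extra Result column and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from datetime import date

# Methods the (hypothetical) policy accepts, named after NIST SP 800-88 categories.
# "BitLocker enabled" is deliberately absent: encryption alone is not sanitization.
APPROVED_METHODS = {
    "NIST 800-88 Clear",
    "NIST 800-88 Purge",
    "Cryptographic Erase + Overwrite",
    "Physical Destruction",
}

# Constructed sample log in the evidence-section layout, plus an assumed Result
# column so that failed wipes (and their later fallback) can be tracked.
SAMPLE_LOG = """Date,Device ID,Sanitization method,Technician name,Verifier name,Result
2024-03-04,LT-0142,NIST 800-88 Clear,A. Rivera,J. Chen,pass
2024-03-04,SRV-007,BitLocker enabled,A. Rivera,J. Chen,pass
2024-03-05,LT-0199,NIST 800-88 Purge,J. Chen,J. Chen,pass
2024-03-06,HDD-3311,NIST 800-88 Clear,A. Rivera,,pass
2024-03-06,LT-0201,NIST 800-88 Clear,A. Rivera,J. Chen,fail
2024-03-07,LT-0201,Physical Destruction,A. Rivera,M. Okafor,pass
"""


def record_issues(row):
    """Return the policy violations that stop this log row from clearing a device."""
    issues = []
    if row["Sanitization method"] not in APPROVED_METHODS:
        issues.append("method not on approved list (encryption alone is not sanitization)")
    if not row["Verifier name"].strip():
        issues.append("no verifier recorded")
    elif row["Verifier name"] == row["Technician name"]:
        issues.append("verifier must be a second staff member")
    if row["Result"].strip().lower() != "pass":
        issues.append("wipe did not pass; fallback method must be applied and logged")
    return issues


def evaluate_log(log_text):
    """Map each device ID to the issues on its most recent entry (by Date)."""
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: date.fromisoformat(r["Date"]))
    latest = {}
    for row in rows:  # later rows overwrite earlier ones, so a logged fallback counts
        latest[row["Device ID"]] = record_issues(row)
    return latest


def cleared_for_release(log_text):
    """Device IDs whose latest log entry satisfies every check."""
    return sorted(dev for dev, issues in evaluate_log(log_text).items() if not issues)
```

Run `evaluate_log(SAMPLE_LOG)` to see the reason each blocked device is held; only LT-0142 and LT-0201 (whose failed Clear was followed by a verified destruction) are cleared.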

📚 Parent Policy

This practice is governed by the Maintenance Policy
