NetStable
Level 2 MP.L2-3.8.3

Sanitize or destroy system media containing CUI before disposal or release for reuse

📖 What This Means

This practice means you must ensure that any physical or digital storage media (like hard drives, USBs, or cloud storage) that contained Controlled Unclassified Information (CUI) is either completely wiped clean (sanitized) or physically destroyed before you throw it away or let someone else use it. Think of it like shredding sensitive paper documents before recycling—but for digital and electronic media. For example, if you're replacing old company laptops that stored CUI, you'd need to either use special software to erase all data permanently or physically destroy the hard drives. Another example: Before returning a leased cloud server, you'd need to verify all CUI is irrecoverably deleted.

🎯 Why It Matters

Failing to properly sanitize media can lead to catastrophic data breaches. In 2020, a defense contractor improperly sold used hard drives containing F-35 fighter jet schematics on eBay—resulting in an $8.6M DoD investigation. The average cost of a data breach in defense is $4.2M (IBM 2023). The DoD requires this control because CUI can persist in 'deleted' files through data remanence. Even reformatting isn't enough—advanced tools can recover 75% of 'deleted' data from unsanitized drives. This practice prevents adversaries from dumpster diving or buying used equipment to harvest sensitive data.

How to Implement

  1. For AWS: Use AWS Data Lifecycle Manager to automatically sanitize EBS volumes/snapshots containing CUI before release (enable the 'final snapshot' option with 1-day retention).
  2. For Azure: Configure 'Purge protection' on Key Vaults storing CUI and use the 'Secure Erase' API for managed disks.
  3. In GCP: Enable 'Customer-Supplied Encryption Keys' for CUI storage, then revoke the keys before media release.
  4. Document sanitization via the cloud provider's audit logs (e.g., AWS CloudTrail 'DeleteVolume' events).
  5. For SaaS apps like SharePoint: Use Microsoft 365's 'Data Purge' feature with the 7-pass DoD wipe standard.

⏱️ Estimated Effort

Initial setup: 8-16 hours (IT staff). Ongoing: 2-4 hours/month per 100 devices. Skill level: Mid-level sysadmin (can follow NIST SP 800-88 guidelines).

📋 Evidence Examples

Media Sanitization Policy

Format: PDF/DOCX
Frequency: Annual review
Contents: Approved methods per media type (e.g., 'SSDs: Cryptographic erase + 3-pass overwrite')
Collection: Export from document management system

Sanitization Certificates

Format: Signed PDF/CSV log
Frequency: Per device
Contents: Device ID, method used, date, technician name
Collection: Scan signed forms or export from asset management tool

Cloud Sanitization Logs

Format: AWS CloudTrail/Azure Activity Log export
Frequency: Monthly
Contents: 'DeleteVolume' events with timestamps
Collection: AWS CLI: `aws cloudtrail lookup-events`
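Step 4 of "How to Implement" and the "Cloud Sanitization Logs" evidence item both rely on CloudTrail 'DeleteVolume' events. The script below is an added example (not NetStable's or AWS's code) that takes the JSON printed by `aws cloudtrail lookup-events`, keeps only volume/snapshot release events, emits certificate-style records (device ID, method, date, technician) as CSV, and cross-checks them against a CUI media inventory to find released media with no evidence. The event payload, volume/snapshot IDs, user names, region and the inventory are all constructed placeholders; the `RELEASE_EVENTS` mapping and the inventory status values are this example's own conventions.

```python
"""Turn `aws cloudtrail lookup-events` output into MP.L2-3.8.3 evidence records.

Added example. Capture real events with
  aws cloudtrail lookup-events --lookup-attributes \
      AttributeKey=EventName,AttributeValue=DeleteVolume > events.json
then call build_records(json.load(open("events.json"))).
Everything in the SAMPLE_* constants below is constructed.
"""
import csv
import io
import json
from datetime import datetime

# Management events that mark release of EBS media back to the provider; the
# value is what goes in the certificate's 'method used' field (our convention).
RELEASE_EVENTS = {
    "DeleteVolume": "Cloud release: AWS EC2 DeleteVolume",
    "DeleteSnapshot": "Cloud release: AWS EC2 DeleteSnapshot",
}

# Constructed sample in the shape the AWS CLI prints: two release events and
# one read-only call that must be ignored.
SAMPLE_LOOKUP_OUTPUT = {
    "Events": [
        {
            "EventId": "11111111-example-event-1",
            "EventName": "DeleteVolume",
            "EventTime": "2024-05-01T14:22:10+00:00",
            "Username": "jdoe",
            "Resources": [{"ResourceType": "AWS::EC2::Volume",
                           "ResourceName": "vol-0exampleaaaa"}],
            "CloudTrailEvent": json.dumps({
                "eventName": "DeleteVolume",
                "awsRegion": "us-gov-west-1",
                "requestParameters": {"volumeId": "vol-0exampleaaaa"},
            }),
        },
        {
            "EventId": "22222222-example-event-2",
            "EventName": "DescribeVolumes",   # read-only, not evidence of release
            "EventTime": "2024-05-01T15:00:00+00:00",
            "Username": "jdoe",
            "Resources": [],
            "CloudTrailEvent": json.dumps({"eventName": "DescribeVolumes",
                                           "awsRegion": "us-gov-west-1"}),
        },
        {
            "EventId": "33333333-example-event-3",
            "EventName": "DeleteSnapshot",
            "EventTime": "2024-05-02T09:05:41+00:00",
            "Username": "asmith",
            "Resources": [{"ResourceType": "AWS::EC2::Snapshot",
                           "ResourceName": "snap-0examplebbbb"}],
            "CloudTrailEvent": json.dumps({
                "eventName": "DeleteSnapshot",
                "awsRegion": "us-gov-west-1",
                "requestParameters": {"snapshotId": "snap-0examplebbbb"},
            }),
        },
    ]
}

# Constructed CUI media inventory: device id -> lifecycle status.
SAMPLE_INVENTORY = {
    "vol-0exampleaaaa": "released",
    "snap-0examplebbbb": "released",
    "vol-0releasedcccc": "released",   # released, but no CloudTrail record
    "vol-0activedddd": "in-service",
}


def build_records(lookup_output):
    """Return one certificate-style record per volume/snapshot release event."""
    records = []
    for ev in lookup_output.get("Events", []):
        method = RELEASE_EVENTS.get(ev.get("EventName"))
        if method is None:
            continue                      # not a media release event
        detail = json.loads(ev.get("CloudTrailEvent") or "{}")
        params = detail.get("requestParameters") or {}
        device_id = params.get("volumeId") or params.get("snapshotId")
        if device_id is None and ev.get("Resources"):
            device_id = ev["Resources"][0].get("ResourceName")
        when = datetime.fromisoformat(ev["EventTime"])
        records.append({
            "device_id": device_id or "UNKNOWN",
            "method": method,
            "date": when.date().isoformat(),
            "technician": ev.get("Username") or "unknown-principal",
            "region": detail.get("awsRegion", ""),
            "event_id": ev.get("EventId", ""),
        })
    return records


def missing_evidence(inventory, records):
    """Released CUI media with no release event: a gap an assessor will flag."""
    evidenced = {r["device_id"] for r in records}
    return sorted(dev for dev, status in inventory.items()
                  if status == "released" and dev not in evidenced)


def records_to_csv(records):
    """Serialize records as the CSV log listed under Sanitization Certificates."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=["device_id", "method", "date",
                                             "technician", "region", "event_id"])
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    recs = build_records(SAMPLE_LOOKUP_OUTPUT)
    print(records_to_csv(recs))
    print("Released without evidence:", missing_evidence(SAMPLE_INVENTORY, recs))
```

The CSV is the artifact to sign and file; the `missing_evidence` list is the monthly reconciliation that catches media released outside the documented process (for example, a volume deleted before CloudTrail retention started, or in an account the lookup did not cover).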

Destruction Service Receipts

Format: Scanned vendor invoices
Frequency: Per service
Contents: NSA-approved destruction company's certificate
Collection: Accounts payable records

Employee Training Records

Format: LMS export
Frequency: Annual
Contents: Media handling training completion dates
Collection: HR system report

📝 SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For MP.L2-3.8.3 ("Sanitize or destroy system media containing CUI before disposal or release for reuse"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how CUI on media is protected throughout its lifecycle, including encryption, access controls, marking, transport procedures, sanitization methods, and accountability tracking. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"MP.L2-3.8.3 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to sanitize or destroy system media containing CUI before disposal or release for r.... The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"MP.L2-3.8.3 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to sanitize or destroy system media containing CUI before disposal or release for r.... Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"MP.L2-3.8.3 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all removable media types within the CUI boundary
  • Document media storage locations (on-site, off-site)
  • Specify media sanitization and destruction methods
  • Ensure this control covers every system within your defined CUI boundary whose media containing CUI is disposed of or released for reuse
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Media Protection Policy
  • 📄 Media inventory database
  • 📄 Certificates of destruction
  • 📄 Transport chain-of-custody records
  • 📄 Evidence artifacts specific to MP.L2-3.8.3
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will check for CUI markings on media, verify encryption is enabled, review the media inventory for completeness, and examine destruction certificates.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you maintain an up-to-date inventory of all media storing CUI?

✅ YES → Proceed to Q2
❌ NO → GAP: Create a spreadsheet tracking device IDs, locations, and CUI content. Use tools like Lansweeper for automated discovery. Timeline: 2 weeks.
Remediation:
Implement weekly automated scans using PDQ Inventory or similar.

Question 2: Are sanitization methods aligned with NIST SP 800-88 for each media type?

✅ YES → Proceed to Q3
❌ NO → GAP: Document specific methods per media type (e.g., 'Hard drives: DoD 3-pass'). Timeline: 1 week.
Remediation:
Download NIST SP 800-88 Rev. 1 Appendix A as reference.

Question 3: Is there a documented chain of custody for media from CUI storage to destruction?

✅ YES → Proceed to Q4
❌ NO → GAP: Implement a sign-out log with employee names/dates. Timeline: 3 days.
Remediation:
Use a Google Form or SharePoint list for digital tracking.

Question 4: Are cloud storage volumes containing CUI sanitized before release?

✅ YES → Proceed to Q5
❌ NO → GAP: Configure AWS/Azure auto-sanitization policies. Timeline: 5 business days.
Remediation:
See AWS Data Lifecycle Manager documentation.

Question 5: Do you retain certificates of sanitization/destruction for 3 years?

✅ YES → COMPLIANT
❌ NO → GAP: Collect missing certificates from vendors/staff. Timeline: 30 days.
Remediation:
Create a 'Sanitization Records' folder in your document management system.

⚠️ Common Mistakes (What Auditors Flag)

1. Assuming cloud providers handle sanitization automatically

Why this happens: Misunderstanding shared responsibility model
How to avoid: Explicitly configure sanitization in cloud consoles and document settings

2. Using basic 'format' commands instead of certified wiping tools

Why this happens: Lack of awareness about data remanence
How to avoid: Train staff on NIST-approved tools like DBAN/Blancco
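A 'format' or file delete leaves the bytes in place, which is why the text above calls for certified wiping tools. The script below is an added example (not NetStable's code and not a certified tool) that shows the read-back verification NIST SP 800-88 pairs with Clear: on a constructed file-backed image it first confirms a marker standing in for CUI is still readable, then overwrites every byte and proves by a full read-back that none survived. The chunk size, fill byte and marker are this example's own choices. Overwriting a file inside a filesystem does not sanitize the drive beneath it (remapped sectors, wear-levelled flash), so on real media the overwrite must come from the device's own sanitize command or a certified tool; the read-back logic is what you run afterwards to verify the result.

```python
"""Read-back verification after an overwrite (NIST SP 800-88 Clear + verify).

Added example on a constructed file-backed image. Chunk size, fill byte and
the CUI marker are this example's assumptions, not values from any standard.
"""
import os
import tempfile

CHUNK = 1024 * 1024          # read/write granularity
CUI_MARKER = b"CUI:"         # constructed marker standing in for sensitive content


def contains_marker(path, marker=CUI_MARKER):
    """True if the marker is still readable anywhere in the image (remanence)."""
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            if marker in tail + chunk:   # tail catches a marker split across chunks
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""


def overwrite_image(path, fill=0x00, passes=1):
    """Overwrite every byte of the image with `fill`, syncing each pass to disk."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                f.write(bytes([fill]) * n)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def verify_overwritten(path, fill=0x00):
    """Full read-back: (True, size) if every byte equals `fill`, else (False, offset)."""
    offset = 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True, offset
            if chunk != bytes([fill]) * len(chunk):
                bad = next(i for i, b in enumerate(chunk) if b != fill)
                return False, offset + bad   # first byte that was not cleared
            offset += len(chunk)


def demo():
    """Constructed image: the data is readable until the overwrite, then gone."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
        f.write(b"CUI: example contract data\n" * 5000)   # 135000 constructed bytes
    try:
        before = (contains_marker(path), verify_overwritten(path))
        overwrite_image(path)
        after = (contains_marker(path), verify_overwritten(path))
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before overwrite: marker present =", before[0], "verify =", before[1])
    print("after overwrite:  marker present =", after[0], "verify =", after[1])
```

Record the `verify_overwritten` result (pass/fail and the failing offset, if any) on the sanitization certificate next to the method used; a failed read-back means the media goes to physical destruction rather than reuse.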

3. No quarantine period before disposal

Why this happens: Rushing to clear storage space
How to avoid: Designate a locked storage area for 30-day holding

4. Missing certificates for third-party destruction

Why this happens: Not requesting documentation from vendors
How to avoid: Add certificate requirement to vendor contracts

5. Forgetting sanitization for backup media

Why this happens: Focusing only on primary storage
How to avoid: Include backup tapes/disks in inventory and procedures

📚 Parent Policy

This practice is governed by the Media Protection Policy.


📚 Related Controls