By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager
Note: Important Change as of November 2021
The Department of Defense announced a major overhaul to the Cybersecurity Maturity Model Certification (CMMC) program. No new contracts will feature CMMC compliance requirements until the Department completes its rulemaking process for CMMC 2.0. Read our summary of the changes, Goodbye CMMC 1.0, Hello CMMC 2.0. For more detailed information, visit the CMMC website.
Keiter’s Cybersecurity team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.
Editor’s note: This article is one of a series of articles about the CMMC Maturity Level (ML) 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC ML-1 resource.
CMMC Maturity Level (ML) 1 Practices: Overview of MP.L1-3.8.3
| | |
|---|---|
| Practice Number | MP.L1-3.8.3 |
| Practice | Sanitize or destroy information system media containing Federal Contract Information [or Controlled Unclassified Information] before disposal or release for reuse. |
| Assessment Objectives | [a] system media containing FCI [or CUI] is sanitized or destroyed before disposal; and [b] system media containing FCI [or CUI] is sanitized before it is released for reuse. |

Source: CMMC ML-1 Assessment Guide
This practice is very straightforward and should be an easy win for most organizations.
The practice describes “media” and “sanitization.” These are both terms of art in the CMMC literature and related guidance, so let’s review each of them.
“Media” includes a wide array of items that can store information. These can include laptops, servers, hard drives (internal or external), thumb drives, CDs, DVDs, Blu-ray discs, USB drives, tape backup, mobile phones, paper documents, and more.
“Sanitization” is the process of ensuring that the data that was written to the media cannot be recovered. There are many ways to accomplish the task, such as shredding, wiping, and physical destruction. Unfortunately, simply selecting the files and pressing the delete button is not enough. So, what is enough? The CMMC Assessment Guide does not dive into the details, but it does refer readers to an additional 64 pages of guidance, courtesy of the National Institute of Standards and Technology (NIST): NIST Special Publication (SP) 800-88, Guidelines for Media Sanitization. The guidance provides recommendations for sanitizing different types of media, e.g., paper, external hard drives, iPhones, and even Blackberries. We recommend examining NIST SP 800-88 for guidance that relates to the type of media your organization uses.
An organization may have a number of reasons to sanitize information system media.
| Business Event | Sanitization Method per NIST SP 800-88 |
|---|---|
| An employee leaves and the organization wishes to reissue the computer to a new employee. | Overwrite media by overwriting all data, at least a single write pass with a fixed data value, such as all zeros. |
| An organization undergoes a hardware refresh and needs to dispose of old computers. | Incinerate, degauss, shred, or otherwise destroy the hard drive(s) in each computer. |
| Company employees print FCI/CUI and need to sanitize the information prior to disposal. | Shred with a crosscut shredder. |
The MP.L1-3.8.3 practice features two assessment objectives that separate the practice requirement into media that an organization intends to dispose of [a] and media that the organization intends to reuse [b]. The key distinction between the two is that some methods used to sanitize equipment being disposed of, such as physical destruction, are not practical when equipment is being reissued. After all, if a laptop hard drive is incinerated, it will be difficult to reuse.
Key to Success

Key to passing your assessment will be providing evidence to your assessors that proves you actually perform these functions. First, we recommend documenting a policy and procedure. The policy should clearly indicate the types of events within the organization that require sanitization procedures to be applied, and it should identify the individuals responsible for carrying out the activities. The procedures should clearly describe what needs to be performed for each sanitization event and what logs would need to be retained to demonstrate that your organization consistently executes the related procedures.

For example, a common event is an employee quitting and returning their computer. As part of the exit process, an organization could complete a checklist in which an IT staff member verifies the date and method used to sanitize the computer before it is put into storage to await reissue.
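As an added example (not code from the Keiter article, the CMMC Assessment Guide, or NIST SP 800-88), the script below ties together the reuse row of the table above and the exit checklist just described: it performs the single-pass zero overwrite on a drive image, reads the image back to confirm no non-zero byte survived, and produces the dated record of method, asset, and technician that an assessor would ask to see. It also shows the contrasting record for objective [a], where physical destruction cannot be verified by read-back and the evidence is the who/what/when plus any vendor certificate. The "media" is a constructed temporary file standing in for a returned laptop's drive, and the asset tags, technician name, and vendor label are hypothetical values; the code deliberately operates on a file path rather than a raw device.

```python
"""Single-pass zero overwrite with read-back verification and an evidence record.
Added illustration; the drive image, asset tags and names are constructed."""
import json
import os
import tempfile
from datetime import datetime, timezone
from typing import Optional

CHUNK = 1024 * 1024  # process 1 MiB at a time so large images never load fully into memory


def overwrite_with_zeros(path: str) -> int:
    """Clear per NIST SP 800-88: one write pass of a fixed value (0x00) over every byte.
    Returns the number of bytes written. Works only on a regular file, never a raw device."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            f.write(b"\x00" * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # make sure the zeros reached the storage, not just the page cache
    return size


def verify_all_zeros(path: str) -> bool:
    """Read the whole image back and confirm that no non-zero byte survived the pass."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def sanitize_for_reuse(path: str, asset_tag: str, technician: str) -> dict:
    """Objective [b]: media released for reuse. Runs the Clear pass, verifies it,
    and returns the checklist record the organization retains as evidence."""
    size = overwrite_with_zeros(path)
    return {
        "asset_tag": asset_tag,
        "disposition": "reuse",
        "method": "Clear: single-pass overwrite, fixed value 0x00 (NIST SP 800-88)",
        "bytes_overwritten": size,
        "verified": verify_all_zeros(path),
        "technician": technician,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def disposal_record(asset_tag: str, method: str, technician: str,
                    vendor: Optional[str] = None) -> dict:
    """Objective [a]: media disposed of. Destruction cannot be verified by read-back,
    so the evidence is the method, who performed it, when, and the vendor if outsourced."""
    return {
        "asset_tag": asset_tag,
        "disposition": "disposal",
        "method": method,
        "technician": technician,
        "vendor": vendor,
        "completed_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
    }


def make_sample_image(nbytes: int = 3 * 1024 * 1024 + 17) -> str:
    """Constructed stand-in for a returned laptop's drive: random bytes in a temp file."""
    fd, path = tempfile.mkstemp(prefix="media-image-")
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(nbytes))
    return path


if __name__ == "__main__":
    img = make_sample_image()
    print("image already blank?", verify_all_zeros(img))  # False: data is present
    # hypothetical asset tag and technician identifier
    print(json.dumps(sanitize_for_reuse(img, "LT-0042", "it.staff"), indent=2))
    print(json.dumps(disposal_record("LT-0017", "Shred (hard drive)", "it.staff",
                                     vendor="ITAD vendor (hypothetical)"), indent=2))
    os.remove(img)
```

The odd image size (not a multiple of the chunk size) exercises the last partial chunk, which is where an overwrite loop that rounds down would leave recoverable data. The records are plain dictionaries so they can be appended to whatever log or ticketing export the procedure names as the retained evidence.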
MP.L1-3.8.3: Media Sanitization and Service Providers
Many companies use a third-party provider to dispose of or recycle media, including papers and computing equipment. This does not displace the compliance requirement. Organizations should be able to point to their statement of work (or other document) that describes the standards to which the service provider sanitizes media. Additionally, organizations should retain records indicating which pieces of equipment were taken and disposed of.
MP.L1-3.8.3 is the only Media Protection practice required in CMMC Level 1, and thankfully, the requirements are not terribly technical and should be an easy win for most organizations. The key to meeting the requirements is to ensure that an organization sanitizes every type of media and that evidence is retained to demonstrate the process is being followed.
Interested in learning more about CMMC services for your defense contracts? Contact us. We are here to help.
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.