catalog: SP800-53rev3 / class: Operational / family: (MP) Media Protection
MP-06: Media Sanitization

base control objective:
The organization sanitizes information system media, both digital and non-digital, prior to disposal, release out of organizational control, or release for reuse.

supplemental objective information:
This control applies to all media subject to disposal or reuse, whether or not considered removable. Sanitization is the process used to remove information from information system media such that there is reasonable assurance that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, and destroying media information, prevent the disclosure of organizational information to unauthorized individuals when such media is reused or disposed of. The organization employs sanitization mechanisms with strength and integrity commensurate with the classification or sensitivity of the information. The organization uses its discretion on the employment of sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on the organization or individuals if released for reuse or disposed.

enhancements to the base objective:

(1) The organization tracks, documents, and verifies media sanitization and disposal actions.

(2) The organization tests sanitization equipment and procedures to verify correct performance [Assignment: organization-defined frequency].

(3) The organization sanitizes portable, removable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined list of circumstances requiring sanitization of portable, removable storage devices].
Enhancement Supplemental Guidance: Portable, removable storage devices (e.g., thumb drives, flash drives, external storage devices) can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown sources and may contain various types of malicious code that can be readily transferred to the information system through USB ports or other entry portals. While scanning such devices is always recommended, sanitization provides additional assurance that the device is free of all malicious code to include code capable of initiating zero-day attacks. Organizations consider sanitization of portable, removable storage devices, for example, when such devices are first purchased from the manufacturer or vendor prior to initial use or when the organization loses a positive chain of custody for the device. An organizational assessment of risk guides the specific circumstances for employing the sanitization process.

(4) Information system media containing Controlled Unclassified Information (CUI) are sanitized in accordance with applicable organizational/federal standards and policies.

(5) Information system media containing classified, collateral, national security information are sanitized in accordance with applicable organizational/federal standards and policies.

(6) Information system media containing Sensitive Compartmented Information (SCI) are sanitized in accordance with NSA standards and policies.

(7) The organization destroys information system media that cannot be sanitized.

mapping to FIPS199 baseline:

LOW: base     MOD: base     HIGH: base (1) (2) (3)

related (regimented) controls:

None.

documents referenced in SP800-53rev3 for MP-06:

Document        Date             Status    Title
NIST SP800-24   August, 2000     current   PBX Vulnerability Analysis: Finding Holes in Your PBX Before Someone Else Does
NIST SP800-36   October, 2003    current   Guide to Selecting Information Technology Security Products
NIST SP800-66   October, 2008    current   An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule
NIST SP800-88   September, 2006  current   Guidelines for Media Sanitization
NIST SP800-98   September, 2006  DRAFT     Guidelines for Securing Radio Frequency Identification (RFID) Systems
