NIST 800-171 • LEVEL 2 • MEDIA PROTECTION
3.8.3 — Media Sanitization
Media sanitization applies to digital and non-digital media that are subject to disposal or reuse, whether or not the media are considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, mobile devices, workstations, network components, and non-digital media. The sanitization process removes CUI from media such that the information cannot be retrieved or reconstructed. Sanitization techniques (e.g., cryptographically erasing, clearing, purging, and destroying) prevent the disclosure of CUI to unauthorized individuals when such media are reused or released for disposal. NARA policies control the sanitization process for media that contain CUI and may require destruction when other methods cannot be applied to the media.
Assessment Objectives
- system media that contain CUI are sanitized prior to disposal, release out of organizational control, or release for reuse.
Practitioner Notes
When you are done with media — or reusing it for a different purpose — you need to sanitize it so the CUI cannot be recovered. This applies to everything from hard drives to printed paper to the internal drives in your copiers.
Example 1: For hard drives and SSDs being decommissioned, use a NIST 800-88 compliant method. For magnetic drives, use a tool like Blancco or DBAN to perform a full overwrite. For SSDs, use the manufacturer’s secure erase command (e.g., Samsung Magician’s "Secure Erase" or Intel SSD Toolbox). Document each sanitization with the media serial number, method used, date, and technician name.
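The overwrite or secure-erase tools named above do the clearing; the two steps that come after are verifying the overwrite actually took and writing down the evidence. The following Python script is an added example, not part of this control text or of any vendor tool. It assumes the drive has already been overwritten with a known pattern (zeros by default), that the verifier can read the device as a block device or a disk image, and it uses constructed serial numbers, names, and a temporary file standing in for a drive.

```python
"""Post-sanitization verification and record-keeping (added example).

Assumes the clear/purge step was done by a NIST SP 800-88 method (overwrite
tool or the drive's own secure-erase command). This covers what follows:
confirm the media reads back as the pattern, then log who did what and when.
"""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

SECTOR = 512


def verify_overwrite(device_path, pattern=b"\x00", full=False, samples=256, seed=None):
    """Read the media and confirm every checked sector equals the overwrite pattern.

    full=True reads every sector (slow on real drives, but it is the only way to be
    sure); otherwise `samples` pseudo-random sectors are read. Works on a block
    device or on an image file. Returns (passed, sectors_checked, first_bad_offset).
    """
    expected = (pattern * (SECTOR // len(pattern) + 1))[:SECTOR]
    with open(device_path, "rb", buffering=0) as dev:
        size = dev.seek(0, os.SEEK_END)  # getsize() is 0 for block devices, seek is not
        total = size // SECTOR
        if total == 0:
            raise ValueError("media is smaller than one sector")
        if full:
            indices = range(total)
        else:
            indices = sorted(random.Random(seed).sample(range(total), min(samples, total)))
        checked = 0
        for i in indices:
            dev.seek(i * SECTOR)
            data = dev.read(SECTOR)
            checked += 1
            if data != expected[: len(data)]:
                return False, checked, i * SECTOR  # leftover data found: fail fast
    return True, checked, None


def sanitization_record(serial, model, media_type, method, technician, verification, log_path=None):
    """Build the evidence entry the notes call for (serial, method, date, technician)
    plus the verification result. A SHA-256 of the entry is embedded so that a
    later edit to the log line is detectable."""
    passed, checked, bad = verification
    rec = {
        "serial_number": serial,
        "model": model,
        "media_type": media_type,
        "sanitization_method": method,  # e.g. "Clear: single-pass overwrite", "Purge: ATA Secure Erase"
        "date_utc": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "technician": technician,
        "verification": {"passed": passed, "sectors_checked": checked, "first_failed_offset": bad},
        "final_disposition": "release for reuse/disposal" if passed else "hold: re-sanitize or destroy",
    }
    rec["record_sha256"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    if log_path:
        with open(log_path, "a") as log:  # append-only JSON lines log
            log.write(json.dumps(rec, sort_keys=True) + "\n")
    return rec


def record_is_intact(rec):
    """Recompute the embedded hash; False means the entry was altered after writing."""
    body = {k: v for k, v in rec.items() if k != "record_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() == rec["record_sha256"]


def make_sample_media(path, sectors=1024, leftover_at=None):
    """Constructed stand-in for a drive: zeroed sectors, optionally with one sector
    of leftover data to simulate an overwrite that did not complete."""
    with open(path, "wb") as f:
        f.write(b"\x00" * SECTOR * sectors)
        if leftover_at is not None:
            f.seek(leftover_at * SECTOR)
            f.write(b"CUI-SAMPLE" * 10)


def demo():
    """Run both cases on constructed images; returns results for inspection."""
    d = tempfile.mkdtemp()
    clean, dirty = os.path.join(d, "clean.img"), os.path.join(d, "dirty.img")
    make_sample_media(clean)
    make_sample_media(dirty, leftover_at=7)
    clean_result = verify_overwrite(clean, full=True)
    dirty_result = verify_overwrite(dirty, full=True)
    rec = sanitization_record("SN-CONSTRUCTED-0001", "Example SSD", "SSD",
                              "Clear: single-pass overwrite", "J. Doe (constructed)",
                              clean_result, log_path=os.path.join(d, "sanitization.jsonl"))
    return {"clean": clean_result, "dirty": dirty_result, "record": rec}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Two points worth keeping in mind when adapting this: sampled verification (`full=False`) can miss a single unsanitized sector, as the `dirty` image shows if you run it with a small sample, so use `full=True` for drives whose verification you will attest to; and for an SSD the readback only confirms what the controller chooses to present, which is why the notes steer SSDs toward the manufacturer's secure-erase command rather than a host-side overwrite.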
Example 2: For paper documents containing CUI, use a cross-cut shredder that meets DIN 66399 Level P-4 or higher. If you use a shredding service, get a Certificate of Destruction for each pickup and keep it on file. Do not just toss CUI paper into a standard recycling bin.