NIST 800-53 REV 5 • MEDIA PROTECTION
MP-6(3) — Nondestructive Techniques
Apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the system under the following circumstances: [Assignment: organization-defined circumstances].
CMMC Practice Mapping
No direct CMMC mapping
NIST 800-171 Mapping
No direct NIST 800-171 mapping
Related Controls
No related controls listed
Supplemental Guidance
Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.
Practitioner Notes
Before plugging a portable storage device into your system, sanitize it using a nondestructive method (such as a full format or an overwrite of the whole device) to remove any malicious content it may carry. This keeps malware on removable media from being introduced into your network.
Example 1: Set up a standalone, air-gapped sanitization workstation where all incoming USB devices are scanned and wiped before use. Run a full antivirus scan followed by a secure format. Only after clearance can the device be used on production systems.
Example 2: Use an automated media sanitization kiosk (like OPSWAT MetaDefender Kiosk) that scans removable media with multiple antivirus engines and can perform data sanitization. Place the kiosk at your facility entrance so all incoming media goes through it before entering the network.
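The following is an added example of the sanitization step from Example 1, written for this page; it is not text or tooling from NIST SP 800-53 or from any kiosk vendor. It overwrites a target with zeros, reads it back to verify, and appends an audit record. It is demonstrated against a constructed disk-image file so it runs without hardware; on a real standalone workstation the target would be the removable device's block node (a hypothetical /dev/sdX, unmounted, after you have confirmed which device it is) and device_size would use a device-aware call such as blockdev --getsize64 instead of wc.

```shell
#!/bin/sh
# Added example, not text or tooling from NIST SP 800-53: a minimal
# nondestructive sanitization routine for a standalone sanitization
# workstation, run here against a constructed disk-image file.
# Assumption: on real hardware the target is the removable device's block
# node (hypothetical /dev/sdX) and device_size is replaced by a device-aware
# size query.

BLOCK_SIZE=1048576   # 1 MiB write size for the bulk of each pass

# device_size TARGET: size in bytes of a regular file (the image used here)
device_size() {
    wc -c < "$1" | tr -d ' '
}

# overwrite_zero TARGET: one zero-fill pass over every byte of the target.
# Bulk writes use BLOCK_SIZE; any tail shorter than a block is written
# byte-wise so the final size is not rounded up. Returns non-zero on failure.
overwrite_zero() {
    ow_target=$1
    ow_size=$(device_size "$ow_target")
    ow_full=$(( ow_size / BLOCK_SIZE ))
    ow_rest=$(( ow_size % BLOCK_SIZE ))
    dd if=/dev/zero of="$ow_target" bs="$BLOCK_SIZE" count="$ow_full" \
        conv=notrunc 2>/dev/null || return 1
    if [ "$ow_rest" -gt 0 ]; then
        dd if=/dev/zero of="$ow_target" bs=1 count="$ow_rest" \
            seek=$(( ow_full * BLOCK_SIZE )) conv=notrunc 2>/dev/null || return 1
    fi
}

# verify_zeroed TARGET: read the target back and succeed only if no non-zero
# byte remains. Verification turns "we ran dd" into evidence that the
# overwrite actually completed.
verify_zeroed() {
    vz_nonzero=$(tr -d '\000' < "$1" | wc -c | tr -d ' ')
    [ "$vz_nonzero" -eq 0 ]
}

# sanitize_media TARGET LOGFILE: overwrite, verify, and append an audit record
# to LOGFILE. The record is what you keep as evidence that the device was
# sanitized before its first connection to the system.
sanitize_media() {
    sm_target=$1
    sm_log=$2
    sm_when=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    sm_size=$(device_size "$sm_target")
    if ! overwrite_zero "$sm_target"; then
        printf '%s FAIL overwrite target=%s\n' "$sm_when" "$sm_target" >> "$sm_log"
        return 1
    fi
    if ! verify_zeroed "$sm_target"; then
        printf '%s FAIL verify target=%s\n' "$sm_when" "$sm_target" >> "$sm_log"
        return 2
    fi
    printf '%s OK sanitized target=%s bytes=%s method=zero-overwrite-1pass\n' \
        "$sm_when" "$sm_target" "$sm_size" >> "$sm_log"
}

# Constructed sample run: a 1 MiB image plus an 8-byte tail stands in for the
# untrusted USB stick, so both the bulk and the remainder paths are exercised.
demo_image=$(mktemp)
dd if=/dev/zero bs=1024 count=1024 2>/dev/null | tr '\000' 'U' > "$demo_image"
printf 'leftover' >> "$demo_image"
if sanitize_media "$demo_image" "$demo_image.log"; then
    cat "$demo_image.log"
fi
rm -f "$demo_image" "$demo_image.log"
```

A single fixed-pattern overwrite is a "Clear" operation in NIST SP 800-88 terms: it removes whatever a host would read from the storage area, which is the aim of this enhancement. It is not a guarantee of data erasure on flash media, where wear levelling can leave copies in blocks the host cannot address, and it does not touch the device's own firmware, so it complements rather than replaces the antivirus scan and chain-of-custody practices the guidance describes. Keep the log file on the workstation as the record that clearance was completed before the device was allowed onto production systems.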