NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-14(2) Non-persistent Information

(a) {{ insert: param, si-14.02_odp.01 }}; and (b) Delete information when no longer needed.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Retaining information longer than is needed makes the information a potential target for advanced adversaries searching for high value assets to compromise through unauthorized disclosure, unauthorized modification, or exfiltration. For system-related information, unnecessary retention provides advanced adversaries information that can assist in their reconnaissance and lateral movement through the system.

Practitioner Notes

Ensure that non-persistent systems leave no residual sensitive information behind once a session ends: information is refreshed or generated on demand rather than retained, and it is deleted as soon as it is no longer needed.

Example 1: Configure non-persistent VDI desktops to redirect all user data (profiles, documents, temporary files) to network storage so that nothing is written to the desktop image itself. When the desktop is destroyed, no user data remains on the VDI infrastructure. Verify this by inspecting the infrastructure for residual user data after session termination, not by trusting the redirection policy alone.

Example 2: For web applications that keep server-side session state, purge sessions completely from the server when they expire or when the user logs out, and keep sensitive session data in an in-memory store rather than a persistent disk-based one, so that no session data outlives the session.
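The following is an added example written for these notes; it is not NIST text and not a vendor's session implementation. It sketches an in-memory session store that follows the SI-14(2) pattern from Example 2: identifiers are generated on demand and can be refreshed (rotated), entries expire on an idle timeout and an absolute lifetime, logout purges the entry, a sweeper deletes anything that has expired, and nothing is ever written to disk. The timeout values, the `FakeClock`, and the `demo()` walkthrough are illustrative assumptions, not values the control prescribes.

```python
"""In-memory, non-persistent session store (added example, not from NIST or any vendor).

Sessions live only in process memory, so no session data survives a restart or
remains on disk. Timeouts below are illustrative assumptions, not NIST-mandated values.
"""
from __future__ import annotations

import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Session:
    data: dict = field(default_factory=dict)
    created: float = 0.0    # clock time the session was generated
    last_seen: float = 0.0  # clock time of the last successful lookup


class MemorySessionStore:
    def __init__(self, idle_timeout: float = 900.0, max_lifetime: float = 8 * 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self._sessions: dict[str, Session] = {}
        self.idle_timeout = idle_timeout    # assumed: 15 minutes idle
        self.max_lifetime = max_lifetime    # assumed: 8 hours absolute
        self._clock = clock

    def create(self, **data) -> str:
        # "Generate on demand": a fresh 256-bit random identifier, never derived from user data.
        sid = secrets.token_urlsafe(32)
        now = self._clock()
        self._sessions[sid] = Session(dict(data), now, now)
        return sid

    def _expired(self, s: Session, now: float) -> bool:
        return (now - s.last_seen > self.idle_timeout) or (now - s.created > self.max_lifetime)

    def get(self, sid: str) -> Optional[dict]:
        s = self._sessions.get(sid)
        if s is None:
            return None
        now = self._clock()
        if self._expired(s, now):
            # Delete on first touch after expiry; do not wait for the sweeper.
            self.destroy(sid)
            return None
        s.last_seen = now
        return s.data

    def refresh(self, sid: str) -> Optional[str]:
        # "Refresh": rotate the identifier (e.g. after login or a privilege change).
        # The old identifier is destroyed; the data is copied before destroy() clears it.
        data = self.get(sid)
        if data is None:
            return None
        carried = dict(data)
        self.destroy(sid)
        return self.create(**carried)

    def destroy(self, sid: str) -> bool:
        # Logout / purge: remove the entry and clear its dict so any lingering
        # reference elsewhere in the process sees no data.
        s = self._sessions.pop(sid, None)
        if s is None:
            return False
        s.data.clear()
        return True

    def sweep(self) -> int:
        # Periodic deletion of expired entries that were never touched again.
        now = self._clock()
        dead = [sid for sid, s in self._sessions.items() if self._expired(s, now)]
        for sid in dead:
            self.destroy(sid)
        return len(dead)

    def __len__(self) -> int:
        return len(self._sessions)


class FakeClock:
    """Deterministic clock for the walkthrough (constructed for this example)."""
    def __init__(self, start: float = 1000.0) -> None:
        self.t = start

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def demo() -> dict:
    """Walk through generate, refresh, expiry, logout purge and sweep; returns observed facts."""
    clock = FakeClock()
    store = MemorySessionStore(idle_timeout=900.0, max_lifetime=3600.0, clock=clock)
    results = {}
    sid = store.create(user="alice", role="analyst")          # constructed sample data
    results["live"] = store.get(sid) is not None
    new_sid = store.refresh(sid)
    results["old_id_dead_after_refresh"] = store.get(sid) is None
    results["data_carried"] = store.get(new_sid)["user"] == "alice"
    clock.advance(901)                                          # past the idle timeout
    results["idle_expired"] = store.get(new_sid) is None
    results["count_after_expiry"] = len(store)
    sid2 = store.create(user="bob")
    store.destroy(sid2)                                         # logout
    results["logout_purged"] = store.get(sid2) is None
    store.create(user="carol")
    store.create(user="dave")
    clock.advance(3601)                                         # past the absolute lifetime
    results["swept"] = store.sweep()
    results["empty"] = len(store) == 0
    return results


if __name__ == "__main__":
    print(demo())
```

The store deliberately has no serialization path: there is no method that writes `_sessions` anywhere, which is the property an auditor should look for in a real implementation (a "memory" store that spills to a swap file, a debug dump, or a replication log is not non-persistent). Expiry is enforced both lazily in `get()` and eagerly in `sweep()`, so an abandoned session is deleted whether or not anyone touches it again.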