NIST 800-53 REV 5 • SUPPLY CHAIN RISK MANAGEMENT

SR-12 Component Disposal

Dispose of [Assignment: organization-defined data, documentation, tools, or system components] using the following techniques and methods: [Assignment: organization-defined techniques and methods].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Data, documentation, tools, or system components can be disposed of at any time during the system development life cycle (not only in the disposal or retirement phase of the life cycle). For example, disposal can occur during research and development, design, prototyping, or operations/maintenance and include methods such as disk cleaning, removal of cryptographic keys, partial reuse of components. Opportunities for compromise during disposal affect physical and logical data, including system documentation in paper-based or digital files; shipping and delivery documentation; memory sticks with software code; or complete routers or servers that include permanent media, which contain sensitive or proprietary information. Additionally, proper disposal of system components helps to prevent such components from entering the gray market.

Practitioner Notes

Dispose of system components properly to prevent sensitive data from leaving your control and to prevent counterfeit components from being re-introduced into the supply chain.

Example 1: Follow NIST SP 800-88 media sanitization guidelines before disposing of any equipment. For storage drives, use cryptographic erase for SSDs or degaussing for HDDs. For equipment that cannot be sanitized, physically destroy it. Document all disposal with a certificate of destruction.

Example 2: Use a certified electronics recycler (e-Stewards or R2 certified) for equipment disposal. Require the recycler to provide a certificate of destruction with serial numbers of all destroyed items. Do not donate or sell equipment that contained sensitive data without proper sanitization — and never sell equipment that has been marked for destruction.