MP-6

MP-6 MEDIA SANITIZATION

Overview

Number	Title	Impact	Priority	Subject Area
MP-6	Media Sanitization	LOW	P1	Media Protection

Instructions
The organization: MP-6a. Sanitizes Assignment: organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using Assignment: organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies; and MP-6b. Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

Instructions

The organization:

MP-6a.

Sanitizes Assignment: organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using Assignment: organization-defined sanitization techniques and procedures in accordance with applicable federal and organizational standards and policies; and

MP-6b.

Employs sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

Guidance
This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

Guidance

This control applies to all information system media, both digital and non-digital, subject to disposal or reuse, whether or not the media is considered removable. Examples include media found in scanners, copiers, printers, notebook computers, workstations, network components, and mobile devices. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Organizations determine the appropriate sanitization methods recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization. Organizations use discretion on the employment of approved sanitization techniques and procedures for media containing information deemed to be in the public domain or publicly releasable, or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes, for example, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media containing classified information.

Enhancements

MP-6 (1) Review / Approve / Track / Document / Verify

HIGH

Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal.

The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.

MP-6 (2) Equipment Testing

HIGH

Testing of sanitization equipment and procedures may be conducted by qualified and authorized external entities (e.g., other federal agencies or external service providers).

The organization tests sanitization equipment and procedures Assignment: organization-defined frequency to verify that the intended sanitization is being achieved.

MP-6 (3) Nondestructive Techniques

HIGH

This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices.

The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: Assignment: organization-defined circumstances requiring sanitization of portable storage devices.

MP-6 (4) Controlled Unclassified Information

Withdrawn: Incorporated into MP-6.

MP-6 (5) Classified Information

Withdrawn: Incorporated into MP-6.

MP-6 (6) Media Destruction

Withdrawn: Incorporated into MP-6.

MP-6 (7) Dual Authorization

Organizations employ dual authorization to ensure that information system media sanitization cannot occur unless two technically qualified individuals conduct the task. Individuals sanitizing information system media possess sufficient skills/expertise to determine if the proposed sanitization reflects applicable federal/organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, both protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control.

The organization enforces dual authorization for the sanitization of Assignment: organization-defined information system media.

MP-6 (8) Remote Purging / Wiping Of Information

This control enhancement protects data/information on organizational information systems, system components, or devices (e.g., mobile devices) if such systems, components, or devices are obtained by unauthorized individuals. Remote purge/wipe commands require strong authentication to mitigate the risk of unauthorized individuals purging/wiping the system/component/device. The purge/wipe function can be implemented in a variety of ways including, for example, by overwriting data/information multiple times or by destroying the key necessary to decrypt encrypted data.

The organization provides the capability to purge/wipe information from Assignment: organization-defined information systems, system components, or devices either remotely or under the following conditions: Assignment: organization-defined conditions.