MA.3.115

Control Acronym

MA

Family

Maintenance

CMMC Level

3

800-171 Control #

3.7.3

CMMC Description

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

CMMC Clarification

Sanitization is a process that makes access to data infeasible on media such as a hard drive. The process may overwrite the entire media with a fixed pattern such as binary zeros. In addition to clearing the data an organization could purge (e.g., degaussing, secure erasing, or disassembling) the data, or even destroy the media (e.g., incinerating, shredding, or pulverizing). By performing one of these activities the data is extremely hard to recover, thus ensuring its confidentiality. If additional guidance on which specific santization actions should be taken on any specific type of media, consider reviewing the description of the Purge actions given in NIST SP 80088 Revision 1 - Guidelines for Media Sanitization. Example You manage the IT equipment that is used for your organization. A recent Department of Defense (DoD) project has been using a storage array for DoD Controlled Unclassified Information (CUI). Recently the array has experienced disk issues. After troubleshooting with the vendor they recommend several drives be replaced in the array. Knowing the drives may have CUI information you plan to run software on the drives using software that performs a wipe pattern that removes any data and device protection across the entire drive. Once all the drives have been wiped you document the action and ship the faulty drives to the vendor.

800-171 Description

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

800-171 Discussion

This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in- house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.

Other Source Discussion

N/A

CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MA-2

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.7.3

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

CERT RMM v1.2 TM:SG5.SP2

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference

Assessment Sub-Criteria 1

MA.3.115.[a] equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15