MA.L2-3.7.3 Equipment Sanitization

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Source: NIST SP 800-171 Rev 2 3.7.3

Discussion: This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.

Assessment Objectives:

Determine if:

Examine: [SELECT FROM: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators].

Test: [SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components].

SPRS Score: 1

POA&M Allowed: Yes