CMMC 1.0 Practice MP.1.118 Requirement:
Sanitize or destroy information system media containing Federal Contract Information or controlled unclassified information before disposal or release for reuse.
CMMC 1.0 MP.1.118 Requirement Explanation:
This requirement seeks to ensure that “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI) are not recoverable by unauthorized persons after disposal. Adversaries can recover information from digital and non-digital media if it is not properly disposed of. Digital media includes hard drives, thumb drives, floppy disks, backup tapes, etc. Non-digital media refers to paperwork. Digital media that will be thrown away needs to be shredded. If it is going to be reused in your organization, then it needs to be wiped using the DoD 5220.22-M data wipe method.
Example CMMC 1.0 MP.1.118 Implementation:
Before you dispose of (e.g. throw in the trash) any digital storage devices, such as a hard drive from a computer or a USB thumb drive, you need to ensure that none of the data on it is recoverable. Accomplish this by physically destroying the device (shearing or crushing it) or by using software to remove all of the data. The software you use should remove the data using the DoD 5220.22-M data wipe method. An example of software that can do this is DBAN. Properly dispose of paper containing “Federal Contract Information” (FCI) or “Controlled Unclassified Information” (CUI) by shredding it. Use a cross-cut shredder that produces 1 mm x 5 mm particles or smaller.
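To show what a verified software wipe involves, here is an added example (not part of the original page and not DBAN's code) that overwrites a target three times and checks each pass by reading it back. The pass order (zeros, ones, random) is the pattern commonly attributed to DoD 5220.22-M and is an assumption here, since the page does not list the passes; the function names are hypothetical.

```python
import hashlib
import os
import tempfile

CHUNK = 1024 * 1024  # overwrite in 1 MiB blocks

# Assumed pass order: zeros, ones, random, each verified by read-back.
PASSES = [("zeros", lambda n: b"\x00" * n),
          ("ones", lambda n: b"\xff" * n),
          ("random", os.urandom)]

def _run_pass(path, size, make_block):
    """Overwrite the whole target once, then read it back and compare digests."""
    written, seen = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b") as target:
        for offset in range(0, size, CHUNK):
            block = make_block(min(CHUNK, size - offset))
            target.write(block)
            written.update(block)
        target.flush()
        os.fsync(target.fileno())  # ask the OS to flush this pass to storage
    with open(path, "rb") as target:
        for offset in range(0, size, CHUNK):
            seen.update(target.read(min(CHUNK, size - offset)))
    return written.digest() == seen.digest()

def three_pass_wipe(path):
    """Wipe `path` and return a record that can be filed with disposal receipts."""
    with open(path, "rb") as target:
        size = target.seek(0, os.SEEK_END)  # also works for Linux block devices
    record = {"target": path, "bytes": size, "passes": []}
    for name, make_block in PASSES:
        if not _run_pass(path, size, make_block):
            raise OSError(f"{name} pass failed read-back verification on {path}")
        record["passes"].append({"pattern": name, "verified": True})
    return record

def demo():
    """Wipe a constructed 3 MiB + 5 byte image that holds a marker string."""
    marker = b"CUI-SAMPLE-RECORD"  # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as image:
        image.write(marker + b"\x41" * (3 * CHUNK + 5 - len(marker)))
    try:
        record = three_pass_wipe(image.name)
        with open(image.name, "rb") as wiped:
            return record, marker in wiped.read()
    finally:
        os.remove(image.name)
```

The read-back can be served from the operating system's cache, so it confirms that every pass was written in full rather than proving the state of the physical media.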
CMMC 1.0 MP.1.118 Scenario(s):
- Scenario 1:
Alice, a system administrator, needs to dispose of old laptop hard drives containing federal contract information and controlled unclassified information. Instead of simply deleting the files on the laptop and reinstalling the operating system to clear the data on the drives, she takes the hard drives to a local hard drive destruction service and has them crushed. Alice receives a receipt from the service verifying that the devices have been crushed. She stores the receipt in her company records.
- Scenario 2:
Alice needs to dispose of old laptop hard drives that previously stored “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI). She takes the hard drives to a local hard drive destruction service and has them crushed. Alice gets a receipt from the service verifying that the devices were crushed. She stores the receipt in her company records.
- Scenario 3:
Chris has a pile of paperwork containing “Federal Contract Information” (FCI) and “Controlled Unclassified Information” (CUI). Instead of using a regular shredder, he uses the special shredder his company purchased to destroy “Controlled Unclassified Information” (CUI).