Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.3 – Ensure equipment removed for off-site maintenance is sanitized of any “Controlled Unclassified Information” (CUI).
Understanding the Requirement
This control requires that any equipment you send off-site for maintenance — laptops, desktops, removable drives or other storage media — is cleared of Controlled Unclassified Information before leaving your control. As an objective, it specifically demands that equipment removed from organizational spaces for off-site maintenance be sanitized of any CUI. Under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, the focus is preventing data exposure when devices are beyond your physical and administrative protections.
Technical Implementation
- Establish a written policy and workflow: Define which devices may go off-site for maintenance, who approves the request, and what sanitization steps are mandatory (remove drive, secure wipe, or verified destruction). Assign responsibilities to specific roles (information security lead, system/network administrator, and the staff member requesting maintenance).
- Prefer hardware removal when practical: If maintenance does not require the original storage, remove the hard drive or SSD and retain it internally. Tag the removed media, log it in inventory, and record chain-of-custody details (who removed it, date, storage location).
- When removal is not feasible, perform a verified secure wipe: Use an approved sanitization method before sending the device. For compliance with this control, use the DoD 5220.22-M (three-pass overwrite) or an equivalent certified sanitization tool. Document the tool, method, and verification steps used for each device.
- Maintain backups and validate restores: Before sanitization, take a full backup of the device (if data retention is required). Store backups encrypted and offline where possible. After maintenance and return of the device (or after replacement), validate data restore procedures with test restores to ensure business continuity and integrity.
- Vendor agreements and proof of process: Require maintenance vendors to accept contracts specifying they will not access or store CUI and that they will return proof of sanitization if they perform it. If a vendor will perform data handling, require documented procedures and evidence (sanitization logs, certificate of destruction) before reintroducing equipment into your environment.
- Verification, logging and incident readiness: Maintain a log for all off-site maintenance events capturing device identifiers, serial numbers, who approved the transfer, sanitization method used, and post-maintenance verification results. Train staff on incident reporting if unexpected data exposure is suspected during or after maintenance.
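The wipe-verify-log sequence from the steps above, as an added POSIX shell example that is not part of the article or of any certified tool. It assumes magnetic media (overwrite passes do not reliably sanitize flash/SSD storage), takes a hypothetical target path, serial number, approver and log file as arguments, and lets a regular file stand in for a block device so it can be exercised without root.

```shell
# Added example, not from the original article. Verified three-pass
# overwrite of a storage target, then a chain-of-custody log entry.
# Assumes magnetic media: overwrite passes do not reliably sanitize
# flash/SSD storage. A regular file may stand in for a block device.

# Size in bytes of a block device or of a regular file stand-in.
target_size() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"
    else wc -c < "$1" | tr -d ' '; fi
}

# Three full passes: random, all ones (0xFF), all zeros. Ending on a known
# pattern lets the verification step read the whole target back and check it.
sanitize_3pass() {
    size=$(target_size "$1")
    head -c "$size" /dev/urandom | dd of="$1" conv=notrunc 2>/dev/null
    tr '\000' '\377' < /dev/zero | head -c "$size" | dd of="$1" conv=notrunc 2>/dev/null
    head -c "$size" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# Read every byte back; succeed only if no non-zero byte remains.
verify_zeroed() {
    size=$(target_size "$1")
    leftover=$(head -c "$size" "$1" | tr -d '\000' | wc -c | tr -d ' ')
    [ "$leftover" -eq 0 ]
}

# Append the maintenance-log record the control asks for:
# device serial, approver, method used, verification result.
log_sanitization() {   # $1 log file, $2 serial, $3 approver, $4 result
    printf '%s\tserial=%s\tapproved_by=%s\tmethod=3-pass-overwrite\tverified=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$3" "$4" >> "$1"
}

# Whole workflow for one device; returns non-zero if verification fails,
# so the device must not be shipped.
sanitize_for_offsite() {   # $1 target, $2 serial, $3 approver, $4 log file
    sanitize_3pass "$1"
    if verify_zeroed "$1"; then result=pass; else result=FAIL; fi
    log_sanitization "$4" "$2" "$3" "$result"
    [ "$result" = pass ]
}
```

Invoke it as `sanitize_for_offsite /dev/sdX SERIAL approver maintenance.log` only after the device is unmounted and the backup restore has been tested; a non-zero exit means the drive stays in house.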
Example in a Small or Medium Business
Your help desk receives a ticket: an employee’s laptop is failing and the manufacturer has requested the device be shipped for board-level repair. The help desk tech follows the company off-site maintenance policy: they create a maintenance approval, back up the user’s data to the secure company backup system, and document the device serial number and owner. The tech removes the SSD from the laptop and keeps it in secured evidence storage; the machine, now without its drive, is packaged and shipped. The SSD is retained internally pending the user’s approval to restore from backup after repair or to provision a replacement drive. When the laptop returns, IT installs a freshly wiped and formatted drive, restores the user’s data from the encrypted backup, and records the full chain-of-custody and sanitization steps in the maintenance log. If the vendor had insisted on repairing the original drive, the company would have required the vendor to provide a certificate of sanitization or destruction before the drive could be reintroduced into the network. Staff involved in the process — the help desk tech, system administrator, and the information security lead — sign off on completion and confirm the device is free of CUI before returning it to the user.
Summary
By combining a clear policy, role assignments, physical removal when possible, documented and verifiable sanitization (e.g., DoD 5220.22-M), vendor contractual controls, and logging/verification, an SMB can reliably ensure equipment sent off-site is sanitized of CUI. These practical steps reduce the risk of uncontrolled exposure and provide the audit trail and evidence needed to demonstrate compliance with the control.