This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from [FedRAMP Assignment: (M)(H) the information owner] explicitly authorizing removal of the equipment from the facility.
NIST 800-53 (r4) Supplemental Guidance:
Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.
References: NIST Special Publication 800-88.
NIST 800-53 (r5) Discussion:
Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.
38North Guidance:
Meets Minimum Requirement:
There are procedures in place to check all equipment before it is removed, to verify that no organizational information remains on it
There are procedures for sanitizing or destroying equipment before removal
There are procedures for retaining within the facility any equipment that either contains organizational information or cannot be sanitized or destroyed
There are procedures for obtaining an exemption to the above, under which the system owner is required to explicitly authorize the removal of equipment from the facility
There is evidence showing that all of the procedures for verifying equipment, sanitizing equipment, retaining equipment, and obtaining an exemption have been consistently followed
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Provide procedures for:
(a) Verifying that there is no organizational information contained on the equipment;
(b) Sanitizing or destroying the equipment;
(c) Retaining the equipment within the facility; or
(d) Obtaining an exemption from the information owner explicitly authorizing removal of the equipment from the facility
Artifacts/evidence showing that the procedures have been followed in the past, with the relevant details:
Who performed the action
Date and time stamps
Any testing that was performed to confirm that verification or sanitization was successful
Explicit approvals from information owners authorizing removal, with the specific equipment identified
After-action activities (e.g., equipment was disposed of, equipment was shipped elsewhere, receipts from hand-off of equipment to external entities, etc.)
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited