This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization reviews, approves, tracks, documents, and verifies media sanitization and disposal actions.
NIST 800-53 (r4) Supplemental Guidance:
Organizations review and approve media to be sanitized to ensure compliance with records-retention policies. Tracking/documenting actions include, for example, listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, specific files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken, personnel who performed the verification, and disposal action taken. Organizations verify that the sanitization of the media was effective prior to disposal. Related control: SI-12.
References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml.
NIST 800-53 (r5) Discussion:
Organizations review and approve media to be sanitized to ensure compliance with records retention policies. Tracking and documenting actions include listing personnel who reviewed and approved sanitization and disposal actions, types of media sanitized, files stored on the media, sanitization methods used, date and time of the sanitization actions, personnel who performed the sanitization, verification actions taken and personnel who performed the verification, and the disposal actions taken. Organizations verify that the sanitization of the media was effective prior to disposal.
38North Guidance:
Meets Minimum Requirement:
Company maintains the tools and processes to review, approve, track, document, and verify media sanitization and disposal actions
There are procedures for reviewing, approving, tracking, documenting, and verifying media sanitization and disposal actions
Procedures are consistently followed and artifacts are maintained
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
If external services are used, contract between the CSP and the external service
Sample list or log of media that has been sanitized or disposed
Records of media sanitization and disposal actions demonstrating that these actions are reviewed, approved, tracked, documented, and verified
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited