This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization applies nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system under the following circumstances: [Assignment: organization-defined circumstances requiring sanitization of portable storage devices].
NIST 800-53 (r4) Supplemental Guidance:
This control enhancement applies to digital media containing classified information and Controlled Unclassified Information (CUI). Portable storage devices can be the source of malicious code insertions into organizational information systems. Many of these devices are obtained from unknown and potentially untrustworthy sources and may contain malicious code that can be readily transferred to information systems through USB ports or other entry portals. While scanning such storage devices is always recommended, sanitization provides additional assurance that the devices are free of malicious code to include code capable of initiating zero-day attacks. Organizations consider nondestructive sanitization of portable storage devices when such devices are first purchased from the manufacturer or vendor prior to initial use or when organizations lose a positive chain of custody for the devices. Related control: SI-3.
References: FIPS Publication 199; NIST Special Publications 800-60, 800-88; Web: http://www.nsa.gov/ia/mitigation_guidance/media_destruction_guidance/index.shtml.
NIST 800-53 (r5) Discussion:
Portable storage devices include external or removable hard disk drives (e.g., solid state, magnetic), optical discs, magnetic or optical tapes, flash memory devices, flash memory cards, and other external or removable disks. Portable storage devices can be obtained from untrustworthy sources and contain malicious code that can be inserted into or transferred to organizational systems through USB ports or other entry portals. While scanning storage devices is recommended, sanitization provides additional assurance that such devices are free of malicious code. Organizations consider nondestructive sanitization of portable storage devices when the devices are purchased from manufacturers or vendors prior to initial use or when organizations cannot maintain a positive chain of custody for the devices.
38North Guidance:
Meets Minimum Requirement:
The organization defines the circumstances under which non-destructive sanitization of portable storage devices is required before the devices are connected to the information system (for example, first use after purchase from the vendor, or any loss of positive chain of custody).
The organization applies a non-destructive sanitization technique, such as a full overwrite of the device (the Clear method in NIST SP 800-88), to approved portable storage devices before they are connected to the information system whenever one of the defined circumstances applies.
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
List of the defined circumstances that require non-destructive sanitization of portable storage devices before connection
If an external sanitization service is used, the contract between the CSP and that service provider
Records (e.g., sanitization logs or certificates showing device identifier, method used, date, operator, and verification result) demonstrating that portable storage devices are sanitized non-destructively before being connected to the information system
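The following script is an added example (not 38North's, NIST's, or any CSP's own tooling) of what "non-destructive sanitization" and the evidence record for it look like in practice: a Clear-style overwrite of every byte of a portable device, a read-back verification, and one appended log line that can serve as the record an assessor asks for. It is meant to run on an isolated sanitization host, not on the production system the device will later be connected to. The target path, the log path, the tab-separated record format, and the demo image file are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example: non-destructive "Clear" (zero overwrite) of a portable storage
# device, plus read-back verification and an evidence record. Not the page's
# own tooling; paths, record format and the demo image are assumptions.
set -eu

# Size in bytes of a block device (Linux blockdev) or of a regular file that
# stands in for one during testing.
device_size() {
    if [ -b "$1" ]; then
        blockdev --getsize64 "$1"
    else
        wc -c < "$1" | tr -d ' '
    fi
}

# Overwrite the whole target with zeros. conv=notrunc keeps a file-backed
# target at its original length; sync flushes the writes before verification.
overwrite_zero() {
    size=$(device_size "$1")
    head -c "$size" /dev/zero | dd of="$1" conv=notrunc 2>/dev/null
    sync
}

# Succeed only if every byte of the target reads back as zero.
verify_zeroed() {
    size=$(device_size "$1")
    head -c "$size" /dev/zero | cmp -s - "$1"
}

# Sanitize, verify, and append one evidence record:
#   <UTC time> <target> <size bytes> <method> <PASS|FAIL>
# Usage: sanitize_clear <target> <evidence-log>
sanitize_clear() {
    target=$1
    log=$2
    overwrite_zero "$target"
    if verify_zeroed "$target"; then result=PASS; else result=FAIL; fi
    printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$target" "$(device_size "$target")" CLEAR-OVERWRITE-ZERO "$result" >> "$log"
    [ "$result" = PASS ]
}

# Demo on a constructed 1 MiB image of random bytes standing in for a newly
# purchased USB stick; a real run would name the device node (e.g. /dev/sdX).
demo() {
    img=$(mktemp)
    log=$(mktemp)
    head -c 1048576 /dev/urandom > "$img"
    sanitize_clear "$img" "$log" && cat "$log"
    rm -f "$img" "$log"
}

demo
```

A zero overwrite is a Clear in NIST SP 800-88 terms. On flash media, wear levelling can leave cells the host cannot address, so where the circumstance calls for higher assurance (lost chain of custody, media that held CUI) the device's own secure-erase or block-erase command is the stronger non-destructive option; the verification and record-keeping pattern above applies to either method.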
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited. In addition, portable storage devices (e.g., external hard drives, floppy disks, storage tapes, compact discs, digital video discs, USB flash/thumb drives, and diskettes) are not permitted within the authorization boundary, except where the storage is part of an approved device, such as a flash card inside a networking router.
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited