This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). [SP 800-88] provides guidance on media sanitization.

Priority: Medium

Category: Maintenance 

Services Associated with AWS:   


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation to demonstrate how IT Asset Management (ITAM) is implemented
  • Administrative: supporting documentation to demonstrate change management practices reviewed/approved the maintenance request(s)
  • Administrative: supporting documentation of role-based security training being performed
  • Administrative: supporting documentation of professional competence by individual(s) performing maintenance roles
  • Technical: screenshot of Configuration Management Database (CMDB) ticket to approve the removal of assets
  • Technical: screenshot of sanitization technology being used 

Possible Technology Considerations:

  • IT Asset Management (ITAM)
  • Data Destruction Solution 

What needs to be answered:

Is there a company media sanitization policy? Are media that are removed from the premises for maintenance, repair, or disposal sanitized per the company’s media sanitization policies? 

  • Sanitization of Equipment Removed for Off-Site Maintenance
    Description: This check ensures that organizations have established procedures to sanitize equipment that is removed for off-site maintenance, to prevent the unauthorized disclosure of Controlled Unclassified Information (CUI). Sanitization involves removing or securely deleting all CUI and sensitive information from the equipment prior to its removal for maintenance.

More Details:  

No off-site maintenance conducted.