This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.  Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing CUI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for controlled unclassified information.  [SP 800-88] provides guidance on media sanitization. 

Priority: High   

Category: Asset Management 

Services Associated with AWS:   


Objective Evidence:   

  • Administrative: documented policies, standards & procedures
  • Administrative: supporting documentation of sanitization/destruction practices
  • Administrative: supporting documentation to demonstrate how Identity & Access Management (IAM) practices are implemented
  • Technical: screenshot of sanitization technology, if applicable 

Possible Technology Considerations : 

  • IT Asset Management (ITAM)
  • Data Destruction Solution 

What needs to be answered :  

Is all managed data storage erased, encrypted, or destroyed using mechanisms to ensure that no usable data is retrievable? Is system digital and non-digital media sanitized before disposal or release for reuse? Are all CUI data on media encrypted or physically locked prior to transport outside of the company’s secure locations? 

  • Sanitization of System Media Containing CUI
    Description: This check ensures that system media containing Controlled Unclassified Information (CUI) is properly sanitized or destroyed before disposal or release for reuse. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, are employed to remove or render the CUI on the media irretrievable or unreconstructable. The choice of sanitization method is determined by the organization, considering factors such as the sensitivity of the information and the type of media being sanitized. Non-digital media may undergo destruction, removal of CUI, or redaction of selected sections or words to ensure the protection of sensitive information.

More Details:  

All media containing CUI or sensitive information must be sanitized prior to release or disposal.