CMMC Practice MA.L2-3.7.3

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Bold Coast Security Guidance

There must be a practice of removing CUI data from equipment that may be shipped or taken off-site for maintenance or repairs. There must also be a policy requirement for sanitization. It's important to remember that simply deleting data from a directory/folder does not actually remove it from a storage device. What it removes is the pointer record in the operating system, which marks the specific sectors on that drive as available to be overwritten; the deleted data stays in those sectors until something overwrites it. Sanitization requires a secure-wipe capability, which can be part of anti-malware software or software specifically designed to zero-out data to permanently remove it.
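A zero-out wipe is only useful as evidence if it is checked afterwards. The following is an added example, not code from Bold Coast Security or NIST: it scans a raw disk image sector by sector for leftover non-zero data, zero-fills it, and scans again. The function names, the 512-byte sector size and the sample image are assumptions made for illustration.

```python
import os
import tempfile

SECTOR = 512  # assumed logical sector size, used only for reporting


def scan_for_residual_data(path, sector=SECTOR, chunk_sectors=2048):
    """Read a raw image or block device; count sectors that are not all zero."""
    total = nonzero = 0
    first = None
    with open(path, "rb") as dev:
        while chunk := dev.read(sector * chunk_sectors):
            for i in range(0, len(chunk), sector):
                if any(chunk[i:i + sector]):
                    nonzero += 1
                    if first is None:
                        first = total * sector
                total += 1
    return {"sectors": total, "nonzero_sectors": nonzero,
            "first_nonzero_offset": first, "sanitized": nonzero == 0}


def zero_fill(path, chunk=1 << 20):
    """Overwrite every byte of the image with zeros and flush to storage."""
    with open(path, "r+b") as dev:
        remaining = dev.seek(0, os.SEEK_END)
        dev.seek(0)
        while remaining > 0:
            n = min(chunk, remaining)
            dev.write(bytes(n))
            remaining -= n
        dev.flush()
        os.fsync(dev.fileno())


def demo():
    """Constructed 64-sector image with one marker left behind in sector 10."""
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as img:
            img.write(bytes(64 * SECTOR))
            img.seek(10 * SECTOR)
            img.write(b"CONSTRUCTED-SAMPLE-CUI-RECORD")
        before = scan_for_residual_data(path)
        zero_fill(path)
        after = scan_for_residual_data(path)
        return before, after
    finally:
        os.remove(path)
```

The dictionary returned by `scan_for_residual_data` can be kept with the maintenance record as evidence that the equipment was sanitized before it left the site.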

Discussion From Source

DRAFT NIST SP 800-171 R2

This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or non-local entity (e.g., in-contract, warranty, in-house, software maintenance agreement).