CMMC Practice MA.3.115

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

Source

CMMC Version 1.02, pg. 170

Bold Coast Security Guidance

For Level 1 compliance there must be a practice of removing CUI data from equipment that may be shipped or taken off-site for maintenance or repairs. For Level 2, there must be a policy requirement for sanitization, and for Level 3, there must be a clearly defined management plan for how to achieve the policy requirement. It's important to remember that simply deleting data from a directory/folder does not actually remove it from a storage device. What it removes is the pointer record in the operating system's file system, which marks the sectors that held the file as free so that they may later be overwritten; until that happens, the deleted data remains recoverable. Sanitization requires a secure-wipe capability, which can be part of anti-malware software or software specifically designed to zero-out data so that it is permanently removed.
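As an added illustration of the zero-out step described above (example code, not part of the CMMC text or Bold Coast guidance), the following overwrites a file in place with zeros, verifies the overwrite reached the file, and only then unlinks it. It assumes a conventional magnetic disk and a hypothetical constructed sample file; the comment notes where file-level overwriting falls short.

```python
import os
import tempfile

# Caveat: on SSDs and on journaling or copy-on-write filesystems, overwriting a
# file in place does not guarantee every physical copy of its blocks is reached.
# NIST SP 800-88 sanitization methods (purge, cryptographic erase, destroy)
# operate on the whole device and are what an off-site maintenance policy should
# reference; this file-level wipe only illustrates the "zero-out" concept.
CHUNK = 1 << 16  # 64 KiB write size


def zero_fill_and_unlink(path: str) -> int:
    """Overwrite `path` with zeros, fsync, verify, then unlink. Returns bytes wiped."""
    size = os.path.getsize(path)
    zeros = b"\x00" * CHUNK
    with open(path, "r+b") as fh:  # open in place; "wb" would truncate and free blocks first
        remaining = size
        while remaining > 0:
            n = min(CHUNK, remaining)
            fh.write(zeros[:n])
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push the zeros to the device before verifying
    # Verify every byte reads back as zero before releasing the blocks.
    with open(path, "rb") as fh:
        offset = 0
        while True:
            block = fh.read(CHUNK)
            if not block:
                break
            if block.count(0) != len(block):
                raise RuntimeError(f"verification failed at offset {offset}")
            offset += len(block)
    os.unlink(path)
    return size


def demo() -> dict:
    """Constructed sample: write a fake CUI export, wipe it, report the result."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "cui_export.csv")  # hypothetical file name
        sample = b"CUI//SP-CTI record,2024-01-01,constructed sample\n" * 3000
        with open(path, "wb") as fh:
            fh.write(sample)
        wiped = zero_fill_and_unlink(path)
        return {"bytes_wiped": wiped, "expected": len(sample),
                "still_exists": os.path.exists(path)}


if __name__ == "__main__":
    print(demo())
```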

Discussion From Source

DRAFT NIST SP 800-171 R2: This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or non-local entity (e.g., in-contract, warranty, in-house, software maintenance agreement).

References