CMMC Practice MA.3.115
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Bold Coast Security Guidance
For Level 1 compliance there must be a practice of removing CUI data from equipment that may be shipped or taken off-site for maintenance or repairs. For Level 2, there must be a policy requirement for sanitization, and for Level 3, there must be a clearly defined management plan for how to achieve the policy requirement.
It's important to remember that simply deleting data from a directory/folder does not actually remove it from a storage device. What it removes is the pointer record in the operating system, so the sectors that held the data are merely marked as available to be overwritten and the data itself stays on the drive until that happens. Sanitization requires a secure-wipe capability, which can be part of anti-malware software or software specifically designed to zero-out data to permanently remove it.
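The difference between deleting and zeroing out can be checked before equipment leaves the site. The Python sketch below is an added example, not part of the Bold Coast or NIST text: it scans a raw image for non-zero blocks and residual marking strings. The toy directory layout, the block size, the marker strings and the sample content are all constructed assumptions.

```python
import io

BLOCK = 4096                       # scan granularity (assumed)
MARKERS = (b"CUI", b"CONTROLLED")  # assumed marking strings to look for

def scan_for_residue(stream, markers=MARKERS):
    """Scan a raw image; return (offsets of non-zero blocks, marker hits)."""
    nonzero, hits = [], set()
    overlap = max(len(m) for m in markers) - 1  # catch markers split across blocks
    tail, offset = b"", 0
    while block := stream.read(BLOCK):
        if block.count(0) != len(block):
            nonzero.append(offset)
        window, base = tail + block, offset - len(tail)
        for m in markers:
            pos = window.find(m)
            while pos != -1:
                hits.add((base + pos, m))
                pos = window.find(m, pos + 1)
        tail = window[-overlap:] if overlap else b""
        offset += len(block)
    return nonzero, sorted(hits)

def build_demo_image():
    """Constructed 4-block image: toy directory in block 0, file data near block 2."""
    img = bytearray(BLOCK * 4)
    entry = b"drawing.txt@8191"                        # toy pointer record
    data = b"CUI//SP-CTI drawing rev B (constructed)"  # constructed sample content
    img[0:len(entry)] = entry
    start = 2 * BLOCK - 1                              # straddles a block boundary
    img[start:start + len(data)] = data
    return img

def delete_entry(img):
    """What an ordinary delete does here: clear the pointer record only."""
    img[0:BLOCK] = bytes(BLOCK)

def zero_fill(img):
    """Sanitization by overwrite: every byte of the image becomes zero."""
    img[:] = bytes(len(img))

if __name__ == "__main__":
    img = build_demo_image()
    delete_entry(img)
    print("after delete:", scan_for_residue(io.BytesIO(img)))
    zero_fill(img)
    print("after zero-fill:", scan_for_residue(io.BytesIO(img)))
```

A scan like this only sees the addressable blocks of the image it is given; spare or remapped areas of flash media are outside its view.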
DRAFT NIST SP 800-171 R2
This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or non-local entity (e.g., in-contract, warranty, in-house, software maintenance agreement).