CCI-001032
CCI-001032 Definition
Status | |
Type | CheckType.policy |
Master Assessment Datasheet
Implementation Guidance
The organization being inspected/assessed documents and implements plans to apply nondestructive sanitization techniques to portable storage devices prior to connecting such devices to the information system when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused. Portable storage devices include but are not limited to thumb drives, flash drives, and external storage devices.

DoD has defined the circumstances as when such devices are first purchased from the manufacturer or vendor prior to initial use, when being considered for reuse, or when the organization loses a positive chain of custody for the device. Media obtained from unknown sources shall not be sanitized and reused.
Validation Procedures
The organization conducting the inspection/assessment obtains and examines media sanitization records, audit records, and any other relevant documents or records. The objective of the reviews is to confirm the organization is in compliance with the list of defined circumstances requiring the sanitization of portable storage devices prior to connecting such devices to the information system.
Compelling Evidence
1.) Audit trail showing verification of media disposal actions on portable storage devices
2.) System Security Plan (SSP) or TTP, if necessary, referencing sections which apply to verification and record of media disposal actions on portable storage devices