Navigate

AC-4(25)

AC-4(25): Data Sanitization

When transferring information between different security domains, sanitize data to minimize [one or more of "delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography-encoded data"/"spillage of sensitive information"] in accordance with [policy for sanitizing data is defined;].

Supplemental

Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
CDS - Multilevel, CDS - Transfer

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to AC-4(25).

Control	Description
MP-6	a: Sanitize [one of ] prior to disposal, release out of organizational control, or release for reuse using [one of ] ; and b: Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

Enhancements

The controls below (if any) add on to the requirements of AC-4(25).

Control	Description
No controls

Related CCIs

The CCIs below are tied to AC-4(25).

CCI	Definition
CCI-003671	When transferring information between different security domains, sanitize data to minimize delivery of malicious content, command and control of malicious code, malicious code augmentation, and steganography encoded data; spillage of sensitive information in accordance with organization-defined policy.
CCI-003672	Defines the policy when transferring information between different security domains.