MP.L1-B.1.VII
Media Disposal

FCI Data

Security Requirement

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

USU Policy, Procedures, and Standards

University Policy 5200: Information Security and Appropriate Use

States that access controls must be implemented on all devices to ensure only authorized individuals can access university-owned or -managed data and resources. IT staff are accountable for preserving data integrity, enforcing security standards, and protecting university-owned assets. Contractors must follow the security protocols outlined in their agreements, including disposal or return of data.

Inventory Disposal

Surplus Policies

NIST Cybersecurity Framework v2

  • Protect (PR): PR.DS-03 - Data is destroyed according to policy when no longer required.
  • Protect (PR): PR.AA-04 - Data is disposed of securely to prevent unauthorized access.

Implementation Details

Documentation should include the details needed to meet the Security Requirement for this control. Complete this list for each system, or group of systems, that processes or accesses FCI data:

  • List your procedures for securely sanitizing or destroying digital media (e.g., hard drives, USBs, mobile devices) before disposal or reuse.
  • List your procedures for securely disposing of physical media (e.g., paper documents) that contain FCI.
  • List the tools or services used to carry out media sanitization or destruction.
  • List any additional review or oversight processes related to media sanitization.

Document How

  • system media containing FCI is sanitized or destroyed before disposal
  • system media containing FCI is sanitized before it is released for reuse

Example

All storage media used to process FCI is tracked through USU's asset management system. Prior to reuse or disposal, staff follow NIST 800-88 Rev. 1 guidelines for media sanitization. Digital media is either cryptographically erased or physically destroyed using a certified shredding device. Paper records are cross-shredded and disposed of through a secure document destruction service. Staff involved in the sanitization process receive annual training.

USU Surplus and Property Disposal Services

What it does:
  • Manages the decommissioning, sanitization, and proper disposal of university-owned equipment in accordance with institutional policies and NIST 800-88 Rev. 1 guidelines.
How it helps a researcher:
  • Ensures secure disposal of outdated or decommissioned systems and storage devices used in FCI-related projects, preventing unauthorized access to sensitive research data.
Example:
  • A lab completes a federal research project and submits laptops for disposal. IT staff sanitize the drives, and the surplus team logs the disposal. Any un-wipeable media is physically destroyed using certified methods.

Secure Document Shredding

What it does:
  • Provides secure disposal of physical media containing sensitive or restricted information using cross-cut shredders or vetted third-party providers.
How it helps a researcher:
  • Enables secure disposal of paper records, printed data sets, or reports containing FCI, ensuring compliance with data protection policies and minimizing disclosure risks.
Example:
  • At project closeout, a PI deposits printed notes and reports into a locked shredding bin. The contents are destroyed by an authorized vendor, and the PI retains documentation for compliance.

Endpoint Management Tools (e.g., Intune, Jamf)

What it does:
  • Allows USU IT to remotely configure, secure, and manage university-owned endpoints, enforce security policies, deploy updates, and maintain compliance reporting.
How it helps a researcher:
  • Ensures research devices are secured and compliant with institutional requirements, automating tasks like patching, antivirus enforcement, and encryption.
Example:
  • A macOS laptop in a research lab is managed through Jamf, receives updates, enforces FileVault encryption, and restricts unapproved software. Non-compliant devices are flagged and restricted from accessing sensitive systems.

USU services that could be leveraged to meet control requirements are listed above*.

*The list of services may not be complete or applicable for a given configuration. Using a given service does not by itself satisfy the control requirements and may require specific configuration to meet them. Documentation should include how the service is implemented to meet the control requirements.

How might an auditor assess this control?

Method

  • Examine:
    • Review sanitization procedures, disposal logs, training records, and physical or digital media handling policies.
  • Interview:
    • Ask staff how they determine which media needs to be sanitized and how sanitization is performed.
  • Test:
    • Attempt to trace a sample storage device or document through the sanitization/disposal process.

Objects (examples of items you could present to the auditor)

  • Media Sanitization Policy: Describes procedures and approved methods for destroying sensitive media.
  • Asset Disposal Records: Showing dates, devices, and sanitization method used.
  • Staff Training Logs: Verification that responsible personnel are trained.
  • Shredder Certification: Specifications for any devices used to destroy physical media.
  • Vendor Agreements: If third-party destruction services are used.
  • NIST 800-88 Rev. 1 Reference Documentation: To show alignment with federal standards.