Maintenance 3.7.3 (3.7.3)

Do you ever send computers, hard drives, or other equipment off-site for repair or maintenance?

What types of equipment in your environment process or store CUI that might need external repair?

What sanitization methods are acceptable under NIST SP 800-88 for different types of storage media?

NIST SP 800-88 defines three sanitization methods: Clear (logical techniques to sanitize data in user-addressable storage), Purge (physical or logical techniques that render data recovery infeasible using state-of-the-art laboratory techniques), and Destroy (physical destruction of media). For CUI, Purge or Destroy methods are typically required. Acceptable methods vary by media type: HDDs can be overwritten or degaussed, SSDs require cryptographic erase or physical destruction due to wear-leveling, and mobile devices should use built-in secure erase features or be physically destroyed.

What should we do if a hard drive fails completely and cannot be sanitized before warranty return?

If equipment cannot be sanitized due to failure, you have three options: physically destroy the equipment on-site and forfeit warranty coverage, negotiate advance replacement with the vendor so you receive a new drive before returning the failed one (which you then destroy), or work with the vendor to perform witnessed destruction at their facility with a certificate of destruction. The safest approach is on-site destruction, accepting the financial loss to eliminate CUI exposure risk.

Do we need to sanitize printers and copiers before sending them for repair?

Yes, modern printers and multifunction devices often have internal hard drives or memory that store copies of documents, scan images, print jobs, and configuration data that may include CUI. Before sending these devices off-site for maintenance, you must sanitize the internal storage using manufacturer-provided tools or procedures, or arrange for on-site repair. Check your device documentation to identify storage components and sanitization procedures.

How do we handle emergency situations where equipment needs immediate off-site repair?

Emergency situations do not exempt you from sanitization requirements. You should establish advance replacement agreements with vendors for critical systems, maintain spare equipment to swap out failed components, or have pre-approved destruction procedures for emergency situations. If equipment must be sent out urgently, document the risk decision, implement compensating controls such as vendor NDAs and secure shipping, and report it as an exception requiring management approval and potential POA&M.

Are there any situations where we can send equipment off-site without sanitization?

Equipment can be sent off-site without sanitization only if it has never processed, stored, or transmitted CUI at any point in its lifecycle, or if the vendor performs sanitization on-site under your direct oversight before removing the equipment. You must be able to definitively prove the equipment never contained CUI through inventory records, system documentation, or technical controls. When in doubt, sanitize.

What records do we need to maintain to demonstrate compliance with this control?

You should maintain sanitization logs including equipment identifier/serial number, date of sanitization, method used, personnel who performed it, verification results, and management approval. Also maintain your sanitization procedures, training records, vendor contracts addressing sanitization, and any destruction certificates. These records should be retained according to your record retention policy and be readily available for assessment.