MA.L2-3.7.3, drawn from NIST SP 800-171 Rev 2 security requirement 3.7.3, mandates that any equipment containing or potentially containing CUI must be sanitized of that information before it is physically removed from organizational spaces for off-site maintenance or repair. Sanitization means rendering CUI unrecoverable using approved methods — such as those defined in NIST SP 800-88 — rather than simply deleting files. The practice applies to all system components including workstations, laptops, servers, storage drives, printers, and network appliances that may retain CUI in volatile or non-volatile memory. If sanitization is not technically feasible without damaging the equipment's ability to be repaired, the organization must employ alternative controls such as escorted transport or removal of storage media prior to shipment. This requirement is specifically scoped to the off-site scenario, recognizing that once equipment leaves organizational physical controls, the organization can no longer guarantee confidentiality through physical access restrictions alone.
Where it stops · what it isn't
- Does not govern on-site maintenance activities where equipment remains within the organization's physical security perimeter
- Does not dictate the specific sanitization method or standard — that is addressed by media sanitization practices (MP.L2-3.8.3); this practice requires that sanitization occur, not how
- Does not apply to equipment that demonstrably contains no CUI and has never been used to process, store, or transmit CUI
- Does not address disposal or final destruction of equipment at end-of-life — that is covered by media sanitization and disposal practices
- Does not replace the need for maintenance personnel vetting or authorization controls required under MA.L2-3.7.1 and MA.L2-3.7.2
Connected concepts in the graph
PART OF: domain/maintenance