NIST 800-171 - Off-site Maintenance (3.7.3)
Overview:
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Action Items:
3.7.3[a]
Determine if: equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI.
POTENTIAL ASSESSMENT METHODS AND OBJECTS
1) Examine: System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records.
2) Interview: Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators.
3) Test: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components.
Related Documents (document name and content will vary by organization):
1) System maintenance policy
2) Procedures addressing controlled system maintenance
3) Maintenance records
4) Manufacturer or vendor maintenance specifications
5) Equipment sanitization records
6) Media sanitization records
7) System security plan
8) Other relevant documents or records
Additional Guidance:
See discussion for 3.7.1. NIST Special Publication 800-88 provides guidance on media sanitization.