Applicable

(Y)es / (N)o

(C)onfidentiality

(I)ntegrity

(A)vailability

RPN

(C+I+A)

(S)atisfactory

L1

M2

H3

L1

M2

H3

L1

M2

H3

(O)ther than satisfactory +##

mp-6

media sanitization

assessment objective:

Determine if the organization:

mp-6(a)

mp-6(a)[1]

defines information system media to be sanitized prior to:

mp-6(a)[1][a]

disposal;

mp-6(a)[1][b]

release out of organizational control; or

mp-6(a)[1][c]

release for reuse;

mp-6(a)[2]

defines sanitization techniques or procedures to be used for sanitizing organization-defined information system media prior to:

mp-6(a)[2][a]

disposal;

mp-6(a)[2][b]

release out of organizational control; or

mp-6(a)[2][c]

release for reuse;

mp-6(a)[3]

sanitizes organization-defined information system media prior to disposal, release out of organizational control, or release for reuse using organization-defined sanitization techniques or procedures in accordance with applicable federal and organizational standards and policies; and

mp-6(b)

employs sanitization mechanisms with strength and integrity commensurate with the security category or classification of the information.

potential assessment methods and objects:

Examine: [select from: Information system media protection policy; procedures addressing media sanitization and disposal; applicable federal standards and policies addressing media sanitization; media sanitization records; audit records; information system design documentation; information system configuration settings and associated documentation; other relevant documents or records].

Interview: [select from: Organizational personnel with media sanitization responsibilities; organizational personnel with information security responsibilities; system/network administrators].

Test: [select from: Organizational processes for media sanitization; automated mechanisms supporting and/or implementing media sanitization].