GRCWatch
Sign inStart free trial

NIST SP 800-171 Control 3.7.3: Equipment Sanitization

Equipment maintenance poses a critical risk to controlled unclassified information (CUI). Control 3.7.3 requires your organization to sanitize all equipment before removal for service, ensuring no CUI data persists on devices that leave your facility. This foundational media protection measure is essential for organizations handling federal contracts or sensitive data.

What this means

Equipment sanitization means securely removing or destroying all CUI from devices before they're sent off-site for repair, upgrade, or disposal. This includes hard drives, memory modules, USB devices, and any storage media that may contain sensitive data. Your sanitization must follow industry-accepted standards such as NIST SP 800-88 (Guidelines for Media Sanitization) and align with the classification level and sensitivity of the information previously stored on the equipment.

How to comply

  1. 1.Inventory all equipment that processes, stores, or transmits CUI and assign sanitization responsibility owners
  2. 2.Select and document approved sanitization methods (clearing, purging, or destruction) based on device type and CUI classification
  3. 3.Implement sanitization procedures before equipment leaves your facility for maintenance or repair
  4. 4.Require maintenance vendors to certify receipt of sanitized equipment and prohibit data recovery attempts
  5. 5.Maintain audit logs and certificates of sanitization for all affected equipment
  6. 6.Test sanitization effectiveness periodically using data recovery tools to verify CUI is unrecoverable
  7. 7.Train staff on sanitization procedures and the risks of non-compliance

Evidence auditors look for

  • Equipment sanitization policy and procedures document
  • Inventory list of CUI-processing equipment with sanitization methods assigned
  • Sanitization work orders and completion certificates with dates and technician signatures
  • Vendor agreements requiring certified receipt of sanitized equipment
  • Test results from data recovery verification of sanitized devices
  • Maintenance logs showing pre-removal sanitization checkpoints
  • Staff training records on equipment sanitization requirements
  • Disposal certificates for destroyed equipment

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates equipment inventory tracking and sanitization workflow management, sending alerts before maintenance is scheduled and capturing vendor certifications in a centralized audit log—eliminating manual spreadsheets and compliance blind spots.

See how GRCWatch handles this control automatically

Start free trial

Related controls

3.7.1 Information System Media Protection3.7.2 Media Access3.8.3 Information Disposal3.4.7 Wireless Access Control3.2.1 Information Security Policies