NIST 800-53 REV 5 • MEDIA PROTECTION

MP-6(7) Dual Authorization

Enforce dual authorization for the sanitization of [Assignment: organization-defined system media].

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Organizations employ dual authorization to help ensure that system media sanitization cannot occur unless two technically qualified individuals conduct the designated task. Individuals who sanitize system media possess sufficient skills and expertise to determine if the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Dual authorization also helps to ensure that sanitization occurs as intended, protecting against errors and false claims of having performed the sanitization actions. Dual authorization may also be known as two-person control. To reduce the risk of collusion, organizations consider rotating dual authorization duties to other individuals.

Practitioner Notes

Dual authorization means two people must be involved in the sanitization process — one to perform the sanitization and another to verify and authorize it. This prevents a single person from improperly handling sensitive media.

Example 1: Require two authorized employees to be present for all media sanitization of CUI or higher. One person performs the sanitization while the other observes and signs as witness on the sanitization record. Neither person can complete the process alone.

Example 2: In your ticketing system, create a media sanitization workflow that requires two separate approvals — the technician performing the work and a supervisor or security officer verifying completion. The ticket cannot be closed without both approvals recorded.
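The approval gate from Example 2, together with the duty rotation mentioned in the supplemental guidance, as an added sketch that is not part of the control text or any ticketing product. The roster, user names, role names, ticket fields and the `max_repeats` threshold are all constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

# Constructed roster of individuals qualified to sanitize media (assumption).
QUALIFIED = {"tech.alvarez", "tech.chen", "sec.okafor"}
ROLES = ("performer", "verifier")


class DualAuthError(Exception):
    """Raised when a sanitization ticket would violate two-person control."""


@dataclass
class SanitizationTicket:
    media_id: str
    method: str
    approvals: dict = field(default_factory=dict)  # role -> user
    closed: bool = False

    def approve(self, role, user):
        if role not in ROLES:
            raise DualAuthError(f"unknown role: {role}")
        if user not in QUALIFIED:
            raise DualAuthError(f"{user} is not on the qualified roster")
        if role in self.approvals:
            raise DualAuthError(f"{role} approval already recorded")
        # Core of two-person control: one identity cannot fill both roles.
        if user in self.approvals.values():
            raise DualAuthError(f"{user} cannot sign as performer and verifier")
        self.approvals[role] = user

    def close(self):
        missing = sorted(set(ROLES) - self.approvals.keys())
        if missing:
            raise DualAuthError(f"missing approval(s): {missing}")
        self.closed = True
        # Return the pair so it can be logged for rotation review.
        return frozenset(self.approvals.values())


def pairs_due_for_rotation(closed_pairs, max_repeats=3):
    """Return pairs that closed more than max_repeats tickets together."""
    counts = Counter(closed_pairs)
    return {pair for pair, n in counts.items() if n > max_repeats}
```

Feeding the pairs returned by `close()` into `pairs_due_for_rotation` gives a periodic list of performer and verifier combinations to reassign.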