NIST 800-53 REV 5 • MEDIA PROTECTION

MP-7(2) Prohibit Use of Sanitization-resistant Media

Prohibit the use of sanitization-resistant media in organizational systems.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

Sanitization resistance refers to how resistant media are to non-destructive sanitization techniques with respect to the capability to purge information from media. Certain types of media do not support sanitization commands, or if supported, the interfaces are not supported in a standardized way across these devices. Sanitization-resistant media includes compact flash, embedded flash on boards and devices, solid state drives, and USB removable media.

Practitioner Notes

Some media types cannot be effectively sanitized due to their physical design — for example, certain types of flash memory, optical media, or devices with embedded storage. These should not be used on systems handling sensitive data.

Example 1: Maintain a list of prohibited media types in your media protection policy. Include CD-Rs (cannot be erased), certain IoT devices with embedded non-removable storage, and any storage device that does not support verified sanitization. Train staff on these restrictions.

Example 2: Configure your device control policies (via Intune, GPO, or endpoint protection tools) to block device classes that cannot be sanitized. Block generic mass storage devices and only allow specific hardware-encrypted, remotely wipeable devices that support verified sanitization.
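The device-control configuration in Example 2 can be expressed locally on a Windows host through the registry values that back the "Device Installation Restrictions" Group Policy settings. The script below is an added example for this page, not text from NIST 800-53 or any vendor: it denies generic USB mass storage (the `USBSTOR\GenDisk` compatible ID), allows only an explicit list of approved hardware IDs, and exposes a read-back function that produces audit evidence. The function names, the `$ApprovedHardwareIds` placeholder values, and the choice of compatible ID are assumptions made for this example; the policy value names follow the DeviceInstallation ADMX as I know it and should be checked against the ADMX shipped with your Windows build before deployment.

```powershell
# Added example (not from the NIST catalog or any vendor documentation):
# registry-backed equivalent of the "Device Installation Restrictions" policies.
# Must run elevated. In production, deploy the same values via GPO or Intune
# rather than editing the local registry.
#Requires -RunAsAdministrator

$RestrictionsKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

# Compatible ID matched by generic USB mass-storage disks (the devices this
# example treats as sanitization-resistant). Internal SATA/NVMe disks do not match it.
$DeniedDeviceIds = @('USBSTOR\GenDisk')

# PLACEHOLDER hardware IDs for approved, hardware-encrypted, remotely wipeable
# drives. Replace with real values collected via Get-ApprovedCandidateIds.
$ApprovedHardwareIds = @(
    'USBSTOR\DiskVENDOR_PLACEHOLDER&PROD_PLACEHOLDER',
    'USBSTOR\DiskVENDOR_PLACEHOLDER2&PROD_PLACEHOLDER2'
)

function Set-PolicyList {
    # Writes a GPO-style list subkey: string values named "1", "2", ... one per entry.
    param([string]$ListName, [string[]]$Entries)
    $listKey = Join-Path $RestrictionsKey $ListName
    if (Test-Path $listKey) { Remove-Item $listKey -Recurse -Force }
    New-Item -Path $listKey -Force | Out-Null
    $i = 1
    foreach ($entry in $Entries) {
        New-ItemProperty -Path $listKey -Name ([string]$i) -Value $entry -PropertyType String -Force | Out-Null
        $i++
    }
}

function Get-PolicyList {
    # Reads a GPO-style list subkey back in numeric order.
    param([string]$ListName)
    $listKey = Join-Path $RestrictionsKey $ListName
    if (-not (Test-Path $listKey)) { return @() }
    $key = Get-Item $listKey
    $key.GetValueNames() | Sort-Object { [int]$_ } | ForEach-Object { $key.GetValue($_) }
}

function Set-SanitizationResistantMediaRestriction {
    param([string[]]$AllowedHardwareIds = $ApprovedHardwareIds)
    New-Item -Path $RestrictionsKey -Force | Out-Null
    # "Prevent installation of devices that match any of these device IDs",
    # applied retroactively so already-installed generic disks are disabled too.
    New-ItemProperty -Path $RestrictionsKey -Name 'DenyDeviceIDs' -Value 1 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $RestrictionsKey -Name 'DenyDeviceIDsRetroactive' -Value 1 -PropertyType DWord -Force | Out-Null
    Set-PolicyList -ListName 'DenyDeviceIDs' -Entries $DeniedDeviceIds
    # "Allow installation of devices that match any of these device IDs".
    New-ItemProperty -Path $RestrictionsKey -Name 'AllowDeviceIDs' -Value 1 -PropertyType DWord -Force | Out-Null
    Set-PolicyList -ListName 'AllowDeviceIDs' -Entries $AllowedHardwareIds
    # Layered evaluation (Windows 10 2004 and later): the more specific hardware-ID
    # allow overrides the compatible-ID deny. Without it, deny always wins and
    # the allow list has no effect.
    New-ItemProperty -Path $RestrictionsKey -Name 'AllowDenyLayered' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Get-SanitizationResistantMediaRestriction {
    # Returns the configured state as an object suitable for audit evidence.
    if (-not (Test-Path $RestrictionsKey)) { return $null }
    $props = Get-ItemProperty -Path $RestrictionsKey
    [pscustomobject]@{
        DenyDeviceIDs      = [bool]$props.DenyDeviceIDs
        Retroactive        = [bool]$props.DenyDeviceIDsRetroactive
        LayeredEvaluation  = [bool]$props.AllowDenyLayered
        DeniedDeviceIds    = @(Get-PolicyList 'DenyDeviceIDs')
        AllowedHardwareIds = @(Get-PolicyList 'AllowDeviceIDs')
    }
}

function Get-ApprovedCandidateIds {
    # Lists attached disk-class devices with their hardware IDs so an approved
    # drive's ID can be copied into $ApprovedHardwareIds.
    Get-PnpDevice -Class DiskDrive -PresentOnly | ForEach-Object {
        [pscustomobject]@{
            FriendlyName = $_.FriendlyName
            InstanceId   = $_.InstanceId
            HardwareIds  = (Get-PnpDeviceProperty -InstanceId $_.InstanceId -KeyName 'DEVPKEY_Device_HardwareIds').Data
        }
    }
}

# Usage: collect IDs from an approved drive, apply the policy, then read it back.
Get-ApprovedCandidateIds | Format-List
Set-SanitizationResistantMediaRestriction
Get-SanitizationResistantMediaRestriction | Format-List
```

Run `Get-ApprovedCandidateIds` with an approved drive attached first and paste its `USBSTOR\Disk…` hardware ID into `$ApprovedHardwareIds` before applying the policy; otherwise every USB disk, approved or not, is denied. The output of `Get-SanitizationResistantMediaRestriction` is the artifact to keep alongside the prohibited-media list from Example 1 when demonstrating that the control is both documented and enforced.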