NIST 800-53 REV 5 • SYSTEM AND INFORMATION INTEGRITY

SI-12(3) Information Disposal

Use the following techniques to dispose of, destroy, or erase information following the retention period: {{ insert: param, si-12.3_prm_1 }}.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

No related controls listed

Supplemental Guidance

Organizations can minimize both security and privacy risks by disposing of information when it is no longer needed. The disposal or destruction of information applies to originals as well as copies and archived records, including system logs that may contain personally identifiable information.

Practitioner Notes

Dispose of information properly when it is no longer needed — do not just delete files or throw away equipment. Sensitive data must be destroyed beyond recovery.

Example 1: Use NIST SP 800-88 guidelines for media sanitization. For hard drives: use the "Purge" method (cryptographic erase for SSDs, overwrite patterns for HDDs) or physically destroy them. Maintain a log with serial numbers, destruction dates, and witness signatures.

Example 2: Configure M365 retention policies to automatically delete emails and documents after the retention period expires. For SharePoint, set site-level retention policies that automatically purge content from the recycle bin after the defined period.