A brief article on how to sanitize paper media containing CUI in a way that meets NIST SP 800-171 / Cybersecurity Maturity Model Certification (CMMC) requirements.

Prior to COVID-19, Department of Defense (DoD) contractors and subcontractors disposed of their paper media containing CUI in secure “burn” barrels at their primary work site. An approved shredding service would arrive at regular intervals (e.g., weekly, biweekly) and take the “burn” barrels away for secure destruction.

With the rise of COVID-19, DoD contractors and subcontractors had to adopt a work-from-home model to continue to fulfill their contractual obligations. Contractors and subcontractors at times may have a legitimate business need to print CUI during the performance of their duties. This has presented new challenges in maintaining compliance with the security requirements laid out in NIST SP 800-171.

Guidance on Sanitizing Media

In 2019, the National Archives and Records Administration (NARA) issued guidance on destroying paper copies of CUI, but many DoD contractors are not familiar with NARA or the guidance. This article summarizes NARA’s guidance and provides practical approaches that help DoD contractors manage the destruction of paper-based CUI.

NIST SP 800-171 3.8.3 states, “Sanitize or destroy system media containing CUI before disposal or release for reuse.” This requirement applies to all media, digital and non-digital. Requirement 3.8.3 also references NIST SP 800-88, which provides guidance on media sanitization.

According to NIST SP 800-88, there are a few ways to securely destroy paper media.

Best methods for maintaining compliance

One way to securely destroy paper is to use a cross-cut shredder that produces particles 1mm x 5mm (0.04in x 0.2in) in size or smaller, or to pulverize/disintegrate the paper using a disintegrator device equipped with a 3/32in. (2.4mm) security screen. NSA-approved shredders (which shred paper to the above-mentioned specifications) can be purchased from one of these vendors.

For organizations that do not have the resources to purchase appropriate sanitization equipment, other options may include a secure shredding service. The General Services Administration (GSA) has a list of GSA-approved shredding service organizations. These organizations will provide you with a certificate of destruction. This can be used as an artifact to demonstrate compliance to assessors.

As an alternative to shredding, paper and/or microforms (e.g., microfilm, microfiche, or other photo negatives) can be destroyed using the safe and secure burn method. It is important to note that, when the material is burned, the residue must be reduced to white ash. Regardless of the secure destruction approach you adopt, it is important to document that the documents were properly destroyed. Take a look at this sample certificate of destruction.

By taking a few simple steps, such as purchasing shredders that remain in each employee’s CUI environment and having employees document when papers have been shredded or destroyed, your organization can ensure it remains in compliance with the appropriate CUI handling requirements. This is true regardless of whether your employees continue to work from home even after the pandemic-related restrictions ease.

Author: Fernando Machado, CISSP, CISM, CISA, CEH