3.7.3 — Wipe Before Repair

The One-Liner

A device going to the vendor with CUI on it is a data breach waiting to happen.

What It Says

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

What It Actually Means

Before any CUI system leaves your controlled environment for repair, maintenance, or vendor support, all CUI must be removed. This means: wipe drives per NIST SP 800-88, remove any removable media, verify sanitization, and document the process. Failed drives that can’t be wiped must be physically destroyed — not shipped.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is equipment sanitized of CUI before off-site maintenance?	Sanitization records showing method (wipe, degauss, destroy), date, device, and person who performed it

---

What to Have Ready on Assessment Day

Documents they’ll review: Maintenance policy; sanitization procedures; sanitization records; media destruction records; NIST 800-88 reference; system security plan

People they’ll talk to: Maintenance personnel; information security personnel; anyone who performs sanitization

Live demos they’ll ask for: “Show me your sanitization procedure.” “Show me records from the last device sent for repair.” “What do you do with a failed drive that can’t be wiped?”

---

The Assessor’s Playbook

• “Show me your sanitization procedure for equipment going off-site.”
• “When was the last device sent for repair? Show me the sanitization record.”
• “What method do you use — overwrite, degauss, or destroy? Is it per NIST 800-88?”
• “What happens with failed drives that can’t be sanitized?”

Real-World Example

A server develops a hardware fault and needs vendor repair. Before shipping, the two sysadmins remove the data drives and retain them on-site — only the chassis and non-storage components ship to the vendor. The sanitization record documents: server asset tag, drives retained (serial numbers), sanitization method (physical retention rather than shipment), date, and the sysadmin who performed the work. For a failed drive that can’t be wiped, the contractor uses a degaussing unit and then physically shreds the drive, with a destruction certificate filed.

---

Where Companies Trip Up

No sanitization. Equipment shipped with CUI intact. Always wipe or remove data storage before shipping.

No documentation. CUI was removed but nobody recorded it. Keep sanitization records for every device.

Failed drives shipped. A drive that can’t be wiped is sent to the vendor anyway. Destroy it instead — degauss and shred per NIST 800-88.

---

How to Talk About This

To a CEO or Board

No device leaves our facility with CUI on it. We either wipe the data or retain the drives on-site. Failed drives are physically destroyed with documented certificates.

To an Engineering Team

Off-site maintenance procedure: remove/wipe data storage before shipping. NIST 800-88 methods. Failed drives: degauss + shred. Destruction certificates filed. Sanitization records: device, method, date, person.

---

Connected Requirements

Requirement	Why it matters here
3.8.3 — Destroy It Properly	Media sanitization standards apply here
3.7.1 — Maintain on Schedule	Maintenance processes that may trigger off-site repair
3.8.6 — Encrypt Media in Transit	If data must travel, encryption is required

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MA.L2-3.7.3 | SPRS Weight: 1 point | POA&M Eligible: Yes