MP-6: Media Sanitization

The MP-6 media sanitization requirement means you must reliably remove data from all types of media before you dispose of it, release it outside your control, or reuse it, using organization-defined sanitization methods. To operationalize it fast, set a clear sanitization standard by media type, route every disposal/reuse event through that workflow, and retain proof (tickets, logs, certificates, chain-of-custody).

Key takeaways:

  • Define “what media” and “which methods” are approved, then enforce them at every exit or reuse event.
  • Build a repeatable workflow with custody, verification, and exception handling, not a one-off IT task.
  • Keep assessor-ready evidence: inventory linkage, sanitization records, vendor certificates, and approvals.

Media sanitization failures rarely look dramatic internally. They show up as an “old laptop donated,” a “returned leased copier,” a “failed drive tossed,” or a “cloud snapshot copied to a lab account.” MP-6 forces you to treat each of those moments as a controlled security event with a defined method, a responsible owner, and recorded evidence.

This page is written for a Compliance Officer, CCO, or GRC lead who needs to implement the MP-6 media sanitization requirement quickly and defensibly. The practical goal is simple: no media leaves organizational control, and no media gets reused, until you can show it was sanitized using your approved approach for that media and data sensitivity. The operational challenge is also simple: media exists everywhere (endpoints, servers, removable storage, printers, lab gear, cloud exports), and disposal/reuse is often decentralized across IT, facilities, security, and third parties.

MP-6 is assessed like an operational control. Auditors look for consistent execution, not a policy that only covers laptops. Your “win condition” is a documented, end-to-end process that is hard to bypass and easy to evidence.

Regulatory text

Requirement (excerpt): “Sanitize {{ insert: param, mp-6_prm_1 }} prior to disposal, release out of organizational control, or release for reuse using {{ insert: param, mp-6_prm_2 }}; and” 1

Operator interpretation of the placeholders: NIST expresses MP-6 with organization-defined parameters. In practice, you must define (1) what media is in scope for sanitization and (2) what sanitization methods are acceptable for each scenario and media type, then execute those methods before the media is disposed of, leaves your custody, or is reused. 2

Plain-English interpretation

You need a controlled, documented way to remove data from devices and storage so it cannot be recovered, before:

  • Disposal (trash, recycling, e-waste pickup, destruction),
  • Release out of control (returns to lessor, RMA to manufacturer, donation, resale, third-party repair, data center decommissioning handled by a third party),
  • Reuse (reassigning a laptop, reimaging a server, repurposing removable media, redeploying lab equipment).

MP-6 is not “wipe drives sometimes.” It is “no exit or reuse without sanitization evidence tied to the asset and method.”

Who it applies to

Entities

  • Federal information systems and contractor systems handling federal data commonly map MP-6 directly, including environments aligning to NIST SP 800-53 Rev. 5. 2

Operational contexts (where MP-6 breaks most often)

  • End-user computing: laptops, desktops, mobile devices, external drives.
  • Data center & infrastructure: server drives, storage arrays, backup media, network appliances with storage.
  • Office “hidden storage”: MFDs/copiers/printers, badge systems, conferencing devices.
  • Cloud and virtualization: exported images, snapshots, virtual disks moved across accounts or tenants.
  • Third-party touchpoints: leased equipment returns, warranty returns, repair depots, e-waste recyclers, ITAD providers.

What you actually need to do (step-by-step)

1) Assign ownership and boundaries

  • Name a control owner (often IT Asset Management or Information Security) and an approver for exceptions (GRC/InfoSec).
  • Define “out of organizational control” in your environment (e.g., any transfer to a third party, any shipment, any return to a lessor, any donation/resale).

Deliverable: MP-6 control statement with roles, scope, and enforcement points 2

2) Define media in scope (your MP-6 parameter #1)

Create a media taxonomy and include at least:

  • Magnetic, solid-state, optical, removable media
  • Embedded storage (printers, network gear, IoT, OT where applicable)
  • Virtual media artifacts (images, snapshots) where they can be transferred or reused

Practical tip: start from your asset inventory categories, then add “non-obvious storage” explicitly (MFDs, conference bars, lab instruments).

3) Define approved sanitization methods (your MP-6 parameter #2)

Create a decision matrix that maps media type + data sensitivity + disposition scenario to an approved method and verification requirement.

Example decision matrix (adapt to your standards):

| Media / scenario | Reuse inside org | Release to third party | Disposal/destruction |
|---|---|---|---|
| SSD in laptop | Cryptographic erase or secure wipe; verify completion | Prefer physical destruction or vendor-approved method with evidence | Physical destruction + certificate |
| HDD in server | Secure wipe; verify logs | Physical destruction or wipe + chain-of-custody | Physical destruction + certificate |
| Printer/copier internal storage | Factory reset plus storage wipe steps; document model procedure | Treat as release; sanitize before pickup | Treat as disposal; sanitize then destroy if required |

Keep it “auditable”: each row should specify (a) the tool/process used, (b) who performs it, (c) what proof is produced.

4) Build a single intake workflow for disposal, release, and reuse

Operationalize MP-6 by forcing events through a workflow:

  1. Request to dispose/release/reuse submitted via ticketing system.
  2. Asset identification (asset tag/serial, owner, system, data classification).
  3. Custody check (confirm the device/media is physically secured while awaiting sanitization).
  4. Sanitization execution using the approved method for that media.
  5. Verification (tool output/logs, second-person check for high-risk media, or spot-check sampling rules you define).
  6. Approval to release (gate: no shipment/pickup without sign-off).
  7. Close-out with evidence attached and inventory updated (status changed to “sanitized and disposed,” “sanitized and reassigned,” etc.).

Design goal: facilities cannot schedule e-waste pickup until the ticket reaches the “approved to release” state.

5) Control third-party involvement (ITAD, recyclers, repair depots, lessors)

If a third party touches media:

  • Put sanitization requirements in the contract/SOW: method, timing (before transfer when feasible), chain-of-custody, certificates, breach notification, and right to audit.
  • Require Certificates of Sanitization/Destruction that reference serial numbers or asset tags.
  • Confirm secure transport and custody controls (sealed containers, documented handoffs).

If your model relies on the third party sanitizing after pickup, treat that as higher risk. In that case, tighten chain-of-custody and acceptance criteria for certificates.
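The decision matrix in step 3, the "approved to release" gate in step 4, and the certificate acceptance criteria in step 5 are easiest to enforce when the ticketing or GRC system evaluates them mechanically. The following is an added example, not code from the page or from any product it mentions: a small Python release gate that encodes an approved-method matrix keyed by media type and disposition scenario, then checks a ticket for the evidence the workflow requires before it may leave the "awaiting sanitization" state. The media classes, method names, ticket fields and the sample tickets are all assumptions constructed for illustration; an organization would replace them with its own standard and system-of-record fields.

```python
"""MP-6 release gate (added example, not the page's own code).

Checks a disposal/release/reuse ticket against an approved-method matrix and the
evidence rules the workflow requires. All identifiers are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Step 3: approved methods per (media class, scenario). Assumed values; adapt to your standard.
APPROVED: Dict[Tuple[str, str], Set[str]] = {
    ("ssd", "reuse"): {"crypto_erase", "secure_wipe"},
    ("ssd", "release"): {"physical_destruction", "vendor_method"},
    ("ssd", "disposal"): {"physical_destruction"},
    ("hdd", "reuse"): {"secure_wipe"},
    ("hdd", "release"): {"physical_destruction", "secure_wipe"},
    ("hdd", "disposal"): {"physical_destruction"},
    ("mfd_storage", "reuse"): {"factory_reset_plus_wipe"},
    ("mfd_storage", "release"): {"factory_reset_plus_wipe"},
    ("mfd_storage", "disposal"): {"factory_reset_plus_wipe", "physical_destruction"},
}
# Methods whose proof is a tool log rather than a destruction certificate.
WIPE_METHODS = {"crypto_erase", "secure_wipe", "factory_reset_plus_wipe"}
# Scenarios where media leaves organizational control (step 5 rules apply).
LEAVES_CONTROL = {"release", "disposal"}


@dataclass
class Certificate:
    """Third-party certificate of sanitization/destruction (assumed shape)."""
    serials: Set[str]   # serials or asset tags listed on the certificate
    method: str
    date: str


@dataclass
class Ticket:
    """Disposal/release/reuse ticket as the workflow in step 4 would capture it."""
    asset_tag: str
    serial: str
    media: str
    scenario: str                 # "reuse" | "release" | "disposal"
    method: str
    wipe_log_attached: bool = False
    custody_record: bool = False
    certificate: Optional[Certificate] = None
    exception_approved_by: Optional[str] = None   # step 6: documented approver
    exception_reason: str = ""                    # step 6: documented rationale


def gate_release(t: Ticket) -> List[str]:
    """Return findings that block release; an empty list means the gate passes."""
    findings: List[str] = []
    # Inventory linkage: every ticket must carry the identifiers that evidence is tied to.
    if not t.asset_tag or not t.serial:
        findings.append("missing asset tag or serial; evidence cannot be linked to inventory")
    approved = APPROVED.get((t.media, t.scenario))
    if approved is None:
        findings.append(f"no approved method defined for media={t.media!r} scenario={t.scenario!r}")
    elif t.method not in approved and not (t.exception_approved_by and t.exception_reason):
        findings.append(
            f"method {t.method!r} is not approved for {t.media}/{t.scenario} "
            "and no documented exception approval is recorded"
        )
    # Verification: a wipe or crypto-erase claim needs the tool output attached.
    if t.method in WIPE_METHODS and not t.wipe_log_attached:
        findings.append("wipe/crypto-erase claimed but no tool output or log attached")
    # Media leaving control: custody record plus a certificate that names this asset.
    if t.scenario in LEAVES_CONTROL:
        if not t.custody_record:
            findings.append("chain-of-custody record required before media leaves organizational control")
        if t.certificate is None:
            findings.append("certificate of sanitization/destruction required")
        elif t.serial not in t.certificate.serials:
            findings.append("certificate does not reference this serial; aggregate-count certificates are rejected")
    return findings


def sample_tickets() -> Dict[str, Ticket]:
    """Constructed sample tickets (not real assets) covering the common cases."""
    return {
        "reuse_ok": Ticket("LT-0001", "SN-AAA", "ssd", "reuse", "crypto_erase", wipe_log_attached=True),
        "aggregate_cert": Ticket(
            "SV-0042", "SN-BBB", "hdd", "disposal", "physical_destruction", custody_record=True,
            certificate=Certificate(serials={"SN-ZZZ"}, method="physical_destruction", date="2024-01-15"),
        ),
        "documented_exception": Ticket(
            "LT-0002", "SN-CCC", "ssd", "release", "secure_wipe", wipe_log_attached=True, custody_record=True,
            certificate=Certificate(serials={"SN-CCC"}, method="secure_wipe", date="2024-02-01"),
            exception_approved_by="grc-lead", exception_reason="lessor contract requires intact drive",
        ),
        "no_evidence": Ticket("", "", "mfd_storage", "disposal", "secure_wipe"),
    }


if __name__ == "__main__":
    for name, ticket in sample_tickets().items():
        findings = gate_release(ticket)
        print(f"{name}: {'APPROVED TO RELEASE' if not findings else 'BLOCKED'}")
        for f in findings:
            print("  -", f)
```

The gate deliberately rejects a certificate that does not list the asset's own serial, which is the "aggregate counts" failure described in the audit questions and FAQ, and it only accepts an off-matrix method when both an approver and a rationale are recorded, mirroring the exception path in step 6.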

6) Handle exceptions explicitly

Common exception cases: damaged drives, encryption unknown, device won’t boot, remote sites without tools.

  • Define an exception path with compensating controls (e.g., physical destruction).
  • Require documented approval and rationale.
  • Track exception volume; repeated exceptions often point to tool/process gaps.

7) Train and test the process

  • Train IT, facilities, and any local site coordinators on “no ticket, no release.”
  • Run periodic tabletop checks: pick a random disposed asset and prove the evidence chain from inventory → ticket → method → certificate.

Required evidence and artifacts to retain

Auditors typically want traceability from asset → sanitization action → proof. Retain:

  • Media sanitization policy/standard with your defined scope and approved methods 2
  • Procedures/runbooks by media type (endpoints, servers, MFDs, removable media)
  • Asset inventory extracts showing lifecycle status and assigned owners
  • Tickets/records for each disposal/release/reuse event
  • Sanitization logs/tool outputs (wipe reports, crypto-erase confirmations)
  • Certificates of destruction/sanitization from third parties, tied to serial/asset tag
  • Chain-of-custody records (handoff forms, shipment tracking where applicable)
  • Exception approvals and compensating control documentation
  • Sampling/verification results and periodic control checks

Operational tip: standardize filenames and required ticket attachments. Evidence that is “somewhere in email” fails under exam pressure.

Common exam/audit questions and hangups

  1. “Show me three examples where media left your control. Prove sanitization happened first.”
    Hangup: teams show a policy but cannot produce event-level records.

  2. “How do you cover copiers, printers, and network devices?”
    Hangup: asset inventory excludes them; no model-specific procedure.

  3. “What prevents a local office from tossing devices without IT involvement?”
    Hangup: the process is optional, not enforced through facilities/e-waste workflow.

  4. “How do you govern ITAD providers and lessors?”
    Hangup: certificates don’t list serials; chain-of-custody is weak.

  5. “How do you address damaged drives?”
    Hangup: no defined exception path, so people improvise.

Frequent implementation mistakes and how to avoid them

  • Mistake: Treating “reimage” as sanitization for every scenario.
    Fix: distinguish reuse vs release. Reuse may allow wipe + verification; release often needs stronger handling and custody proof.

  • Mistake: No link between inventory and sanitization evidence.
    Fix: require asset tag/serial in every ticket and certificate. Make closure contingent on that linkage.

  • Mistake: Delegating to a third party without enforceable acceptance criteria.
    Fix: define what a “valid certificate” contains, and reject incomplete certificates.

  • Mistake: Forgetting non-obvious media.
    Fix: add “embedded storage” classes to the inventory and procedures; require the same gate before pickup/return.

  • Mistake: Evidence scattered across tools.
    Fix: pick a system of record (ticketing or GRC) and attach or link all artifacts there.

Risk implications (what goes wrong if MP-6 is weak)

MP-6 failures create two types of exposure:

  • Data exposure risk: recoverable data on disposed or transferred media can become an incident with downstream notification, contractual breach, or regulatory scrutiny depending on the data type.
  • Assurance risk: even without a known breach, inability to prove sanitization undermines system authorization and audit outcomes in NIST-aligned programs. 2

A practical 30/60/90-day execution plan

First 30 days (establish control design)

  • Assign owner(s), define scope, and publish an MP-6 standard mapped to media types and scenarios. 2
  • Inventory alignment: confirm you can identify endpoints, servers/storage media, and MFDs with unique identifiers.
  • Build the ticket workflow and required fields/attachments; set the “no release without approval” gate.
  • Contract review: identify third parties involved in disposal/returns and list required evidence (certificates, custody records).

Day 31–60 (pilot and enforce)

  • Pilot the workflow with one business unit and one data center/disposal stream.
  • Train IT + facilities + local site contacts; publish a one-page “how to dispose/return equipment” SOP.
  • Start collecting certificates and validating quality; reject certificates that cannot be tied to assets.
  • Define exception handling and approval steps; test it on a damaged device scenario.

Day 61–90 (operationalize and audit-proof)

  • Expand to all sites and all media classes, including printers/copiers and network gear.
  • Run an internal mini-audit: sample recent disposals/releases/reuse and verify the full evidence chain.
  • Add recurring checks (spot checks, inventory reconciliation, vendor certificate review).
  • Map MP-6 to a control owner, procedure, and recurring evidence artifacts in your GRC system. Daydream is a natural place to keep the control narrative, route evidence to a single record, and stay assessment-ready without rebuilding screenshots every audit cycle. 1

Frequently Asked Questions

Does MP-6 apply to cloud resources like snapshots and images?

Yes if those artifacts can be released outside your control or reused in ways that expose prior data. Define cloud media handling in your scope and require documented deletion/sanitization steps tied to change records. 2

What counts as “release out of organizational control”?

Any situation where you no longer control custody or access, including donations, resale, lessor returns, RMAs, repair depots, and third-party e-waste pickup. Write the definition into your procedure so sites don’t guess.

Can we rely on full-disk encryption and just dispose of devices?

You can allow cryptographic erase or equivalent methods if you define them as approved methods for that media type and scenario, and you retain evidence that the method was executed. Auditors still expect a record per event, not a general statement. 2

What evidence is “good enough” for an ITAD provider’s destruction certificate?

Require asset-level traceability (serial/asset tag), date, method, and a chain-of-custody link to your pickup or shipment. If the certificate only shows aggregate counts, you will struggle to prove specific media was sanitized.

How do we handle a failed drive that can’t be wiped?

Route it through the exception path and default to physical destruction with custody documentation. Record the reason wiping was not possible and who approved the exception.

Who should own MP-6: IT, Security, or Facilities?

Security or GRC usually owns the requirement, but IT Asset Management or IT Operations should run the workflow day-to-day. Facilities should not be able to dispose of equipment outside the workflow.

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
