MP-6(5): Classified Information

MP-6(5) requires you to implement controlled, verifiable media sanitization and disposal procedures specifically for media that contains classified information, and to be able to prove it on demand. Operationalize it by scoping where classified data can exist, assigning a single accountable owner, standardizing destruction/sanitization methods, and retaining chain-of-custody and destruction evidence tied to each asset and event. 1

Key takeaways:

  • Treat “classified media” as a special handling path with stricter approvals, custody, and evidence than standard MP-6.
  • Your audit pass/fail hinges on traceability: asset identity → classification → sanitization method → custody → disposal proof.
  • If you cannot show recurring evidence (logs, certificates, tickets, witness records), the control is effectively “not implemented.”

MP-6 is the Media Sanitization control in the NIST SP 800-53 Media Protection (MP) family; enhancement (5) focuses on classified information. For a CCO, GRC lead, or compliance officer, the fast path is to translate “classified information” into an operational workflow: where it may be stored, who can touch it, what methods are approved to sanitize or destroy it, and what proof you will retain. This control is rarely “hard” because teams lack tools; it fails because teams lack boundaries (what counts as classified media in your environment) and evidence discipline (how you prove each disposal event was handled correctly).

MP-6(5) also creates immediate third-party risk implications. If a third party handles classified data (cloud, hosting, managed services, e-waste, device repair, printing), your internal policy is not enough. You need contract language, a clear custody model, and evidence from the third party that maps to your procedure.

This page is written to help you implement the MP-6(5): Classified Information requirement quickly: define scope, build a repeatable runbook, integrate it with asset management and ticketing, and retain artifacts that satisfy assessors. 2

Regulatory text

Control requirement (excerpt): “NIST SP 800-53 control MP-6.5.” 1

What an operator must do with that text: In practice, MP-6(5) means your media sanitization program must include a distinct, higher-assurance process for media containing classified information, with stronger handling controls and stronger proof than you would accept for non-classified media. Your implementation should make it hard for classified media to be lost, mixed into standard e-waste, or sanitized with an unapproved method, and it should make it easy to show auditors exactly what happened to each item. 2

Plain-English interpretation (what “good” looks like)

You must be able to answer, with evidence:

  1. Where classified information can reside (endpoints, removable media, servers, backups, print outputs, lab systems).
  2. How you identify and label it (classification marking, asset tagging, inventory linkage).
  3. How you sanitize or destroy it using approved methods for your environment.
  4. How you control custody from discovery to final disposal.
  5. How you prove completion (who did what, when, using what method, and what confirmation exists).

If your process relies on “we usually shred drives” or “the recycler handles it,” expect control failure. MP-6(5) is an evidence-forward requirement. 2

Who it applies to (entity and operational context)

MP-6(5) is relevant when you operate under NIST SP 800-53 and handle classified information in any form. Typical applicability:

  • Federal information systems processing or storing classified data.
  • Contractor systems handling federal data where classified data is present in scope (for example, classified programs or environments). 1

Operational contexts where teams get surprised by scope:

  • Endpoint fleets used by cleared staff (laptops, tablets, phones).
  • Removable media and “sneakernet” workflows (USB, external drives).
  • Backup media (tape libraries, offline backups, cold storage exports).
  • Printer/copier/scanner internal storage, fax servers, MFD hard drives.
  • Lab/test rigs that receive production datasets.
  • Third parties providing ITAD (IT asset disposition), device repair, managed hosting, or secure destruction.

What you actually need to do (step-by-step)

Step 1: Define “classified media” in your environment (scope and triggers)

Create a short scoping statement that is enforceable:

  • What classifications are in scope (by your program rules).
  • What media types are in scope: digital (SSD/HDD/USB), paper, optical, mobile devices, embedded storage (MFDs), and backups.
  • Trigger events: decommission, break/fix, reassignment, return from remote staff, incident containment, and third-party offboarding.

Output: “Classified Media Handling Standard” (one-pager) plus a data flow view showing where classified data may land.

Step 2: Assign a single accountable owner and decision authority

Name a control owner with authority across IT, security, and facilities. Then define approvers for:

  • Declaring an asset “classified media”
  • Selecting sanitization vs. destruction
  • Authorizing third-party transfer or offsite destruction

Practical tip: If approvals live in email, you will fail evidence review. Put approvals in your ticketing system.

Step 3: Build a classified media inventory workflow (tie it to asset management)

You need traceability from asset record to disposal record:

  • Asset ID/serial number
  • System name / location
  • Classification level (or “contains classified information” flag)
  • Custodian and storage location
  • Final disposition status (pending sanitization, destroyed, transferred to destruction vendor, etc.)

Minimum operational requirement: the inventory must prevent anonymous disposal. If an item cannot be identified, it cannot enter the classified disposal stream.

Step 4: Standardize sanitization and destruction methods (and when to use each)

Define which methods are allowed for each media type and classification condition, and who can perform them. Your method matrix should include:

  • Media type (SSD, HDD, tape, paper, mobile, optical)
  • Allowed method(s) (sanitize vs destroy)
  • Required tooling (approved wiping tools, degausser, shredder specs as applicable to your program)
  • Required witnesses or dual control (if your program requires it)
  • Post-action verification (tool output logs, inspection steps, or destruction certificate)

Control objective: consistent, pre-approved methods with documented verification, not ad hoc technician judgment. 2

Step 5: Implement chain-of-custody controls from “identified” to “gone”

Create a custody model with explicit handoffs:

  • Secure collection (tamper-evident bag/locked container if applicable)
  • Secure storage location for pending destruction
  • Transfer procedure (internal courier rules, restricted access, sign-in/out)
  • Third-party transfer procedure (authorized carriers, packaging, tracking, receipt confirmation)

Operational requirement: every handoff produces a record. If you cannot reconstruct custody, treat it as an incident and investigate.

Step 6: Add third-party requirements where any external party touches media

If a third party participates (ITAD, shredding, repair, managed service):

  • Contract clauses for classified handling obligations, permitted methods, and evidence delivery
  • Right-to-audit language aligned to your program
  • Evidence SLAs (what they deliver: destruction certificate, serial list, date/time, method)
  • Subcontractor restrictions (no unapproved onward transfer)

Reality check: A “certificate of destruction” that does not list serial numbers often fails traceability. Require itemized evidence.

Step 7: Make evidence collection automatic (or at least default)

Decide where evidence will live and how it is linked:

  • Ticketing system as the system of record
  • Attachments: wiping logs, photos of shredded material (if permitted), signed custody forms, vendor certificates
  • Required fields: asset ID, classification flag, method used, approvals, dates, operators/witnesses

Daydream (or any GRC system you use) fits best here as a control-to-evidence map: you assign the MP-6(5) owner, link the SOP, and schedule recurring evidence pulls so the control stays assessment-ready rather than rebuilt at audit time. 1

Required evidence and artifacts to retain

Retain artifacts that prove both design (your rules) and operating effectiveness (what you did):

Design artifacts

  • Media sanitization and disposal policy with a classified handling section (MP-6 family alignment)
  • Classified media method matrix (by media type)
  • Roles and responsibilities (owner, approvers, operators, witnesses)
  • Third-party contract addenda / security exhibits covering classified media handling
  • Training requirements for staff who execute the process

Operational artifacts

  • Classified media inventory extracts (asset list with disposition states)
  • Tickets or work orders for each sanitization/destruction event
  • Chain-of-custody forms (signatures, dates, locations)
  • Tool logs or system output for sanitization steps (where applicable)
  • Vendor destruction certificates with itemized asset identifiers
  • Exception approvals (for any nonstandard handling) plus documented compensating controls

Retention note: Set retention based on your organization’s records schedule and program requirements; auditors typically care that you can produce complete records for sampled events.

Common exam/audit questions and hangups

Assessors tend to probe the same weak points:

  • “Show me the inventory of media that contained classified information and its final disposition.”
    Hangup: assets not tagged, or disposal records not linked to asset IDs.

  • “How do you prevent classified media from entering the standard e-waste stream?”
    Hangup: no physical segregation, no labeled bins, no documented gate checks.

  • “Who approved this destruction method?”
    Hangup: informal approvals, missing role authority, or technician-selected methods.

  • “Prove chain of custody for these sampled serial numbers.”
    Hangup: third-party receipts missing serials, or internal handoffs not documented.

  • “What happens when a device is lost before sanitization?”
    Hangup: no incident playbook that connects media loss to IR and reporting.

Frequent implementation mistakes (and how to avoid them)

  1. Treating MP-6(5) like generic device disposal.
    Fix: create a distinct “classified media” workflow with separate storage, approvals, and evidence requirements.

  2. Relying on a third party’s generic certificate.
    Fix: require itemized serial-number evidence and defined methods in the contract.

  3. No operational trigger for break/fix or loaners.
    Fix: add workflow triggers in ITSM for repair tickets, RMAs, and device returns.

  4. Inventory and tickets don’t match.
    Fix: enforce mandatory asset ID fields in tickets; block closure without evidence attachments.

  5. Evidence exists but can’t be produced quickly.
    Fix: store artifacts in a single system of record and run periodic “evidence readiness” checks.
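An “evidence readiness” check of the kind item 5 calls for, as an added example that is not the page’s or any GRC product’s code: it reconstructs the traceability chain (asset identity → classification flag → ticket with method and approval → continuous custody → itemized destruction certificate) for sampled assets. The record shapes and field names are assumptions, and the sample records are constructed.

```python
# Added example, not page/product code: reconstruct MP-6(5) traceability for
# sampled disposed assets. Record shapes below are assumptions.
REQUIRED_TICKET_FIELDS = ("asset_id", "classified", "method", "approved_by", "operator", "date")

def check_asset(asset_id, inventory, tickets, custody, certificates):
    """Return findings for one asset; an empty list means the trail is complete."""
    inv = inventory.get(asset_id)
    if inv is None:  # the inventory must prevent anonymous disposal
        return ["asset not in inventory: cannot enter classified disposal stream"]
    findings = []
    if not inv.get("classified"):
        findings.append("inventory record lacks classified-media flag")
    ticket = next((t for t in tickets if t.get("asset_id") == asset_id), None)
    if ticket is None:
        return findings + ["no sanitization/destruction ticket linked to asset"]
    findings += [f"ticket missing required field: {f}" for f in REQUIRED_TICKET_FIELDS if not ticket.get(f)]
    if not ticket.get("attachments"):
        findings.append("ticket has no evidence attachments")
    holder = inv["custodian"]  # every handoff must start where the previous one ended
    for hop in sorted((h for h in custody if h["asset_id"] == asset_id), key=lambda h: h["date"]):
        if hop["from"] != holder:
            findings.append(f"custody gap: {holder} -> {hop['from']} undocumented")
        if not hop.get("signed"):
            findings.append(f"unsigned handoff on {hop['date']}")
        holder = hop["to"]
    if inv["disposition"] == "destroyed_by_vendor":  # proof must itemize this serial
        cert = certificates.get(holder)
        if cert is None or inv["serial"] not in cert.get("serials", ()):
            findings.append(f"no itemized destruction certificate from {holder} for serial {inv['serial']}")
    return findings

# Constructed sample records: LT-0041 is fully traceable, LT-0042 is not.
INVENTORY = {
    "LT-0041": {"serial": "SN41", "classified": True, "custodian": "j.doe", "disposition": "destroyed_by_vendor"},
    "LT-0042": {"serial": "SN42", "classified": True, "custodian": "a.lee", "disposition": "destroyed_by_vendor"},
}
TICKETS = [
    {"asset_id": "LT-0041", "classified": True, "method": "shred", "approved_by": "ctrl.owner",
     "operator": "tech1", "date": "2024-03-01", "attachments": ["custody_form.pdf"]},
    {"asset_id": "LT-0042", "classified": True, "method": "shred", "approved_by": "",
     "operator": "tech1", "date": "2024-03-01", "attachments": []},
]
CUSTODY = [
    {"asset_id": "LT-0041", "from": "j.doe", "to": "secure-cage", "date": "2024-03-01", "signed": True},
    {"asset_id": "LT-0041", "from": "secure-cage", "to": "itad-vendor", "date": "2024-03-03", "signed": True},
    {"asset_id": "LT-0042", "from": "secure-cage", "to": "itad-vendor", "date": "2024-03-03", "signed": False},
]
CERTIFICATES = {"itad-vendor": {"serials": ["SN41"]}}  # SN42 not itemized
def readiness_report(asset_ids):
    return {a: check_asset(a, INVENTORY, TICKETS, CUSTODY, CERTIFICATES) for a in asset_ids}
```

Run `readiness_report` over a sample of disposed asset IDs pulled from the inventory; any non-empty list is a trail an assessor would not accept, and an asset missing from the inventory is flagged before anything else is checked.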

Enforcement context and risk implications

No public enforcement cases were provided in the supplied source catalog for this requirement, so this page does not cite specific cases. 1

Risk-wise, classified media mishandling tends to create severe downstream exposure: incident response, contractual breach, program impacts, and loss of authorization to operate. Treat MP-6(5) as a prevention control with audit-grade documentation, not as facilities housekeeping. 2

Practical 30/60/90-day execution plan

First 30 days (stabilize scope and ownership)

  • Assign MP-6(5) owner, operators, and approvers; document RACI.
  • Write the “classified media” scoping definition and triggers.
  • Identify all third parties who might touch in-scope storage media (ITAD, repair, cloud ops, managed services).
  • Draft the method matrix and custody workflow; pilot with one team (IT ops or security).

By 60 days (operationalize workflow and evidence)

  • Integrate asset tagging: add “classified media” flag and required fields.
  • Implement ticket templates with required evidence fields and approvals.
  • Establish secure holding area and documented sign-in/out controls.
  • Update third-party contracts or issue addenda for itemized destruction evidence.

By 90 days (prove effectiveness and close gaps)

  • Run a tabletop on a “lost before destruction” scenario and refine procedures.
  • Perform an internal sample test: pick a handful of disposed assets and reconstruct custody end-to-end.
  • Train all staff who can initiate or execute media disposal; track completion.
  • Set recurring evidence collection and periodic control testing in your GRC workflow (Daydream or equivalent) so MP-6(5) stays current between assessments.

Frequently Asked Questions

Does MP-6(5) apply if we “never intentionally store” classified data on endpoints?

If classified data can land on endpoints through operational reality (downloads, email, screenshots, printing), treat endpoints as in-scope and enforce disposal controls. Scope is about plausible data residence, not intent. 2

What evidence is most likely to fail an audit?

Non-itemized destruction certificates and missing chain-of-custody records are common failures because they break traceability from asset to disposal event. Tie every record to an asset identifier and store it with the ticket. 2

Can we sanitize instead of physically destroying drives?

MP-6(5) expects you to use methods appropriate for classified information; your program rules determine whether sanitization is acceptable for specific media types. Document the decision logic in your method matrix and require approval for any exceptions. 2

How do we handle cloud or virtual media where there is no physical drive to shred?

Treat “media” as the logical storage objects and lifecycle events you control (snapshots, backups, exports) and require provider evidence that maps to your sanitization requirements. Capture provider attestations, deletion logs, and contract commitments as artifacts. 2

What about printers and multifunction devices?

Many MFDs have internal storage; include them in your asset inventory, apply the same classified disposal workflow at end-of-life, and ensure service/repair workflows do not introduce uncontrolled third-party access. 2

How do we operationalize MP-6(5) across multiple sites?

Standardize the workflow, forms, and evidence requirements centrally, then designate site custodians responsible for custody and storage controls locally. Audit with periodic sampling to confirm sites follow the same chain-of-custody rules. 2

Footnotes

  1. NIST SP 800-53 Rev. 5 OSCAL JSON

  2. NIST SP 800-53 Rev. 5
