How Permanent Media Sanitization Helps in CMMC Compliance?

CMMC Certification is a compliance requirement for all contractors and subcontractors currently working with the Department of Defense. It follows the standards of NIST for cybersecurity readiness and countering the ever-growing threat of Cyberattacks. This article explores the nuances of CMMC and the relevance of Media Sanitization for CMMC compliance.

Cybersecurity Maturity Model Certification (CMMC) was launched by the Department of Defense (DoD) to ensure the safeguarding of sensitive information by providing an exhaustive structure to protect the Defense Industrial Base (DIB) from ever-increasing and complex cyber-attacks. DIB has been a frequent target of highly complex cyber adversaries and malicious non-state actors. Creating a robust cybersecurity architecture is critical for DoD to safeguard sensitive information from getting into the wrong hands. CMMC is an instrumental framework by the Department of Defense to strengthen the cybersecurity efforts of DIB.

What is CMMC?

CMMC is a Third Party compliance certification that assesses security standards as prescribed in Federal Acquisition Regulation (FAR 52.204-31) and the National Institute of Standards and Technology (NIST SP 800-171 & NIST SP 800-172). The certification is applicable for all Non-Federal entities or civilian organizations (government contractors, suppliers, vendors). It provides guidelines for vendors who process, store, or transmit Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It is estimated that more than 300,000 contractors working within the DIB in the Department of Defense, National Aeronautics and Space Administration (NASA), and General Service Administration (GSA) would require a CMMC to be eligible for participation in any ongoing or future contract with these federal bodies.

Origins of CMMC:

Initially, the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 was the standard for all DoD contractors for safeguarding Covered Defense Information and Cyber Incident Reporting. It was updated to NIST SP 800-171 in January 2018, allowing contractors to self-assess their security framework and cybersecurity readiness. The response was underwhelming, to say the least, which prompted the launching of CMMC 1.0 in 2020. Interestingly it required assessment by third-party CMMC organizations (C3PAOs) which was in clear contrast to the earlier policies that didn’t allow 3rd party verification.

CMMC 1.0 contained over 171 controls spread over 5 levels:

Level 1 (Performed): Basic Cyber Hygiene with 17 Practices.

Level 2 (Documented): Intermediate Cyber Hygiene with 72 Practices.

Level 3 (Managed): Good Cyber Hygiene with 130 Practices.

Level 4 (Reviewed): Proactive with 156 Practices.

Level 5 (Optimizing): Advanced with 171 Practices.

CMMC Model 1.0

In November 2021, CMMC 2.0 was unveiled which was updated to safeguard sensitive information, helping DIB enhance cybersecurity, to ensure accountability while minimizing the challenges. In comparison to CMMC 1.0, the maturity processes have been removed as well as all CMMC's unique security practices. CMMC 2.0 is an enhanced program by the Department of Defense to strengthen the original data protection goal of CMMC 1.0. The new CMMC framework provides more simplicity by removing barriers to compliance, additional clarity through well-defined directives, and ease of execution. It offers advanced cybersecurity standards as well as third-party assessments for contracting organizations.

CMMC 2.0 has 3 Levels and 110+ controls, which are as follows:

Level 1: It is the foundational level containing 17 controls that apply only to DIB companies processing FCI that are not critical to national security. Level 1 requires DIB companies to self-assess annually.

Level 2: It is the advanced level containing 110 controls that applies to DIB companies that are working with CUI. It is completely aligned with NIST SP 800-171 and requires triennial third-party assessments for critical information (CUI prioritized acquisitions) and annual self-assessment for select programs (CUI non-prioritized acquisitions).

Level 3: It is the expert level containing 110+ controls that apply only to DIB companies processing CUI that are part of DOD's highest priority programs. Its requirements will be aligned with NIST SP 800-172 controls along with 110 controls of NIST SP 800-171. Level 3 would require triennial government-led assessments.

CMMC Model 2.0

Media Sanitization Requirements in CMMC 2.0:

In CMMC 2.0 Media Sanitization requirements have been described under Maintenance controls, Media Protection, and Personal Security that outline the need of Media Sanitization for CMMC compliance as follows:

LEVEL 1 CMMC 2.0 MEDIA SANITIZATION REQUIREMENTS:

1. Media Protection: 

[MP.L1-3.8.3] “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”

• Media Disposal requirement as per section 3.8.3 applies to all system media, digital and non-digital, subject to disposal or reuse. NIST 800-88 guidelines prescribe either shredding or destruction of media physically for disposal or through software-based erasure for reuse. CMMC-compliant data destruction would thus require utilizing NIST-approved software for secure and permanent destruction of data. 

LEVEL 2 CMMC 2.0 MEDIA SANITIZATION REQUIREMENTS

1. Maintenance:

    [MA.L2-3.7.1] “Perform maintenance on organizational systems.”

• Perform Maintenance: Under section 3.7.1, contractors are required to perform maintenance on organizational systems. Maintenance of systems require CMMC-compliant data destruction of ROT (Redundant, Obsolete & Trivial) data from all media devices. Using secure data erasure techniques contractors can fulfill media sanitization requirements for CMMC compliance.

    [MA.L2-3.7.3] “Ensure equipment removed for off-site maintenance is sanitized of any CUI.”

• Equipment Sanitization: Under section 3.7.3, contractors must ensure that equipment removed for off-site maintenance is sanitized of any CUI. This requirement can be achieved by implementing NIST 800-88 media sanitization guidelines which employ Clear, Purge & Destroy techniques for CMMC-compliant data destruction. Clearing and purging can be achieved using software-based overwriting techniques thereby fulfilling the media sanitization requirement for CMMC compliance.

2. Personnel Security:

[PS.L2-3.9.2] “Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.”

• Personnel Actions: Section 3.9.2 mandates the protection of data before reallocating the media in the event of personnel transfer. Secure and permanent media sanitization with professional data erasure software as discussed above can ensure that every reallocated media can be permanently wiped before reallocation.

Level 3 CMMC compliance standards are yet to be released. We welcome you to visit the CMMC website for more recent updates here.

BitRaser- An Ideal Solution to Meet CMMC 2.0 Media Sanitization Requirements

Data destruction has become an integral part of the security framework in every industry, with ever-evolving data protection laws and compliances coming into force. It can become a daunting task for companies to choose a procedure that not only adheres to their local laws but international compliances as well. NIST 800-88, the most widely employed data destruction method for both classified and non-classified data employs the Clear, Purge & Destroy approach. It covers a huge spectrum of devices and methods to opt for performing secure data sanitization.

BitRaser Data Eraser Software is NIST approved for its data wiping efficacy and adheres to 24 international data erasure standards. In CMMC 2.0, data sanitization is an integral part for meeting compliance, and here BitRaser fits perfectly. The tool not only sanitizes the data by using the best practices of data overwriting but also verifies the result and prepares audit-ready certified reports that comply with NIST 800-88 guidelines for media sanitization. BitRaser wiping solution performs verification of the sanitization process to ensure that all addressable locations have been securely sanitized thereby ensuring CMMC-compliant data destruction. The tool offers a centralized cloud repository of reports for easy access. A software like BitRaser not only ensures Media Sanitization for CMMC compliance but can also be used for all end-of-life data needs, which mitigates the risk of a data breach or residual data fallout.

FAQs