03.08.03 —
What this control requires
Source: NIST SP 800-171 R3 §03.08.03 (official control text).
Why this matters
Every hard drive, USB stick, copier, phone, and printer your organization retires or reassigns contains fragments of sensitive data — contract terms, employee records, technical drawings, financial projections. Simply deleting files or reformatting leaves these artifacts intact and recoverable with basic forensic tools. Media sanitization ensures that when devices leave your control — whether sold, donated, recycled, or reassigned to another employee — no CUI can be extracted. Without proper sanitization, a disposed laptop becomes a data breach waiting to happen, exposing customer information and intellectual property to competitors, criminals, or foreign adversaries.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on 03.08.03.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →