MA-3(3): Prevent Unauthorized Removal

Control Family:


CSF v1.1 References:

Threats Addressed:


  • High

Next Version:

Control Statement

The organization prevents the unauthorized removal of maintenance equipment containing organizational information by:

  1. Verifying that there is no organizational information contained on the equipment;
  2. Sanitizing or destroying the equipment;
  3. Retaining the equipment within the facility; or
  4. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.

Supplemental Guidance

Organizational information includes all information specifically owned by organizations and information provided to organizations in which organizations serve as information stewards.