MA-3(3): Prevent Unauthorized Removal

Control Family:


CSF v1.1 References:

Threats Addressed:


  • Moderate
  • High

Previous Version:

Control Statement

Prevent the removal of maintenance equipment containing organizational information by:

  1. Verifying that there is no organizational information contained on the equipment;
  2. Sanitizing or destroying the equipment;
  3. Retaining the equipment within the facility; or
  4. Obtaining an exemption from [Assignment: organization-defined personnel or roles] explicitly authorizing removal of the equipment from the facility.

Supplemental Guidance

Organizational information includes all information owned by organizations and any information provided to organizations for which the organizations serve as information stewards.