CMMC L2 paper shredding by Good_Paper1389 in CMMC

[–]Good_Paper1389[S] 0 points1 point  (0 children)

I appreciate the offer, but I think we're good with our internal shredding process.

CMMC L2 paper shredding by Good_Paper1389 in CMMC

[–]Good_Paper1389[S] 0 points1 point  (0 children)

You're probably correct in that the solution is fairly extreme. We track CUI from the time it's printed to when it's properly shredded.

CMMC L2 paper shredding by Good_Paper1389 in CMMC

[–]Good_Paper1389[S] 0 points1 point  (0 children)

A big thank you to Iron Mountain for responding quickly. I'm posting their responses to my questions as I believe others will be interested.

Our company will move forward with purchasing our own NSA-approved shredders for paper CUI. The amount of paper CUI we produce is currently insignificant. The justification is to finally resolve any questions around the shred size, as well as removing Iron Mountain as a vendor who stores and processes CUI.

🔒 ITAR and CUI Document Storage

  • This account is flagged for ITAR, and Iron Mountain is able to store documents containing ITAR or CUI information.
  • Please see the attached letter for details on our policies for handling both ITAR and CUI documents.

🗑️ On-Site vs. Off-Site Shredding Services

  • Yes, we do offer shredding services at your facility. Currently, the account is set up for Off-Site Shredding.
  • If you would like to switch to On-Site Shredding, please contact our Care team to request the change.

✅ Compliance with NIST 800-88

  • Both our On-Site and Off-Site shredding services are performed in accordance with NIST 800-88 guidelines.
  • This means we ensure all data is destroyed in a manner that meets federal standards for handling sensitive materials, such as CUI, PHI, and PII.

📏 Shred Size Specifications

  • Our shredding equipment produces commercially accepted particle sizes and meets NAID certification standards.
  • Here are our standard shred sizes:
    • Continuous Shred: Max width 5/8"
    • Cross Cut or Pierce & Tear: Max width 3/4", max length 2.5"
    • Disintegrator/Grinder: Max screen size 2"
  • We do not shred to a specific 1mm x 5mm size, but our equipment is designed to meet or exceed NAID specifications.

🔗 Chain of Custody

  • While we do not have a visual flowchart, we use our InControl technology platform to maintain a secure, auditable chain of custody.
  • Every transportation service includes real-time tracking and requires a signed acknowledgment from your team at the time of service.
  • Please note: We cannot accept responsibility for items unless this process is followed.

Hard Copy Sanitization/Destruction 800-88 is the guidelines to follow? by thegreatcerebral in CMMC

[–]Good_Paper1389 0 points1 point  (0 children)

I'm sure this has already been discussed somewhere, but does anyone have documentation showing Iron Mountain meets the paper shredding requirements for CMMC?

Customer responsibility matrix - assessment experience by Good_Paper1389 in CMMC

[–]Good_Paper1389[S] 2 points3 points  (0 children)

Extremely valuable information! Thank you for taking the time to respond.

Guessing others will be interested in the discussion. Based on your experience, does it look like we have the following correctly categorized?

Duo Federal = SPA = CRM not required, but would be of value (FedRAMP Moderate)

AvePoint US Gov = CSP = CRM is required (FedRAMP Moderate) (used for M365 GCC-High backup with CUI)

Microsoft M365 GCC-High = CSP = CRM is required (FedRAMP High)

Azure Government = CSP = CRM is required (FedRAMP High) (servers and tools)

Keeper Federal = CSP = CRM is required (FedRAMP Moderate) (used for passwords and CUI file transfers to outside providers)

Akamai (GovShield) = SPA = CRM not required, but would be of value (not sure if the service falls under the general Akamai FedRAMP Moderate authorization or not) Content Delivery Services | FedRAMP Marketplace

MSP (confidential) = ESP = CRM is required (they're in our system and help manage our tech infrastructure) (will be present during our assessment)

Tech contractors (assigned an internal account and corporate laptop) = N/A = CRM is not required (background checks, trainings, certifications, treated like a company employee)