Implement a system disposal strategy and execute required actions when a system is removed from operation.
Potential Inputs: Security and privacy plans; organization- and system-level risk assessment results; system component inventory.
Expected Outputs: Disposal strategy; updated system component inventory; updated security and privacy plans.
Primary Responsibility: System Owner.
Supporting Roles: Authorizing Official or Authorizing Official Designated Representative; Information Owner or Steward; System Security Officer; System Privacy Officer; Senior Accountable Official for Risk Management or Risk Executive (Function); Senior Agency Information Security Officer; Senior Agency Official for Privacy.
System Development Life Cycle Phase: New – Not Applicable. Existing – Disposal.
Discussion: When a system is removed from operation, several risk management actions are required. Organizations ensure that controls addressing system disposal are implemented. Examples include media sanitization; configuration management and control; component authenticity; and record retention. Organizational tracking and management systems (including inventory systems) are updated to indicate the system that is being removed from service. Security and privacy posture reports reflect the security and privacy status of the system. Users and application owners hosted on the disposed system are notified as appropriate, and any control inheritance relationships are reviewed and assessed for impact. This task also applies to system elements that are removed from operation. Organizations removing a system from operation update the inventory of information systems to reflect the removal. System owners and security personnel ensure that disposed systems comply with relevant federal laws, regulations, directives, policies, and standards.
References: [SP 800-30]; [SP 800-88]; [IR 8062].