R2 Guidance & Knowledge Base

Supplier confirmation requirements in Core 7-Data Security


Q:     Under Core Requirement 7.(c)(1), an R2 Facility must confirm certain details with a supplier when receiving equipment or components that may contain data.  But, what if it is unknown whether devices will have data on them, or if there will even be data devices in a load?

It is important to note that the supplier confirmation is required for receipt of anything that “may” contain data.  And, as per Core Requirement 6.(b)(2), all equipment and components must be managed as an R2 Controlled Stream* and treated as Pre-Sanitization* until it can be demonstrated otherwise.  This means that unless an R2 Facility can verify the incoming equipment or material is non-data containing, it should provide the necessary notifications, so that the supplier is aware that the items have been received and advised as to how any data devices will be sanitized.
*For more information about R2 Controlled Streams and Pre-Sanitization categories, watch the REC training video on our YouTube channel.

Q:     What types of records could be used to provide supplier confirmations under Core 7.(c)(1)?

Core 7.(c)(1) consists of three unique parts so the records used to confirm the different activities with the supplier may vary.

First, in Core 7.(c)(1)(A) the R2 Facility must have a method to confirm the receipt of any equipment or components that may contain data.  This provides the supplier notice that the equipment has been received by the facility.  R2 Facilities may have a process for emailing suppliers upon receipt of a shipment or providing copies of transportation records or receiving paperwork.

Second, in Core 7.(c)(1)(B) the R2 Facility must confirm the method to be used to sanitize devices.  Methods can be:

    • A logical sanitization method in accordance with an Appendix B certified process;
    • A physical destruction method in accordance with an Appendix B certified process; or
    • A physical destruction method in accordance with NIST 800-88 Appendix A.

Confirmation of the data sanitization method can be provided in the same communication used for Core 7.(c)(1)(A), or it can be included in a contract or other processing agreement.  In the case of a collection event or something similar, the R2 Facility may also use a form of general notice, such as signage and pamphlets, to communicate the required information.

Lastly, in Core 7.(c)(1)(C) the R2 Facility is required to confirm whether the sanitization will be performed internally by the R2 Facility or externally using a downstream vendor.  Again, this confirmation could be included in any of the methods outlined above.

NOTE:  These three notification requirements should not be confused with Core 7.(a)(1)(L) where the R2 Facility is required to maintain specific sanitization records for the equipment and components processed.

Q:      Is there a specified timeframe for providing the confirmations to suppliers under Core 7.(c)(1)?

No, there is no specifically indicated notification timeframe, but it is expected that suppliers would be notified as soon as reasonably practicable.
