
What a Clean Media-Sanitization Finding Looks Like

Most of a Level 2 assessment is network hygiene you can examine on screen. Then you reach 3.8.3, and the question changes from "is it configured?" to "where's the proof the drive was destroyed?" This is a reference on the disposition artifacts that resolve MP.L2-3.8.3 to MET on the first pass — why they so often don't, and what a properly credentialed ITAD changes for the file in front of you.

By Brian Boynton

CMMC Phase 2 begins November 10, 2026.

TL;DR

At control 3.8.3, a CMMC Level 2 assessment shifts from "is it configured?" to "where is the proof the drive was destroyed?" — and resolves to MET only when the disposition artifacts exist and reconcile.

  • The artifact set: a media-sanitization policy, serialized NIST 800-88 certificates by media type, chain of custody, and qualified downstream (R2v3 / NAID AAA).
  • 3.8.3 fails most often on missing serialized records or method/media mismatch, not on policy.
  • A properly credentialed ITAD supplies the evidence that closes the finding on the first pass.
  • CMMC Phase 2 begins November 10, 2026.

01 / THE FRICTION POINT
The control that's small on paper and slow in the room

A Level 2 assessment runs against 110 NIST SP 800-171 requirements and their 320 assessment objectives. Most resolve the way you'd expect — a policy, a configuration, a screen share, a log. Then there's 3.8.3: one line in the Media Protection family, easy to read past in the System Security Plan, and reliably the place where a strong program meets a paper trail that was never built.

The pattern is familiar. The organization spent two years hardening the network. Identity, boundary protection, logging — all evidenced. But nobody owned what happened to last year's decommissioned drives, the laptops from departed staff, or the multifunction printers that left on a lease return. The control is satisfied operationally; it just can't be shown.

Sequencing makes that gap expensive. In Phase 1 you confirm scope and verify the evidence exists and is accessible — you don't evaluate it yet, and the rules are explicit that the team offers no advice on how to improve it. In Phase 2 you examine, interview, and test it for adequacy and sufficiency. Disposition is where teams most often scramble to assemble records after the readiness check — and after-the-fact reconstruction is exactly what doesn't hold up under sampling.

Where disposition sits in the assessment (phase: what happens to disposition evidence)
Phase 1 — Planning / Pre-Assessment: Scope confirmed; you verify the disposition records exist and are accessible. Not evaluated. No advice given.
Phase 2 — Conduct: Examine policy and certificates, interview the disposition owner, test by tracing a serial end-to-end, all against adequacy and sufficiency.
Phase 3 — Reporting: Findings recorded as MET / NOT MET / N/A; limited deficiencies may close within the window.
Phase 4 — POA&M closeout: Eligible deficiencies remediated within 180 days, but highest-weighted requirements are not POA&M-eligible.

02 / THE CONTROL, PRECISELY
3.8.3 and what its objectives actually demand

MP.L2-3.8.3 (NIST SP 800-171 §3.8.3) reads: sanitize or destroy system media containing CUI before disposal or release for reuse. The 800-171A assessment guide splits that into two determination statements you're scoring against: [a] media is sanitized or destroyed before disposal, and [b] media is sanitized or destroyed before release for reuse. Two paths to the same objective, each needing its own evidence.

3.8.3 rarely travels alone. It sits inside the Media Protection family alongside the controls you're often sampling in the same breath:

  • 3.8.1 / 3.8.2 — protect and limit access to media containing CUI, on paper and digital.
  • 3.8.4 — mark media with applicable CUI markings and distribution limitations.
  • 3.8.5 / 3.8.6 — control media during transport and cryptographically protect CUI in transit on portable media.

And the three assessment methods all apply: examine the policy, records, and certificates; interview whoever runs disposition about how it actually happens; test by observing the process or tracing one sampled device from its inventory retirement entry to its destruction record. A program that survives all three for a randomly sampled serial is the bar — not a binder that looks complete from across the table.

03 / WHAT GOOD EVIDENCE LOOKS LIKE
The artifact set that resolves on the first pass

The disposition evidence that holds up is not voluminous — it's reconcilable. Each retired CUI asset should trace cleanly from inventory to a sanitization or destruction event, and each event should name what was done and how. Here is the objective-to-artifact-to-method map an assessor can work straight down:

Evidence-to-method map for 3.8.3 (what you're confirming: the artifact that shows it; assessment method)
  • A defined sanitization standard exists: written media-sanitization policy mapped to 3.8.3 and NIST 800-88. Method: Examine.
  • Each retired device was handled: serialized, device-level disposition records reconciled to asset inventory. Method: Examine / Test.
  • The right method was applied: certificate of sanitization or destruction citing the 800-88 tier by media type. Method: Examine.
  • Custody was unbroken: chain-of-custody documentation, facility to processor. Method: Examine / Interview.
  • The downstream is qualified: processor certifications, R2v3 and NAID AAA. Method: Examine.
  • The process runs as described: the disposition owner can walk the workflow, and a sampled serial traces end-to-end. Method: Interview / Test.

Behind that map sits NIST SP 800-88, which gives three sanitization tiers. The defensible choice depends on media type, condition, and whether the media is leaving organizational control:

Tier 1, Clear: Logical techniques (overwrite) that protect against simple, non-invasive recovery. Appropriate for some reuse within the boundary; rarely sufficient on its own for media leaving organizational control.

Tier 2, Purge: Cryptographic erase or firmware-level techniques resistant to laboratory recovery. A verified Purge can satisfy 3.8.3 for media released for reuse; verification is the operative word.

Tier 3, Destroy: Shred, disintegrate, or incinerate so media can't be reused or reconstructed. The most defensible path for failed drives, end-of-life flash, and ITAR-adjacent media.

The single trait that separates evidence from paperwork is serialization that reconciles to inventory. A certificate naming a device by serial number, tied to that device's retirement entry, is sampleable in seconds. A certificate for "one pallet" or "assorted media" names nothing you can trace — and under examination, it isn't evidence that the objective was met for any particular asset.

04 / WHERE IT GOES WRONG
The deficiency patterns you've already seen

Most 3.8.3 findings that slide toward NOT MET or a POA&M share a small set of root causes. They're worth naming because each one is visible early in examination:

  • "We use a recycler." That answers the logistics question, not the evidence question. Vendor selection is not a sanitization record.
  • Inventory that won't reconcile. Assets last-seen in the inventory with no corresponding disposition event — the gap is the finding.
  • Deleted treated as destroyed. A quick format or file deletion isn't a Purge; SSD and flash wear-leveling leaves recoverable data behind.
  • Chain-of-custody gaps. No documented hand-off from the facility to the processor — custody can't be demonstrated for the window that matters most.
  • Unknown or uncredentialed downstream. No R2v3 or NAID AAA on the processor, so the organization can't actually show what happened after pickup.
  • ITAR technical data meeting a foreign person. Offshore downstream processing of ITAR-adjacent media can constitute an unauthorized export — a problem well outside the four corners of 3.8.3.
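The sampling step from section 02 (trace one serial from its retirement entry to its destruction record) and the deficiency patterns listed above can be checked mechanically once the records are in structured form. The Python script below is an added example, not tooling from this page's author, from CyberCrunch, or from any C3PAO: it reconciles a constructed retirement log against constructed certificate lines and custody hand-offs, and reports per serial which of the patterns above it trips. The method-to-tier table, the minimum-tier policy by release path (a verified Purge or better for media leaving organizational control, Clear or better for internal reuse), the party name "facility", and the processor registry are all assumptions that a real program would take from its own media-sanitization policy and from the processor's certifications.

```python
"""Reconcile retired CUI assets against disposition evidence for MP.L2-3.8.3.

Added example. The method-to-tier table, the minimum-tier policy and the
processor registry below are assumptions, not values from any standard or vendor.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed mapping of recorded methods onto the NIST 800-88 tiers as the article
# describes them. Anything unlisted ("format", "delete") is not sanitization: tier 0.
METHOD_TIER = {
    "overwrite": 1,                                  # Clear
    "crypto_erase": 2, "block_erase": 2,             # Purge
    "shred": 3, "disintegrate": 3, "incinerate": 3,  # Destroy
}
TIER_NAME = {0: "none", 1: "Clear", 2: "Purge", 3: "Destroy"}

# Assumed organizational policy: minimum tier by release path.
MIN_TIER = {"reuse_internal": 1, "disposal": 2}

# Assumed downstream registry; a real one is built from the processors' own certifications.
PROCESSORS = {
    "proc-A": {"certs": {"R2v3", "NAID AAA"}, "domestic": True},
    "proc-B": {"certs": set(), "domestic": False},
}


@dataclass(frozen=True)
class Retirement:          # one row of the asset inventory's retirement log
    serial: str
    media_type: str        # "hdd" or "ssd"
    release_path: str      # "disposal" or "reuse_internal"
    itar: bool = False


@dataclass(frozen=True)
class Certificate:         # one device line on a sanitization/destruction certificate
    serial: Optional[str]  # None models a pallet-level certificate with no serial
    media_type: str
    method: str
    verified: bool
    processor: str


@dataclass(frozen=True)
class Custody:             # one hand-off in the chain of custody
    serial: str
    from_party: str
    to_party: str


def check_asset(ret, certs, custody, processors=PROCESSORS):
    """Return the 3.8.3 findings for one retired asset; an empty list traces clean."""
    findings = []
    mine = [c for c in certs if c.serial == ret.serial]
    if not mine:
        return ["no serialized disposition record"]
    cert = mine[0]
    if cert.media_type != ret.media_type:
        findings.append(f"certificate says {cert.media_type}, inventory says {ret.media_type}")
    tier = METHOD_TIER.get(cert.method, 0)        # "format"/"delete" land at tier 0
    need = MIN_TIER[ret.release_path]
    if tier < need:
        findings.append(f"{cert.method} ({TIER_NAME[tier]}) is below {TIER_NAME[need]} required for {ret.release_path}")
    if tier == 2 and not cert.verified:
        findings.append("Purge recorded without verification")
    # Custody must start at the facility, end at the certifying processor, and have no gaps.
    hops = [h for h in custody if h.serial == ret.serial]
    linked = all(a.to_party == b.from_party for a, b in zip(hops, hops[1:]))
    if not hops or hops[0].from_party != "facility" or hops[-1].to_party != cert.processor or not linked:
        findings.append("chain of custody does not run unbroken from facility to processor")
    proc = processors.get(cert.processor)
    if proc is None or not (proc["certs"] & {"R2v3", "NAID AAA"}):
        findings.append(f"processor {cert.processor} lacks R2v3 / NAID AAA")
    if ret.itar and (proc is None or not proc["domestic"]):
        findings.append("ITAR-adjacent media without documented domestic processing")
    return findings


def reconcile(retirements, certs, custody, processors=PROCESSORS):
    """Map every retired serial to its findings. Unserialized (pallet-level)
    certificates are dropped up front: they name nothing that can be traced."""
    usable = [c for c in certs if c.serial]
    return {r.serial: check_asset(r, usable, custody, processors) for r in retirements}


# Constructed sample data: one clean trace plus one asset per deficiency pattern.
RETIRED = [
    Retirement("SN-1001", "hdd", "disposal"),
    Retirement("SN-1002", "ssd", "disposal"),               # overwrite is only Clear
    Retirement("SN-1003", "ssd", "reuse_internal"),         # Purge never verified
    Retirement("SN-1004", "hdd", "disposal"),               # no record at all
    Retirement("SN-1005", "ssd", "disposal", itar=True),    # custody gap, bad downstream
]
CERTS = [
    Certificate("SN-1001", "hdd", "shred", True, "proc-A"),
    Certificate("SN-1002", "ssd", "overwrite", True, "proc-A"),
    Certificate("SN-1003", "ssd", "crypto_erase", False, "proc-A"),
    Certificate("SN-1005", "ssd", "shred", True, "proc-B"),
    Certificate(None, "hdd", "shred", True, "proc-A"),       # "one pallet, assorted media"
]
CUSTODY = [
    Custody("SN-1001", "facility", "courier"), Custody("SN-1001", "courier", "proc-A"),
    Custody("SN-1002", "facility", "proc-A"),
    Custody("SN-1003", "facility", "proc-A"),
    Custody("SN-1005", "courier", "proc-B"),                 # facility hand-off missing
]

if __name__ == "__main__":
    for serial, found in reconcile(RETIRED, CERTS, CUSTODY).items():
        print(serial, "traces clean" if not found else "findings: " + "; ".join(found))
```

Run as a script it prints one line per retired serial; only SN-1001 traces clean. The design point is that every check keys off the serial from the inventory side, so an asset with no record surfaces as a finding rather than silently dropping out, which is exactly the "inventory that won't reconcile" pattern.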

05 / SCOPING & THE C3PAO PROCESS
Disposition doesn't leave scope when the power goes off

Scoping sets the terms. The assets that store, process, or transmit CUI define what disposition has to cover — and a retired CUI asset doesn't fall out of scope just because it's been unplugged and staged on a shelf. The drive in the decommission pile is still in-scope media until it's verifiably sanitized or destroyed. Asset inventory is therefore the spine the whole control hangs from: if the inventory can't account for what was retired, the disposition evidence has nothing to reconcile against.

Across the phases, disposition is a Phase 1 existence check and a Phase 2 sufficiency check. By the time you're sampling it, the question is binary in a way most controls aren't: the serialized record either exists or it doesn't, and it either reconciles or it doesn't.

You verify the evidence; you don't design the program, and you can't coach it into existence during the assessment. By the time disposition reaches your sampling, the artifacts are either there or they aren't. A contractor whose ITAD produces this evidence as a matter of routine is simply a faster, cleaner file — not because anyone steered them there, but because the records were built right the first time.

That independence boundary is the whole reason the upstream choices matter so much. The cleanest assessments are the ones where the disposition evidence was generated by the process itself — serialized at the point of destruction, certified to a method, custody-tracked — rather than reconstructed once an assessment appeared on the calendar.

06 / WHY A CREDENTIALED ITAD REDUCES FRICTION
What you recognize when you see it

R2v3 and NAID AAA are the recognized way an organization demonstrates its downstream is qualified. For an assessor, they do real work: they let you treat the processor's controls as evidenced rather than something you'd otherwise have to reconstruct from scratch. Pair recognized certifications with serialized certificates that cite the 800-88 method by media type and a documented chain of custody, and 3.8.3 resolves in the room instead of in a follow-up request.

CyberCrunch builds that evidence set by default — serialized certificates of sanitization and destruction, 800-88 method mapping by media type, documented chain of custody, domestic processing for ITAR-adjacent media, and witnessed destruction on request. We're naming it here not because an assessor would ever recommend a vendor — that's not the role — but because when this evidence shows up in a file, you recognize what good looks like, and the control moves.

The evidence set, on one reference you can keep

The disposition-evidence brief puts the objective-to-method map, the 800-88 tiers by media type, the deficiency patterns, and a sampling checklist on a few pages you can hand to a contractor asking what "good" looks like — or keep for your own reference.

Assessor FAQ

Does 3.8.3 require physical destruction of media?

No. The control requires media containing CUI be sanitized or destroyed before disposal or release for reuse. NIST 800-88's Clear / Purge / Destroy tiers give the options; the defensible choice depends on media type, condition, and whether the media leaves organizational control. Destruction is most defensible for failed drives, end-of-life flash, and ITAR-adjacent media, while a verified Purge can satisfy the objective for internal reuse.

What disposition artifacts should I expect to sample?

A policy mapped to 3.8.3; serialized device-level records reconciled to asset inventory; certificates citing the 800-88 method by media type; chain of custody from facility to processor; and downstream qualification via R2v3 and NAID AAA. The decisive trait is serialization that reconciles to inventory — a generic pallet-level certificate usually can't be sampled.

Can a disposition deficiency go on a POA&M?

Limited deficiencies may be eligible and closed within the window (up to 180 days after final recommended findings), but highest-weighted requirements aren't POA&M-eligible, and reconstructed disposition evidence rarely survives examination. It's far cleaner resolved as a MET when the evidence already exists.

How does ITAR change what I look for?

ITAR technical data on media stays export-controlled until destroyed. Export, or foreign-person access — including at an overseas downstream recycler — can be treated as an unauthorized export. For media that touched ITAR programs, look for documented domestic processing, verified chain of custody, and certificates of destruction tied to specific serials.

Is a recycler's certificate sufficient on its own?

Only if it's serialized to specific devices, names the 800-88 method, reconciles to inventory, and is backed by recognized certifications such as R2v3 and NAID AAA. A generic certificate for an unspecified quantity, with no serial detail and no chain of custody, generally can't be reconciled or sampled.