
CUI Doesn't Stop Being CUI When the Hardware Retires

CMMC Phase 2 assessments begin appearing in contracts this November. Most contractors have hardened their networks — far fewer can show an assessor what happened to last year's decommissioned drives. Here's how NIST 800-88 destruction, ITAR technical data rules, and control 3.8.3 fit together, and the evidence you'll need.

By Brian Boynton · 9 min read

TL;DR

CUI on retired hardware is still CUI — and under CMMC Phase 2, contractors must show an assessor what happened to decommissioned drives, not just that the network was hardened.

  • NIST 800-88 destruction, ITAR technical-data rules, and control 3.8.3 work together for retired media.
  • Evidence required: serialized certificates of sanitization and destruction, chain of custody, and qualified downstream.
  • Network hardening does not cover disposition — it is a separate, often-missing evidence chain.
  • CMMC Phase 2 assessments begin appearing in contracts November 10, 2026.

01 / WHAT'S CHANGING: The honor system ends this November

Since November 10, 2025, new Department of Defense solicitations have carried CMMC requirements — but Phase 1 mostly meant self-assessments. You scoped your environment, scored yourself against NIST SP 800-171, posted the result in SPRS, and affirmed it. The honor system, more or less, still applied.

Phase 2 begins November 10, 2026. From that date, third-party certification by a C3PAO becomes the default requirement for Level 2 in applicable new contracts involving Controlled Unclassified Information. An independent assessor — not you — verifies that all 110 NIST 800-171 controls are actually implemented.

One important nuance that gets lost in vendor marketing: Phase 2 is contract-driven, not a blanket deadline. There is no single date on which every contractor in the Defense Industrial Base must hold a Level 2 certificate. Requirements appear as new solicitations and contract actions are issued. In practice, though, two forces compress the timeline anyway: prime contractors are flowing requirements down to suppliers ahead of the federal schedule, and the pool of authorized C3PAOs is small relative to a supply chain of more than 300,000 companies. Contractors who wait will compete for assessment slots with everyone else who waited.

CMMC implementation phases (32 CFR / 48 CFR rules)

Phase   | Begins       | What it requires                                                                                              | Status
Phase 1 | Nov 10, 2025 | Level 1 & Level 2 self-assessments in applicable solicitations; DoD discretion to require C3PAO Level 2        | UNDERWAY
Phase 2 | Nov 10, 2026 | C3PAO-certified Level 2 becomes the default for applicable CUI contracts; Level 3 available at DoD discretion  | NEXT
Phase 3 | Nov 10, 2027 | Level 3 (DIBCAC-assessed) requirements in applicable solicitations                                            |
Phase 4 | Nov 10, 2028 | Full implementation across all applicable contracts, including renewals                                       |

02 / THE OVERLOOKED CONTROL: 3.8.3, where disposition meets your assessment

CMMC Level 2 is NIST SP 800-171 — and inside its Media Protection family sits the control that puts IT asset disposition squarely in assessment scope:

NIST SP 800-171, 3.8.3: Sanitize or destroy system media containing CUI before disposal or release for reuse.

It reads like one sentence. In an assessment, it decomposes into questions most organizations can't answer with documents: Which media contained CUI? What method was used to sanitize each piece? Who performed it, and were they qualified? Where is the evidence — serialized, asset-by-asset — that it happened?

The trap is scope. "Media" isn't just server drives. It's the SSDs in retired laptops, the storage in multifunction printers and copiers, USB drives, backup tapes, the eMMC in thin clients, drives inside test and lab equipment, and the laptop a remote employee shipped back eight months ago that's been sitting in a closet since. Every one of those is a CUI container until it's verifiably sanitized — CUI obligations follow the data, not the depreciation schedule.

Related controls compound the requirement: 3.8.1 and 3.8.2 (protect and limit access to media containing CUI), 3.8.5 (control access to media during transport), and the physical protection family all bear on what happens between "this server is decommissioned" and "this server no longer exists." A gap anywhere in that chain is a finding.

03 / THE STANDARD: NIST 800-88: Clear, Purge, Destroy, and verify

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, is the methodology assessors expect 3.8.3 to be implemented against. It defines three escalating tiers:

Tier 1, Clear: Logical techniques (e.g., overwriting) that protect against simple, non-invasive recovery. Appropriate only when media stays under organizational control at equivalent sensitivity.

Tier 2, Purge: Techniques like cryptographic erase or firmware secure-erase that defeat state-of-the-art laboratory recovery. Requires per-device verification and is media-dependent: what works on one SSD controller may silently fail on another.

Tier 3, Destroy: Shredding, disintegration, or pulverization that renders the media unusable and data recovery infeasible. The defensible default for failed drives, end-of-life media, and high-sensitivity programs.

Two points matter more than the tier names. First, verification is part of the standard — sanitization without documented verification doesn't satisfy 800-88, and a stack of drives someone "ran a wipe on" with no per-serial confirmation is an audit finding waiting to happen. Second, the decision is risk-based: 800-88 directs you to choose the method based on the data's confidentiality and whether the media will leave organizational control. Media leaving your control — which is the definition of disposition — pushes the answer toward Purge with verification or, most defensibly, physical destruction.

04 / THE EXPORT PROBLEM: ITAR turns a disposal mistake into an export violation

For contractors touching defense articles, there's a second regime stacked on top. ITAR-controlled technical data — drawings, specifications, source code, test data for items on the U.S. Munitions List — remains export-controlled wherever it is stored, including on retired hardware.

That has a sharp consequence for disposition: if a drive containing ITAR technical data is exported for processing, or accessed by a foreign person even domestically, that access can constitute an unauthorized export. The global electronics recycling chain routinely moves untracked material overseas. A pallet of "recycled" servers that ends up at an offshore downstream processor isn't an environmental embarrassment — it's a potential ITAR violation, with civil penalties that run into the hundreds of thousands of dollars per violation, criminal exposure, and debarment risk.

The mitigation is structural, not aspirational: ITAR-adjacent media should be physically destroyed, domestically, under documented chain of custody — ideally witnessed or performed on-site — with destruction certificates that identify each serialized asset. "Our recycler says they handle it" is not a control.

05 / THE AUDIT FILE: What a C3PAO will actually ask to see

Assessments are evidence exercises. For the media protection family, a prepared contractor can produce, on request:

  • A written media sanitization policy mapped to 3.8.3 and NIST 800-88, covering every media type in scope — not just data center drives.
  • Serialized asset-level records tying each retired device to a specific sanitization or destruction event, with date, method, and operator.
  • Certificates of destruction or sanitization from your processor referencing NIST 800-88 methods, per serial number — not a one-line "services rendered" invoice.
  • Chain-of-custody documentation covering transport: who had the media, in what container, from your dock to the destruction event.
  • Vendor qualification evidence — proof your downstream partner is independently certified for data destruction and responsible recycling (R2v3 and NAID AAA are the recognized standards), with downstream flow documented.
  • An incident path — what happens if a drive goes missing in transit, and who gets notified. (Under DFARS 252.204-7012, a lost CUI drive can be a reportable cyber incident.)

Notice that at least four of those six items are things your ITAD vendor either makes possible or makes impossible. An uncertified recycler with no serialized reporting doesn't just create risk — it creates an evidence gap you cannot backfill at assessment time.
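The evidence gap described above is a reconciliation problem: every serial in the retired-asset inventory needs a matching certificate, custody record, and a method that fits the data class. The following is an added example, not code from the article or from any vendor, that encodes the rules stated in sections 03 through 05 (Clear only for media staying under control, Purge only with verification, Destroy for failed media, domestic destruction for ITAR) and reports the assets that would fail a records request. Record fields and the sample serials are constructed assumptions.

```python
# Added example (not from the article). Reconciles a retired-asset inventory with
# per-serial sanitization certificates and chain-of-custody records. Constructed data.
from dataclasses import dataclass

@dataclass
class Asset:
    serial: str
    data_class: str    # "itar", "cui", or "other" (stays under org control)
    failed: bool = False

@dataclass
class Certificate:
    serial: str
    method: str        # NIST 800-88 tier: "clear", "purge" or "destroy"
    verified: bool     # per-device verification documented on the certificate
    operator: str
    date: str
    location: str      # "domestic" or "offshore" processing

def find_gaps(assets, certs, custody_serials):
    certs_by = {c.serial: c for c in certs}
    gaps = {}
    for a in assets:
        issues, c = [], certs_by.get(a.serial)
        if c is None:
            issues.append("no serialized certificate")
        else:
            if a.data_class != "other" and c.method == "clear":
                issues.append("Clear is insufficient for media leaving control")
            if c.method == "purge" and not c.verified:
                issues.append("Purge without documented verification")
            if a.failed and c.method != "destroy":
                issues.append("failed media must be destroyed")
            if a.data_class == "itar" and (c.method, c.location) != ("destroy", "domestic"):
                issues.append("ITAR media requires domestic physical destruction")
            if not (c.operator and c.date):
                issues.append("certificate missing operator or date")
        if a.serial not in custody_serials:
            issues.append("no chain-of-custody record")
        if issues:
            gaps[a.serial] = issues
    return gaps

# Constructed sample data: four retired assets, three certificates, custody for three.
SAMPLE_ASSETS = [Asset("SN-1001", "cui"), Asset("SN-1002", "itar"),
                 Asset("SN-1003", "cui", failed=True), Asset("SN-1004", "other")]
SAMPLE_CERTS = [Certificate("SN-1001", "purge", True, "J. Doe", "2026-03-02", "domestic"),
                Certificate("SN-1002", "destroy", True, "J. Doe", "2026-03-02", "offshore"),
                Certificate("SN-1003", "purge", False, "", "2026-03-02", "domestic")]
SAMPLE_CUSTODY = {"SN-1001", "SN-1002", "SN-1004"}
```

Running `find_gaps(SAMPLE_ASSETS, SAMPLE_CERTS, SAMPLE_CUSTODY)` on the sample data clears SN-1001 and flags the other three, which is the per-serial list an assessor would sample from.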

06 / THIS QUARTER: Five moves to make before Phase 2 contracts arrive

  1. Inventory your media universe. Walk past the data center: printers, lab equipment, remote-employee returns, storage closets, backup tapes. If it can hold CUI, it's in scope.
  2. Map 3.8.3 in your SSP honestly. If your System Security Plan says "media is destroyed per NIST 800-88" but you can't produce last quarter's certificates, fix the process before the assessor finds the gap — false affirmations carry False Claims Act exposure.
  3. Clear the backlog now. Stockpiled retired equipment is unmanaged CUI risk accruing in a closet. Destroy and document it before your assessment window, not during it.
  4. Re-paper your ITAD relationship. Require serialized certificates of destruction, NIST 800-88 method references, chain-of-custody docs, domestic processing for ITAR-touched media, and current R2v3 / NAID AAA certification. If your current vendor can't provide these, that's your answer.
  5. Decide your destruction posture per data class. On-site witnessed destruction for ITAR programs; verified purge or destruction for CUI; documented standard process for everything else. Write it down — the policy is itself evidence.

Make disposition the easiest part of your assessment

CyberCrunch is an R2v3, NAID AAA, RIOS and PA DEP certified ITAD provider serving defense contractors in all 50 states, with on-site and facility-based destruction, serialized NIST 800-88 certificates, and documented chain of custody from your dock to destruction.

07 / FAQ: Common questions on CMMC & CUI disposition

Does CMMC require physical destruction of hard drives?
Not always. Control 3.8.3 requires that media containing CUI be sanitized or destroyed before disposal or reuse, and NIST 800-88 defines three acceptable tiers: Clear, Purge, and Destroy. The right tier depends on media type, condition, and whether the asset leaves your control. Physical destruction is the most defensible option for failed drives, end-of-life media, and anything that touched ITAR programs.

What happens to CUI obligations when equipment is retired or resold?
They follow the data, not the asset's accounting status. A decommissioned server or returned remote-work laptop still contains CUI until verifiably sanitized under NIST 800-88. Releasing un-sanitized media outside your control, including to an uncertified recycler, can constitute a reportable incident and undermine your SPRS affirmation.

How does ITAR affect IT asset disposition?
ITAR technical data stored on media remains export-controlled until destroyed. If retired equipment is exported, or accessed by a foreign person at a downstream processor, that access can be deemed an unauthorized export. Require documented domestic processing, verified chain of custody, and serialized destruction certificates for any media that touched ITAR programs.

What disposition documentation will a C3PAO assessor ask for?
A written sanitization policy mapped to 3.8.3, serialized records tying each device to a destruction event, NIST 800-88-referenced certificates per serial number, chain-of-custody documentation, and proof your vendor is qualified; R2v3 and NAID AAA certification is the recognized way to show it.

Is November 10, 2026 a universal CMMC deadline?
No. Phase 2 begins that date, and C3PAO Level 2 becomes the default in applicable new CUI solicitations as they are issued. It's contract-driven, not a single deadline for everyone. But primes are flowing requirements down early and assessor capacity is limited, so the practical timeline is shorter than the regulatory one.

Go deeper: the complete CMMC & ITAD field guide

This brief covers the why. The full 14-section guide covers the how: every disposition-related control with its official SPRS point weight, NIST 800-88 methods by media type (including the SSD trap), the six evidence artifacts C3PAOs sample, scoping for retired assets, subcontractor flowdown, and a 90-day readiness plan.

This article is for general informational purposes and reflects the CMMC program as of June 2026. It is not legal or compliance advice; consult your counsel and registered practitioner for guidance on your specific contracts.