01 / WHAT'S CHANGING
The honor system ends this November
Since November 10, 2025, new Department of Defense solicitations have carried CMMC requirements — but Phase 1 mostly meant self-assessments. You scoped your environment, scored yourself against NIST SP 800-171, posted the result in SPRS, and affirmed it. The honor system, more or less, still applied.
Phase 2 begins November 10, 2026. From that date, third-party certification by a C3PAO becomes the default requirement for Level 2 in applicable new contracts involving Controlled Unclassified Information. An independent assessor — not you — verifies that all 110 NIST 800-171 controls are actually implemented.
One important nuance that gets lost in vendor marketing: Phase 2 is contract-driven, not a blanket deadline. There is no single date on which every contractor in the Defense Industrial Base must hold a Level 2 certificate. Requirements appear as new solicitations and contract actions are issued. In practice, though, two forces compress the timeline anyway: prime contractors are flowing requirements down to suppliers ahead of the federal schedule, and the pool of authorized C3PAOs is small relative to a supply chain of more than 300,000 companies. Contractors who wait will compete for assessment slots with everyone else who waited.
| Phase | Begins | What it requires | Status |
|---|---|---|---|
| Phase 1 | Nov 10, 2025 | Level 1 & Level 2 self-assessments in applicable solicitations; DoD discretion to require C3PAO Level 2 | UNDERWAY |
| Phase 2 | Nov 10, 2026 | C3PAO-certified Level 2 becomes the default for applicable CUI contracts; Level 3 available at DoD discretion | NEXT |
| Phase 3 | Nov 10, 2027 | Level 3 (DIBCAC-assessed) requirements in applicable solicitations | |
| Phase 4 | Nov 10, 2028 | Full implementation across all applicable contracts, including renewals | |
02 / THE OVERLOOKED CONTROL
3.8.3: where disposition meets your assessment
CMMC Level 2 is NIST SP 800-171 — and inside its Media Protection family sits the control that puts IT asset disposition squarely in assessment scope:
3.8.3: "Sanitize or destroy system media containing CUI before disposal or release for reuse."
It reads like one sentence. In an assessment, it decomposes into questions most organizations can't answer with documents: Which media contained CUI? What method was used to sanitize each piece? Who performed it, and were they qualified? Where is the evidence, serialized and asset-by-asset, that it happened?
The trap is scope. "Media" isn't just server drives. It's the SSDs in retired laptops, the storage in multifunction printers and copiers, USB drives, backup tapes, the eMMC in thin clients, drives inside test and lab equipment, and the laptop a remote employee shipped back eight months ago that's been sitting in a closet since. Every one of those is a CUI container until it's verifiably sanitized — CUI obligations follow the data, not the depreciation schedule.
Related controls compound the requirement: 3.8.1 and 3.8.2 (protect and limit access to media containing CUI), 3.8.5 (control access to media during transport), and the physical protection family all bear on what happens between "this server is decommissioned" and "this server no longer exists." A gap anywhere in that chain is a finding.
03 / THE STANDARD
NIST 800-88: Clear, Purge, Destroy — and verify
NIST SP 800-88, Guidelines for Media Sanitization, is the methodology assessors expect 3.8.3 to be implemented against. Revision 1 is the version most policies cite; NIST published Revision 2 in 2025, and the three-tier structure is unchanged. It defines three escalating tiers:
Clear
Logical techniques (e.g., overwriting) that protect against simple, non-invasive recovery. Appropriate only when media stays under organizational control at equivalent sensitivity.
Purge
Techniques like cryptographic erase or firmware secure-erase that defeat state-of-the-art laboratory recovery. Requires per-device verification and is media-dependent — what works on one SSD controller may silently fail on another.
Destroy
Shredding, disintegration, or pulverization that renders the media unusable and data recovery infeasible. The defensible default for failed drives, end-of-life media, and high-sensitivity programs.
Two points matter more than the tier names. First, verification is part of the standard — sanitization without documented verification doesn't satisfy 800-88, and a stack of drives someone "ran a wipe on" with no per-serial confirmation is an audit finding waiting to happen. Second, the decision is risk-based: 800-88 directs you to choose the method based on the data's confidentiality and whether the media will leave organizational control. Media leaving your control — which is the definition of disposition — pushes the answer toward Purge with verification or, most defensibly, physical destruction.
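The verification step above is the part most in-house wipe procedures skip, so here is what it looks like as code. This is an added example written for this page, not tooling from NIST, CMMC or any vendor. It assumes the sanitization step already ran and wrote a known pattern (zeros here), so verification is a read-back comparison, and that the drive is reachable as a read-only Linux block device such as /dev/sda; the demo substitutes constructed in-memory images for a real device. The evidence-record schema (field names, the SHA-256 seal) is hypothetical and stands in for whatever your asset register uses.

```python
"""Read-back verification of sanitized media and a serialized evidence record.

Added example for this page; not CMMC, NIST or any vendor's tooling.
Assumptions: the sanitization step (device-specific, see the note below)
wrote a known pattern, so verification is a read-back comparison against
that pattern (the full or representative-sample verification NIST SP 800-88
describes), and the device is reachable read-only, e.g. /dev/sda. The demo
uses in-memory images constructed to stand in for such a device.
"""
import hashlib
import io
import json
import random
from datetime import datetime, timezone

BLOCK = 4096  # read granularity; real devices are read in whole sectors


def verify_sanitized(dev, size, pattern=b"\x00", samples=256, full=False, seed=None):
    """Read the device back and compare against the expected post-wipe pattern.

    Returns (ok, blocks_checked, first_nonconforming_offset). full=True reads
    every block (strongest evidence); otherwise `samples` pseudo-random blocks
    plus the first and last block are read, since those two are where residual
    partition tables and metadata most often survive a botched wipe.
    """
    if size <= 0 or len(pattern) != 1:
        raise ValueError("size must be positive and pattern a single byte")
    nblocks = (size + BLOCK - 1) // BLOCK
    if full:
        offsets = range(nblocks)
    else:
        rng = random.Random(seed)
        offsets = sorted({0, nblocks - 1} | {rng.randrange(nblocks) for _ in range(samples)})
    checked = 0
    for b in offsets:
        dev.seek(b * BLOCK)
        chunk = dev.read(BLOCK)
        checked += 1
        if chunk != pattern * len(chunk):
            # Locate the exact byte so the finding is reproducible later.
            i = next(i for i in range(len(chunk)) if chunk[i:i + 1] != pattern)
            return False, checked, b * BLOCK + i
    return True, checked, None


def verify_device_path(path, size, **kw):
    """Open a block device read-only and verify it; it is never opened for writing."""
    with open(path, "rb") as dev:
        return verify_sanitized(dev, size, **kw)


def evidence_record(serial, model, method, operator, size, result, performed_at=None):
    """Build the per-serial record an assessor samples (who, what, when, how,
    verification outcome), sealed with a SHA-256 over its canonical JSON so a
    later edit is detectable. Hypothetical schema; use your register's fields."""
    ok, checked, first_bad = result
    rec = {
        "asset_serial": serial,
        "model": model,
        "method": method,
        "operator": operator,
        "performed_at": performed_at or datetime.now(timezone.utc).isoformat(),
        "capacity_bytes": size,
        "verification": {
            "result": "PASS" if ok else "FAIL",
            "blocks_checked": checked,
            "first_nonconforming_offset": first_bad,
        },
    }
    canonical = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    rec["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return rec


def make_sample_image(size, dirty_offset=None, residue=b"CUI-DRAWING-REV-C"):
    """Constructed stand-in for a wiped device: all zeros, optionally with a
    residual fragment left at dirty_offset to simulate a wipe that failed."""
    buf = bytearray(size)
    if dirty_offset is not None:
        buf[dirty_offset:dirty_offset + len(residue)] = residue
    return io.BytesIO(bytes(buf))


if __name__ == "__main__":
    size = 1 << 20  # 1 MiB stand-in; a real drive is about a million times larger
    for label, img in (("clean", make_sample_image(size)),
                       ("dirty", make_sample_image(size, dirty_offset=size - 64))):
        res = verify_sanitized(img, size, full=True)
        rec = evidence_record("SN-0000-EXAMPLE", "ExampleDisk 1T",
                              "NIST SP 800-88 Purge (firmware erase), overwrite verified",
                              "j.doe", size, res)
        print(label, json.dumps(rec, indent=2))
```

The erase that precedes this check is the device-specific part: NVMe drives expose it through nvme-cli (`nvme sanitize`, or `nvme format` with a secure-erase setting), ATA drives through `hdparm --security-erase`, and the page's warning about SSD controllers applies in full, which is why the read-back exists at all. Two caveats on the check itself: a cryptographic erase leaves ciphertext, not zeros, so for self-encrypting drives the comparison is between a known sample written before the erase and what reads back afterwards, not a zero check; and sampled verification can miss residue that a full pass would find, which the constructed dirty image demonstrates if you run it with `full=False` and a seed that happens not to land on the residue block.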
04 / THE EXPORT PROBLEM
ITAR turns a disposal mistake into an export violation
For contractors touching defense articles, there's a second regime stacked on top. ITAR-controlled technical data — drawings, specifications, source code, test data for items on the U.S. Munitions List — remains export-controlled wherever it is stored, including on retired hardware.
That has a sharp consequence for disposition: if a drive containing ITAR technical data is exported for processing, or accessed by a foreign person even on U.S. soil (a "deemed export"), that access can constitute an unauthorized export. The global electronics recycling chain routinely moves untracked material overseas. A pallet of "recycled" servers that ends up at an offshore downstream processor isn't an environmental embarrassment; it's a potential ITAR violation, with civil penalties that exceed $1 million per violation, criminal exposure, and debarment risk.
The mitigation is structural, not aspirational: ITAR-adjacent media should be physically destroyed, domestically, under documented chain of custody — ideally witnessed or performed on-site — with destruction certificates that identify each serialized asset. "Our recycler says they handle it" is not a control.
05 / THE AUDIT FILE
What a C3PAO will actually ask to see
Assessments are evidence exercises. For the media protection family, a prepared contractor can produce, on request:
- A written media sanitization policy mapped to 3.8.3 and NIST 800-88, covering every media type in scope — not just data center drives.
- Serialized asset-level records tying each retired device to a specific sanitization or destruction event, with date, method, and operator.
- Certificates of destruction or sanitization from your processor referencing NIST 800-88 methods, per serial number — not a one-line "services rendered" invoice.
- Chain-of-custody documentation covering transport: who had the media, in what container, from your dock to the destruction event.
- Vendor qualification evidence — proof your downstream partner is independently certified for data destruction and responsible recycling (R2v3 and NAID AAA are the recognized standards), with downstream flow documented.
- An incident path — what happens if a drive goes missing in transit, and who gets notified. (Under DFARS 252.204-7012, a lost CUI drive can be a reportable cyber incident.)
Notice that at least four of those six items are things your ITAD vendor either makes possible or makes impossible. An uncertified recycler with no serialized reporting doesn't just create risk — it creates an evidence gap you cannot backfill at assessment time.
06 / THIS QUARTER
Five moves to make before Phase 2 contracts arrive
- Inventory your media universe. Walk past the data center: printers, lab equipment, remote-employee returns, storage closets, backup tapes. If it can hold CUI, it's in scope.
- Map 3.8.3 in your SSP honestly. If your System Security Plan says "media is destroyed per NIST 800-88" but you can't produce last quarter's certificates, fix the process before the assessor finds the gap — false affirmations carry False Claims Act exposure.
- Clear the backlog now. Stockpiled retired equipment is unmanaged CUI risk accruing in a closet. Destroy and document it before your assessment window, not during it.
- Re-paper your ITAD relationship. Require serialized certificates of destruction, NIST 800-88 method references, chain-of-custody docs, domestic processing for ITAR-touched media, and current R2v3 / NAID AAA certification. If your current vendor can't provide these, that's your answer.
- Decide your destruction posture per data class. On-site witnessed destruction for ITAR programs; verified purge or destruction for CUI; documented standard process for everything else. Write it down — the policy is itself evidence.
Make disposition the easiest part of your assessment
CyberCrunch is an R2v3, NAID AAA, RIOS and PA DEP certified ITAD provider serving defense contractors in all 50 states, with on-site and facility-based destruction, serialized NIST 800-88 certificates, and documented chain of custody from your dock to destruction.
07 / FAQ
Common questions on CMMC & CUI disposition
Does CMMC require physical destruction of hard drives?
What happens to CUI obligations when equipment is retired or resold?
How does ITAR affect IT asset disposition?
What disposition documentation will a C3PAO assessor ask for?
Is November 10, 2026 a universal CMMC deadline?
Go deeper: the complete CMMC & ITAD field guide
This brief covers the why. The full 14-section guide covers the how: every disposition-related control with its official SPRS point weight, NIST 800-88 methods by media type (including the SSD trap), the six evidence artifacts C3PAOs sample, scoping for retired assets, subcontractor flowdown, and a 90-day readiness plan.
This article is for general informational purposes and reflects the CMMC program as of June 2026. It is not legal or compliance advice; consult your counsel and registered practitioner for guidance on your specific contracts.