In short
A short reference for CMMC assessors: how disposition evidence is examined across the assessment phases, the serialized NIST 800-88 certificates and chain of custody that resolve MP.L2-3.8.3, and why an R2v3 + NAID AAA downstream reduces assessment friction.
Full transcript · What a Clean 3.8.3 Looks Like: Disposition Evidence for CMMC Assessors
In a Level 2 assessment, most controls are network hygiene you can examine on screen. Then you reach disposition — MP.L2-3.8.3, media sanitization — a control that's small on paper and slow in the room. It scores two objectives, sanitizing or destroying media before disposal and before reuse, and at sampling it's binary: the serialized record either reconciles to inventory, or the objective is under-evidenced.
Three references frame a clean finding. Control 3.8.3 requires media containing CUI be sanitized or destroyed before disposal or release for reuse. NIST SP 800-88 supplies the method — Clear, Purge, or Destroy, chosen by media type and whether it's leaving organizational control, with the certificate citing which. And the CMMC Assessment Process examines, interviews, and tests whether the evidence is adequate for a sampled device. Together they answer one question: can a sampled serial be traced from the asset inventory to a method-specific certificate of destruction?
A clean file is four artifacts tied to one serial: a written media-sanitization policy that names 3.8.3 and NIST 800-88; a device register that reconciles 1:1 with the inventory's retirement entries; a certificate of sanitization or destruction citing the 800-88 tier per serial; and chain of custody from facility to a downstream qualified through R2v3 and NAID AAA.
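The per-serial trace described above, as an added example that is not part of the original page: a Python sketch that reconciles inventory retirement entries against the device register, certificates and custody records. The record layouts, serial numbers and custody stage names are constructed assumptions.

```python
# Added illustration; record layouts and all sample values are constructed.
TIERS = {"Clear", "Purge", "Destroy"}  # NIST SP 800-88 methods

INVENTORY_RETIRED = ["SN-1001", "SN-1002", "SN-1003", "SN-1004"]
DEVICE_REGISTER = ["SN-1001", "SN-1002", "SN-1003", "SN-1005"]
CERTIFICATES = {
    "SN-1001": {"method": "Purge"},
    "SN-1002": {"method": "Wiped"},   # does not name an 800-88 method
    "SN-1003": {"method": "Destroy"},
}
# Custody hops in order; "facility" and "downstream" are assumed stage names.
CUSTODY = {
    "SN-1001": ["facility", "transport", "downstream"],
    "SN-1002": ["facility", "transport", "downstream"],
    "SN-1003": ["facility"],          # never received downstream
}

def reconcile(inventory, register, certs, custody):
    """Return {serial: [gaps]} for every serial that fails the trace."""
    findings = {}
    for serial in sorted(set(inventory) | set(register)):
        gaps = []
        if serial not in register:
            gaps.append("not in device register")
        if serial not in inventory:
            gaps.append("no inventory retirement entry")
        cert = certs.get(serial)
        if cert is None:
            gaps.append("no certificate")
        elif cert.get("method") not in TIERS:
            gaps.append("certificate cites no 800-88 method")
        hops = custody.get(serial, [])
        if len(hops) < 2 or hops[0] != "facility" or hops[-1] != "downstream":
            gaps.append("chain of custody incomplete")
        if gaps:
            findings[serial] = gaps
    return findings

def sample_findings():
    return reconcile(INVENTORY_RETIRED, DEVICE_REGISTER, CERTIFICATES, CUSTODY)

if __name__ == "__main__":
    for serial, gaps in sample_findings().items():
        print(serial, "under-evidenced:", "; ".join(gaps))
```

A serial absent from the returned mapping traces cleanly from inventory to certificate and custody; any listed serial is one an assessor's sample would flag.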
Upstream choices matter because an assessor verifies evidence rather than designing it — by sampling, the artifacts are either there or they aren't, and they can't be coached into existence. When the downstream is R2v3 and NAID AAA with serialized 800-88 certificates and chain of custody, 3.8.3 resolves in the room rather than in a follow-up request. With C3PAO Level 2 certification becoming the default for applicable CUI contracts, disposition evidence gets sampled far more often.