FOR CMMC ASSESSORS · WHAT GOOD DISPOSITION EVIDENCE LOOKS LIKE · MP.L2-3.8.3 · SANITIZE OR DESTROY BEFORE DISPOSAL OR REUSE · SERIALIZED NIST 800-88 CERTIFICATES · RECONCILED TO ASSET INVENTORY · EXAMINE · INTERVIEW · TEST · R2v3 · NAID AAA QUALIFIED DOWNSTREAM · MET ON THE FIRST PASS
ITAD · DISPOSITION EVIDENCE FOR ASSESSORS
// COMPLIANCE CORNER · FOR CMMC ASSESSORS

When you reach 3.8.3,
the question changes.
Not “is it configured?”
but “where’s the proof?”

// MOST OF A LEVEL 2 ASSESSMENT IS NETWORK HYGIENE YOU CAN EXAMINE ON SCREEN
// THEN DISPOSITION — A CONTROL THAT'S SMALL ON PAPER AND SLOW IN THE ROOM
// THE SERIALIZED RECORD IS EITHER THERE — OR IT ISN'T
// QUICK PRIMER

Three references. One clean finding.

3.8.3
MP.L2-3.8.3 — Media Sanitization

Sanitize or destroy system media containing CUI before disposal or release for reuse. Two objectives are scored: [a] before disposal, [b] before reuse.

800-88
NIST SP 800-88 — Sanitization Methods

Clear, Purge, or Destroy — chosen by media type, condition, and whether the media is leaving organizational control. The certificate should cite which.

CAP
CMMC Assessment Process

Examine, interview, and test — the methods used to verify the disposition evidence is adequate and sufficient for a sampled device.

// Together they answer one question: can a sampled serial be traced from the asset inventory to a method-specific certificate of destruction?
// WHERE DISPOSITION SITS IN THE ASSESSMENT

Small control. Loud failure.

PHASE 1
Verify it exists

In planning, you confirm the disposition records exist and are accessible — not yet evaluated, and no advice may be offered on improving them.

PHASE 2
Examine · interview · test

Trace a sampled serial from its inventory retirement entry to a method-specific certificate of destruction — scored for adequacy and sufficiency.

NOV 10, 2026
Phase 2 raises the stakes

C3PAO Level 2 certification becomes the default for applicable CUI contracts — and disposition evidence gets sampled far more often.

// 3.8.3 is binary at sampling: the serialized record reconciles to inventory, or the objective is under-evidenced.
// WHAT A CLEAN FILE LOOKS LIKE

Four artifacts. One serial.

01 / POLICY

Mapped to 3.8.3

A written media-sanitization policy that names control 3.8.3 and NIST 800-88 as the method standard.

02 / REGISTER

Serialized to inventory

Device-level records that reconcile 1:1 with the asset inventory's retirement entries.

03 / CERTIFICATE

Method by media type

A certificate of sanitization or destruction citing the 800-88 tier — per serial.

04 / CUSTODY

Facility to processor

Chain of custody, plus a downstream qualified through R2v3 and NAID AAA.

// WHY UPSTREAM CHOICES MATTER

You verify evidence. You don’t design it.

01

The independence boundary.

By the time disposition reaches your sampling, the artifacts are either there or they aren't — and they can't be coached into existence during the assessment.

// EXAMINE · INTERVIEW · TEST · NO ADVICE
02

A faster, cleaner file.

When the downstream is R2v3 and NAID AAA with serialized 800-88 certificates and chain of custody, 3.8.3 resolves in the room — not in a follow-up request.

// SERIALIZED · RECONCILABLE · SAMPLEABLE
// THE NUMBERS THAT FRAME 3.8.3

Binary at sampling.

Level 2 assessment objectives — 3.8.3 is one
// ACROSS 110 NIST 800-171 REQUIREMENTS
3
NIST 800-88 tiers: Clear, Purge, Destroy
// METHOD CHOSEN BY MEDIA TYPE
// CITED ON THE CERTIFICATE
NIST 800-88
The media sanitization standard, cited per serial
// R2v3 · NAID AAA DOWNSTREAM
// CYBERCRUNCH · DISPOSITION EVIDENCE

Built to be sampled. Not reconstructed.

SERIALIZED 800-88 DESTRUCTION · CHAIN OF CUSTODY · R2v3 · NAID AAA · GREENSBURG, PA

Disclaimer. Figures, projections, statistics, and examples shown in this video are for illustrative purposes only and do not constitute a guarantee or offer. Actual results vary based on factors specific to each engagement. Case studies reflect past client engagements and are not predictive of future outcomes. Compliance claims reference CyberCrunch's certifications and procedures at the time of publication — CMMC, ITAR, and other requirements applicable to your organization should be validated by your own legal, compliance, and procurement teams. Program terms, pricing, and service levels are governed by CyberCrunch Terms of Service, and our Privacy Policy applies. All rights reserved. Visit ccrcyber.com for more information.


In short

A short reference for CMMC assessors: how disposition evidence is examined across the assessment phases, the serialized NIST 800-88 certificates and chain of custody that resolve MP.L2-3.8.3, and why an R2v3 + NAID AAA downstream reduces assessment friction.

Prefer to read it?

Full transcript · What a Clean 3.8.3 Looks Like: Disposition Evidence for CMMC Assessors

In a Level 2 assessment, most controls are network hygiene you can examine on screen. Then you reach disposition — MP.L2-3.8.3, media sanitization — a control that's small on paper and slow in the room. It scores two objectives, sanitizing or destroying media before disposal and before reuse, and at sampling it's binary: the serialized record either reconciles to inventory, or the objective is under-evidenced.

Three references frame a clean finding. Control 3.8.3 requires media containing CUI be sanitized or destroyed before disposal or release for reuse. NIST SP 800-88 supplies the method — Clear, Purge, or Destroy, chosen by media type and whether it's leaving organizational control, with the certificate citing which. And the CMMC Assessment Process examines, interviews, and tests whether the evidence is adequate for a sampled device. Together they answer one question: can a sampled serial be traced from the asset inventory to a method-specific certificate of destruction?

A clean file is four artifacts tied to one serial: a written media-sanitization policy that names 3.8.3 and NIST 800-88; a device register that reconciles 1:1 with the inventory's retirement entries; a certificate of sanitization or destruction citing the 800-88 tier per serial; and chain of custody from facility to a downstream qualified through R2v3 and NAID AAA.

Upstream choices matter because an assessor verifies evidence rather than designing it — by sampling, the artifacts are either there or they aren't, and they can't be coached into existence. When the downstream is R2v3 and NAID AAA with serialized 800-88 certificates and chain of custody, 3.8.3 resolves in the room rather than in a follow-up request. With C3PAO Level 2 certification becoming the default for applicable CUI contracts, disposition evidence gets sampled far more often.
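
The 1:1 reconciliation described above (retired serial to method-specific certificate with chain of custody) can be checked mechanically before a sample is pulled. The sketch below is an added example, not CyberCrunch's or the CMMC program's tooling; the CSV column names and all sample rows are constructed assumptions.

```python
import csv
import io

TIERS = {"clear", "purge", "destroy"}  # NIST SP 800-88 sanitization categories

# Constructed sample data; column names are assumptions, not a standard schema.
INVENTORY = """serial,status,retired_on
SN-1001,retired,2025-03-02
SN-1002,retired,2025-03-02
SN-1003,retired,2025-03-09
SN-1004,in_service,
SN-1006,retired,2025-03-09
"""
CERTIFICATES = """serial,method,media_type,cert_id,custody_ref
sn-1001,Purge,SSD,C-01,COC-77
SN-1002,,HDD,C-02,COC-77
SN-1003,Destroy,HDD,C-03,
SN-1003,Destroy,HDD,C-04,COC-78
SN-1005,Destroy,HDD,C-05,COC-78
"""

def norm(serial):
    """Normalize serials so case or whitespace differences do not hide a match."""
    return serial.strip().upper()

def reconcile(inventory_csv, certificates_csv):
    """Return {serial: [findings]} for every serial that does not reconcile cleanly."""
    retired = {norm(r["serial"]) for r in csv.DictReader(io.StringIO(inventory_csv))
               if r["status"].strip().lower() == "retired"}
    certs = {}
    for row in csv.DictReader(io.StringIO(certificates_csv)):
        certs.setdefault(norm(row["serial"]), []).append(row)
    findings = {}
    for serial in sorted(retired | set(certs)):
        issues = []
        rows = certs.get(serial, [])
        if serial not in retired:
            issues.append("certificate without inventory retirement entry")
        if not rows:
            issues.append("no certificate")
        if len(rows) > 1:
            issues.append("multiple certificates")
        for row in rows:
            if row["method"].strip().lower() not in TIERS:
                issues.append(f"{row['cert_id']}: no 800-88 method cited")
            if not row["custody_ref"].strip():
                issues.append(f"{row['cert_id']}: no chain-of-custody reference")
        if issues:
            findings[serial] = issues
    return findings
```

Calling `reconcile(INVENTORY, CERTIFICATES)` returns findings for SN-1002, SN-1003, SN-1005 and SN-1006; SN-1001 reconciles cleanly despite the lowercase serial on its certificate.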