THE CRUNCH · EPISODE 26 · 0:32 · DEFENSE & GOVERNMENT

MET on the First Pass

THE CRUNCH · EP 26
TAP TO PAUSE
PAUSED — TAP TO RESUME
Tap ♫ for music
Or keep scrolling — the full text is below
0:32 runtimeFully captioned · music optionalDrag the top bar to seekEpisode 26 of 26

Prefer to read it?

In a CMMC Level 2 assessment, media sanitization control 3.8.3 is binary in a way most controls aren't: the serialized disposition record either exists, or it doesn't. There's no configuration to re-check and nothing to coach into place during the assessment.

The team examines the policy and certificates, interviews the disposition owner, and tests by tracing a sampled serial from its inventory retirement entry to its destruction record. When that evidence already exists — a certificate naming the device by serial, citing the NIST 800-88 method by media type, backed by chain of custody and a downstream qualified through R2v3 and NAID AAA — the objective resolves in minutes.

"We use a recycler" answers the logistics question, not the evidence question. CyberCrunch produces serialized, sampleable disposition evidence by default — so 3.8.3 is a clean MET on the first pass, not a follow-up request.

CYBERCRUNCH · NAID AAA · R2v3 · RIOS · PA DEP

Disposition evidence built to be sampled.

Serialized NIST 800-88 destruction, documented chain of custody, qualified downstream — the evidence set that resolves 3.8.3 in the room.