For C3PAO Assessors · CMMC · NIST SP 800-88 · Defense Industrial Base

The Assessor's ITAD Field Guide: The Disposition Evidence Behind a Clean 3.8.3

A short, assessor-facing companion to the disposition-evidence brief. It walks through how IT asset disposition is examined across the four CMMC Assessment Process phases, the artifact set that resolves MP.L2-3.8.3, NIST 800-88 by media type, and the deficiency patterns you've already seen — written for the assessment room, not the sales deck.

Reading time: ~12 min | Updated: June 15, 2026 | Audience: C3PAOs · CCPs · Lead CCAs | Applies to: CMMC Level 2 · CAP v2.0

TL;DR

For a CMMC Level 2 assessment, MP.L2-3.8.3 (media sanitization) resolves to MET only when the disposition evidence exists and reconciles asset by asset — there is nothing to coach into a pass.

  • 3.8.3 is binary at sampling: the serialized record either exists and reconciles, or it does not.
  • Assessors examine ITAD across the four CMMC Assessment Process phases.
  • The artifact set: a media-sanitization policy, serialized NIST 800-88 certificates by media type, chain of custody, and qualified downstream (R2v3 / NAID AAA).
  • Deficiencies cluster in predictable patterns — missing serials, method/media mismatch, no reconciliation.
Section 01

Who this is for

This guide is written for the people doing the assessing — C3PAO leadership, Lead Certified CMMC Assessors, and CCPs — not for the contractors being assessed. Its goal is narrow: to put the IT asset disposition evidence that resolves control 3.8.3 into one place, so you know what "good" looks like before it's in front of you.

Disposition is a small slice of a Level 2 assessment, but a reliably noisy one. The network controls are evidenced on screen; the question at 3.8.3 is physical and historical — where is the proof the drive was destroyed, and can it be traced to a specific asset? With Phase 2 beginning November 10, 2026, the volume of Level 2 certification assessments is climbing, and disposition is where a lot of otherwise-ready files slow down.

NOV 10, 2025

Phase 1 — live

Level 1 and Level 2 self-assessments in applicable new contracts.

NOV 10, 2026

Phase 2 — next

C3PAO Level 2 certification becomes the default for applicable CUI contracts.

NOV 10, 2027

Phase 3

Level 3 (DIBCAC) assessments introduced for the most sensitive programs.

NOV 10, 2028

Phase 4

Full implementation across all applicable DoD contracts and options.

Section 02

The control in scope: 3.8.3

MP.L2-3.8.3 (NIST SP 800-171 §3.8.3): sanitize or destroy system media containing CUI before disposal or release for reuse. The 800-171A guide scores two determination statements — [a] before disposal, and [b] before release for reuse. It rarely travels alone: expect to sample it alongside 3.8.1 / 3.8.2 (protect and limit access to media), 3.8.4 (CUI markings), and 3.8.5 / 3.8.6 (transport and cryptographic protection).

Bottom line

3.8.3 is binary at sampling in a way most controls aren't: the serialized record either exists and reconciles, or it doesn't — and there's nothing to coach into place during the assessment.

Section 03

Disposition across the four CAP phases

The CMMC Assessment Process (CAP) — maintained by The Cyber AB and approved by the CMMC PMO — runs the assessment in four phases. Here's where disposition surfaces in each:

| Phase | What happens to disposition evidence |
| --- | --- |
| 1 — Planning / Pre-Assessment | Scope confirmed; SSP reviewed; you verify the disposition records exist and are accessible. Not yet evaluated, and no advice may be offered on how to improve them. |
| 2 — Conduct | Examine policy and certificates, interview the disposition owner, test by tracing a sampled serial end-to-end — scored for adequacy and sufficiency. |
| 3 — Reporting | Findings recorded as MET / NOT MET / NOT APPLICABLE; limited deficiencies may close within the window. |
| 4 — POA&M closeout | Eligible deficiencies remediated within 180 days — but highest-weighted requirements are not POA&M-eligible. |

Scoping sets the terms: assets that store, process, or transmit CUI define what disposition must cover, and a retired CUI asset doesn't leave scope just because it's been unplugged. Asset inventory is the spine — if it can't account for what was retired, the disposition evidence has nothing to reconcile against.

Section 04

The artifact set that resolves it

The evidence that holds up isn't voluminous — it's reconcilable. Work straight down this map:

| What you're confirming | Artifact | Method |
| --- | --- | --- |
| A defined sanitization standard exists | Written policy mapped to 3.8.3 and NIST 800-88 | Examine |
| Each retired device was handled | Serialized device-level records reconciled to inventory | Examine / Test |
| The right method was applied | Certificate citing the 800-88 tier by media type | Examine |
| Custody was unbroken | Chain-of-custody documentation, facility to processor | Examine / Interview |
| The downstream is qualified | Processor certifications — R2v3 and NAID AAA | Examine |
| The process runs as described | Owner walks the workflow; a sampled serial traces end-to-end | Interview / Test |

  • Policy that names 3.8.3 and NIST 800-88 as the method standard
  • A serialized disposition register reconciling 1:1 with inventory retirements
  • Certificates stating the 800-88 tier per media type, per serial
  • Chain-of-custody records with dates and signatures, facility to processor
  • Current R2v3 and NAID AAA certificates for the downstream processor
  • For ITAR-adjacent media: documented domestic processing and serial-level destruction
Section 05

NIST 800-88 by media type

800-88 gives three tiers — Clear, Purge, Destroy. The defensible choice depends on media type, condition, and whether the media is leaving organizational control. A few patterns worth recognizing during examination:

| Media | Defensible path | What trips people up |
| --- | --- | --- |
| HDD (magnetic) | Verified Purge (degauss) for reuse; Destroy (shred) for disposal/failed | Degaussing renders an HDD inoperable — fine for disposal, not for resale. |
| SSD / flash | Cryptographic erase where supported; Destroy for failed or end-of-life | Degaussing does nothing to flash; a quick format isn't a Purge. |
| Mobile devices | Crypto-erase via verified factory reset on encrypted devices; else Destroy | Activation locks left on don't protect data but signal sloppy process. |
| Multifunction printers / copiers | Sanitize or remove and destroy internal storage | The internal drive is routinely missed on lease returns. |

Section 06

Deficiency patterns

Most 3.8.3 findings that slide toward NOT MET share a small set of root causes — each visible early in examination:

  • "We use a recycler." A logistics answer, not a sanitization record.
  • Inventory that won't reconcile. Retired assets with no matching disposition event.
  • Deleted treated as destroyed. Format ≠ Purge; flash wear-leveling leaves data behind.
  • Chain-of-custody gaps. No documented hand-off for the window that matters most.
  • Unknown / uncredentialed downstream. No R2v3 or NAID AAA to evidence what happened after pickup.
  • ITAR data meeting a foreign person. Offshore downstream can constitute an unauthorized export.
Section 07

The independence boundary

The reason the upstream choices matter so much is structural. You verify the evidence; you don't design the program, and the rules are explicit that the team offers no advice on improving evidence during the engagement. By the time disposition reaches your sampling, the artifacts are either there or they aren't.

That's exactly why recognized certifications carry weight: R2v3 and NAID AAA let you treat the processor's controls as evidenced rather than reconstructed. A contractor whose ITAD generates serialized, 800-88-mapped, custody-tracked evidence by routine is simply a faster, cleaner file — not because anyone steered them there, but because the records were built right the first time.

About CyberCrunch

What good disposition evidence looks like, by default

CyberCrunch is a certified ITAD and secure data destruction provider headquartered in Greensburg, Pennsylvania, serving all 50 states. We produce serialized certificates of sanitization and destruction citing NIST 800-88 methods, documented chain of custody, domestic processing for ITAR-adjacent media, and witnessed destruction on request — the evidence set that resolves 3.8.3 in the room.

Certifications: R2v3 · NAID AAA · RIOS · PA DEP
FAQ

Frequently asked questions

Where does disposition fall in the assessment methods?

All three 800-171A methods apply: examine the policy and certificates, interview the disposition owner, and test by tracing a sampled serial from inventory retirement to its destruction record.

Do retired CUI assets stay in scope?

Yes — an asset that stored or processed CUI remains in-scope media until verifiably sanitized or destroyed. Staging it on a shelf doesn't remove it from scope, which is why inventory must reconcile to disposition events.

What makes a certificate sampleable?

Serialization that reconciles to inventory: the device named by serial, the 800-88 method cited by media type, tied to the retirement entry, and backed by R2v3 and NAID AAA. A pallet-level certificate naming no specific device generally can't be traced.