Who this is for
This guide is written for the people doing the assessing — C3PAO leadership, Lead Certified CMMC Assessors, and CCPs — not for the contractors being assessed. Its goal is narrow: to put the IT asset disposition evidence that resolves control 3.8.3 into one place, so you know what "good" looks like before it's in front of you.
Disposition is a small slice of a Level 2 assessment, but a reliably noisy one. The network controls are evidenced on screen; the question at 3.8.3 is physical and historical — where is the proof the drive was destroyed, and can it be traced to a specific asset? With Phase 2 beginning November 10, 2026, the volume of Level 2 certification assessments is climbing, and disposition is where a lot of otherwise-ready files slow down.
- Phase 1 (live): Level 1 and Level 2 self-assessments in applicable new contracts.
- Phase 2 (next): C3PAO Level 2 certification becomes the default for applicable CUI contracts.
- Phase 3: Level 3 (DIBCAC) assessments introduced for the most sensitive programs.
- Phase 4: Full implementation across all applicable DoD contracts and options.
The control in scope: 3.8.3
MP.L2-3.8.3 (NIST SP 800-171 §3.8.3): sanitize or destroy system media containing CUI before disposal or release for reuse. The 800-171A guide scores two determination statements — [a] before disposal, and [b] before release for reuse. It rarely travels alone: expect to sample it alongside 3.8.1 / 3.8.2 (protect and limit access to media), 3.8.4 (CUI markings), and 3.8.5 / 3.8.6 (transport and cryptographic protection).
3.8.3 is binary at sampling in a way most controls aren't: the serialized record either exists and reconciles, or it doesn't — and there's nothing to coach into place during the assessment.
Disposition across the four CAP phases
The CMMC Assessment Process (CAP) — maintained by The Cyber AB and approved by the CMMC PMO — runs the assessment in four phases. Here's where disposition surfaces in each:
| Phase | What happens to disposition evidence |
|---|---|
| 1 — Planning / Pre-Assessment | Scope confirmed; SSP reviewed; you verify the disposition records exist and are accessible. Not yet evaluated, and no advice may be offered on how to improve them. |
| 2 — Conduct | Examine policy and certificates, interview the disposition owner, test by tracing a sampled serial end-to-end — scored for adequacy and sufficiency. |
| 3 — Reporting | Findings recorded as MET / NOT MET / NOT APPLICABLE; limited deficiencies may close within the window. |
| 4 — POA&M closeout | Eligible deficiencies remediated within 180 days — but highest-weighted requirements are not POA&M-eligible. |
Scoping sets the terms: assets that store, process, or transmit CUI define what disposition must cover, and a retired CUI asset doesn't leave scope just because it's been unplugged. Asset inventory is the spine — if it can't account for what was retired, the disposition evidence has nothing to reconcile against.
The artifact set that resolves it
The evidence that holds up isn't voluminous — it's reconcilable. Work straight down this map:
| What you're confirming | Artifact | Method |
|---|---|---|
| A defined sanitization standard exists | Written policy mapped to 3.8.3 and NIST 800-88 | Examine |
| Each retired device was handled | Serialized device-level records reconciled to inventory | Examine / Test |
| The right method was applied | Certificate citing the 800-88 tier by media type | Examine |
| Custody was unbroken | Chain-of-custody documentation, facility to processor | Examine / Interview |
| The downstream is qualified | Processor certifications — R2v3 and NAID AAA | Examine |
| The process runs as described | Owner walks the workflow; a sampled serial traces end-to-end | Interview / Test |
- Policy that names 3.8.3 and NIST 800-88 as the method standard
- A serialized disposition register reconciling 1:1 with inventory retirements
- Certificates stating the 800-88 tier per media type, per serial
- Chain-of-custody records with dates and signatures, facility to processor
- Current R2v3 and NAID AAA certificates for the downstream processor
- For ITAR-adjacent media: documented domestic processing and serial-level destruction
NIST 800-88 by media type
800-88 gives three tiers — Clear, Purge, Destroy. The defensible choice depends on media type, condition, and whether the media is leaving organizational control. A few patterns worth recognizing during examination:
| Media | Defensible path | What trips people up |
|---|---|---|
| HDD (magnetic) | Verified Purge for reuse; degauss or Destroy (shred) for disposal/failed | Degaussing renders an HDD inoperable — fine for disposal, not for resale. |
| SSD / flash | Cryptographic erase where supported; Destroy for failed or end-of-life | Degaussing does nothing to flash; a quick format isn't a Purge. |
| Mobile devices | Crypto-erase via verified factory reset on encrypted devices; else Destroy | Activation locks left on don't protect data but signal sloppy process. |
| Multifunction printers / copiers | Sanitize or remove and destroy internal storage | The internal drive is routinely missed on lease returns. |
Deficiency patterns
Most 3.8.3 findings that slide toward NOT MET share a small set of root causes — each visible early in examination:
- "We use a recycler." A logistics answer, not a sanitization record.
- Inventory that won't reconcile. Retired assets with no matching disposition event.
- Deleted treated as destroyed. Format ≠ Purge; flash wear-leveling leaves data behind.
- Chain-of-custody gaps. No documented hand-off for the window that matters most.
- Unknown / uncredentialed downstream. No R2v3 or NAID AAA to evidence what happened after pickup.
- ITAR data meeting a foreign person. Offshore downstream can constitute an unauthorized export.
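The test step at Phase 2 is a reconciliation: a sampled serial is traced from the inventory retirement through the certificate and custody records to the processor. The following is an added example, not code from the page or from CyberCrunch, that runs that reconciliation over constructed data and reports each of the deficiency patterns above; the serials, processor name, dates, media labels and method names are assumptions, and the defensible methods per media type follow the 800-88 table above.

```python
# Added example, not from the page or CyberCrunch: reconcile a retirement inventory against
# disposition certificates and custody hand-offs, the way the 3.8.3 test step traces a serial.
# 800-88 methods treated as defensible per media type follow the table above.
DEFENSIBLE = {"HDD": {"degauss", "shred"}, "SSD": {"crypto-erase", "shred"},
              "MOBILE": {"crypto-erase", "shred"}, "MFP": {"crypto-erase", "shred"}}
REQUIRED_DOWNSTREAM = {"R2v3", "NAID AAA"}  # both are expected of the processor

def custody_unbroken(hops, origin, processor):
    """Signed hand-offs must chain without a break from the origin facility to the processor."""
    if not hops or hops[0]["from"] != origin or hops[-1]["to"] != processor:
        return False
    linked = all(a["to"] == b["from"] for a, b in zip(hops, hops[1:]))
    return linked and all(h["signed"] for h in hops)

def reconcile(retirements, certificates, custody, origin="Facility A"):
    """Return serials keyed by deficiency pattern; all-empty lists mean the sample reconciles."""
    f = {k: [] for k in ("no_record", "wrong_method", "unqualified_downstream", "custody_gap")}
    # A pallet-level certificate names no device and cannot be traced to a retirement.
    f["untraceable_cert"] = [c["cert_id"] for c in certificates if not c.get("serial")]
    by_serial = {c["serial"]: c for c in certificates if c.get("serial")}
    for r in retirements:
        s, c = r["serial"], by_serial.get(r["serial"])
        if c is None:  # retired asset with no matching disposition event
            f["no_record"].append(s)
            continue
        if c["method"] not in DEFENSIBLE.get(r["media"], set()):
            f["wrong_method"].append(s)  # e.g. degauss on flash, or "format" on anything
        if not REQUIRED_DOWNSTREAM <= set(c["proc_certs"]):
            f["unqualified_downstream"].append(s)
        hops = sorted((h for h in custody if h["serial"] == s), key=lambda h: h["date"])
        if not custody_unbroken(hops, origin, c["processor"]):
            f["custody_gap"].append(s)
    return f

# Constructed sample (hypothetical serials, processor, dates): HDD-001 is clean; SSD-002 was degaussed,
# sent to an R2v3-only processor and never receipted there; MOB-003 has no certificate; C-3 is pallet-level.
RETIREMENTS = [{"serial": "HDD-001", "media": "HDD"}, {"serial": "SSD-002", "media": "SSD"},
               {"serial": "MOB-003", "media": "MOBILE"}]
CERTIFICATES = [
    {"cert_id": "C-1", "serial": "HDD-001", "method": "shred", "processor": "Proc X", "proc_certs": ["R2v3", "NAID AAA"]},
    {"cert_id": "C-2", "serial": "SSD-002", "method": "degauss", "processor": "Proc X", "proc_certs": ["R2v3"]},
    {"cert_id": "C-3", "serial": None, "method": "shred", "processor": "Proc X", "proc_certs": ["R2v3"]},
]
CUSTODY = [
    {"serial": "HDD-001", "from": "Facility A", "to": "Courier", "date": "2026-01-05", "signed": True},
    {"serial": "HDD-001", "from": "Courier", "to": "Proc X", "date": "2026-01-06", "signed": True},
    {"serial": "SSD-002", "from": "Facility A", "to": "Courier", "date": "2026-01-05", "signed": True},
]
```

Running `reconcile(RETIREMENTS, CERTIFICATES, CUSTODY)` flags SSD-002 three times (wrong method, unqualified downstream, custody gap), MOB-003 as a retirement with no record, and C-3 as untraceable, while HDD-001 reconciles cleanly.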
The independence boundary
The reason the upstream choices matter so much is structural. You verify the evidence; you don't design the program, and the rules are explicit that the team offers no advice on improving evidence during the engagement. By the time disposition reaches your sampling, the artifacts are either there or they aren't.
That's exactly why recognized certifications carry weight: R2v3 and NAID AAA let you treat the processor's controls as evidenced rather than reconstructed. A contractor whose ITAD generates serialized, 800-88-mapped, custody-tracked evidence by routine is simply a faster, cleaner file — not because anyone steered them there, but because the records were built right the first time.
What good disposition evidence looks like, by default
CyberCrunch is a certified ITAD and secure data destruction provider headquartered in Greensburg, Pennsylvania, serving all 50 states. We produce serialized certificates of sanitization and destruction citing NIST 800-88 methods, documented chain of custody, domestic processing for ITAR-adjacent media, and witnessed destruction on request — the evidence set that resolves 3.8.3 in the room.
Frequently asked questions
Where does disposition fall in the assessment methods?
All three 800-171A methods apply: examine the policy and certificates, interview the disposition owner, and test by tracing a sampled serial from inventory retirement to its destruction record.
Do retired CUI assets stay in scope?
Yes — an asset that stored or processed CUI remains in-scope media until verifiably sanitized or destroyed. Staging it on a shelf doesn't remove it from scope, which is why inventory must reconcile to disposition events.
What makes a certificate sampleable?
Serialization that reconciles to inventory: the device named by serial, the 800-88 method cited by media type, tied to the retirement entry, and backed by R2v3 and NAID AAA. A pallet-level certificate naming no specific device generally can't be traced.