
The Media Sanitization Gap: How IT Asset Disposition Makes or Breaks Your CMMC Assessment

Most CMMC guides walk you through firewalls, MFA, and incident response — then wave a hand at what happens when a laptop, server, or copier leaves your building. That hand-wave is a five-point control that cannot go on a POA&M. This guide closes the gap, control by control, from the perspective of a certified ITAD operator.

Reading time: ~38 min · Updated: June 11, 2026 · Author: Brian Boynton · Applies to: CMMC 2.0 · 32 CFR Part 170

TL;DR

Media sanitization (3.8.3) is a five-point CMMC control that cannot go on a POA&M, so how you dispose of retired CUI-bearing hardware can decide a Level 2 assessment.

  • CMMC Phase 2 makes third-party Level 2 certification a condition of award for CUI contracts starting November 10, 2026.
  • Level 2 = all 110 NIST 800-171 requirements, third-party assessed on a 110-point scale with an 80% conditional floor; only one-point gaps can ride a POA&M.
  • ITAD touches at least nine Level 2 requirements across three control families, anchored by five-point 3.8.3.
  • Assessors evaluate them as a chain: storage to access to sanitization to evidence.
Section 01

Why this matters right now

CMMC stopped being a future problem on November 10, 2025. That day, the 48 CFR acquisition rule took effect and CMMC clauses began appearing in new Department of Defense solicitations and contracts as a condition of award. The program now rolls out in four phases, and the next one is the one that bites.

NOV 10, 2025

Phase 1 — live now

Level 1 and Level 2 self-assessments required in applicable new contracts; affirmations filed in SPRS.

NOV 10, 2026

Phase 2 — the cliff

Third-party (C3PAO) Level 2 certification required for applicable contracts involving CUI.

NOV 10, 2027

Phase 3

Level 3 certification assessments introduced for the most sensitive programs.

NOV 10, 2028

Phase 4

Full implementation: CMMC requirements in all applicable DoD contracts and options.

The math behind the urgency is unforgiving. The Department of Defense estimates that the large majority of Defense Industrial Base organizations handling Controlled Unclassified Information (CUI) — roughly 93% by DoD's own figures — will need Level 2 certification by an accredited Certified Third-Party Assessment Organization (C3PAO). Only about a hundred C3PAOs are authorized to perform those assessments, against well over a hundred thousand organizations that will eventually need one. Assessment calendars are filling through the end of 2026 and beyond. If your next award or recompete lands after November 10, 2026, your real preparation deadline is months earlier than the date on the regulation.

Here is the part most readiness conversations skip. Of the 110 security requirements in a Level 2 assessment, a handful govern what happens to data-bearing devices at the end of their life — when the laptop is refreshed, the server rack is decommissioned, the office consolidates, or the copier lease ends. The anchor requirement, MP.L2-3.8.3 — sanitize or destroy media containing CUI before disposal or release for reuse — is weighted at five points in the DoD Assessment Methodology. Under the CMMC final rule, five-point requirements cannot be placed on a Plan of Action and Milestones at assessment. There is no conditional pass, no 180-day grace window, no "we're working on it." On assessment day, your disposition program is either fully implemented and evidenced, or the requirement is NOT MET.

Meanwhile, your firewall has a vendor, your SIEM has a vendor, your MFA has a vendor — and your retired hard drives are sitting in a cardboard box behind the server room door, waiting for "the recycling guy." This guide exists because that box is where otherwise well-prepared contractors fail.

What follows is written to be used three ways: read straight through as a complete briefing (about 38 minutes), jumped into by section when a specific question arises, or handed to the team member who owns asset disposition as their working reference. Each section opens with its conclusion and stands on its own.

Bottom line

Phase 2 makes third-party Level 2 certification a condition of award for CUI contracts starting November 10, 2026. Media sanitization (3.8.3) is a five-point control that cannot be deferred to a POA&M — your ITAD program must be assessment-ready on day one.

Section 02

CMMC in ten minutes — only what you need

The internet does not need another 4,000-word CMMC explainer. Here is the minimum viable context for everything that follows; if you already live in this world, skip to Section 3.

What CMMC is

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense's mechanism for verifying that contractors actually implement the cybersecurity requirements they have been contractually obligated to follow for years. The underlying requirements are not new — NIST SP 800-171 has been mandated through DFARS 252.204-7012 since 2017. What changed is enforcement: self-attestation gave way to scored self-assessments in SPRS (the Supplier Performance Risk System), and now, under CMMC, to independent third-party certification for most organizations handling CUI.

The two data types that decide everything

Federal Contract Information (FCI) is information provided by or generated for the government under contract that is not intended for public release — think delivery schedules, contract performance details, internal correspondence about the work. Controlled Unclassified Information (CUI) is the more sensitive tier: unclassified information that law, regulation, or government-wide policy requires be safeguarded — technical drawings, specifications, export-controlled data, and similar. Which of these you touch determines which CMMC level you need, and — critical for this guide — both categories carry a media sanitization obligation at end of life.

The three levels

| Level | Who needs it | Requirements | How it's assessed |
|---|---|---|---|
| Level 1 | Contractors handling FCI only | 15 basic safeguarding requirements from FAR 52.204-21 — including media sanitization of FCI | Annual self-assessment, affirmed in SPRS |
| Level 2 | Contractors handling CUI (the vast majority of the DIB) | All 110 requirements of NIST SP 800-171 Rev 2 | Triennial C3PAO certification assessment for most; self-assessment for a small subset; annual affirmations either way |
| Level 3 | Contractors supporting the most sensitive programs | Level 2 plus 24 enhanced requirements from NIST SP 800-172 | Government-led (DIBCAC) assessment, on top of a Level 2 certification |

Scoring, conditional status, and the POA&M trap

Level 2 assessments are scored using the NIST SP 800-171 DoD Assessment Methodology: a perfect score is 110, and each unmet requirement subtracts 1, 3, or 5 points depending on its weight. A contractor can achieve conditional certification status with a score of at least 80% (88 of 110 points) — but only if every unmet item is POA&M-eligible, and the rule restricts POA&Ms to one-point requirements, with narrow exceptions. POA&M items must be closed out within 180 days or conditional status expires. The practical consequence: every three- and five-point requirement must be fully MET on assessment day. Media sanitization is a five-pointer. Remember that; it is the spine of this guide.
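The scoring mechanics above are worth running once with numbers in hand, because the trap is counter-intuitive: a score that clears the 80% floor can still be uncertifiable. The following is an added example (not part of this guide's original text or any DoD tool) that applies the rule exactly as stated here: 110 points, each unmet requirement subtracts its weight, conditional status needs at least 88 points and every unmet item POA&M-eligible, with eligibility limited to one-point items. The rule's narrow exceptions are deliberately not modelled, and the weight table is limited to the ITAD-relevant requirements listed in Section 3.

```python
"""Level 2 scoring as this guide describes it: 110 points, each unmet
requirement subtracts its weight, conditional status needs at least 88 and
every unmet item POA&M-eligible (one-point items only).
Added example; the rule's narrow POA&M exceptions are not modelled."""

from dataclasses import dataclass, field
from typing import Dict, List

MAX_SCORE = 110
CONDITIONAL_FLOOR = 88  # 80% of 110, as the text states

# Weights of the ITAD-relevant requirements from the Section 3 ledger.
WEIGHTS: Dict[str, int] = {
    "MP.L2-3.8.3": 5,
    "MP.L2-3.8.1": 3,
    "MP.L2-3.8.2": 3,
    "MP.L2-3.8.4": 1,
    "MP.L2-3.8.5": 1,
    "MP.L2-3.8.6": 1,
    "MA.L2-3.7.3": 1,
    "MP.L2-3.8.9": 1,
}


@dataclass
class Outcome:
    score: int
    status: str                                             # "final", "conditional" or "not certified"
    poam_items: List[str] = field(default_factory=list)     # one-point gaps that may ride a POA&M
    blocking_items: List[str] = field(default_factory=list) # three- and five-point gaps: must be MET


def score_assessment(unmet: List[str], weights: Dict[str, int] = WEIGHTS) -> Outcome:
    """Score a Level 2 assessment given the list of requirements found NOT MET."""
    unknown = [r for r in unmet if r not in weights]
    if unknown:
        raise ValueError(f"no weight known for {unknown}")
    score = MAX_SCORE - sum(weights[r] for r in unmet)
    poam = [r for r in unmet if weights[r] == 1]
    blocking = [r for r in unmet if weights[r] > 1]
    if not unmet:
        status = "final"
    elif score >= CONDITIONAL_FLOOR and not blocking:
        status = "conditional"  # POA&M items must close within 180 days
    else:
        status = "not certified"
    return Outcome(score, status, poam, blocking)


if __name__ == "__main__":
    # The trap: 105/110 clears the 80% floor, but the 5-point gap blocks certification.
    print(score_assessment(["MP.L2-3.8.3"]))
    # Two one-point gaps: 108/110 and conditional status is available.
    print(score_assessment(["MP.L2-3.8.4", "MP.L2-3.8.5"]))
```

Run as-is, the first call reports a score of 105 with status "not certified"; the second reports 108 and "conditional". That asymmetry is the whole point of the section: weight, not score, decides whether a gap can be deferred.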

One more structural fact

Certification is valid for three years, with annual affirmations of continuing compliance in between. Asset disposition is not a one-time cleanup before the assessor arrives — every refresh cycle, office move, and equipment failure between assessments must generate the same evidence quality, because your affirming official is personally attesting to it each year.

Bottom line

Level 2 = all 110 NIST 800-171 requirements, third-party assessed, scored 110-point scale, 80% conditional floor. Only one-point gaps can ride on a POA&M. Media sanitization is worth five.

Section 03

Where ITAD lives in the 110 controls

IT asset disposition is not one control. It is a thread that runs through the Media Protection family, the Maintenance family, and Physical Protection — and a C3PAO will pull that thread from the moment a device is flagged for retirement until the moment its destruction certificate lands in your evidence folder. Here is the map.

The ITAD Control Ledger — CMMC Level 2 (weights per NIST SP 800-171 DoD Assessment Methodology)

| Requirement | What it says | Why it matters for ITAD | Weight |
|---|---|---|---|
| MP.L2-3.8.3 | Sanitize or destroy system media containing CUI before disposal or release for reuse. | The anchor. Every retired drive, device, tape, and embedded storage component must be sanitized per NIST SP 800-88 or physically destroyed — with verifiable, serialized evidence. | 5 pts (POA&M eligible: no) |
| MP.L2-3.8.1 | Protect (physically control and securely store) media containing CUI, paper and digital. | Covers the dangerous middle: drives pulled but not yet destroyed must live in locked, access-controlled storage — not a cardboard box in the IT closet. | 3 pts |
| MP.L2-3.8.2 | Limit access to CUI on media to authorized users. | Who can touch the staged-for-destruction inventory? Access lists and logs apply to retired media just as they do to live systems. | 3 pts |
| MP.L2-3.8.4 | Mark media with necessary CUI markings and distribution limitations. | Retired media bins and transport containers holding CUI-bearing drives inherit marking obligations. | 1 pt |
| MP.L2-3.8.5 | Control access and maintain accountability for media during transport outside controlled areas. | This is chain of custody, named as a federal requirement: sealed containers, transfer logs, signed handoffs, and tracking from your dock to the destruction floor. | 1 pt |
| MP.L2-3.8.6 | Cryptographic protection of CUI on media during transport, unless otherwise physically safeguarded. | Full-disk encryption on fleet devices pays off twice: in-transit protection now, and a stronger sanitization story later via cryptographic erase. | 1 pt |
| MA.L2-3.7.3 | Sanitize equipment removed for off-site maintenance of any CUI. | The forgotten cousin of 3.8.3: the RMA'd server, the leased copier going back for repair, the laptop sent to a depot. If it leaves with CUI on board, it failed this control before it left the dock. | 1 pt |
| MP.L2-3.8.9 | Protect the confidentiality of backup CUI at storage locations. | Backup tapes and removable backup drives are media. They age out, and when they do, they flow into the same sanitization pipeline — or they are a finding waiting to happen. | 1 pt |
| PE / 3.10.x | Physical Protection family — limit and escort physical access, control physical access devices, safeguard equipment. | Governs who walks your staged equipment out the door. Unescorted recycler pickups inside a CUI environment are an assessor's favorite observation. | Varies |

Three things to internalize from the ledger. First, the weight distribution is not an accident. The DoD Assessment Methodology assigns five points to requirements whose absence creates direct, exploitable exposure of CUI. An unsanitized drive leaving your custody is exactly that — it is a data breach with a shipping label. Second, the controls chain together. An assessor evaluating 3.8.3 will naturally walk backwards through 3.8.1 (where were the drives stored while awaiting destruction?), 3.8.2 (who had access?), and 3.8.5 (how did they travel?). Weakness in one exposes the others. Third, this is a Level 1 issue too. FAR 52.204-21 — the basis of CMMC Level 1 — includes sanitizing or destroying media containing FCI before disposal or reuse. Even the contractor who never touches CUI is affirming, annually and under signature, that disposal-stage sanitization happens.

If you take one action from this entire guide, make it this: open your System Security Plan (SSP) and read what it currently says for 3.8.3, 3.8.1, 3.8.5, and 3.7.3. If the implementation statement says something like "drives are wiped before disposal" with no method, no standard, no evidence reference, and no named process owner — that is not an implementation statement, it is a placeholder, and a C3PAO will treat it as one.

Bottom line

ITAD touches at least nine Level 2 requirements across three control families, anchored by five-point 3.8.3. Assessors evaluate them as a chain: storage → access → transport → sanitization → evidence.

Section 04

Your retired assets are in scope — the boundary nobody draws

CMMC scoping determines which assets get assessed. Contractors spend enormous energy drawing that boundary around live infrastructure — enclaves, VDI, segmented VLANs — and then forget that the boundary has a fourth dimension: time. An asset that processed CUI does not exit your assessment scope when you power it off. It exits when its media is sanitized or destroyed, with proof.

The lifecycle view of scope

Under the CMMC scoping methodology, assets that process, store, or transmit CUI are CUI Assets, full stop. The verb tense matters less than contractors wish it did: a decommissioned file server stores CUI right up until the moment its drives are sanitized. The retirement pile in your storage room is not "old equipment" — it is an unsegmented collection of CUI Assets with no active monitoring, often no inventory, and frequently no locked door. Viewed through an assessor's eyes, it may be the least protected CUI repository in your entire environment.

The practical implication: your asset inventory must track devices through disposition, not just through deployment. A defensible inventory answers, for every data-bearing asset that ever lived inside the CUI boundary: where is it right now, what state is its media in (live / staged for sanitization / sanitized / destroyed), and what document proves the final state? When an assessor samples your inventory — and sampling inventory against destruction records is a standard assessment technique — every retired serial number needs a corresponding line in a sanitization log or certificate of destruction. Gaps between "we bought 200 laptops in 2022" and "we can evidence the disposition of 147 of them" are exactly the kind of discrepancy that turns a smooth assessment into a long one.
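The inventory the paragraph describes is a small data model with one hard rule: a terminal state must carry the reference to the document that proves it, and every retired serial must reconcile to a certificate line. The following added example (not part of this guide, and not any particular asset-management product) models those states and performs the reconciliation an assessor performs by sampling. The sample assets and certificate lines are constructed, and the field names are this example's own.

```python
"""Lifecycle inventory for CUI-bearing assets as Section 4 describes it:
every serial carries a media state, terminal states must point at the record
that proves them, and retired serials are reconciled against itemized
certificate lines. Added example; sample data below is constructed."""

from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

STATES = ("live", "staged", "sanitized", "destroyed")
TERMINAL = {"sanitized", "destroyed"}


@dataclass
class Asset:
    serial: str
    model: str
    state: str
    evidence_ref: Optional[str] = None  # certificate number once sanitized or destroyed


def validate_asset(asset: Asset) -> List[str]:
    """Structural checks a stateful inventory should enforce on every row."""
    problems = []
    if asset.state not in STATES:
        problems.append(f"{asset.serial}: unknown state {asset.state!r}")
    if asset.state in TERMINAL and not asset.evidence_ref:
        problems.append(f"{asset.serial}: {asset.state} but no evidence reference")
    return problems


def reconcile(assets: Iterable[Asset],
              certificate_lines: Iterable[Tuple[str, str]]) -> Dict[str, Optional[str]]:
    """Map each retired serial to the certificate that itemizes it (None if absent).
    certificate_lines are (certificate_number, serial) pairs taken from itemized certificates."""
    certified: Dict[str, str] = {}
    for cert_no, serial in certificate_lines:
        certified.setdefault(serial.strip().upper(), cert_no)
    return {a.serial: certified.get(a.serial.strip().upper())
            for a in assets if a.state in TERMINAL}


def evidence_gaps(assets, certificate_lines) -> List[str]:
    """Retired serials with no certificate line: the '147 of 200' problem."""
    return sorted(s for s, c in reconcile(assets, certificate_lines).items() if c is None)


def unexpected_certified(assets, certificate_lines) -> List[str]:
    """Serials a certificate attests to that the inventory never recorded."""
    known = {a.serial.strip().upper() for a in assets}
    return sorted({s.strip().upper() for _, s in certificate_lines} - known)


def state_summary(assets: Iterable[Asset]) -> Dict[str, int]:
    return dict(Counter(a.state for a in assets))


# Constructed sample: five assets, three certificate lines from one certificate.
SAMPLE_ASSETS = [
    Asset("SN-0001", "Laptop model A", "live"),
    Asset("SN-0002", "Laptop model A", "staged"),
    Asset("SN-0003", "Server drive", "destroyed", "COD-2026-0417"),
    Asset("SN-0004", "Laptop model B", "destroyed", "COD-2026-0417"),
    Asset("SN-0005", "Laptop model B", "sanitized"),   # claims a state it cannot prove
]
SAMPLE_CERT_LINES = [
    ("COD-2026-0417", "SN-0003"),
    ("COD-2026-0417", "sn-0004 "),   # case and whitespace differences must not break matching
    ("COD-2026-0417", "SN-0099"),    # certified but never inventoried: also worth a question
]

if __name__ == "__main__":
    for a in SAMPLE_ASSETS:
        for p in validate_asset(a):
            print("inventory problem:", p)
    print("retired serials without evidence:", evidence_gaps(SAMPLE_ASSETS, SAMPLE_CERT_LINES))
    print("certified but not inventoried:", unexpected_certified(SAMPLE_ASSETS, SAMPLE_CERT_LINES))
    print("states:", state_summary(SAMPLE_ASSETS))
```

Both directions of the reconciliation matter: a retired serial with no certificate is the finding the paragraph warns about, while a certified serial the inventory never recorded means the inventory itself is incomplete, which an assessor reads the same way.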

Three scoping decisions that change your ITAD program

1. Enclave strategies don't shrink the disposal problem as much as you think. Many contractors reduce scope by confining CUI to an enclave — a segmented network, a VDI environment, a GCC High tenant. Sensible. But endpoints that accessed the enclave, caching appliances, print devices serving enclave users, and any machine that ever lived inside the boundary before the enclave existed still carry disposition obligations. The enclave shrinks your live scope; your historical scope is whatever the data actually touched.

2. "Specialized Assets" still die someday. The scoping guidance gives lighter treatment to certain categories — IoT, government property, test equipment — but lighter assessment treatment in life does not mean exemption at death. A piece of test equipment with internal storage that captured CUI telemetry needs end-of-life sanitization like anything else.

3. Encryption changes your sanitization options, not your obligations. Fleet-wide full-disk encryption (BitLocker, FileVault, self-encrypting drives) is the single best thing you can do for future disposition, because it unlocks cryptographic erase (CE) as a NIST 800-88 purge method — destroy the keys, and the ciphertext on disk becomes computationally unrecoverable. But CE is only defensible if you can evidence that encryption was actually enforced on that specific device for its whole CUI-bearing life, that the key destruction occurred, and that it was verified. "We think BitLocker was on" is not a sanitization method.

Assessor's-eye view

When a C3PAO tours your facility, the storage room with stacked towers and a milk crate of loose drives is not background scenery. Expect the questions: What's on these? Where did they come from? Who has key access? How long have they been here? What's the disposition plan? If the answers are shrugs, you've just turned a tour into a finding.

Bottom line

Scope follows the data through time. Track every CUI-touching asset to a documented end state, and treat the staging area for retired equipment with the same rigor as a server room — because to an assessor, that's what it is.

Section 05

Clear, Purge, Destroy: NIST 800-88 decisions by media type

When CMMC assessment guidance asks how you sanitize media, the answer it expects is framed in NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization — the federal playbook that defines three escalating sanitization categories and, crucially, requires verification and documentation for all of them.

The three categories, in one paragraph each

Clear applies logical techniques — typically a factory reset or a single-pass overwrite using the device's standard read/write commands — to protect against simple, non-invasive recovery attempts. Clear is generally appropriate when media stays under your organization's control for reuse, not when it leaves.

Purge applies physical or logical techniques that make data recovery infeasible even with state-of-the-art laboratory methods. Purge methods include firmware-level sanitize commands (block erase, the ATA/NVMe sanitize feature set), cryptographic erase (destroying the encryption keys on an encrypted drive), and degaussing for magnetic media. Purged media can generally be released outside organizational control — which is why purge is the practical floor for CUI-bearing media entering an ITAD channel for resale or reuse.

Destroy renders the media unusable and data recovery infeasible: shredding, disintegration, pulverizing, incineration. Destruction is the terminal option — there is no device left to reuse — and it is the default answer when media is damaged, when purge can't be verified, when the device type resists reliable purging, or when your risk tolerance simply says so.

The decision logic in 800-88 turns on two questions: how sensitive is the data, and is the media leaving organizational control? For CUI, the answer to the first question is "moderate confidentiality at minimum," and at end of life the answer to the second is almost always "yes." That combination points to purge or destroy — never clear alone — for anything exiting your environment.

The decision table

| Media type | Viable purge methods | Destroy methods | What trips people up |
|---|---|---|---|
| Magnetic HDDs (desktops, servers, SAN/NAS) | ATA Secure Erase / sanitize commands with verification; degaussing (NSA-listed degausser); cryptographic erase if FDE was enforced | Shredding, disintegration | Degaussing destroys the drive's servo data — a degaussed HDD is dead, so plan on destruction economics, not resale. Failed/clicking drives can't be overwritten and must be destroyed. |
| SSDs & NVMe (laptops, servers, M.2) | Sanitize / block-erase commands with verification; cryptographic erase with evidence of enforced encryption | Shredding to a reduced particle size appropriate for flash; disintegration | Degaussing does nothing — flash is electrical, not magnetic. Software overwrites are unreliable: wear leveling and overprovisioned cells leave regions an overwrite never reaches. Standard HDD shred sizes can leave intact flash chips; flash demands finer particles. |
| Mobile devices (phones, tablets) | Factory reset on devices with hardware-backed, always-on encryption effectively functions as cryptographic erase — verify model behavior and MDM confirmation | Shredding/disintegration of the device or logic board | BYOD muddies evidence. Activation locks (Find My iPhone, FRP) left on don't protect data but destroy resale value and signal sloppy process. |
| Backup tape (LTO et al.) | Degaussing with an appropriately rated degausser | Incineration, shredding/disintegration | Tape libraries hold hundreds of cartridges with multi-year retention; barcode-level reconciliation against the destruction manifest is the only way to prove completeness. |
| Optical media (CD/DVD/Blu-ray) | None practical | Shredding/disintegration designed for optical media; incineration | It hides in desk drawers and old project boxes. Sweep for it during office moves. |
| Copiers / MFPs / printers | Vendor data-overwrite kits where available and verifiable | Pull and destroy the internal drive/flash before the unit leaves | Leased units go back to the lessor by default — with every scanned document still on the internal drive unless your lease addendum and process say otherwise. See Section 6. |
| Network & security appliances (switches, routers, firewalls, VPN concentrators) | Documented full configuration wipe / factory reset; sanitize internal storage where present | Destroy internal storage media | Configs aren't CUI, but they are a roadmap to the network that protects CUI — credentials, keys, topology. Treat them as sensitive at end of life. |
| Removable media (USB drives, SD cards, external HDDs) | Sanitize commands where supported; CE if encrypted | Shredding/disintegration — usually the rational choice given unit value | The control problem (3.8.7/3.8.8) is bigger than the sanitization problem: if you can't inventory them, you can't evidence their destruction. |
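The decision logic described above (two questions set the minimum category, media physics picks the method) is mechanical enough to encode, which is useful when writing the SOP: the code forces the distinctions the table makes between flash and magnetic media, between a working drive and a failed one, and between encryption that is evidenced and encryption that is assumed. The following is an added example, not part of this guide and not a NIST tool; the media kinds and method names follow the decision table and are not an exhaustive 800-88 mapping.

```python
"""NIST SP 800-88 Clear / Purge / Destroy selection as this section lays it
out: sensitivity and whether the media leaves organizational control set the
minimum category; the physics of the media picks the method.
Added example; kinds and method names follow the decision table above."""

from dataclasses import dataclass
from typing import Optional

FLASH = {"ssd", "nvme", "mobile", "usb", "sd"}


@dataclass
class Media:
    kind: str                            # "hdd", "ssd", "nvme", "tape", "optical", "mobile", "mfp", ...
    functional: bool = True              # a failed or clicking drive cannot be overwritten or verified
    fde_evidenced: bool = False          # encryption enforced for the device's whole CUI life, with proof
    sanitize_cmd_supported: bool = True  # ATA/NVMe sanitize, secure erase, block erase


@dataclass
class Decision:
    category: str                        # "clear", "purge" or "destroy"
    method: str
    rationale: str


def minimum_category(holds_cui: bool, leaving_control: bool) -> str:
    """800-88's two questions. CUI that leaves organizational control needs purge at minimum."""
    return "purge" if holds_cui and leaving_control else "clear"


def select_method(m: Media, holds_cui: bool = True, leaving_control: bool = True) -> Decision:
    if minimum_category(holds_cui, leaving_control) == "clear":
        return Decision("clear", "factory reset or single-pass overwrite, verified",
                        "media stays under organizational control for reuse")
    if not m.functional:
        return Decision("destroy", "shredding or disintegration",
                        "failed media cannot be overwritten, so a purge cannot be verified")
    if m.kind == "optical":
        return Decision("destroy", "optical-rated shredding/disintegration or incineration",
                        "no practical purge method exists for optical media")
    if m.kind == "mobile":
        if m.fde_evidenced:  # hardware-backed, always-on encryption confirmed (e.g. by MDM)
            return Decision("purge", "factory reset acting as cryptographic erase, MDM-confirmed",
                            "hardware-backed always-on encryption verified for this model")
        return Decision("destroy", "shredding/disintegration of the device or logic board",
                        "encryption state not evidenced for this device")
    if m.kind in FLASH:
        if m.fde_evidenced:
            return Decision("purge", "cryptographic erase, key destruction verified",
                            "encryption enforced and evidenced; ciphertext becomes unrecoverable")
        if m.sanitize_cmd_supported:
            return Decision("purge", "sanitize / block-erase command, completion status verified",
                            "firmware erase reaches wear-levelled and over-provisioned cells")
        return Decision("destroy", "flash-rated fine-particle shredding",
                        "software overwrite is unreliable on flash and degaussing does nothing")
    if m.kind == "hdd":
        if m.fde_evidenced:
            return Decision("purge", "cryptographic erase, key destruction verified",
                            "encryption enforced and evidenced for the drive's CUI life")
        if m.sanitize_cmd_supported:
            return Decision("purge", "ATA Secure Erase / sanitize with post-erase verification",
                            "firmware-level erase of a working magnetic drive")
        return Decision("purge", "degaussing with an NSA-listed degausser",
                        "effective on magnetic media, but servo data is gone: plan on destruction, not resale")
    if m.kind == "tape":
        return Decision("purge", "degaussing with an appropriately rated degausser",
                        "magnetic media; reconcile cartridge barcodes against the manifest")
    return Decision("destroy", "pull and destroy the internal drive or flash",
                    "default for device types where a purge cannot be verified")


def reject_if_mismatched(m: Media, proposed_method: str) -> Optional[str]:
    """Catch the SOP mistakes this section calls out; returns a reason or None if acceptable."""
    method = proposed_method.lower()
    if "degauss" in method and m.kind in FLASH:
        return "degaussing does nothing to flash: it is electrical, not magnetic"
    if "overwrite" in method and m.kind in FLASH:
        return "software overwrite does not reach wear-levelled or over-provisioned cells"
    if "cryptographic" in method and not m.fde_evidenced:
        return "cryptographic erase needs evidence that encryption was enforced on this device"
    if "degauss" in method and m.kind == "optical":
        return "optical media is not magnetic; it must be destroyed"
    return None


if __name__ == "__main__":
    for media in (Media("hdd", functional=False), Media("ssd", sanitize_cmd_supported=False),
                  Media("hdd", fde_evidenced=True), Media("optical"), Media("mobile")):
        print(media.kind, "->", select_method(media))
    print(reject_if_mismatched(Media("nvme"), "multi-pass overwrite then degauss"))
```

Note that `select_method` never returns "clear" for CUI that is leaving control, and that a cryptographic-erase answer is only reachable when `fde_evidenced` is true: "we think BitLocker was on" maps to a plain sanitize command or to destruction, never to CE.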

Verification and documentation are part of the method

NIST 800-88 is explicit that sanitization without verification is incomplete. For logical methods, that means confirming the operation succeeded — sampling sectors after an overwrite, confirming sanitize-command completion status, validating that a cryptographically erased drive returns ciphertext garbage. For destruction, verification means witnessing or video, and confirmation that particle output meets specification. And every sanitization event should produce a record capturing, at minimum: media type, make/model/serial, sanitization method and tool used, verification method, operator, and date. That record — multiplied across every device you retire — is the evidence base for Section 7.

The SSD trap, one more time

The single most common technical failure we see in DIY disposition programs: a multi-pass overwrite tool from the HDD era, pointed at SSDs, producing a confident report that means very little — followed by degaussing "just to be sure," which means nothing at all. If your sanitization SOP doesn't distinguish flash from magnetic media, it predates your fleet.

Bottom line

For CUI leaving your control: purge or destroy, never clear alone. Match the method to the physics of the media — especially for flash — verify every operation, and document every device by serial number.

Section 06

The forgotten media inventory

Laptops and servers get disposition plans. The findings come from everything else. Run this list against your environment before an assessor does — it is built from the places data actually hides in defense contractors' facilities.

  • Copier and MFP internal drives. Every networked copier built in the last two decades contains a hard drive or flash storage caching scans, prints, and faxes. If CUI has ever crossed the glass, that drive is a CUI asset. Leased units returning to the lessor are the classic exit path for unsanitized data — negotiate drive retention or certified sanitization into the lease, in writing.
  • Printers with spool storage. Higher-end printers cache jobs the same way. Check spec sheets for internal storage before any unit leaves.
  • Backup tapes and rotation drives in off-site storage. The set you sent to the records vendor in 2019 still exists. Retention schedules end; when they do, the tapes need a documented destruction path, not indefinite drift.
  • Network gear configurations. Switches, routers, firewalls, and wireless controllers hold credentials, keys, SNMP strings, and topology. Factory-reset and verify before resale or recycling.
  • VoIP phones and conference systems. Many cache directories, call logs, and credentials for the systems behind them.
  • Embedded storage in test, lab, and manufacturing equipment. Oscilloscopes, CMMs, CNC controllers, data-acquisition systems — anything that captured measurements or programs related to a defense article may hold CUI or export-controlled data on internal media that nobody has ever enumerated.
  • Medical-grade or specialized imaging devices in facilities that have them — internal drives, always.
  • Badge, access-control, and camera systems. DVR/NVR units and access controllers store footage and personnel data relevant to your Physical Protection evidence; decommission them deliberately.
  • Spares, RMA returns, and the drawer of loose drives. Every IT department has the drawer. Pulled drives from upgrades, half-dead disks "kept for parts," the predecessor admin's archive. Inventory it, sanitize it, close it out.
  • Employee-departure devices. Laptops from separations sitting in "hold" status for months — often with litigation-hold ambiguity — need a tracked state in your inventory, locked storage (3.8.1), and an eventual documented disposition.
  • Optical media and USB sticks in project archives. Sweep physical project files, especially for long-running programs that predate your current controls.
  • Cloud-adjacent on-prem caches. Hybrid backup appliances, storage gateways, and sync appliances hold local copies of whatever the cloud holds. They're media too.

The pattern behind the list: storage follows function, not form factor. Anything that scans, prints, measures, records, routes, or caches probably persists data somewhere, and procurement never told the security team about it. The fix is structural — add a "data-bearing components" determination to your asset-intake process so every device enters the inventory with its storage already enumerated, and end-of-life surprises stop being surprises.

Bottom line

Build your media inventory from device function, not device category. The copier, the test bench, and the drawer of loose drives are all in scope — and assessors know to ask about all three.

Section 07

What your C3PAO actually wants to see

CMMC assessments run on objective evidence: examine artifacts, interview people, test processes. For the disposition controls, "we have a vendor who handles that" is an interview answer with no artifact behind it. Here is the evidence package, document by document, that turns 3.8.3 from a conversation into a MET.

1. Policy and procedure — the paper spine

A media protection policy stating that media containing CUI is sanitized or destroyed before disposal or reuse, referencing NIST SP 800-88, and assigning ownership; plus an operational SOP that a technician could actually follow — how devices are flagged for retirement, where they're staged, who authorizes destruction, which methods apply to which media types, and how records are filed. Assessors read the SOP, then interview the person who executes it, then check that the artifacts match. Drift between the three is itself a finding.

2. Asset inventory with disposition states

The inventory from Section 4: every data-bearing asset traceable to a current state, with retired assets reconciled to sanitization or destruction records by serial number. Expect sampling. If the assessor picks ten retired serials, you want ten matching certificate lines, not eight and an apology.

3. Serialized certificates of destruction or sanitization

The core artifact. A defensible certificate includes: unique certificate number and date; itemized list of media with make, model, and serial number for every unit; media type; sanitization or destruction method (mapped to 800-88 — e.g., "NVMe sanitize, block erase, verified" or "shredded, ≤ particle specification"); verification method; equipment or software used; name and signature of the performing technician; and the performing company's identity and certifications. Aggregate certificates ("1 lot of assorted drives, destroyed") are common in the recycling industry and nearly worthless as CMMC evidence — no serial numbers, no reconciliation; no reconciliation, no proof.
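Two lists in this guide define what a usable record looks like: the per-event minimum from Section 5 (media type, make/model/serial, method and tool, verification, operator, date) and the certificate-level fields above (certificate number, itemized units, performing company and its certifications). The following added example, not part of this guide and not any vendor's certificate format, checks a certificate against both lists and rejects the aggregate "1 lot of assorted drives" pattern that cannot be reconciled to an inventory. The dictionary keys are this example's own, and the two sample certificates are constructed.

```python
"""Validate a sanitization/destruction certificate against the minimum content
this guide asks for (Section 5 record fields plus Section 7 certificate-level
fields) and flag aggregate 'lot' certificates that cannot be reconciled.
Added example; keys are this example's own and the samples are constructed."""

import re
from datetime import date
from typing import Dict, List, Set

CERT_FIELDS = ("certificate_number", "date", "performer", "performer_certifications", "items")
ITEM_FIELDS = ("media_type", "make", "model", "serial", "method",
               "nist_800_88_category", "tool", "verification", "operator")
CATEGORIES = {"clear", "purge", "destroy"}
AGGREGATE = re.compile(r"\b(lot|lots|assorted|misc|various|bulk)\b", re.I)


def validate_certificate(cert: Dict) -> List[str]:
    """Return a list of findings; an empty list means the certificate is usable as evidence."""
    findings: List[str] = []
    for f in CERT_FIELDS:
        if not cert.get(f):
            findings.append(f"certificate: missing {f}")
    if cert.get("date"):
        try:
            date.fromisoformat(str(cert["date"]))
        except ValueError:
            findings.append("certificate: date is not an ISO date")
    items = cert.get("items") or []
    if not items:
        findings.append("certificate: no itemized units; an aggregate certificate cannot be reconciled")
    seen: Set[str] = set()
    for n, item in enumerate(items, 1):
        for f in ITEM_FIELDS:
            if not item.get(f):
                findings.append(f"item {n}: missing {f}")
        serial = str(item.get("serial", "")).strip()
        if AGGREGATE.search(serial) or AGGREGATE.search(str(item.get("model", ""))):
            findings.append(f"item {n}: '{serial}' describes a lot, not a unit")
        elif serial and serial.upper() in seen:
            findings.append(f"item {n}: duplicate serial {serial}")
        seen.add(serial.upper())
        cat = str(item.get("nist_800_88_category", "")).lower()
        if cat and cat not in CATEGORIES:
            findings.append(f"item {n}: category {cat!r} is not Clear/Purge/Destroy")
    return findings


def certified_serials(cert: Dict) -> Set[str]:
    """Serials a clean certificate attests to; feed these into inventory reconciliation."""
    if validate_certificate(cert):
        return set()
    return {str(i["serial"]).strip().upper() for i in cert["items"]}


# Constructed sample: a serialized, method-specific certificate.
GOOD_CERT = {
    "certificate_number": "COD-2026-0417",
    "date": "2026-04-17",
    "performer": "Example Destruction Co. (constructed)",
    "performer_certifications": ["NAID AAA", "R2v3"],
    "items": [
        {"media_type": "NVMe SSD", "make": "ExampleMake", "model": "M2-1TB", "serial": "SN-0003",
         "method": "NVMe sanitize, block erase", "nist_800_88_category": "purge",
         "tool": "vendor sanitize utility (constructed)",
         "verification": "completion status checked, sector sample read", "operator": "J. Tech"},
        {"media_type": "2.5in SSD", "make": "ExampleMake", "model": "S-512", "serial": "SN-0004",
         "method": "shredded to flash-rated particle size", "nist_800_88_category": "destroy",
         "tool": "flash-rated shredder (constructed)",
         "verification": "witnessed; particle output checked", "operator": "J. Tech"},
    ],
}

# Constructed sample: the recycler's letter from the field pattern, as a record.
AGGREGATE_CERT = {
    "certificate_number": "R-1182",
    "date": "2026-03-02",
    "performer": "Local recycler (constructed)",
    "performer_certifications": [],
    "items": [{"media_type": "drives", "model": "1 lot of assorted drives", "method": "destroyed"}],
}

if __name__ == "__main__":
    print("good:", validate_certificate(GOOD_CERT) or "no findings", certified_serials(GOOD_CERT))
    for finding in validate_certificate(AGGREGATE_CERT):
        print("aggregate:", finding)
```

`certified_serials` deliberately returns nothing for a certificate with findings: a record that fails these checks should not feed the inventory reconciliation, because the only thing it would reconcile is the appearance of completeness.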

4. Chain-of-custody records (3.8.5's artifact)

For media that leaves your facility before destruction: itemized transfer manifests signed at each handoff, sealed/locked container documentation with seal numbers, transport tracking, and receipt confirmation at the destruction facility with intake reconciliation against the outbound manifest. The gold standard alternative is on-site destruction — the mobile shred truck in your parking lot — which collapses the custody chain to a single witnessed event and lets your own staff serve as the verifier.

5. Vendor due-diligence file

If a third party performs destruction, your assessment includes the question "how do you know they do it properly?" The file that answers it: current certification status (NAID AAA with the relevant media endorsements, R2v3), certificates of insurance, the service agreement with data-protection and breach-notification terms, downstream-handling commitments, and your periodic review records. An ITAD vendor doesn't hold its own CMMC certificate — your controlled relationship with the vendor, plus the vendor's independent certifications, is the control.

6. Training and witness records

Evidence that staff who handle retired media were trained on the SOP, and — for higher-assurance setups — witness logs or video records of destruction events. Witnessed destruction converts a vendor's claim into your organization's first-hand observation.

A note from the restoration trenches

We have rebuilt clients' certificates of destruction from damaged photographs because the originals were lost and an audit was looming. Treat destruction certificates like the compliance instruments they are: digitized on receipt, indexed by serial number, backed up, and retained for at least the life of your certification cycle plus contract-mandated retention. A certificate you can't produce is a destruction that didn't happen, as far as an assessor is concerned.

Bottom line

Six artifacts make the case: policy, SOP, stateful inventory, serialized certificates, chain-of-custody manifests, and a vendor due-diligence file. Serial-number reconciliation is the thread that ties them together — and the first thing a C3PAO pulls.

Section 08

Subcontractors: flowdown finds you

If you are a 20-person machine shop, a specialty coatings house, or a niche engineering firm that has never held a prime contract, CMMC still arrives at your door — through your prime. Requirements flow down to every tier that handles FCI or CUI, and primes must verify subcontractor status before CUI moves downstream.

The mechanics: when a prime's contract carries a CMMC requirement, the prime flows the appropriate level down to subcontractors based on what information they will receive. Receive only FCI, and Level 1 self-assessment obligations follow. Receive CUI — a drawing, a spec, a technical data package — and Level 2 follows, with the C3PAO certification requirement arriving for most as Phase 2 contracts roll through. Primes are already sending questionnaires and contract amendments ahead of the November 2026 line, because their own award eligibility depends on a compliant supply chain. Many small subs will feel CMMC through a prime's procurement portal months before they ever see it in a government solicitation.

For small organizations, the disposition controls are a paradox: operationally, they are among the easiest of the 110 to satisfy; practically, they are among the least likely to exist. A small shop rarely has a media destruction process at all — old computers go to the e-waste day at the township, get handed down to the front office, or sit in the attic above the shop floor. None of those paths survives contact with 3.8.3. The good news is that this gap, unlike an MFA rollout or a SIEM deployment, can be closed in weeks: inventory data-bearing assets including the machines driving your CNC and inspection equipment, designate locked staging for anything retired, engage a certified destruction provider for serialized service, and write the one-page SOP that ties it together. For a small environment, the entire media protection story can be built and evidenced inside a quarter — see the 90-day plan.

One more flowdown subtlety: your evidence becomes your prime's risk surface. Primes burned by supply-chain findings increasingly ask subs not just "are you compliant?" but "show us your destruction certificates." A clean, serialized evidence file is becoming a competitive answer to a procurement question, not just an assessment artifact.

Bottom line

CMMC reaches subcontractors through prime flowdown, often ahead of the regulatory dates. For small subs, the disposition controls are the fastest 110-point ground to secure — weeks, not months — and primes are already asking for the evidence.

Section 09

Where contractors stumble: four patterns from the field

Composite scenarios — details changed, patterns real. Each one is a failure mode we see repeatedly in environments preparing for, or recovering from, an assessment.

Pattern 01

The storeroom of Schrödinger's drives

A 300-person electronics manufacturer passes its mock assessment handily on network controls. During the facility walk-through, the assessor opens a storage room: four pallets of decommissioned towers and a bin of pulled drives, accumulating since a 2023 refresh. No inventory, no lock distinct from general facilities access, no disposition timeline. The drives almost certainly hold CUI from the programs the machines supported.

Lesson: 3.8.1 and 3.8.3 fail together. "Awaiting disposal" is a controlled state with an owner and a deadline, or it's a finding.

Pattern 02

The certificate that certified nothing

A defense sub proudly produces its evidence for 3.8.3: a one-page letter from a local recycler stating "all material received has been recycled in an environmentally responsible manner." No serial numbers, no method, no mention of data, no certifications held by the recycler. The sub's inventory shows 63 retired laptops; the letter could refer to any of them, or none.

Lesson: an environmental recycling receipt is not a data destruction certificate. Serialized, method-specific, verifiable — or it doesn't count.

Pattern 03

The degaussed SSDs

An IT team with a strong HDD-era process runs every retired drive through their wipe-then-degauss pipeline and files tidy internal logs. Two-thirds of the recent fleet is NVMe. The overwrite tool reports success it can't guarantee on flash, and the degausser contributes nothing but noise. The logs are immaculate documentation of an ineffective method.

Lesson: process maturity is not method validity. Sanitization SOPs need a media-type decision tree, reviewed as the fleet evolves.

Pattern 04

The copier went home

A program office returns three leased MFPs at end of term. Months later, during CMMC preparation, someone asks what happened to the internal drives. The lessor's refurbishment chain is opaque; the lease is silent on data; the units scanned program documents for four years. There is no incident to report — and no way to prove there isn't.

Lesson: leased equipment needs a data clause at signing and a drive-handling step at return. After the truck leaves, your options are gone.

The common thread: none of these organizations was negligent in spirit. Each had a process that made sense at some point, for some fleet, under some assumptions — and nobody owned the question of whether those assumptions still held. Disposition fails quietly, in storage rooms and lease returns, which is precisely why assessors go looking there.

Bottom line

The four killers: uncontrolled staging, non-serialized certificates, media-method mismatch, and third-party equipment leaving with data aboard. Every one is preventable with ownership and a current SOP.

Section 10

In-house destruction vs. certified vendor: the honest comparison

Can you satisfy 3.8.3 entirely in-house? Yes — the standard permits it. Should you? For most contractors, the arithmetic says no, and the reason isn't the destruction. It's the evidence.

The visible costs of in-house destruction are manageable enough to be tempting: sanitization software, perhaps a drive crusher or a small shredder, staff hours. The costs that decide the question are quieter:

  • Verification competence: someone must validate sanitize-command completion, maintain the media-type decision tree, and keep pace with drive technology — an ongoing engineering responsibility, not a one-time purchase.
  • Evidence production: serialized records, signatures, retention, reconciliation — clerical work that erodes first when IT gets busy, and the artifact trail is the control.
  • Physical destruction limits: a bench-top crusher handles drives; it does not handle the copier fleet, the tape library, or 400 assets from an office consolidation.
  • Liability concentration: done in-house, every gap is solely yours; a certified vendor brings its own audited process, insurance, and downstream accountability into your risk picture.
  • Value recovery: real money left on the table. Certified sanitization with audit trails enables compliant remarketing of newer equipment — resale value that offsets program cost, which a DIY destroy-everything approach forfeits along with the documentation burden it was trying to avoid.

The honest hybrid that many mid-size contractors land on: cryptographic erase or sanitize commands in-house at decommission time (an immediate risk reduction the moment a device exits service), followed by certified third-party destruction or audited remarketing as the documented terminal step. You get defense in depth, and the vendor's serialized certificate becomes the assessment artifact.

Bottom line

In-house destruction is permitted but concentrates verification burden, evidence production, and liability on your team. For most contractors, certified destruction — possibly layered over in-house sanitize-at-decommission — is cheaper once evidence quality is priced in.

Section 11

Choosing an ITAD partner: the criteria that matter for CMMC

Every recycler will tell you your data is safe. The questions below separate marketing from evidence — ask them in writing, and keep the answers in your vendor due-diligence file.

Non-negotiables

  • NAID AAA certification for data destruction, with endorsements covering your media types (hard drives, SSDs/non-paper media, on-site and/or plant-based as applicable). NAID AAA involves scheduled and unannounced audits of destruction processes, employee screening, and access controls — it is the destruction-industry credential assessors recognize on sight.
  • R2v3 certification (or e-Stewards) for the electronics recycling and resale side — governing downstream accountability, data security in the refurbishment chain, and environmental handling. R2v3's data sanitization appendix aligns with NIST 800-88.
  • Serialized reporting as standard practice — per-device capture of make, model, and serial, with certificates that reconcile against your manifest. Ask to see a sample certificate before you sign anything; you will learn more from that one document than from the sales deck.
  • Documented chain of custody — sealed containers, transfer manifests, tracked transport, intake reconciliation — that maps directly onto your 3.8.5 evidence.

Strong differentiators

  • On-site destruction capability. Mobile shredding at your facility collapses the custody chain and lets your staff witness and sign. For high-sensitivity programs, this is the cleanest possible 3.8.3 story.
  • Witness and video options for off-site destruction.
  • U.S.-only processing and personnel controls. If your environment includes export-controlled technical data (ITAR), foreign-person access to data-bearing equipment is itself a deemed-export problem. Ask where processing occurs, who performs it, and what the downstream chain looks like — and get it in the agreement.
  • Method transparency by media type — a vendor who can articulate their flash-vs-magnetic decision tree unprompted is a vendor who has read 800-88; one who answers "we shred everything, it's fine" may be right about the shredding and wrong about the particle spec.
  • Insurance and contract terms: professional liability covering data events, breach notification obligations, and audit rights.
  • Value recovery with compliance intact — audited remarketing programs that return resale value on newer assets without compromising the evidence chain. (If your organization directs recovered value to charitable purposes, structured remarketing can even feed a giving program — retired IT as found money.)
  • Nationwide service under one evidence format. Multi-site contractors using a different local recycler at each facility end up with five certificate formats, five due-diligence files, and five times the reconciliation work. One provider, one format, one file.

Red flags

  • Free or "we pay you, no paperwork" pickup with vague data handling — the business model is resale, and your drives are the inventory.
  • Certificates without serial numbers, or issued before destruction actually occurs.
  • No certifications, or "certified" claims that turn out to mean a self-issued document.
  • Refusal to disclose downstream vendors or processing locations.
  • Brokered destruction — your vendor subcontracts the actual work to parties you've never vetted.

Bottom line

Demand NAID AAA + R2v3, serialized certificates, documented custody, and straight answers on processing location and methods. The sample certificate is the single most revealing artifact in vendor selection.

Section 12

The 90-day readiness plan

If your C3PAO assessment — or your prime's questionnaire — is on the horizon, here is the disposition workstream, sequenced. It deliberately front-loads risk elimination: the fastest way to make the problem smaller is to make the backlog disappear.

Days 1–15: See the whole problem

  • Sweep every facility for retired and orphaned data-bearing assets — including the forgotten media list. Photograph, count, and serialize what you find.
  • Reconcile findings against your asset inventory; flag every device with no documented disposition.
  • Move everything staged for disposal into locked, access-limited storage with a sign-out log (instant 3.8.1/3.8.2 improvement).
  • Pull your current SSP language for 3.8.1–3.8.6, 3.7.3, and 3.8.9. Mark every statement you cannot currently evidence.

Days 16–45: Clear the backlog, close the paper gap

  • Engage a certified destruction provider for a backlog purge — serialized, with chain-of-custody documentation, witnessed or on-site if feasible.
  • Reconcile the resulting certificates against your inventory, line by line, and file the evidence package.
  • Draft or rewrite the media sanitization SOP with a media-type decision tree (flash vs. magnetic vs. tape vs. embedded), named owner, and staging/authorization workflow.
  • Open the vendor due-diligence file: certifications, insurance, agreement terms, downstream disclosures.

Days 46–75: Make it an operating rhythm

  • Add disposition states to the asset inventory (live / staged / sanitized / destroyed / remarketed) and integrate with your refresh workflow so devices can't exit without a state change.
  • Add data clauses and drive-handling steps to copier/printer leases and maintenance agreements; brief whoever manages RMAs on 3.7.3.
  • Train IT and facilities staff on the SOP; record the training.
  • Update SSP implementation statements to describe the real process, with pointers to the evidence locations.

Days 76–90: Prove it to yourself first

  • Run an internal sampling exercise: pick ten retired serials at random and trace each to its certificate. Fix whatever breaks.
  • Walk the facility as an assessor would. Open the storage rooms. Ask the awkward questions.
  • Schedule the standing destruction cadence (quarterly is typical for mid-size environments) so the backlog never re-forms between now and your next annual affirmation.
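
The three inventory-side steps of this plan (flagging devices with no documented disposition in days 1–15, adding enforced disposition states in days 46–75, and the ten-serial sampling exercise in days 76–90) are the same reconciliation problem seen from three angles. The script below is an added example, not code from this guide or from CyberCrunch: it keeps a small constructed inventory and a constructed set of certificates, enforces the disposition state transitions, reports every gap an assessor sampling serials would find, and runs the random trace exercise. The state names, the 90-day staging deadline, the record fields and all sample serials and certificate ids are assumptions made for the demonstration; real inventories and vendor certificates will carry different layouts.

```python
"""Inventory-to-certificate reconciliation for retired data-bearing assets.

Added example, not part of the original guide or any vendor tooling. The
record layouts, state names, deadline and sample data are constructed.
"""
import random
from datetime import date

# Disposition states and the transitions the workflow allows. A device can
# reach a terminal state (destroyed / remarketed) only through staging, and
# terminal states require a certificate reference so nothing exits unevidenced.
TRANSITIONS = {
    "live": {"staged"},
    "staged": {"sanitized", "destroyed"},
    "sanitized": {"destroyed", "remarketed"},
    "destroyed": set(),
    "remarketed": set(),
}
TERMINAL = {"destroyed", "remarketed"}
STAGING_DEADLINE_DAYS = 90  # assumed local policy value, not a CMMC number


def change_state(asset, new_state, on, cert_id=None):
    """Apply a disposition state change, refusing transitions the SOP forbids."""
    current = asset["state"]
    if new_state not in TRANSITIONS[current]:
        raise ValueError(f"{asset['serial']}: {current} -> {new_state} not allowed")
    if new_state in TERMINAL and not cert_id:
        raise ValueError(f"{asset['serial']}: {new_state} requires a certificate id")
    asset["state"] = new_state
    asset["state_changed_on"] = on
    if cert_id:
        asset["cert_id"] = cert_id
    return asset


def reconcile(inventory, certificates, today):
    """Cross-check inventory against certificates; return (id, reason) findings.

    An empty list means every retired device traces to a serialized
    certificate, every certificate traces to a device, and no device has
    sat in staging past the deadline.
    """
    findings = []
    certs_by_serial = {}
    for cert in certificates:
        if not cert["serial"].strip():
            findings.append((cert["cert_id"], "certificate has no serial number"))
            continue
        certs_by_serial.setdefault(cert["serial"], []).append(cert)

    inv_by_serial = {a["serial"]: a for a in inventory}
    for asset in inventory:
        serial, state = asset["serial"], asset["state"]
        if state in TERMINAL and serial not in certs_by_serial:
            findings.append((serial, f"marked {state} but no certificate on file"))
        if state == "staged":
            age = (today - asset["state_changed_on"]).days
            if age > STAGING_DEADLINE_DAYS:
                findings.append((serial, f"staged {age} days, past deadline"))
        for cert in certs_by_serial.get(serial, []):
            # A certificate dated before the device left service cannot
            # document that device's destruction.
            if asset["retired_on"] and cert["destroyed_on"] < asset["retired_on"]:
                findings.append((serial, "certificate predates retirement"))
    for serial in certs_by_serial:
        if serial not in inv_by_serial:
            findings.append((serial, "certificate serial not in inventory"))
    return findings


def sample_trace(inventory, certificates, n, seed=0):
    """Pick n retired serials at random; report which trace to a certificate."""
    retired = [a["serial"] for a in inventory if a["state"] != "live"]
    certified = {c["serial"] for c in certificates}
    picks = random.Random(seed).sample(retired, min(n, len(retired)))
    return {s: s in certified for s in picks}


# Constructed sample data: five assets and four certificates with typical gaps.
TODAY = date(2026, 6, 11)
INVENTORY = [
    {"serial": "SN-1001", "state": "destroyed", "retired_on": date(2026, 1, 10),
     "state_changed_on": date(2026, 2, 3), "cert_id": "COD-77"},
    {"serial": "SN-1002", "state": "destroyed", "retired_on": date(2026, 1, 10),
     "state_changed_on": date(2026, 2, 3)},                      # no certificate
    {"serial": "SN-1003", "state": "staged", "retired_on": date(2025, 12, 1),
     "state_changed_on": date(2025, 12, 1)},                     # staged too long
    {"serial": "SN-1004", "state": "live", "retired_on": None,
     "state_changed_on": None},
    {"serial": "SN-1005", "state": "remarketed", "retired_on": date(2026, 3, 1),
     "state_changed_on": date(2026, 3, 20), "cert_id": "COD-80"},
]
CERTIFICATES = [
    {"cert_id": "COD-77", "serial": "SN-1001", "method": "shred", "destroyed_on": date(2026, 2, 3)},
    {"cert_id": "COD-78", "serial": "", "method": "shred", "destroyed_on": date(2026, 2, 3)},
    {"cert_id": "COD-79", "serial": "SN-9999", "method": "shred", "destroyed_on": date(2026, 2, 3)},
    {"cert_id": "COD-80", "serial": "SN-1005", "method": "crypto-erase", "destroyed_on": date(2026, 2, 15)},
]

if __name__ == "__main__":
    for ident, reason in reconcile(INVENTORY, CERTIFICATES, TODAY):
        print(f"FINDING {ident}: {reason}")
    print("sample trace:", sample_trace(INVENTORY, CERTIFICATES, 10))
```

Run against the constructed data, the reconciliation reports five findings: a certificate with no serial, a destroyed device with no certificate, a device staged past the deadline, a certificate dated before its device was retired, and a certificate for a serial the inventory has never seen. Each of those is one of the failure patterns from Section 09 expressed as a data check, which is why running this against the real inventory and the vendor's certificate export before the assessor does is worth the afternoon.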

Bottom line

Ninety days is enough: sweep and secure (15), purge the backlog with serialized evidence (30), operationalize (30), self-audit (15). The controls reward exactly this kind of unglamorous, documented discipline.

Section 13

Frequently asked questions

Does CMMC require certificates of destruction?

Not by that name — CMMC requires that media containing CUI be sanitized or destroyed before disposal or reuse (MP.L2-3.8.3), and assessments require objective evidence of implementation. Serialized certificates of destruction or sanitization are the standard form of that evidence: per-device serial numbers, the NIST SP 800-88 method used, verification, operator, and date. A certificate without serial numbers cannot be reconciled to your inventory and carries little evidentiary weight.

Which CMMC controls cover IT asset disposal?

The anchor is MP.L2-3.8.3 (sanitize or destroy before disposal/reuse). The supporting cast: 3.8.1 and 3.8.2 (secure storage and limited access for staged media), 3.8.4 (marking), 3.8.5 (chain of custody in transport), 3.8.6 (cryptographic protection in transport), MA.L2-3.7.3 (sanitize equipment leaving for off-site maintenance), 3.8.9 (backup media), and the 3.10 physical protection family. CMMC Level 1 includes the FCI version of media sanitization via FAR 52.204-21.

Can media sanitization go on a POA&M?

No. MP.L2-3.8.3 carries a five-point weight in the DoD Assessment Methodology, and the CMMC final rule limits assessment POA&Ms to one-point requirements (with narrow exceptions). 3.8.3 must be fully implemented and evidenced on assessment day — there is no conditional path through this control.

Is degaussing enough for SSDs?

No. Degaussing eliminates magnetic fields; flash memory stores data electrically and is unaffected. For SSDs and NVMe drives, NIST 800-88 purge options are firmware sanitize/block-erase commands with verification, or cryptographic erase where encryption was enforced — otherwise, physical destruction with particle sizes appropriate for flash chips. Software overwriting alone is also unreliable on SSDs due to wear leveling and overprovisioning.

Does CMMC Level 1 include media sanitization?

Yes. Level 1 incorporates FAR 52.204-21's basic safeguarding requirements, which include sanitizing or destroying media containing Federal Contract Information before disposal or release for reuse. Level 1 contractors self-assess annually and affirm in SPRS — and the affirming official is personally attesting that this happens.

Are retired computers in my CMMC assessment scope?

If a device ever processed, stored, or transmitted CUI, its media remains a CUI asset until sanitized or destroyed with documentation. Powered-off equipment in storage is in scope; assessors routinely sample retired serial numbers from the asset inventory and ask for the corresponding destruction evidence.

Does my ITAD vendor need its own CMMC certification?

No — ITAD vendors aren't certified under CMMC. But if a vendor takes custody of CUI-bearing media, that service is inside your assessment story, and you must evidence a controlled relationship: due diligence on the vendor's certifications (NAID AAA, R2v3), contractual data-protection terms, chain-of-custody procedures, and serialized destruction evidence. The vendor's independent certifications plus your oversight are what the assessor evaluates.

How long does Level 2 certification last, and what does that mean for disposition?

Three years, with annual affirmations of continuing compliance. Practically: every refresh cycle, equipment failure, and office change in those three years must produce the same evidence quality as the assessment-day baseline, because your affirming official re-attests annually. Disposition is an operating rhythm, not a pre-assessment cleanup.

What about ITAR and export-controlled data on retired equipment?

If your CUI includes export-controlled technical data, foreign-person access to that data — including by recycling-chain workers — can constitute a deemed export. Your disposition channel should provide U.S.-based processing, personnel controls, and downstream transparency. Ask your vendor directly where equipment is processed and by whom, and put the answer in the agreement.

Section 14

Where CyberCrunch fits

Everything above is standard-driven: NIST SP 800-88 methods, serialized evidence, documented custody, certified processes. We wrote it that way deliberately, because the requirements don't care who your vendor is — only whether the evidence holds. That said, the criteria in Section 11 describe what we built CyberCrunch to be.

CyberCrunch · Nationwide ITAD & Certified Data Destruction

Make 3.8.3 the easiest control in your assessment.

CyberCrunch provides NIST 800-88-aligned data destruction and IT asset disposition for defense contractors and their supply chains in all 50 states — on-site and plant-based shredding, serialized certificates of destruction reconciled to your manifest, documented chain of custody, witnessed destruction options, and U.S.-based processing. Headquartered in Greensburg, PA, with nationwide service coverage under a single evidence format.

NAID AAA · R2v3 · RIOS · PA DEP · All 50 states

Preparing for a Phase 2 assessment or answering a prime's flowdown questionnaire? We'll review your current disposition evidence against the controls in this guide — inventory reconciliation, certificate quality, custody documentation — and show you exactly what an assessor will see.

This guide is provided for general informational purposes and reflects the CMMC program as of June 2026. It is not legal advice, and it does not substitute for the official program documents: 32 CFR Part 170, the CMMC assessment and scoping guides, NIST SP 800-171, and NIST SP 800-88 Rev. 1. Confirm requirements against your specific contracts and solicitations.