THE WORKBENCH · SELF-ASSESSMENT

The Readiness Scorer

Ten yes/no questions about how your organization retires data-bearing equipment. Answer honestly — the score is for you, and nothing here is recorded or sent anywhere.

1. A written media sanitization SOP exists and references NIST 800-88.
2. Staged and retired equipment is kept in locked, access-limited storage.
3. Your asset inventory tracks disposition states (live, staged, sanitized, destroyed).
4. Certificates of destruction list each device by serial with method and verification.
5. Ten random retired serials would each reconcile to a certificate line today.
6. Removable media (USB drives, external disks) is inventoried and controlled.
7. Copiers, printers, network gear, and tapes are included in your disposal program.
8. A current due-diligence file exists for your destruction vendor (certs, insurance, downstream).
9. Equipment leaving for repair, RMA, or lease return is sanitized of sensitive data first.
10. Destruction runs on a standing cadence, so no backlog of retired devices accumulates.

What this scorer measures

These ten questions track the media protection and maintenance requirements that CMMC Level 2 assessors evidence-sample most heavily — including the five-point controls 3.8.3 (sanitize media before disposal or reuse) and 3.8.7 (control removable media), which cannot be deferred to a POA&M and must be fully MET on assessment day. The same posture serves HIPAA, GLBA, and general audit readiness: the questions describe a defensible disposition program in any regulated environment.

A high score means your program produces the evidence an assessor samples: a written SOP, controlled storage, disposition states in inventory, serialized certificates that reconcile, controlled removable media, full media coverage, vendor due diligence, pre-maintenance sanitization, and a standing cadence. A low score tells you exactly which artifact to build first — and the Vault has a template for most of them.
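
The spot check in question 5, written as a short Python script. This is an added example, not code from the original page or from the vendor. It draws a random sample of retired serials from an inventory export and reconciles each one to a certificate line that carries a method and a verification, as questions 3 to 5 describe. The CSV column names, state values, and sample records are assumptions constructed for the example.

```python
import csv
import io
import random

# Constructed sample records. Column names and values are assumptions made
# for this example, not a format defined by the page.
INVENTORY_CSV = """serial,state
SN-1001,live
SN-1002,destroyed
SN-1003,sanitized
SN-1004,destroyed
SN-1005,staged
SN-1006,destroyed
"""
CERT_CSV = """certificate,serial,method,verification
COD-01,sn-1002,shred,visual
COD-01,SN-1003,purge,
COD-02,SN-1005,shred,visual
COD-02,SN-1006,shred,visual
COD-02,SN-9999,shred,visual
"""
RETIRED = {"sanitized", "destroyed"}

def _rows(text):
    # Normalize serials so case or stray spaces do not cause false mismatches.
    for row in csv.DictReader(io.StringIO(text)):
        row["serial"] = row["serial"].strip().upper()
        yield row

def _complete(line):
    # A usable certificate line names both the method and the verification.
    return all((line.get(k) or "").strip() for k in ("method", "verification"))

def reconcile(inventory_csv, cert_csv, sample_size=10, seed=None):
    """Return (sample, findings, orphans) for a random sample of retired serials."""
    states = {r["serial"]: r["state"].strip().lower() for r in _rows(inventory_csv)}
    certs = {}
    for row in _rows(cert_csv):
        certs.setdefault(row["serial"], []).append(row)
    retired = sorted(s for s, st in states.items() if st in RETIRED)
    sample = random.Random(seed).sample(retired, min(sample_size, len(retired)))
    findings = {}
    for serial in sample:
        lines = certs.get(serial, [])
        if not lines:
            findings[serial] = "no certificate line"
        elif not any(_complete(line) for line in lines):
            findings[serial] = "line lacks method or verification"
    # Certificate serials that inventory does not show as retired.
    orphans = {s: states.get(s, "not in inventory") for s in certs
               if states.get(s) not in RETIRED}
    return sample, findings, orphans
```

An empty findings dictionary means every sampled serial reconciled. The orphans dictionary lists certificate lines for devices the inventory still shows as live, staged, or does not know about.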

CYBERCRUNCH · NAID AAA · R2v3 · RIOS · PA DEP

Whatever your score, here's the working tool.

The one-page ITAD Control Checklist covers all nine controls, the evidence artifacts, and the five-minute self-audit — the companion to this scorer.