What this scorer measures
These ten questions track the media protection and maintenance requirements that CMMC Level 2 assessors evidence-sample most heavily — including the five-point controls 3.8.3 (sanitize media before disposal or reuse) and 3.8.7 (control removable media), which cannot be deferred to a POA&M and must be fully MET on assessment day. The same posture serves HIPAA, GLBA, and general audit readiness: the questions describe a defensible disposition program in any regulated environment.
A high score means your program produces the evidence an assessor samples: a written SOP, controlled storage, disposition states in inventory, serialized certificates that reconcile, controlled removable media, full media coverage, vendor due diligence, pre-maintenance sanitization, and a standing cadence. A low score tells you exactly which artifact to build first — and the Vault has a template for most of them.