MA.L2-3.7.3: Equipment Sanitization

Sanitize equipment containing CUI before removal from your facility for maintenance or repairs to prevent data exposure.

Equipment leaves your building. A hard drive goes to the vendor for warranty work. A printer needs repair. If CUI is on that equipment and it’s not sanitized first, it walks out the door. This is straightforward: sanitize before it leaves, document it, track the equipment.

Family: Maintenance
Practice: MA.L2-3.7.3
Difficulty: Medium
Key evidence: Sanitization procedure, equipment logs, sanitization records

What the assessor is actually evaluating

The assessor wants to know: (1) You have a procedure that says CUI equipment gets sanitized before leaving. (2) You track equipment that leaves. (3) You can show sanitization was completed or verified. You don’t need a forensic-grade wipe on every item. You need a defensible process.

The key phrase: equipment “containing or potentially containing CUI.” If your servers hold customer data, they get sanitized. If a printer is on a network that handles CUI, it should be. If a workstation was used to process contracts, it should be. Equipment sanitization connects to broader system maintenance (MA.L2-3.7.1) and complements physical protection controls (PE.L2-3.10.1) and media protection requirements (MP.L2-3.8.1).

What a realistic SSP definition looks like

MA.L2-3.7.3 Equipment Sanitization

All equipment containing or potentially containing CUI that leaves [Company] premises for maintenance undergoes sanitization before departure. Sanitization methods are appropriate to equipment type:

  • Servers and storage: Full disk wipe using [tool/method] or vendor certification
  • Workstations: Hard drive wipe or drive removal
  • Network devices: Memory clear per manufacturer specs
  • Printers: Local storage cleared per procedure

Equipment departing for service is logged in [inventory system] with the sanitization method and date. The vendor repair authorization includes a requirement that the vendor not reinstall the system or access the drives.

How to present your evidence

Gather these items:
  • Sanitization procedure document (when to sanitize, what methods, approval)
  • Equipment departure log or work order system showing sanitized equipment
  • Sanitization records (tool output, date, technician initials, or vendor certificate)
  • Vendor communication confirming they won't reinstall OS or access drives
  • Examples of recent maintenance (last 6-12 months) showing the process in action

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "Do you sanitize equipment before sending it for repair?" A: "Yes. We have a procedure. Anything that could have CUI on it gets wiped before it leaves." [Pull up procedure]

Q: "Can you show me an example?" A: "[Date], we sent server [model] for warranty repair. We wiped the drives using [tool]. Here's the log." [Pull up equipment log and sanitization record]

Q: "What if a vendor says they need to test it as-is?" A: "We sanitize first. We confirm with the vendor that they won't reinstall the system."

Common failures

No procedure or ad-hoc process. Equipment gets sent out as-is. Someone should have sanitized it, but it's not a formal step. Assessors can't verify your process. Document it.

No tracking. You sanitize, but you don't keep records. A week later, you can't prove the hard drive was wiped before it left. Keep a log tied to work orders or maintenance tickets.

Sanitization too aggressive. You're wiping equipment that doesn't contain CUI. Classify what needs sanitization first. Not everything has to be wiped, only equipment that handled CUI.

You're good here. You have a clear procedure that identifies CUI equipment. Before any equipment leaves, it's logged and sanitized using appropriate methods. You keep records and can show recent examples. Assessors verify the process is followed and move on.

Practical tips

For hard drives, use a free tool like DBAN (Darik’s Boot and Nuke) or manufacturer-provided tools. Document the run.

For servers under warranty, contact the vendor and ask their sanitization expectation. Many will certify the drive was wiped. Get that in writing.

For network devices (routers, switches), clearing memory via reset is often sufficient. Check the manufacturer guide.

For printers, most have local storage. Check the manual. If it’s networked, reset it to defaults or work with the vendor.

Track equipment by serial number. Link the sanitization record to the work order or ticket.
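The SSP definition and the tips above describe one process: classify equipment, log each departure by serial number, and link a sanitization record (method, date, technician) to the work order before anything leaves. The following is an added example, not part of this guide or any CMMC reference material, showing that departure gate as a small Python check. The asset kinds, method labels, serial numbers, work-order ids and dates are all constructed for illustration; the per-type method table mirrors the SSP bullets above.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    serial: str        # equipment is tracked by serial number
    kind: str          # "server", "workstation", "network" or "printer"
    handles_cui: bool  # outcome of the classification step


@dataclass(frozen=True)
class SanitizationRecord:
    serial: str
    method: str
    performed_on: date
    technician: str    # initials, or "vendor" when a vendor certificate is on file
    work_order: str    # ticket this record is linked to


@dataclass(frozen=True)
class DepartureRequest:
    serial: str
    work_order: str
    vendor: str


# Accepted methods per equipment type, following the SSP bullets; labels are assumptions.
ACCEPTED_METHODS: Dict[str, set] = {
    "server": {"full-disk-wipe", "vendor-certification"},
    "workstation": {"drive-wipe", "drive-removal"},
    "network": {"memory-clear"},
    "printer": {"local-storage-clear"},
}


def check_departure(req: DepartureRequest,
                    inventory: Dict[str, Asset],
                    records: List[SanitizationRecord]) -> Tuple[bool, str]:
    """Return (approved, reason). A CUI asset may leave only with a sanitization
    record linked to this work order that uses a method accepted for its type.
    Assets classified as not handling CUI pass without a record."""
    asset = inventory.get(req.serial)
    if asset is None:
        return False, "serial not in inventory; classify it before it leaves"
    if not asset.handles_cui:
        return True, "classified as no CUI; sanitization not required"
    linked = [r for r in records
              if r.serial == req.serial and r.work_order == req.work_order]
    if not linked:
        return False, "CUI asset has no sanitization record linked to this work order"
    rec = linked[-1]
    if rec.method not in ACCEPTED_METHODS.get(asset.kind, set()):
        return False, f"method '{rec.method}' is not accepted for a {asset.kind}"
    return True, f"sanitized via {rec.method} on {rec.performed_on.isoformat()} by {rec.technician}"


# Constructed sample inventory, records and departure requests (not real data).
INVENTORY = {a.serial: a for a in [
    Asset("SRV-001", "server", handles_cui=True),
    Asset("WS-042", "workstation", handles_cui=True),
    Asset("SW-003", "network", handles_cui=True),
    Asset("PRN-007", "printer", handles_cui=False),
]}

RECORDS = [
    SanitizationRecord("SRV-001", "full-disk-wipe", date(2026, 2, 10), "JD", "WO-1001"),
    # wiped for an earlier ticket; not linked to the new departure request below
    SanitizationRecord("WS-042", "drive-wipe", date(2025, 11, 3), "JD", "WO-0950"),
]

REQUESTS = [
    DepartureRequest("SRV-001", "WO-1001", "vendor-warranty"),
    DepartureRequest("WS-042", "WO-1003", "repair-shop"),
    DepartureRequest("SW-003", "WO-1004", "repair-shop"),
    DepartureRequest("PRN-007", "WO-1005", "printer-service"),
]


def run_sample() -> Dict[str, Tuple[bool, str]]:
    """Evaluate every constructed departure request, keyed by work order."""
    return {req.work_order: check_departure(req, INVENTORY, RECORDS) for req in REQUESTS}


if __name__ == "__main__":
    for wo, (ok, reason) in run_sample().items():
        print(f"{wo}: {'APPROVE' if ok else 'HOLD'} - {reason}")
```

Two design points worth noting: the record must match the work order, not just the serial, so an old wipe from a previous ticket cannot be reused as evidence for a new departure (the WS-042 case), and the method is checked against the equipment type so the record shows a method appropriate to that equipment rather than just "something was done". The approve/hold reasons are what you would keep in the equipment log as the evidence trail.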

If you use an MSP/MSSP

If your MSP handles equipment maintenance, specify in the contract that they must sanitize or verify sanitization before sending equipment off-site. Get them to provide sanitization documentation or vendor certificates. Add this to your equipment maintenance log.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.
