Equipment leaves your building. A hard drive goes to the vendor for warranty work. A printer needs repair. If CUI is on that equipment and it’s not sanitized first, it walks out the door. This is straightforward: sanitize before it leaves, document it, track the equipment.
What the assessor is actually evaluating
The assessor wants to know: (1) You have a procedure that says CUI equipment gets sanitized before leaving. (2) You track equipment that leaves. (3) You can show sanitization was completed or verified. You don’t need a forensic-grade wipe on every item. You need a defensible process.
The key phrase is equipment “containing or potentially containing CUI.” If your servers store CUI, they get sanitized. If a printer with local storage sits on a network that handles CUI, it should be. If a workstation was used to process contracts, it should be. Equipment sanitization connects to broader system maintenance (MA.L2-3.7.1) and complements physical protection controls (PE.L2-3.10.1) and media protection requirements (MP.L2-3.8.1).
What a realistic SSP definition looks like
All equipment containing or potentially containing CUI that leaves [Company] premises for maintenance undergoes sanitization before departure. Sanitization methods are appropriate to equipment type:
- Servers and storage: Full disk wipe using [tool/method], or vendor-certified sanitization
- Workstations: Hard drive wipe or drive removal
- Network devices: Configuration and memory clear per manufacturer specs
- Printers: Local storage cleared per procedure
Equipment departing for service is logged in [inventory system] with asset ID, sanitization method, verification result, and date. Vendor repair authorization includes a requirement that the vendor not reinstall the operating system or access the drives.
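The "sanitization verified" part of that definition is where records usually fall down: the wipe ran, but nobody read anything back. The following is an added example, not code from the original post. After an overwrite wipe it samples blocks from the device (always including the first and last block, where partition tables and vendor metadata tend to survive a careless wipe), refuses to approve release if any sampled block is non-zero, and emits the entry the departure log needs. Constructed disk image files in a temp directory stand in for real drives; the asset IDs, ticket numbers, technician initials and method names are placeholders. It assumes a zero-overwrite; a crypto-erase would be checked differently (you would expect random data, not zeros).

```python
"""Sample-based wipe verification plus a sanitization record for the departure log.

Added example, not from the original post. Assumes the drive was overwritten
with zeros; verification reads back a sample of blocks and fails on any non-zero
byte. On a real device run as root against /dev/sdX (or an NVMe namespace).
"""
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # sampling block size; an assumption, not from the post


def sample_offsets(size, block=BLOCK, samples=64, seed=0):
    """Choose block offsets to read back: always block 0 and the last block,
    plus up to `samples` random interior blocks. Deterministic for a given seed
    so an assessor can reproduce the check from the record."""
    nblocks = max(1, (size + block - 1) // block)
    fixed = {0, (nblocks - 1) * block}
    interior = range(1, nblocks - 1)  # blocks strictly between first and last
    pick = min(samples, len(interior))
    chosen = {i * block for i in random.Random(seed).sample(interior, pick)} if pick else set()
    return sorted(fixed | chosen)


def verify_wipe(path, block=BLOCK, samples=64, seed=0):
    """Read sampled blocks from a wiped device or image.
    Returns (ok, nonzero_offsets, blocks_checked)."""
    nonzero = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)   # works for block devices too, unlike os.path.getsize
        size = fh.tell()
        offsets = sample_offsets(size, block, samples, seed)
        for off in offsets:
            fh.seek(off)
            if any(fh.read(block)):  # any byte != 0 means data survived
                nonzero.append(off)
    return (not nonzero, nonzero, len(offsets))


def sanitization_record(asset_id, ticket, method, technician, path, **kw):
    """Build the log entry: who, what, when, how it was verified, and whether the
    asset may leave. release_approved is False if any sampled block held data."""
    ok, bad, checked = verify_wipe(path, **kw)
    return {
        "asset_id": asset_id,
        "ticket": ticket,
        "method": method,
        "technician": technician,
        "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "blocks_checked": checked,
        "nonzero_offsets": bad,
        "release_approved": ok,
    }


def _make_image(path, size, wiped):
    """Constructed stand-in for a drive: all zeros, or zeros with a boot-sector
    marker in block 0 and leftover text near the end of the disk."""
    with open(path, "wb") as fh:
        if not wiped:
            fh.write(b"\x55\xaa" + b"\x00" * (BLOCK - 2))   # fake boot signature (constructed)
            fh.seek(size - 64)
            fh.write(b"CONTRACT WO-2024-117 CUI residue")   # constructed leftover data
        fh.truncate(size)  # pad with zeros (sparse)


def run_demo(size=64 * BLOCK):
    """One properly wiped image and one with residual data; returns both records."""
    d = tempfile.mkdtemp()
    clean, dirty = os.path.join(d, "wiped.img"), os.path.join(d, "dirty.img")
    _make_image(clean, size, wiped=True)
    _make_image(dirty, size, wiped=False)
    rec_ok = sanitization_record("SRV-0042", "WO-1187", "zero overwrite", "jd", clean)
    rec_bad = sanitization_record("WS-0199", "WO-1188", "zero overwrite", "jd", dirty)
    return rec_ok, rec_bad


if __name__ == "__main__":
    for rec in run_demo():
        print(json.dumps(rec, indent=2))
```

Sampling gives confidence, not proof; raise `samples` for larger drives, and keep the record's seed and block count so the check can be repeated. The record is what goes next to the work order; the `release_approved: false` case is the one the procedure has to stop at the door.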
How to present your evidence
- Sanitization procedure document (when to sanitize, what methods, approval)
- Equipment departure log or work order system showing sanitized equipment
- Sanitization records (tool output, date, technician initials, or vendor certificate)
- Vendor communication confirming they won't reinstall OS or access drives
- Examples of recent maintenance (last 6-12 months) showing the process in action
Common failures
No procedure or ad-hoc process. Equipment gets sent out as-is. Someone should have sanitized it, but it's not a formal step, so assessors can't verify your process. Document it.
No tracking. You sanitize, but you don't keep records. A week later, you can't prove the hard drive was wiped before it left. Keep a log tied to work orders or maintenance tickets.
Sanitization too aggressive. You're wiping equipment that never held CUI. Classify what needs sanitization first: only equipment that contains or potentially contains CUI has to be wiped.
You're good here. You have a clear procedure that identifies CUI equipment. Before any equipment leaves, it's logged and sanitized using appropriate methods. You keep records and can show recent examples. Assessors verify the process is followed and move on.
If you use an MSP/MSSP
If your MSP handles equipment maintenance, specify in the contract that they must sanitize or verify sanitization before sending equipment off-site. Get them to provide sanitization documentation or vendor certificates. Add this to your equipment maintenance log.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks
Q: “Can you show me an example?" A: “[Date], we sent server [model] for warranty repair. We wiped the drives using [tool]. Here’s the log.” [Pull up equipment log and sanitization record]
Q: “What if a vendor says they need to test it as-is?" A: “We sanitize first. We confirm with the vendor that they won’t reinstall the system. If the repair genuinely needs the original drive, we pull the drive and keep it on site.”
This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.