Most companies get this wrong. Sanitization sounds technical, but it’s actually straightforward. When a device containing CUI leaves your organization, you either wipe the drive or destroy it. You document it. You get a receipt. Done.
MP.L2-3.8.3 At a Glance
- Track which devices contain CUI before disposal or reuse
- Wipe hard drives using NIST SP 800-88 compliant methods or destroy them physically
- Use cryptographic erasure (encryption key destruction) for encrypted drives
- Obtain certificates of destruction from vendors
- Document all sanitization activities
- Include sanitization in device retirement procedures
What the assessor is actually evaluating
The assessor will ask: “What happens when you retire a laptop?” If you say “we wipe it” they’ll ask for the wipe report. If you say “we don’t know” you fail. If you say “we take it to a recycling place” they’ll ask if you have a certificate showing it was wiped. If you don’t, you fail.
This is where cloud environments have a hidden advantage. Your laptops might have CUI cached on them, but your primary data is in Azure or AWS. You still need to wipe the laptop, but you’re not dealing with a data center full of decommissioned servers. A small contractor with five laptops is fine. A manufacturing company with 200 computers in the field needs a procedure.
Here’s the reality. You have three choices. Option one: cryptographic erasure. If every device is encrypted (and they should be), you destroy the encryption key when the device is retired. That renders all data unrecoverable without the key. Option two: overwrite with zeros (DBAN, Eraser, Kingston Secure Erase, etc.). This takes longer but is DoD-approved. Option three: physical destruction. Drill a hole through the drive or send it to a shredding service. This costs more but it’s the safest. Media sanitization ties to MP.L2-3.8.1 (media protection) and MA.L2-3.7.3 (equipment sanitization during maintenance).
Small contractors usually go with cryptographic erasure because their devices are already encrypted for other reasons. A startup doesn’t need to hire a specialist to drill holes in drives. When a laptop is retired, you revoke the BitLocker key or destroy the FileVault recovery key. The data is gone. Get a screenshot showing the key is deleted. That’s your certificate.
What a realistic SSP definition looks like
Example SSP Language
"Organization sanitizes media containing CUI before reuse or disposal through the following procedures:
Primary Method (Encrypted Devices): All organizational laptops, desktops, and external drives are encrypted using BitLocker (Windows) or FileVault (Mac). When a device is retired, the encryption key is destroyed in Active Directory or Apple iCloud Keychain. A screenshot showing key deletion is maintained in the retirement log. Once the key is deleted, data cannot be recovered.
Secondary Method (Unencrypted Media): Any unencrypted media (rare in our environment) is wiped using DBAN (NIST SP 800-88 compliant) with at least one full pass of zeros overwrite. Wipe tool reports are retained.
Physical Destruction: External hard drives and older media are sent to certified e-waste recycling vendors who provide certificates of destruction. Certificates include serial number, destruction method, and date.
Procedure: Device retirement begins with data backup (if needed) and verification that data is replicated to cloud storage. IT then sanitizes the drive, documents the action with timestamp and method, and obtains proof (key deletion screenshot, wipe report, or destruction certificate). The device leaves the facility only after sanitization is confirmed in the retirement checklist."
How to present your evidence
Evidence Checklist for MP.L2-3.8.3
- Device Inventory: List of all retired devices with serial numbers and sanitization method used
- Encryption Key Deletion Records: Screenshots or logs showing encryption keys were destroyed (if using cryptographic erasure)
- Wipe Tool Reports: DBAN, Eraser, or vendor-specific reports showing drives were overwritten
- Certificates of Destruction: From e-waste vendors showing devices/drives were physically destroyed
- Device Retirement Checklists: Signed off forms confirming sanitization was completed before device left the building
- Data Destruction Logs: Backup media (tapes, external drives) that have reached end-of-life and were sanitized
- Vendor Contracts: Agreements with e-waste or destruction services specifying NIST SP 800-88 compliance
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
What You'll Hear in the Assessment Room
Assessor: "Walk me through your device retirement process. What happens when a laptop is no longer needed?"
What works: "We have a checklist. IT backs up any unsaved files, revokes the BitLocker key in Active Directory, confirms the drive is unrecoverable, and documents it. Only then does the device leave the building." [Pull up retirement checklist]
Assessor: "I'll need to see evidence that this actually happened. Show me a recent retirement."
What works: "Last month we retired this laptop. Here's the Active Directory log showing the BitLocker key was deleted on March 1st. Here's the signed off-boarding form." [Pull up logs and checklist]
Assessor: "What if the drive fails and you can't use software to wipe it?"
What works: "We send failed drives to [Vendor Name] for physical destruction. Here's a certificate showing this drive from last year was destroyed." [Pull up physical destruction certificate]
Assessor: "What about media in backups? How old is your backup retention?"
What works: "We keep backups for 90 days. After that, the backup media is wiped or destroyed. Here's the schedule and our destruction log." [Pull up backup retention policy and destruction records]
Assessor: "Have you ever reused a drive?"
What works: "No, we don't reuse drives with CUI. We wipe them or destroy them. This prevents any possibility of data recovery." [If you do reuse, show your wiping procedure and reports]
Common failures
Why Companies Fail MP.L2-3.8.3
- Deletion is not destruction. Someone formats a drive or uses Windows delete. Data is still recoverable with a forensic tool. Assessor finds this in interviews and immediately fails the practice.
- No documentation. Device is wiped in house with no record. Assessor asks "show me the wipe report" and you have nothing.
- Drives are sold or donated. A company donates old computers to a school without wiping them. Assessor finds proprietary data still on the drives.
- Backup media are not sanitized. Company keeps backup tapes for years, then throws them away. No one ever wiped the tapes.
- "We'll worry about it later." Device is removed from the network but sits in an IT closet for six months before anyone sanitizes it. It's still accessible.
- Certificates of destruction are missing. Company uses an e-waste vendor but doesn't request destruction certificates. Assessor asks for proof the drives were actually destroyed and finds nothing.
How to Pass MP.L2-3.8.3
- Start with encryption. Encrypted devices are easier to sanitize. Destroy the key and you're done.
- Create a retirement checklist. Make sanitization a mandatory step. Don't release the device until the form is signed.
- Use certified vendors. If you use an e-waste service, require they meet NIST SP 800-88 standards. Request a certificate for each device.
- Document everything. Take screenshots. Keep logs. Even if you destroy a drive, have a record saying you did it.
- Train staff. When someone retires a computer, they should know not to throw it in the trash. Make this a one-minute discussion during onboarding.
- Test your procedure. When you retire a test device, go through the entire process. Document each step. That's your proof it works.
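The failure modes and checklist steps above, turned into a small audit script you can run over your own retirement log before the assessor does. This is an added example, not code from the article; the record fields (serial, method, proof, retired, sanitized, released) and the 30-day threshold are assumptions you would align with your own retirement checklist.

```python
"""Audit a device retirement log for the failure modes listed above (added example; see lead-in)."""
from datetime import datetime

# Sanitization methods an assessor will accept, and the proof each one needs.
ACCEPTED_METHODS = {
    "crypto-erase": "key deletion screenshot or AD/Keychain log",
    "overwrite": "wipe tool report",
    "physical-destruction": "vendor certificate of destruction",
}
# Deletion, not destruction: data is still recoverable with a forensic tool.
NOT_SANITIZATION = {"format", "delete", "factory-reset"}
MAX_DAYS_IN_CLOSET = 30  # assumed policy: sanitize within 30 days of retirement

def _day(s):  # ISO date string; empty or missing means "never"
    return datetime.strptime(s, "%Y-%m-%d").date() if s else None

def check_record(rec):
    """Return the findings for one retirement record (empty list = passes)."""
    sn, method = rec["serial"], rec.get("method", "").lower()
    findings = []
    if method in NOT_SANITIZATION:
        findings.append(f"{sn}: '{method}' is deletion, not destruction")
    elif method not in ACCEPTED_METHODS:
        findings.append(f"{sn}: unknown sanitization method '{method}'")
    if not rec.get("proof"):
        findings.append(f"{sn}: no documentation ({ACCEPTED_METHODS.get(method, 'evidence')} missing)")
    retired, sanitized = _day(rec.get("retired")), _day(rec.get("sanitized"))
    released = _day(rec.get("released"))
    if retired and not sanitized:
        findings.append(f"{sn}: retired {retired} but never sanitized")
    elif retired and (sanitized - retired).days > MAX_DAYS_IN_CLOSET:
        findings.append(f"{sn}: sat {(sanitized - retired).days} days before sanitization")
    if released and (not sanitized or released < sanitized):
        findings.append(f"{sn}: left the building before sanitization was confirmed")
    return findings

def audit(records):  # serial -> findings, for every record that fails
    return {r["serial"]: f for r in records if (f := check_record(r))}

# Constructed sample log (not real devices).
SAMPLE_LOG = [
    {"serial": "LT-1001", "method": "crypto-erase", "proof": "ad-key-delete.png",
     "retired": "2024-03-01", "sanitized": "2024-03-01", "released": "2024-03-04"},
    {"serial": "LT-1002", "method": "format", "proof": "",
     "retired": "2024-03-01", "sanitized": "2024-03-02", "released": "2024-03-02"},
    {"serial": "HD-2001", "method": "physical-destruction", "proof": "",
     "retired": "2024-01-05", "sanitized": "2024-06-20", "released": "2024-06-20"},
    {"serial": "LT-1003", "method": "overwrite", "proof": "dban-report.txt",
     "retired": "2024-02-10", "sanitized": "", "released": "2024-02-12"},
]
```

In the constructed log only LT-1001 passes; the other three records reproduce "deletion is not destruction", a missing certificate of destruction, the drive that sat in the closet, and a device released before it was ever sanitized.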
If you use an MSP/MSSP
Media Sanitization with Managed Service Providers
If your MSP handles device retirement, require a service level agreement covering sanitization. The SLA must specify: NIST SP 800-88 compliance, destruction method, and certificate of destruction. When a device is retired, you do not release it until you have proof of sanitization. Ask your MSP for monthly reports showing devices sanitized, methods used, and vendor certificates. Inspect this documentation as part of your regular compliance reviews. You are ultimately responsible for proving sanitization occurred, so you maintain independent records as your primary evidence.
Disclaimer: This guide is for educational purposes. CMMC Level 2 assessments are conducted by Authorized C3PAO partners. Consult the official NIST SP 800-171 standard and your assessor for definitive requirements.