CMMC practice MP.L2-3.8.3, grounded in NIST SP 800-171 Rev 2 requirement 3.8.3, mandates that organizations sanitize or destroy all system media containing CUI before that media is disposed of or released for reuse. Sanitization must follow approved methods — such as those defined in NIST SP 800-88 Rev 1 (Guidelines for Media Sanitization) — so that CUI cannot be recovered even with state-of-the-art laboratory techniques. Acceptable sanitization methods include Clear (overwriting), Purge (cryptographic erase, degaussing), and Destroy (shredding, incineration, disintegration), depending on media type and classification sensitivity. This practice applies to all forms of digital media, including hard drives, SSDs, USB flash drives, mobile devices, optical discs, and magnetic tapes, as well as non-digital media such as paper documents containing CUI. Organizations must document their sanitization procedures and maintain records of media disposition to demonstrate compliance during CMMC assessments.
Where it stops · what it isn't
- This practice does not govern the access controls or labeling of media while it is in active use — those are addressed by MP.L2-3.8.1 and MP.L2-3.8.2
- This practice does not address the physical transport or transit protections for media being moved between locations — that is covered by MP.L2-3.8.5 and SC domain controls
- This practice does not establish requirements for how long media must be retained before destruction — retention schedules are governed by organizational policy and data governance programs
- This practice does not cover logical access controls preventing unauthorized users from reading CUI on media still in active use
- This practice does not address cloud-based data deletion or deprovisioning of virtual storage — those require separate vendor-specific controls and contractual obligations