Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MP.L2-3.8.3 – Sanitize or destroy information system media containing controlled unclassified information before disposal or release for reuse.
Understanding the Requirement
This control requires that any media—digital (hard drives, USBs, backup tapes) or non-digital (paper, microfilm)—that contains Controlled Unclassified Information (CUI) be rendered unrecoverable before disposal or reuse. In practice you must either sanitize media so data cannot be reconstructed, or physically destroy it, and maintain evidence that the action occurred. This guidance maps to NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and focuses on preventing adversaries from recovering CUI from discarded or repurposed media.
Technical Implementation
- Maintain a media inventory and labeling process. Track all devices that can store CUI (PCs, laptops, SSDs, thumb drives, backup tapes, removable media). Label media when it stores CUI and record its lifecycle (owner, location, retention period, and disposal/reuse authorization) in a simple inventory spreadsheet or lightweight asset management system.
- Define sanitization vs. destruction policies. Specify when media must be destroyed (e.g., damaged drives, media that cannot be sanitized reliably) versus sanitized for reuse. For paper, require cross-cut shredding to 1 mm x 5 mm particles or smaller. For digital media, list acceptable sanitization methods (overwrite per DoD 5220.22-M for magnetic drives, verified crypto-erase for drives using full-disk encryption, and vendor-verified secure erase tools for SSDs).
- Use approved tools and verify wipes. Standardize on tools that support the chosen method, for example DBAN or commercial disk wipers for magnetic drives, manufacturer tools for SSD secure erase, and enterprise utilities that produce wipe logs. Require verification steps such as checksum tests, wipe logs, or a forensic tool run against the media to confirm no recoverable data remains before marking it for reuse.
- Contract or perform physical destruction and retain proof. For destroyed media, use a vetted destruction vendor or in-house methods (shredding, degaussing for magnetic tape, crushing). Obtain and retain receipts or certificates of destruction with serial numbers or asset tags and store them with disposal records for audit and compliance purposes.
- Implement chain-of-custody and employee responsibilities. Assign responsibilities (who sanitizes, who approves reuse, who coordinates destruction). Require signed handoffs and brief chain-of-custody forms when media leaves secure areas for destruction or transport. Train staff on procedures and include media sanitization in onboarding and termination checklists.
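The verification and recordkeeping steps above can be scripted. The following Python example is added here and is not part of this guidance or of any named tool: it reads a wiped drive (or an image of it) back, compares every byte against the fill pattern the wiper was configured to write, and emits an audit-ready wipe record keyed by the inventory asset tag, routing any drive with residual data to destruction. The fill byte (0x00), the asset tags, the method and tool names, and the in-memory sample images are all constructed assumptions.

```python
import hashlib
import io
from datetime import datetime, timezone

FILL_BYTE = 0x00     # pattern the wiper was configured to write (assumption)
CHUNK = 1024 * 1024  # read 1 MiB at a time so multi-TB drives do not exhaust RAM


def verify_wipe(stream, fill_byte=FILL_BYTE):
    """Read the whole device/image back; return (passed, first_bad, sha256, total).
    Every byte is compared: sampling sectors would miss residue in an unwritten
    region, remapped block or interrupted pass."""
    digest, offset, first_bad = hashlib.sha256(), 0, None
    while True:
        block = stream.read(CHUNK)
        if not block:
            break
        digest.update(block)
        if first_bad is None and block.count(fill_byte) != len(block):
            first_bad = offset + next(i for i, b in enumerate(block) if b != fill_byte)
        offset += len(block)
    # an empty read means nothing was verified, so it is reported as a failure
    return offset > 0 and first_bad is None, first_bad, digest.hexdigest(), offset


def build_wipe_record(asset_tag, method, tool, stream):
    """Evidence row for the disposal/reuse log; asset tag links to the inventory."""
    passed, first_bad, sha256, total = verify_wipe(stream)
    return {
        "asset_tag": asset_tag,
        "method": method,
        "tool": tool,
        "bytes_checked": total,
        "image_sha256": sha256,
        "verification": "PASS" if passed else "FAIL",
        "first_residual_offset": first_bad,
        # a failed check routes the drive to destruction, never back into service
        "disposition": "release for reuse" if passed else "hold for destruction",
        "verified_at": datetime.now(timezone.utc).isoformat(),
    }


def sample_images():
    """Constructed 4 KiB images: one fully wiped, one with leftover plaintext."""
    clean = bytes(4096)
    residual = bytearray(4096)
    residual[3000:3010] = b"CUI record"  # simulated residue a partial wipe left behind
    return clean, bytes(residual)


if __name__ == "__main__":
    for tag, img in zip(("MDC-LT-0042", "MDC-LT-0043"), sample_images()):
        print(build_wipe_record(tag, "overwrite", "disk wiper (assumed)", io.BytesIO(img)))
```

On a real drive, point the stream at the block device (or a forensic image taken after the wipe) and file the returned record with the asset's disposal paperwork; a PASS for a drive that used crypto-erase instead of overwrite needs a different check, since its contents are ciphertext rather than a fill pattern.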
Example in a Small or Medium Business
Midtown Design Co., a 35-person engineering firm, maintains an inventory of all devices capable of storing CUI and tags each item with an asset ID. When an employee retires a laptop, the IT lead collects it and checks the inventory to confirm it contained CUI. For magnetic hard drives the IT lead runs an approved disk-wiping tool configured to DoD 5220.22-M overwrite cycles, saves the wipe log, and then validates the wipe with a lightweight forensic scan. SSDs are handled using the drive manufacturer’s secure-erase utility and a validation report is saved. Paper records with CUI are shredded in a cross-cut shredder that produces ~1 mm x 5 mm particles; shredding bags are photographed and logged. Hard drives that fail validation or are physically damaged are sent to a certified destruction vendor; the company stores the vendor's certificate of destruction alongside the asset record. These steps are documented in a media sanitization policy, employees with media responsibilities are trained quarterly, and receipts/logs are retained for customer audits.
Summary
Combining a clear policy, simple inventory and labeling, approved sanitization and destruction methods, verification and recordkeeping, and assigned responsibilities lets SMBs reliably meet this control. Policy defines when to sanitize versus destroy; technical measures (overwrites, vendor secure erase, shredding, crushing) make data unrecoverable; and written evidence (wipe logs, certificates of destruction, inventory updates) provides audit-ready proof that CUI was protected before disposal or reuse.