
3.8.3 — Destroy It Properly

Sanitize or destroy system media containing CUI before disposal or release for reuse.

Before any media that has held CUI is disposed of or handed to anyone else, the CUI on it must be unrecoverable. The assessor evaluates two scenarios:

  1. Disposal. When media reaches end of life (decommissioned servers, old laptops, failed drives, obsolete tapes, paper documents being discarded), the CUI must be destroyed beyond recovery. For digital media, follow NIST SP 800-88 Rev. 1: cryptographic erase for self-encrypting SSDs (preferred, but only valid if the drive was encrypting before any CUI was written and the key is verifiably replaced or destroyed); the drive's built-in sanitize or secure-erase command for other SSDs; overwrite, built-in sanitize, or degaussing for HDDs (degaussing leaves the drive unusable, so it is a disposal-only option); physical destruction (shredding, incineration, disintegration) for any media, and the only option for a drive that no longer responds to commands. For paper: cross-cut shredding. A P-4 rated shredder is a common baseline; NIST SP 800-88 Appendix A calls for particles no larger than 1 mm x 5 mm (a considerably finer cut) or disintegration, so check your shredder's rating against the requirement you are held to. For optical media (CDs/DVDs): shredding or disintegration.

  2. Reuse. When media is repurposed (a laptop reassigned to a different employee, a server reprovisioned for a non-CUI role), the CUI must be fully sanitized before redeployment, and that means more than deleting files. For drives: a full overwrite (NIST 800-88 Clear, acceptable when the media stays under your control) or a cryptographic erase or built-in sanitize command (Purge, required if the media leaves your control). For devices: factory reset plus drive sanitization (a factory reset alone may leave data recoverable, particularly on devices without full-disk encryption). In both scenarios, verify the result by reading back a sample of the media before releasing it: an overwrite should read as the written pattern and a cryptographic erase as unrecognizable ciphertext, with no file-system structures left behind.

For every sanitization or destruction event, document: what media (asset tag, serial number, media type), what method was used (by its NIST 800-88 name: Clear, Purge or Destroy, plus the tool or command), when, who performed it, who verified it, and how it was verified. For destruction by a third-party vendor, keep the chain-of-custody record from the moment the media leaves your control and retain the vendor's destruction certificate, which should list the same serial numbers.

The assessor will ask for your sanitization procedure and review recent records. They may also ask about your handling of failed drives that can’t be wiped — the answer should be physical destruction, not shipping to a vendor.


Your assessor needs a “yes” to every question:

  1. Is CUI media sanitized or destroyed before disposal?
     What “yes” looks like: destruction records (media ID, method per NIST 800-88, date, person) and destruction certificates from vendors.
  2. Is CUI media sanitized before reuse?
     What “yes” looks like: sanitization records before redeployment, the method documented, and verification that sanitization was successful.

Documents they’ll review: Media protection policy; media sanitization procedures referencing NIST 800-88; sanitization and destruction records; vendor destruction certificates; system security plan

People they’ll talk to: Personnel with media sanitization responsibilities; information security personnel; anyone who disposes of or repurposes CUI media

Live demos they’ll ask for: “Show me your sanitization procedure. Does it reference NIST 800-88?” “Show me destruction records from the last disposal.” “How do you handle SSDs vs. HDDs?” “What about failed drives that can’t be wiped?”


These are the actual questions. Have answers ready.

  • “Show me your media sanitization procedure. What standard does it follow?”
  • “Show me records from the last time you disposed of CUI media.”
  • “How do you sanitize SSDs? HDDs? Are the methods different?”
  • “What happens with a failed drive that can’t be sanitized — do you ship it or destroy it?”
  • “Show me a destruction certificate from your vendor.”
  • “How do you sanitize a laptop before reassigning it to a new employee?”
  • “How do you dispose of paper CUI? Show me the shredder.”

Delete instead of sanitize. Files are deleted or the drive is reformatted; both only rewrite file-system metadata, and the data is fully recoverable with free tools. Use NIST 800-88 methods: cryptographic erase, overwrite, degauss, or physical destruction. “Delete” and “format” are not sanitization.

No documentation. Media was properly destroyed but nobody recorded it. The assessor asks for records and you have nothing. Document every sanitization event: media ID, method, date, person. Keep destruction certificates from vendors.

Paper CUI in regular trash. CUI documents end up in the general waste bin. All paper CUI must be cross-cut shredded. Provide a shredder in the CUI work area, or use a bonded shredding service with locked collection bins and a certificate of destruction for each pickup.

Failed drives shipped to vendor. A drive with CUI fails and can’t be wiped, so it’s shipped back for warranty replacement. This is effectively shipping CUI to an unauthorized party. Destroy failed drives that can’t be sanitized and forfeit the warranty if necessary; better, buy hardware with a keep-your-drive or defective-media-retention warranty option so the replacement arrives without the failed drive ever leaving the building.

SSD sanitization misunderstood. Overwrite tools designed for HDDs don’t reliably sanitize SSDs: wear leveling and over-provisioning mean the host cannot address every cell, so stale copies of CUI can survive a full-disk overwrite. Use the drive’s own sanitize command (ATA SANITIZE or SECURITY ERASE UNIT through hdparm; NVMe Format with a secure-erase setting or NVMe Sanitize through nvme-cli), or a cryptographic erase on a self-encrypting drive, and read back a sample afterwards. NIST 800-88 has specific guidance for flash-based media.



Related requirements and why they matter here:

  • 3.7.3 — Wipe Before Repair: sanitization before off-site maintenance; the same methods apply.
  • 3.8.1 — Lock Up CUI: the media protection lifecycle (store securely, then sanitize at end of life).
  • 3.8.9 — Protect Your Backups: backup media needs the same sanitization treatment at disposal.
  • 3.13.11 — Encrypt CUI at Rest: encryption enables cryptographic erase as a sanitization method.


Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.


CMMC Practice ID: MP.L2-3.8.3 | SPRS Weight: 5 points | POA&M Eligible: No