Federal Framework
CMMC Media Sanitization: Control MP.L2-3.8.3 for CUI and FCI Media
The Cybersecurity Maturity Model Certification (CMMC) 2.0 verifies that Defense Industrial Base contractors protect Federal Contract Information and Controlled Unclassified Information. Its media sanitization control requires that media be sanitized or destroyed before disposal or reuse. All Green Recycling's data destruction processes are operationally aligned to the NIST SP 800-88 methods that satisfy the CMMC media sanitization control.
What Is CMMC Media Sanitization?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense program that verifies a contractor’s implementation of cybersecurity requirements for protecting Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). It is codified at 32 CFR Part 170, effective 16 December 2024, and it builds on the security requirements in NIST SP 800-171.
Publisher: U.S. Department of Defense
Key citations: 32 CFR Part 170 (CMMC Program); NIST SP 800-171 control 3.8.3, expressed in CMMC as MP.L2-3.8.3
Legal force: Contractual. A required CMMC level becomes a condition of award in covered DoD contracts.
CMMC 2.0 has three levels. Level 1 covers basic safeguarding of FCI. Level 2 aligns with the 110 controls of NIST SP 800-171 for CUI. Level 3 adds selected NIST SP 800-172 controls for the highest-priority programs. The media sanitization control sits in the Media Protection family at Level 2.
What Does the CMMC Media Sanitization Control Require?
The CMMC media sanitization control MP.L2-3.8.3 requires a contractor to sanitize or destroy system media containing Controlled Unclassified Information before disposal or release for reuse. The control inherits the techniques and verification expectations of NIST SP 800-88.
Sanitize or destroy before disposal or reuse (MP.L2-3.8.3)
System media, both digital and non-digital, that contains CUI must be sanitized or destroyed before it is disposed of or released for reuse. The contractor selects Clear, Purge, or Destroy based on the media type and the sensitivity of the information.
Technique selection via NIST SP 800-88
CMMC assessors evaluate sanitization against the methods in NIST SP 800-88 Rev. 2. High-sensitivity CUI on end-of-life media calls for Destroy-level destruction such as shredding. Media slated for reuse within the boundary may be sanitized at Clear or Purge.
Documentation and assessment evidence
A Level 2 assessment by a Certified Third-Party Assessment Organization (C3PAO) reviews objective evidence that the control is implemented. A destruction certificate that names the method, the NIST category, and the serialized devices provides that evidence.
Related media controls
The Media Protection family also covers media marking, access, transport, and cryptographic protection. Sanitization is the end-of-life control that closes the family, ensuring CUI does not persist on retired media.
Digital and non-digital media both in scope
The control speaks to system media in both digital and non-digital forms, so it reaches more than hard drives. Printed CUI, removable media such as USB drives and optical discs, backup tapes, and the storage inside multifunction devices all fall within MP.L2-3.8.3. A contractor that shreds drives but discards printed CUI in ordinary recycling has an incomplete control. A complete program sanitizes or destroys every medium on which CUI resided, and the method is matched to the medium, with paper cross-cut shredded and electronic media purged or destroyed.
Subcontractor flow-down and shared responsibility
CUI obligations do not stop at the prime contractor. When CUI flows to a subcontractor, the media sanitization requirement flows with it, and each entity in the chain must be able to evidence its own implementation of MP.L2-3.8.3. A prime cannot satisfy the control on behalf of a sub that holds CUI on its own systems. This is why contractors at every tier keep their own destruction records, and why a destruction vendor that issues a clear, serialized certificate simplifies assessment for each entity that engages it.
How All Green Recycling Aligns to CMMC Media Sanitization
All Green Recycling’s data destruction processes are operationally aligned to the NIST SP 800-88 Rev. 2 methods that control MP.L2-3.8.3 incorporates. A Defense Industrial Base contractor can use All Green Recycling to perform the sanitization action and to capture the documentation a C3PAO reviews.
| CMMC control element | All Green Recycling control |
|---|---|
| Sanitize or destroy CUI media | Hard Drive Shredding at NIST Destroy level |
| Sanitize media for reuse | SSD Secure Erase at Clear or Purge |
| Verify and document the action | Certificate of Destruction with serialized inventory |
| Defensible chain of custody | Witnessed Destruction with signed log |
All Green Recycling does not hold CMMC certification, and it does not claim to. CMMC certification is held by Defense Industrial Base contractors and is assessed by accredited C3PAOs. All Green Recycling references the CMMC framework and provides destruction conforming to the NIST SP 800-88 methods that the media sanitization control requires, so the contractor can evidence MP.L2-3.8.3 within its own assessment.
This division is exactly how the media sanitization control is meant to operate. The contractor owns the control and the assessment; the destruction vendor performs the sanitization action to a recognized standard and supplies serialized, method-level documentation. When the C3PAO examines MP.L2-3.8.3, the contractor presents that documentation as objective evidence that CUI media was sanitized or destroyed before disposal or reuse, without the vendor itself needing any CMMC status.
Who Must Comply With CMMC?
CMMC applies to contractors and subcontractors in the Defense Industrial Base that process, store, or transmit Federal Contract Information or Controlled Unclassified Information under DoD contracts. The required level is specified in the solicitation and contract.
A defense contractor manufacturing components under a CUI-bearing contract, an aerospace supplier, and a subcontractor several tiers down the supply chain all inherit the CMMC requirement when CUI flows to them. For media disposal, every entity in that chain must sanitize or destroy CUI media under MP.L2-3.8.3 before the media leave its control, and must retain evidence for assessment.
The required level is set by the contract, which shapes how rigorously the media sanitization control is examined. Level 1 contractors handling only Federal Contract Information perform an annual self-assessment, while Level 2 contractors handling CUI generally undergo a third-party assessment by a C3PAO every three years, with annual affirmations. In both cases the practical media-disposal obligation is the same: sanitize or destroy media before disposal or reuse and keep the evidence. What changes is who scrutinizes the evidence, which is why contractors anticipating a C3PAO assessment value a destruction record that is unambiguous on method, category, and serial number.
Enforcement and Consequences
CMMC is enforced through the contracting process and through federal fraud statutes. The consequences attach to eligibility for and performance of DoD contracts.
Loss of eligibility: A contractor that cannot demonstrate the required CMMC level cannot be awarded a covered contract. For Level 2, this requires a passing C3PAO assessment, which evaluates the media sanitization control among the 110 controls.
False Claims Act exposure: Misrepresenting compliance, including media sanitization practices, can trigger liability under the False Claims Act, with treble damages and per-claim penalties. The Department of Justice has pursued cybersecurity misrepresentations through its Civil Cyber-Fraud Initiative.
Contract termination: A contractor found non-compliant during performance can face stop-work orders, termination, and exclusion from future awards.
Frequently Asked Questions
Is CMMC compliance mandatory or voluntary?
CMMC compliance is mandatory for Defense Industrial Base contractors when a DoD solicitation specifies a required level, under 32 CFR Part 170 effective 16 December 2024. A contractor that handles Controlled Unclassified Information generally needs CMMC Level 2, which aligns with the 110 controls of NIST SP 800-171 and is verified by a Certified Third-Party Assessment Organization. Without the required level, the contractor cannot be awarded the covered contract.
What does CMMC require for media sanitization specifically?
CMMC control MP.L2-3.8.3 requires contractors to sanitize or destroy system media containing CUI before disposal or release for reuse. Assessors evaluate the method against NIST SP 800-88, so high-sensitivity CUI on end-of-life media calls for Destroy-level shredding, while reusable media may be sanitized at Clear or Purge. The contractor must retain objective evidence, such as a destruction certificate, to demonstrate the control during a Level 2 assessment.
Is All Green Recycling CMMC certified?
No. All Green Recycling does not hold CMMC certification, and it does not claim to. CMMC certification is held by Defense Industrial Base contractors and assessed by accredited C3PAOs. All Green Recycling references the CMMC framework and provides data destruction operationally aligned to the NIST SP 800-88 methods that the media sanitization control requires. A contractor uses that destruction service and the accompanying Certificate of Destruction as evidence for its own MP.L2-3.8.3 control.
How does All Green Recycling support a contractor’s CMMC assessment?
All Green Recycling performs the sanitization action that MP.L2-3.8.3 requires and documents it for the contractor’s assessment file. The company shreds CUI media at Destroy level, applies Clear or Purge to reusable media, and issues a Certificate of Destruction with the method, NIST category, and serialized inventory. That objective evidence is what a Certified Third-Party Assessment Organization reviews when evaluating the contractor’s media sanitization control.
What CMMC level requires the media sanitization control?
The media sanitization control is expressed as MP.L2-3.8.3, which places it at Level 2, the level that applies to contractors handling Controlled Unclassified Information and aligns with the 110 controls of NIST SP 800-171. Level 1, which covers only Federal Contract Information, has a smaller control set and is self-assessed annually. A contractor that handles CUI therefore must implement and evidence the media sanitization control as part of a Level 2 assessment by a C3PAO. Because the control incorporates NIST SP 800-88 methods, destruction documented to those methods is the evidence the assessor looks for.
What is the difference between CMMC and NIST SP 800-171?
NIST SP 800-171 is the control catalog that defines the 110 security requirements for protecting CUI, including the media sanitization requirement 3.8.3. CMMC is the Department of Defense program that verifies a contractor has implemented those controls, expressing 3.8.3 as MP.L2-3.8.3 and adding assessment and certification mechanics. NIST SP 800-171 states what to do; CMMC verifies that it was done, through self-assessment at Level 1 and third-party assessment at Level 2.
What documentation proves CMMC-aligned media sanitization?
A Certified Third-Party Assessment Organization expects objective evidence that CUI media was sanitized or destroyed. The Certificate of Destruction from All Green Recycling records the serialized devices, the destruction method, the NIST SP 800-88 category, and the date, and the Witnessed Destruction log adds a signed chain-of-custody record. Together they provide the assessment evidence a contractor retains to demonstrate the MP.L2-3.8.3 control.
Can sanitization be self-performed, or is a vendor required?
CMMC does not require a contractor to outsource sanitization; a contractor may sanitize or destroy CUI media in-house if it can apply NIST SP 800-88 methods and produce objective evidence. Many contractors use a vendor because verified destruction at the Destroy level requires shredding equipment, and because an independent, serialized Certificate of Destruction is cleaner assessment evidence than an internal note. The contractor remains responsible for the control either way. When All Green Recycling performs the work, the contractor retains the destruction documentation in its assessment file as proof that MP.L2-3.8.3 was implemented for the media in question.
Need media sanitization and destruction services that satisfy CMMC Media Sanitization?
Bonded · Insured · Certificate of Destruction · Methods follow CMMC Media Sanitization