Mapped to NIST 800-171 Requirement: 3.8.6
CMMC Assessment Objective: MP.L2-3.8.6
What This Control Means
When system media (e.g., hard drives, USBs, SSDs, backup tapes, CDs) is no longer needed, or will be reused for a different purpose, you must:
• Sanitize the media using secure wiping or cryptographic erasure tools, or
• Destroy the media physically so no data can be recovered
This applies to all forms of media that previously held CUI, including:
• Removable drives
• Internal drives in laptops or servers
• Paper records (if applicable under media policy)
• Virtual disks or cloud storage environments
Why It Matters
Improper disposal of media is a top cause of accidental data exposure. Risks include:
• Data recovery from improperly wiped devices
• CUI leaking through donated, recycled, or resold systems
• Non-compliance with DFARS or contractual requirements for CUI destruction
This control closes the loop on the CUI lifecycle.
How to Implement It
1. Define Sanitization and Destruction Methods
• NIST SP 800-88 Rev. 1 is the recommended guidance
• Include methods such as:
◦ Secure erase software (e.g., DBAN, BitRaser)
◦ Cryptographic erase
◦ Degaussing
◦ Shredding or pulverization
2. Maintain a Media Disposition Procedure
• Include:
◦ When media must be sanitized
◦ Who is authorized to perform the task
◦ How it is documented and verified
3. Log Each Event
• Record:
◦ Media type and serial number (if applicable)
◦ Method used
◦ Date/time
◦ Person who completed and verified the sanitization/destruction
4. Train Staff
• Ensure IT, security, and facilities teams are trained on how and when to perform media sanitization or destruction
5. Apply to Cloud or Virtual Media
• For cloud systems, ensure data is cryptographically erased or deallocated per CSP guidance
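The logging step above, and the "reused without sanitization" and "no logs" gaps it is meant to prevent, can be checked mechanically before an assessment. The script below is an added example, not part of the original page or any vendor tooling; the CSV column names, the status values (`in_use`, `reused`, `released`) and the sample rows are constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Fields listed under "Log Each Event"; the serial number is "if applicable", so optional.
REQUIRED = ("media_type", "method", "timestamp", "performed_by", "verified_by")

# Constructed sample data: an inventory of CUI-bearing media and the disposition log.
INVENTORY_CSV = """asset_id,media_type,status
A-100,SSD,in_use
A-101,HDD,reused
A-102,USB,released
A-103,backup tape,released
"""
LOG_CSV = """asset_id,media_type,serial,method,timestamp,performed_by,verified_by
A-101,HDD,SN-EXAMPLE-1,secure erase,2024-03-04T10:15:00,jdoe,asmith
A-103,backup tape,,degaussing,2024-03-05T09:00:00,jdoe,
"""

def load(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(inventory, log):
    """Return (asset_id, finding) tuples for incomplete or missing log records."""
    findings, logged = [], set()
    for row in log:
        logged.add(row["asset_id"])
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            findings.append((row["asset_id"], "log entry missing: " + ", ".join(missing)))
        ts = (row.get("timestamp") or "").strip()
        if ts:
            try:
                datetime.fromisoformat(ts)
            except ValueError:
                findings.append((row["asset_id"], "unparseable timestamp: " + ts))
    # Media that changed hands or purpose must have a matching log record.
    for item in inventory:
        if item["status"] in ("reused", "released") and item["asset_id"] not in logged:
            findings.append((item["asset_id"], item["status"] + " with no sanitization record"))
    return findings

if __name__ == "__main__":
    for asset, finding in audit(load(INVENTORY_CSV), load(LOG_CSV)):
        print(asset, "-", finding)
```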
Evidence the Assessor Will Look For
• Media sanitization or destruction policies and procedures
• Logs or records of disposed or reused media
• Evidence of secure wipe tools or physical destruction methods
• Personnel training documentation
• Signed verification forms for completed destruction events
Common Gaps
• Media reused without sanitization
• Devices recycled or donated with recoverable CUI
• Staff unaware of proper destruction methods
• No logs or procedures for media disposal
How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Providing media destruction logs and workflow templates
• Enforcing sanitization policies before media is reused or released
• Integrating with encryption and secure wipe tools
• Tracking and reporting on all CUI-bearing media lifecycle events
• Helping ensure your process aligns with NIST 800-88 and CMMC guidance
With Cuick Trac, CUI is removed completely, securely, and verifiably—before media leaves your control.
Don’t let sensitive data walk out the door.
Schedule a Cuick Trac demo to protect CUI with secure, trackable media sanitization and destruction processes.