GRCWatch
Sign inStart free trial

CMMC MP.L2-3.8.3 — Media Disposal: Sanitize Before Reuse or Destruction

Media disposal is a critical yet often overlooked control in CMMC Level 2 compliance. Improper handling of decommissioned hard drives, SSDs, and other storage devices creates data breach risks that auditors actively test. MP.L2-3.8.3 requires your organization to establish and enforce procedures that completely erase or physically destroy information system media before it leaves your control.

What this means

This control mandates that any information system media—including hard drives, SSDs, USB devices, optical media, and magnetic tapes—must be sanitized or destroyed before disposal or reuse. Sanitization means rendering data unrecoverable through secure erasure methods (such as DOD 5220.22-M or NIST SP 800-88 standards), while destruction involves physically incinerating, shredding, or pulverizing the media. The goal is to prevent unauthorized access to sensitive or classified information that may have been stored on the device during normal operations.

How to comply

  1. 1.Identify and inventory all information system media within your organization that stores or has stored CUI (Controlled Unclassified Information)
  2. 2.Develop and document a media sanitization and disposal policy that specifies approved methods for each media type
  3. 3.Select sanitization standards (e.g., DOD 5220.22-M for magnetic media, NIST SP 800-88 for digital devices) or use certified destruction services
  4. 4.For reusable media: implement secure erasure tools that verify complete data removal before devices re-enter inventory
  5. 5.For non-reusable media: contract with certified e-waste destruction vendors who provide proof of destruction documentation
  6. 6.Train personnel on proper media handling, labeling, and chain-of-custody procedures
  7. 7.Maintain records of all sanitization and destruction activities with dates, methods used, and responsible parties
  8. 8.Conduct periodic audits to confirm media is not being discarded without proper sanitization

Evidence auditors look for

  • Documented media sanitization and disposal policy approved by management
  • List of approved sanitization tools or certified destruction vendors with contracts
  • Proof-of-destruction certificates from third-party e-waste vendors
  • Sanitization logs showing media serial numbers, erasure dates, and verification results
  • Employee training records on media handling and disposal procedures
  • Asset inventory tracking which media has been sanitized versus destroyed
  • Audit findings from periodic media disposal compliance checks

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch's asset tracking module automatically logs media lifecycles and sanitization verification, eliminating manual spreadsheets and generating audit-ready proof-of-destruction reports for MP.L2-3.8.3 compliance.

See how GRCWatch handles this control automatically

Start free trial

Related controls

MP.L2-3.8.1 — Media AccessMP.L2-3.8.2 — Media LabelingSI.L2-3.13.1 — Information System MonitoringAC.L2-3.1.1 — Access Control Policy