MA.L2-3.7.3 — Ensure equipment removed for off-site maintenance is sanitized of any CUI.
What this control requires
Ensure equipment removed for off-site maintenance is sanitized of any CUI.
Source: CMMC L2 v2.13 MA.L2-3.7.3 / NIST SP 800-171 R2 3.7.3 (official control text).
Why this matters
When equipment leaves organizational control for repair or maintenance, any Controlled Unclassified Information (CUI) stored on that device becomes vulnerable to unauthorized access by third-party technicians, supply chain threats, or physical theft. This control requires cryptographic erasure or physical destruction of data before devices exit the facility, ensuring that maintenance vendors, repair shops, or warranty centers cannot recover sensitive federal contract information, technical data, or customer records. Without sanitization, a failed hard drive sent for RMA or a laptop shipped for screen repair becomes an inadvertent data breach vector. This protection extends to all storage media — SSDs, HDDs, mobile devices, copiers with internal drives, and network appliances.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, photo, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.