MP.L2-3.8.3 — Sanitize or destroy system media containing CUI before disposal or release for reuse.
What this control requires
Sanitize or destroy system media containing CUI before disposal or release for reuse.
Source: CMMC L2 v2.13 MP.L2-3.8.3 / NIST SP 800-171 R2 3.8.3 (official control text).
Why this matters
CUI stored on hard drives, USB sticks, printed reports, or mobile devices doesn't vanish when you toss them in the trash or donate old equipment. Adversaries routinely recover "deleted" files from improperly wiped media, leaked documents from copier hard drives, and printed spreadsheets from recycling bins. This control mandates that every piece of media—digital or paper—containing CUI be sanitized using a method that makes recovery infeasible before disposal or reuse. It protects against data breaches that occur after devices leave your physical custody and ensures compliance with NARA retention schedules.
What evidence assessors expect
Assessors typically look for: PDF, screenshot, CSV export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on MP.L2-3.8.3.
FORCE shows where you stand on this control and walks you through closing it.
Start a free trial tenant →