What Is CMMC 2.0?
The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the Department of Defense’s framework for verifying that defense contractors and subcontractors protect Controlled Unclassified Information (CUI) stored on their systems and media. CMMC 2.0 was codified at 32 CFR Part 170, effective December 16, 2024. A separate Defense Federal Acquisition Regulation Supplement (DFARS) rule, effective November 10, 2025, integrates CMMC requirements into DoD contract solicitations.
Governing regulation: 32 CFR Part 170 (CMMC Program)
Current version: CMMC 2.0 — final rule effective December 16, 2024
DFARS integration: DFARS clause effective November 10, 2025 — required in applicable DoD contracts on a three-year rollout
Enforcement: DoD contracting officers; C3PAOs (CMMC Third Party Assessment Organizations) for Level 2
Official resource: dodcmmc.org
CMMC replaced the previous self-attestation model under DFARS 252.204-7012 with a tiered, verified certification requirement. CMMC 2.0 reduces the original 5-level model to 3 levels: Level 1 (Foundational), Level 2 (Advanced), and Level 3 (Expert). Most defense contractors handling CUI operate at Level 2.
Important note: CMMC is a contractor certification program, not a vendor certification program. Data Destruction Inc. does not hold CMMC certification. CMMC certifies the defense contractor’s overall cybersecurity posture, including its media sanitization practices. Data Destruction Inc. provides the destruction services that help contractors satisfy the media sanitization domain of their CMMC assessment.
What CMMC 2.0 Requires for Media Sanitization
CMMC 2.0 aligns its practices with NIST SP 800-171 Rev 3 and NIST SP 800-82 for OT systems. Media sanitization falls under the Media Protection (MP) domain. The specific CMMC practices mirror the NIST SP 800-171 MP controls.
Practice MP.L2-3.8.3: Sanitize or Destroy Information System Media Before Disposal
CMMC Practice: MP.L2-3.8.3
NIST 800-171 Source: 3.8.3 — Sanitize or destroy information system media before disposal or reuse
What it requires: Defense contractors must sanitize or destroy CUI media before it is disposed of or reused. The sanitization method must render CUI unrecoverable.
Applicable NIST standard: NIST SP 800-88 r2 is the referenced standard for CUI media sanitization in DoD guidance.
CMMC Level: Level 2 and Level 3 (Level 1 does not address CUI)
Practice MP.L2-3.8.4: Mark Media with CUI Markings and Distribution Limitations
CMMC Practice: MP.L2-3.8.4
What it requires: Mark media containing CUI with appropriate CUI markings and distribution limitations.
Relevance to disposal: Media must be identifiable as CUI-bearing before disposal so that appropriate sanitization is applied. Unmarked media may not receive required sanitization treatment.
Practice MP.L2-3.8.7: Control the Use of Removable Media on System Components
CMMC Practice: MP.L2-3.8.7
What it requires: Control the use of removable media on system components, with restrictions on use on external systems.
Relevance to disposal: Removable media (USB drives, external SSDs, backup tapes) used on systems processing CUI is subject to full MP.L2-3.8.3 sanitization requirements before disposal.
Practice MP.L2-3.8.9: Protect Backups of CUI
CMMC Practice: MP.L2-3.8.9
What it requires: Protect the confidentiality of backup CUI at storage locations.
Relevance to disposal: Backup tapes and drives storing CUI backups require the same MP.L2-3.8.3 sanitization before disposal as primary storage media.
How Data Destruction Inc. Satisfies CMMC Media Sanitization Requirements
Data Destruction Inc. provides defense contractor data destruction services that satisfy MP.L2-3.8.3 through documented, NIST SP 800-88 r2 Destroy-level physical destruction.
| CMMC Practice | DDI Service | NIST r2 Category | Documentation |
|---|---|---|---|
| MP.L2-3.8.3 (disposal) | Hard drive shredding | Destroy (§3.1.3) | Certificate of Destruction with r2 section |
| MP.L2-3.8.3 (disposal) | Hard drive crushing | Destroy (§3.1.3) | Certificate of Destruction with r2 section |
| MP.L2-3.8.3 (reuse) | Data wiping | Clear/Purge (§3.1.1/§3.1.2) | Certificate of Destruction + wipe report |
| MP.L2-3.8.3 + witness | Witnessed destruction | All categories | CoD + signed witness documentation |
The Certificate of Destruction issued by Data Destruction Inc. documents: the NIST SP 800-88 r2 category and section, the serialized asset inventory (one entry per device), the date and location, the destruction method, and the witness signature. CMMC assessors and DoD auditors accept this documentation as evidence of MP.L2-3.8.3 compliance.
Continuous chain of custody: From pickup through destruction, Data Destruction Inc. maintains documented chain of custody. For defense contractors, chain of custody documentation is part of the audit evidence package required for CMMC assessment.
CMMC Level Requirements and Media Sanitization
CMMC 2.0 has 3 levels. Media sanitization requirements apply starting at Level 2.
| Level | Name | Who it applies to | Assessment type | Media sanitization |
|---|---|---|---|---|
| Level 1 | Foundational | Contractors with Federal Contract Information (FCI) but no CUI | Annual self-assessment | Basic cybersecurity hygiene; no specific MP practices required |
| Level 2 | Advanced | Contractors handling CUI on DoD programs | Third-party assessment (C3PAO) every 3 years for critical programs; annual self-assessment for others | MP.L2-3.8.3 through 3.8.9 required — NIST 800-88 r2 sanitization |
| Level 3 | Expert | Contractors on DoD’s highest-priority programs | DIBCAC government-led assessment | All Level 2 practices plus additional requirements from NIST SP 800-172 |
Most defense contractors that handle engineering drawings, specifications, technical data, or any CUI operate at Level 2 and require third-party CMMC assessment by a C3PAO. Level 2 is where the media sanitization practices are binding.
Who Must Comply with CMMC 2.0?
CMMC 2.0 applies to any organization that seeks to perform on DoD contracts or subcontracts that involve CUI or FCI.
Directly covered: prime defense contractors receiving DoD contracts that include a CMMC clause; subcontractors of prime contractors, to the extent they handle CUI that flows down from the prime; and defense industrial base (DIB) suppliers at any tier of the supply chain that receive CUI from the DoD or a prime contractor.
CUI defined: Controlled Unclassified Information is information the government creates or possesses that requires safeguarding or dissemination controls but is not classified. CUI in the defense context includes technical data, engineering specifications, export-controlled information (ITAR/EAR), and sensitive program information.
The DFARS rollout (November 2025): Starting November 10, 2025, new DoD contracts and contract renewals include CMMC requirements on a rolling three-year implementation schedule. By November 2028, all applicable DoD contracts require full CMMC compliance.
Subcontractors: A prime contractor must flow CMMC requirements down to subcontractors that handle CUI. If a defense subcontractor provides IT services or data center decommissioning to a prime, the subcontractor’s media handling practices are part of the prime’s CMMC compliance posture.
Enforcement and Consequences
CMMC 2.0 enforcement operates through the DoD contracting process rather than direct civil or criminal penalties.
Direct consequences of non-compliance: A contractor without a required CMMC certification cannot be awarded a DoD contract that contains a CMMC clause. A contractor that misrepresents its CMMC compliance status on a contract bid may face prosecution under the False Claims Act (31 U.S.C. §3729), with treble damages and civil penalties per false claim. A contractor that fails a CMMC assessment may be suspended or debarred from federal contracting.
False Claims Act exposure: The DoD Cyber Fraud Initiative has already used the False Claims Act to pursue defense contractors that falsely certified their cybersecurity posture. Misrepresenting media sanitization compliance in a CMMC self-attestation is within scope of this initiative.
CUI Media Sanitization: Method by Media Type
CMMC 2.0 Practice MP.L2-3.8.3 requires sanitization or destruction of CUI media per NIST SP 800-88 r2. Use this matrix to match each media type that may contain Controlled Unclassified Information to the correct sanitization method. For permanent disposal of CUI, Destroy-level shredding is the standard approach for CMMC assessment evidence.
| CUI Media Type | CMMC Practice | NIST r2 Category for Disposal | DDI Method |
|---|---|---|---|
| Hard drives (HDD / SSD) | MP.L2-3.8.3 | Destroy (§3.1.3) — permanent disposal | Hard drive shredding or crushing |
| NVMe drives | MP.L2-3.8.3 | Destroy (§3.1.3) or Purge via CE (§3.1.2) | Shredding (CE requires §3.2 verification) |
| Backup tapes (CUI backups) | MP.L2-3.8.3 + MP.L2-3.8.9 | Destroy (§3.1.3) | Tape shredding / degauss + shred |
| Removable media (USB, SD) | MP.L2-3.8.3 + MP.L2-3.8.7 | Destroy (§3.1.3) | Physical shredding |
| Mobile devices | MP.L2-3.8.3 | Purge (§3.1.2) or Destroy (§3.1.3) | Crypto Erase or physical shred |
| Media for reuse (same clearance) | MP.L2-3.8.3 | Clear or Purge (§3.1.1/§3.1.2) | Data wiping with wipe report |
Standards and Frameworks That Interact with CMMC 2.0
CMMC 2.0 is built on NIST SP 800-171 Rev 3, which itself draws from NIST SP 800-53 and NIST SP 800-88 r2. Defense contractors at Level 2 must satisfy these overlapping standards. A single documented NIST SP 800-88 r2 destruction process satisfies CMMC, FISMA contractor requirements, and NISPOM simultaneously.
| Standard | Interaction with CMMC 2.0 |
|---|---|
| NIST SP 800-88 r2 | The operative technical sanitization standard for CMMC MP.L2-3.8.3 compliance |
| FISMA | DoD contractors operating federal systems also face FISMA MP-6 obligations alongside CMMC |
| DoD NISPOM (32 CFR Part 117) | Current NISPOM requires NIST 800-88 r2; CMMC aligns with NISPOM media protection requirements |
| HIPAA Disposal Rule | Defense contractors in military healthcare support may face CMMC + HIPAA simultaneously |
| ISO 27001 / 27040 | Multinational defense suppliers may need to align CMMC practices with ISO Annex A.7.14 |
Authoritative Source and Official Regulation
Authoritative source: DoD / dodcmmc.org
CMMC 2.0: 32 CFR Part 170, effective December 16, 2024
Enforcement: DoD Contracting Officers + C3PAOs
Current: CMMC 2.0 Final Rule — December 16, 2024. DFARS clause effective November 10, 2025.
Three-year DFARS rollout through November 2028. Monitor acq.osd.mil/cmmc and Federal Register for DFARS clause updates affecting your contracts.
Frequently Asked Questions
What NIST standard does CMMC 2.0 require for media sanitization?
CMMC 2.0 Level 2 Practice MP.L2-3.8.3 requires sanitization or destruction of CUI media per NIST SP 800-171 Rev 3 control 3.8.3. NIST SP 800-171 implements its media sanitization requirements by reference to NIST SP 800-88 r2, which is the operative technical standard. Defense contractors must use Clear, Purge, or Destroy methods per NIST SP 800-88 r2, with Destroy-level (physical shredding or crushing) as the standard for CUI media disposed of permanently.
Is Data Destruction Inc. CMMC certified?
No. CMMC is a contractor certification program that certifies a defense contractor’s overall cybersecurity posture and practices. It is not a vendor certification program. Data Destruction Inc. is a destruction services vendor, not a defense contractor seeking DoD contracts. The CMMC certification belongs to the contractor who hires Data Destruction Inc. to perform compliant media destruction. DDI provides the service and documentation that satisfies MP.L2-3.8.3; the contractor achieves the certification.
What documentation does a CMMC assessor need for media sanitization?
A C3PAO assessor evaluating MP.L2-3.8.3 looks for: a written media sanitization policy, a record of all media sanitized or destroyed (serialized), evidence that the sanitization method meets NIST SP 800-88 r2, and documentation of third-party vendor practices where a destruction vendor is used. The Certificate of Destruction from Data Destruction Inc. satisfies the third-party evidence requirement. Contractors should retain these certificates in their system security plan (SSP) evidence package.
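As an added illustration (not code from this page or from Data Destruction Inc.), the following Python script checks a Certificate of Destruction record for the evidence elements described above: the NIST SP 800-88 r2 category and section, a serialized one-entry-per-device inventory, date, location, method and witness signature. It also applies the disposition rules from the media-type matrix earlier on this page (permanent disposal uses Destroy; reuse uses Clear or Purge; Purge via crypto erase is listed as a disposal option only for NVMe and mobile devices and needs §3.2 verification). The field names, record layout and both sample certificates are constructed assumptions; the r2 section numbers are the ones cited in the page's tables.

```python
"""Evidence check for a Certificate of Destruction under CMMC MP.L2-3.8.3.

Added example. Record layout, field names and sample data are assumptions;
the NIST SP 800-88 r2 section numbers are those cited on the page.
"""

# Category -> r2 section, as cited in the page's tables.
R2_SECTIONS = {"Clear": "3.1.1", "Purge": "3.1.2", "Destroy": "3.1.3"}

# Categories acceptable per disposition (Purge on disposal only for the media below).
ALLOWED_BY_DISPOSITION = {
    "disposal": {"Destroy", "Purge"},
    "reuse": {"Clear", "Purge"},
}
# Media types for which the matrix lists Purge (crypto erase) as a disposal option.
PURGE_DISPOSAL_MEDIA = {"nvme", "mobile"}

# Fields the page says a certificate documents (names are assumed).
REQUIRED_FIELDS = ("vendor", "date", "location", "method", "category",
                   "section", "witness_signature", "disposition", "assets")


def validate_certificate(cert: dict) -> list:
    """Return a list of findings; an empty list means the record is assessment-ready."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not cert.get(name):
            findings.append(f"missing field: {name}")

    category = cert.get("category")
    if category not in R2_SECTIONS:
        findings.append(f"unknown NIST SP 800-88 r2 category: {category!r}")
    elif cert.get("section") != R2_SECTIONS[category]:
        findings.append(f"section {cert.get('section')!r} does not match category "
                        f"{category} (expected {R2_SECTIONS[category]})")

    disposition = cert.get("disposition")
    allowed = ALLOWED_BY_DISPOSITION.get(disposition)
    if allowed is None:
        findings.append(f"unknown disposition: {disposition!r}")
    elif category in R2_SECTIONS and category not in allowed:
        findings.append(f"category {category} is not acceptable for {disposition}")

    # Serialized inventory: one entry per device, unique serial, known media type.
    seen = set()
    for i, asset in enumerate(cert.get("assets") or []):
        serial, media = asset.get("serial"), asset.get("media_type")
        if not serial:
            findings.append(f"asset #{i}: missing serial number")
        elif serial in seen:
            findings.append(f"asset #{i}: duplicate serial {serial}")
        else:
            seen.add(serial)
        if not media:
            findings.append(f"asset #{i}: missing media type")
        # Purge on permanent disposal: only listed for NVMe/mobile, and crypto
        # erase needs section 3.2 verification evidence per the matrix.
        if disposition == "disposal" and category == "Purge":
            if media not in PURGE_DISPOSAL_MEDIA:
                findings.append(f"asset #{i}: Purge is not a listed disposal method for {media!r}")
            elif not asset.get("verified_3_2"):
                findings.append(f"asset #{i}: Purge on disposal lacks section 3.2 verification evidence")
    return findings


# Constructed sample: a shredding job for two CUI drives, fully documented.
SHRED_CERT = {
    "vendor": "Data Destruction Inc.", "date": "2025-03-04",
    "location": "Contractor site (constructed)", "method": "Hard drive shredding",
    "category": "Destroy", "section": "3.1.3",
    "witness_signature": "J. Doe (constructed)", "disposition": "disposal",
    "assets": [{"serial": "HDD-0001", "media_type": "hdd"},
               {"serial": "SSD-0002", "media_type": "ssd"}],
}

# Constructed sample with defects: no witness, section/category mismatch,
# a duplicate serial, an unverified crypto erase, and a USB stick purged for disposal.
DEFECTIVE_CERT = {
    "vendor": "Data Destruction Inc.", "date": "2025-03-04",
    "location": "Contractor site (constructed)", "method": "Crypto Erase",
    "category": "Purge", "section": "3.1.3",
    "witness_signature": "", "disposition": "disposal",
    "assets": [{"serial": "NVME-0001", "media_type": "nvme", "verified_3_2": True},
               {"serial": "NVME-0001", "media_type": "nvme", "verified_3_2": False},
               {"serial": "USB-0003", "media_type": "usb"}],
}

if __name__ == "__main__":
    for label, cert in (("shred job", SHRED_CERT), ("defective record", DEFECTIVE_CERT)):
        print(f"{label}: {validate_certificate(cert) or 'no findings'}")
```

Run over the contractor's own certificate records, a check like this turns the assessor's checklist into a repeatable control: every certificate retained in the SSP evidence package can be screened for missing witness signatures, category/section mismatches and unserialized assets before the C3PAO asks for it.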
Does CMMC media sanitization apply to subcontractors?
Yes. The CMMC clause flows down to subcontractors that handle CUI. If a subcontractor receives, stores, or processes CUI on any system or media, that media is subject to MP.L2-3.8.3 requirements before disposal. Subcontractors must either achieve their own CMMC certification or work under a prime contractor’s approved plan that accounts for subcontractor CUI handling.
What is the difference between CMMC 1.0 and CMMC 2.0 for media sanitization?
CMMC 1.0 (2020) used 5 maturity levels with 171 practices. CMMC 2.0 (final rule 2024) reduced this to 3 levels with practices aligned directly to NIST SP 800-171 Rev 3 and NIST SP 800-172. The media sanitization practices (MP domain) in CMMC 2.0 are drawn directly from NIST SP 800-171 controls 3.8.1 through 3.8.9, mapped to CMMC practice identifiers MP.L2-3.8.1 through MP.L2-3.8.9. For practical purposes, the destruction requirement (sanitize or destroy CUI media per NIST 800-88 r2) is substantively the same in both versions.
