CUI Destruction: What to Review and How to Destroy

Ensure compliance: CUI documents must be reviewed before destruction to prevent serious risks.

Destroying CUI is not the same as deleting it. It's not the same as putting a document through a strip-cut shredder. And it's definitely not moving files to the Recycle Bin and emptying it.

CMMC practice MP.L1-3.8.3 (a Level 1 practice that Level 2 inherits; NIST SP 800-171 requirement 3.8.3) says you must sanitize or destroy system media containing CUI before disposal or release for reuse. The practice text names no method. The requirement's discussion and the CMMC assessment guide point to NIST SP 800-88, Guidelines for Media Sanitization, and that is the standard assessors expect your procedures to cite. If your written procedure can't be traced to 800-88 (or an equivalent the assessor accepts, such as a device on the NSA/CSS Evaluated Products List), expect a finding.

The Three-Level Framework: Clear, Purge, Destroy

NIST SP 800-88 organizes sanitization into three levels. Which one you use depends on the sensitivity of the CUI, the type of media, and what you intend to do with the media afterward.

Clear applies logical techniques (normally an overwrite issued through standard read/write commands) to every user-addressable storage location. It protects against simple, non-invasive recovery: reading the data back with normal commands or file-recovery tools. It does not reach areas the host can't address (remapped sectors, SSD over-provisioning), which is why 800-88 pairs it with lower confidentiality needs. For CUI, use Clear only when the media is being reused inside the same security boundary. It is not appropriate for disposal or for transfer outside the organization.

Examples of Clear techniques:
  • A single-pass overwrite of all logical storage with a fixed pattern, followed by a read-back verification. 800-88 treats one verified pass as sufficient on modern magnetic drives; NIST does not certify particular tools, so "approved" means approved by your organization and documented.
  • A factory reset on a mobile device, followed by a check that user data is actually gone. On a device whose storage is not encrypted, a reset is Clear at best.

Clear is the lowest bar. Don't use it for media leaving your organization.

Purge — applies more intensive techniques that protect against laboratory-level recovery attacks. Appropriate when media is leaving your control — being disposed of, transferred to another organization, or returned to a vendor.

Examples of Purge techniques:
  • Cryptographic erase (CE). If the drive encrypts everything it stores with an internal key and you can verifiably destroy that key, the ciphertext left on the flash or platters is unrecoverable. Modern self-encrypting drives (SEDs) from manufacturers such as Samsung and Seagate support this through TCG Opal, the ATA SANITIZE CRYPTO SCRAMBLE command, or NVMe Format with the crypto-erase setting. 800-88 accepts CE as Purge only when the drive encrypted the data from first use and the key is actually sanitized; confirm the capability before relying on it.
  • Secure erase (SE). ATA drives expose the SECURITY ERASE UNIT command, newer drives the SANITIZE command set, and NVMe drives Sanitize and Format with secure-erase settings. The drive runs the erase internally and reaches remapped sectors and spare area that a software overwrite cannot, which makes it more reliable than overwriting from the host. Note the distinction 800-88 draws: the normal SECURITY ERASE UNIT counts only as Clear, while the enhanced erase and the SANITIZE commands count as Purge.
  • Degaussing. A strong magnetic field scrambles the magnetic domains. Effective for magnetic hard drives and tape. It does nothing to SSDs, optical media or USB flash drives (no magnetic storage), and it also wipes a modern HDD's servo tracks, so the drive is unusable afterwards: degaussing is a disposal step, never a reuse step.
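As an added example (not code from the article), here is a pre-flight check for the ATA secure erase path: a Python helper that parses the Security section of `hdparm -I` output, refuses to proceed if the drive doesn't implement the security feature set, is frozen by the BIOS, or already has a password set, and returns the `hdparm` command sequence to run. The sample output is constructed to match hdparm's layout; the device path and password are placeholders, and nothing here touches a real disk.

```python
"""Pre-flight check before issuing an ATA Secure Erase (NIST SP 800-88 Clear/Purge path).

Added example, not from the original article. Parses the 'Security:' section that
`hdparm -I /dev/sdX` prints and decides whether the drive can be erased right now
and which hdparm command sequence to use. Nothing here touches a real disk.
"""
import re

# Constructed sample in the layout hdparm -I prints (not captured from a real drive).
SAMPLE_HDPARM_OK = """\
ATA device, with non-removable media
\tModel Number:       EXAMPLE-HDD-2TB
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t240min for SECURITY ERASE UNIT. 240min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""

# Same drive after the BIOS has frozen the security feature set (common right after boot).
SAMPLE_HDPARM_FROZEN = SAMPLE_HDPARM_OK.replace("\tnot\tfrozen", "\t\tfrozen")


def parse_security_section(hdparm_output: str) -> dict:
    """Return the ATA security flags reported by `hdparm -I`."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False, "erase_minutes": None}
    in_section = False
    for raw in hdparm_output.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if in_section and raw and not raw[0].isspace():
            break  # reached the next top-level section
        if not in_section:
            continue
        line = " ".join(raw.split())  # collapse hdparm's tab layout
        m = re.match(r"(\d+)min for SECURITY ERASE UNIT", line)
        if m:
            flags["erase_minutes"] = int(m.group(1))
            continue
        negated = line.startswith("not ")
        name = line[4:] if negated else line
        if name == "supported":
            flags["supported"] = not negated
        elif name == "supported: enhanced erase":
            flags["enhanced_erase"] = not negated
        elif name in ("enabled", "locked", "frozen"):
            flags[name] = not negated
    return flags


def secure_erase_plan(hdparm_output: str, device: str, password: str = "p") -> dict:
    """Decide whether SECURITY ERASE UNIT can run now and build the command sequence.

    Per 800-88, the enhanced erase is Purge; the normal erase only reaches Clear.
    """
    f = parse_security_section(hdparm_output)
    if not f["supported"]:
        return {"ok": False, "reason": "drive lacks the ATA security feature set; overwrite, degauss or destroy instead"}
    if f["frozen"]:
        return {"ok": False, "reason": "security is frozen by the BIOS; suspend/resume or hot-plug the drive and re-check"}
    if f["locked"] or f["enabled"]:
        return {"ok": False, "reason": "a user password is already set; unlock with the existing password first"}
    erase_flag = "--security-erase-enhanced" if f["enhanced_erase"] else "--security-erase"
    return {
        "ok": True,
        "level": "purge" if f["enhanced_erase"] else "clear",
        "commands": [
            f"hdparm --user-master u --security-set-pass {password} {device}",
            f"hdparm --user-master u {erase_flag} {password} {device}",
            f"hdparm -I {device}",  # afterwards: confirm 'not enabled', then read back a sample
        ],
        "expected_minutes": f["erase_minutes"],
    }


if __name__ == "__main__":
    print(secure_erase_plan(SAMPLE_HDPARM_OK, "/dev/sdX"))
    print(secure_erase_plan(SAMPLE_HDPARM_FROZEN, "/dev/sdX"))
```

The "frozen" state is the usual trip-up: most BIOSes freeze the security feature set at boot, and the erase command simply fails until the drive is re-initialized. The NVMe analogue is `nvme format /dev/nvmeXn1 --ses=2` for a crypto erase (or `--ses=1` for a user-data erase) after checking the controller's capabilities with `nvme id-ctrl`; the same rule applies there, a reported success is not verification until you read a sample of the device back.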

Destroy renders the data unrecoverable by any known laboratory technique and leaves the media unusable. Use it when the media is end-of-life and will not be reused, when Purge isn't available or can't be verified for that media type (SSDs and optical media are the usual cases), or when you want the highest assurance.

Destruction methods vary by media type (see below). The key: destruction must be verified and documented.

Destruction Methods by Media Type

Hard Disk Drives (HDDs)

HDDs use magnetic platters. Your options:
  • Degauss, then shred or puncture. An NSA-listed degausser (e.g., Garner Products, VS Security Products) renders the drive unreadable; follow it with physical damage to the platters so nobody can tell from the outside whether the drive was actually degaussed. The NSA maintains a list of evaluated degaussers at nsa.gov/Resources/Everyone/Media-Destruction. Check the degausser's rating against the drive's coercivity; a unit bought for older drives may not fully sanitize a high-density modern one.
  • Disintegration. An industrial shredder rated for hard drives. NSA-evaluated units produce particles under 2 mm; a general-purpose metal shredder that leaves strips of platter supports a weaker claim.
  • Incineration. Permitted, but logistically unusual for most contractors.

Cost estimate: professional degauss + destroy service runs $200–$400 per drive through vendors like Iron Mountain, Stericycle, or a local certified ITAD provider. Large-volume contracts can bring this to $50–$100/drive.

Solid-State Drives (SSDs), USB Drives, Flash Media

SSDs and flash media cannot be degaussed; there is nothing magnetic to disrupt. Your options:
  • Cryptographic erase. If the device encrypts internally, sanitize the key (NVMe Format with the crypto-erase setting, ATA SANITIZE CRYPTO SCRAMBLE, or a TCG Opal revert). Verify the capability before relying on it, and record how you confirmed it.
  • Secure erase via the drive's own sanitize command or a manufacturer tool. Some vendors provide tools (e.g., Samsung Magician, Seagate SeaTools) that issue the drive-level erase. Results vary by model, and a tool that reports success is not verification: read back a sample of the device afterwards.
  • Physical destruction. The most reliable option. Use a disintegrator on the NSA/CSS Evaluated Products List for solid-state media. An ordinary HDD shredder that leaves pieces large enough to hold an intact NAND package is not sufficient; flash chips can be unsoldered and read directly.

Blancco and DBAN are commonly referenced software tools. DBAN (Darik's Boot and Nuke) is effective for traditional HDDs but does not reliably sanitize SSDs — do not use DBAN alone for SSD disposal. Blancco's enterprise tools include SSD-specific wiping algorithms and produce a certificate of erasure, which is useful as assessment evidence.

Paper Documents

Paper containing CUI must be destroyed with a cross-cut or micro-cut shredder rated DIN 66399 P-4 or higher. Strip-cut shredders are not acceptable; reconstruction of strip-cut documents has been demonstrated repeatedly, by hand and by software.

  • P-4: particles no larger than 160 mm² and no wider than 6 mm. Widely treated as the floor for CUI Basic.
  • P-5: particles no larger than 30 mm² and no wider than 2 mm. Recommended for CUI Specified or other higher-sensitivity material.
  • P-7: micro-cut, particles no larger than 5 mm² and no wider than 1 mm. This is the level of the NSA/CSS Evaluated Products List for paper shredders (1 mm x 5 mm), which is also the particle size NIST SP 800-88's own media table lists for destroying paper. If your procedure claims to follow 800-88 literally, or your contract invokes a classified-style destruction standard, P-4 will not match; get the assessor's or contracting officer's position in writing before buying equipment.

On-site shredding services (Shred-it, Iron Mountain Mobile Shredding, Cintas) bring a truck to your location and shred while your staff watch. Cost: $150–$400 per visit depending on volume and the documentation you need. You get a witnessed certificate of destruction, which is exactly the evidence your assessor wants. Ask that the certificate state the date, the site and the equipment's DIN 66399 level, and confirm the truck-mounted shredder's rating meets the level your procedure specifies.

Locked consoles (secure paper collection bins) plus scheduled shredding service is the most practical approach for ongoing CUI document destruction. Budget for a quarterly or monthly service depending on your CUI document volume.

Optical Media (CDs, DVDs, Blu-ray)

Optical media cannot be degaussed or wiped. Physical destruction is the only option. Shred in a cross-cut shredder rated for optical media, or use a dedicated optical disc shredder/grinder. Snapping discs by hand is not a recognized sanitization method — it leaves recoverable fragments.

Mobile Devices (Smartphones, Tablets)

If mobile devices have accessed CUI email, CUI files or CUI applications, they're in scope. Sanitization:
  • Cryptographic erase via the built-in wipe (iOS "Erase All Content and Settings", Android "Erase all data (factory reset)"). On devices whose storage is encrypted (every supported iPhone; Android devices with file-based encryption), the reset discards the keys, which 800-88 counts as Purge. On an older device without storage encryption it is only Clear.
  • Verify afterwards: the device should boot to the first-run setup screen with no prior accounts, and your MDM should report the wipe as completed. Keep that report.
  • If reuse is not the goal: physical destruction.

Mobile Device Management (MDM) solutions — Microsoft Intune, Jamf — can issue remote wipe commands. Document the wipe completion status as evidence.

The Review Process Before Destruction

MP.L2-3.8.5 requires you to control access to CUI media and maintain accountability for it during transport outside controlled areas. That covers a drive's trip to an off-site destruction vendor: a documented chain of custody from the moment the media leaves your control, not just the final certificate. Before any CUI media is destroyed:

  1. Verify CUI status. Confirm the media actually contains CUI before applying destruction-level procedures. Your asset inventory and data flow documentation help here; if a drive is in your CUI asset inventory, assume it contains CUI. Media you can't place in the inventory gets the CUI treatment too, because you can't prove otherwise.
  2. Check retention requirements. Some CUI may be subject to federal records retention requirements, and contract data may have to be retained for a specified period before destruction. Check your contracts and your records management policy. Destroying records on legal hold is a problem regardless of the sanitization method.
  3. Authorize destruction. Who approves media destruction in your organization? Define this in your media handling procedure (typically the ISSO or system owner), and document each authorization.
  4. Execute destruction using an approved method. Match the method to the media type and disposal intent (reuse inside the boundary vs. leaving your control), then verify the result: read back a sample after an overwrite or erase, or witness the physical destruction.
  5. Document everything. Record the media identifier (serial number, asset tag), the destruction method used, the date, who authorized and who performed or witnessed the destruction, and how you verified completion. For vendor-performed destruction, retain the certificate of destruction. Keep these records for at least three years, long enough to cover one CMMC assessment cycle.
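The five steps above, plus the read-back verification the Clear section calls for, as a small Python tool. This is an added example, not the article's procedure; the asset inventory, retention-hold list, e-mail addresses and the "drive" (a zero-filled temp file) are constructed stand-ins. It refuses to log a destruction when the serial isn't in the inventory, is under a hold, lacks an authorizer, uses a method that doesn't reach the level the disposal intent requires, or fails the read-back sample; each record carries a SHA-256 hash chained to the previous entry so the log itself is tamper-evident.

```python
"""Pre-destruction review and record keeping for CUI media.

Added example, not the article's own procedure. Inventory, hold list, people and
the 'device' below are constructed stand-ins, not real data.
"""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

# Constructed asset inventory keyed by serial number (stand-in for your real inventory).
INVENTORY = {
    "WD-WCC4E1234567": {"tag": "IT-0412", "media": "hdd", "cui": True},
    "S3Z9NB0K987654": {"tag": "IT-0587", "media": "ssd", "cui": True},
    "CD-BATCH-2023-07": {"tag": "IT-0601", "media": "optical", "cui": False},
}
RETENTION_HOLDS = {"S3Z9NB0K987654"}  # serials under a contract or legal retention hold

# Sanitization level each (media, method) pair achieves, following the article's rules.
METHOD_LEVEL = {
    ("hdd", "overwrite"): "clear", ("hdd", "ata_secure_erase_enhanced"): "purge",
    ("hdd", "degauss"): "purge", ("hdd", "shred"): "destroy",
    ("ssd", "crypto_erase"): "purge", ("ssd", "shred"): "destroy",
    ("optical", "shred"): "destroy", ("mobile", "crypto_erase"): "purge",
}
RANK = {"clear": 0, "purge": 1, "destroy": 2}


def required_level(leaving_control: bool) -> str:
    """Clear is only enough for reuse inside your own boundary; anything leaving needs Purge or better."""
    return "purge" if leaving_control else "clear"


def check_method(media: str, method: str, leaving_control: bool):
    """Return (ok, level) or (False, reason) for a proposed method on this media type."""
    level = METHOD_LEVEL.get((media, method))
    if level is None:
        return False, f"{method} is not an accepted method for {media} (e.g. degauss or DBAN on an SSD)"
    need = required_level(leaving_control)
    if RANK[level] < RANK[need]:
        return False, f"{method} only achieves {level}; {need} is required when media leaves your control"
    return True, level


def verify_overwrite(path: str, block_size: int = 4096, samples: int = 64, seed: int = 0) -> bool:
    """Spot-check an overwritten device or image: every sampled block must be all zero.

    800-88 requires verification after sanitization; this is a reproducible random sample.
    """
    size = os.path.getsize(path)
    rng = random.Random(seed)  # fixed seed so the sampled offsets can be recorded and repeated
    with open(path, "rb") as fh:
        for _ in range(samples):
            fh.seek(rng.randrange(0, max(1, size // block_size)) * block_size)
            if any(fh.read(block_size)):
                return False
    return True


def destruction_record(serial, method, leaving_control, authorized_by, performed_by, verified, prev_hash=""):
    """Apply the review gates, then build a log entry hash-chained to the previous one."""
    asset = INVENTORY.get(serial)
    if asset is None:
        raise ValueError(f"{serial} not in asset inventory; cannot confirm CUI status")
    if serial in RETENTION_HOLDS:
        raise ValueError(f"{serial} is under a retention hold; destruction not permitted")
    if not authorized_by:
        raise ValueError("destruction must be authorized (ISSO/system owner) before execution")
    ok, detail = check_method(asset["media"], method, leaving_control)
    if not ok:
        raise ValueError(detail)
    if not verified:
        raise ValueError("verification failed; re-sanitize or destroy the media before logging")
    entry = {"serial": serial, "asset_tag": asset["tag"], "media": asset["media"],
             "method": method, "level": detail, "verified": verified,
             "authorized_by": authorized_by, "performed_by": performed_by,
             "date": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             "prev_hash": prev_hash}
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry


def make_image(residual: bool, size: int = 1 << 20) -> str:
    """Temp file standing in for a drive after an overwrite (constructed, not a real device)."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"\xff" * size if residual else bytes(size))  # leftover data vs. fully zeroed
    return path


def demo(residual: bool = False) -> dict:
    """Verify a (constructed) overwritten drive and log its Clear for internal reuse."""
    image = make_image(residual)
    try:
        verified = verify_overwrite(image)
    finally:
        os.remove(image)
    return destruction_record("WD-WCC4E1234567", "overwrite", False,
                              "isso@example.org", "tech@example.org", verified)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The gates are deliberately in the same order as the review steps: inventory lookup first, because a serial you can't place tells you nothing about CUI status; the retention hold before the method check, because no sanitization technique fixes a destroyed record that was on hold. Storing the sample seed alongside the record lets an assessor re-run the same read-back on a drive you still hold.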

Common Mistakes

Deleting files and calling it sanitization. Deleting a file removes the directory entry and marks its blocks free; the bytes stay on the medium until something else overwrites them, and file-recovery tools find them in minutes. (On an SSD, TRIM may eventually cause the controller to discard those blocks, but you can neither control nor prove when.) File deletion is not sanitization by any standard. "We deleted all the CUI files before repurposing the laptop" will not satisfy MP.L1-3.8.3.

Using strip-cut shredders. A strip-cut shredder that produces long ribbons of paper does not meet the P-4 requirement. This is common in office environments where the security shredder is an old strip-cut unit that's been there for years. Check the shredder specification. DIN 66399 rating should be on the equipment label.

Relying on DBAN for SSDs. DBAN issues overwrite passes designed for magnetic media through the normal block interface. An SSD's flash translation layer and wear leveling can redirect those writes, and the over-provisioned spare area is never host-addressable, so data can remain in flash cells the overwrite never reached. DBAN can report success on an SSD while leaving recoverable data. For SSDs, use cryptographic erase or the drive's sanitize command, a manufacturer tool, or physical destruction. DBAN also hasn't been maintained for years; treat it as good for a Clear on an old HDD and nothing more.

No documentation. The destruction happened — but there's no record. An assessor asking to see evidence of media sanitization and getting "we just send it to IT recycling" will note it as Not Met. The method matters, but so does the paper trail.

What Your Assessor Expects

For MP.L1-3.8.3, the assessor will:
  • Examine your media sanitization/destruction policy and procedures, looking for methods traceable to NIST SP 800-88 or an equivalent approved source, specified per media type.
  • Examine destruction logs or certificates of destruction for a sample of recently disposed media, and match them against your asset inventory.
  • Interview IT staff about what happens to drives, laptops and paper documents when they're decommissioned.
  • Test by asking to watch a destruction in progress or to walk through a recent media disposal event end to end.

The assessor is specifically checking that:
  • Your written procedures specify approved methods by media type.
  • You can demonstrate those procedures were followed, with records.
  • Staff who perform or authorize destruction know the procedures.

Pull your media sanitization procedure, your asset inventory, and your destruction logs together before the assessment. If you use a third-party destruction vendor, have the most recent certificates of destruction organized and ready.

---

The rule of thumb: if you can't prove it was destroyed, your assessor will assume it wasn't. Document every step.