Why We Destroy CUI
Understand the goal of destroying CUI: ending the risk to sensitive information once it is no longer needed.
---
CUI (Controlled Unclassified Information) that's no longer needed doesn't just become harmless. The information is still there. The government's interest in protecting it doesn't expire. The only way to end the risk is to end the information — destroy it so thoroughly that recovery is impossible.
This isn't optional housekeeping. Proper CUI destruction is a formal CMMC (Cybersecurity Maturity Model Certification) requirement under control MP.L2-3.8.3: sanitize or destroy system media before disposal or reuse. Failing to destroy CUI properly — or failing to document that you did — is an assessment finding.
Here's what "proper" actually means.
Why Destruction Is Required
The principle behind CUI destruction is simple: if you can't recover it, you can't lose it. Once a project ends, a contract closes, or a document reaches the end of its retention period, the continued existence of that CUI creates ongoing liability with no corresponding benefit.
Destruction also protects against a category of exposure that people routinely underestimate: end-of-life hardware. Hard drives are repurposed, donated, or disposed of. Old laptops get sold. USB drives get left in desk drawers. Without proper sanitization, CUI travels with the hardware long after anyone remembered it was there.
The DoD's concern is valid — adversaries specifically target disposed hardware from defense contractors looking for exactly this kind of oversight.
What the Standard Requires
The authoritative guidance for media sanitization is NIST SP 800-88, "Guidelines for Media Sanitization." CMMC's MP.L2-3.8.3 points directly to this standard. NIST SP 800-88 defines three tiers of sanitization based on the sensitivity of the information and the media type:
Clear: Overwriting data using software or firmware tools that address all user-addressable storage locations. Appropriate for lower sensitivity levels and reuse within the same organization. Not appropriate for CUI in most cases.
Purge: Applying a logical or physical method that removes data so that recovery is not possible using state-of-the-art laboratory techniques. For CUI, this is the minimum acceptable method for any media being reused outside your organization. For magnetic hard drives: cryptographic erasure (if the drive supports it and uses encrypted storage) or multi-pass overwrite using certified tools. For solid-state drives (SSDs): cryptographic erasure using manufacturer-implemented ATA Secure Erase, or physical destruction if the drive doesn't support it reliably.
Destroy: Physical destruction that makes the media unusable. Shredding, disintegrating, pulverizing, melting. For CUI on end-of-life media that won't be reused, destruction is often the cleanest solution and the easiest to document.
Paper CUI Destruction
Paper with CUI markings must be destroyed using a method that makes reconstruction impossible. Strip-cut shredders are not acceptable — the long strips can be reassembled. Minimum standard is cross-cut shredding, which cuts both horizontally and vertically, producing small rectangles. Micro-cut shredding is better, producing particles too small to reconstruct.
For commercial shredders, look for products rated DIN 66399 Level P-4 (cross-cut, particles ≤ 160 mm²) at minimum. Level P-5 or P-6 is preferable for CUI.
For high-volume paper destruction, many organizations use locked destruction bins with a certified destruction vendor. The vendor shreds on-site or at a secure facility and provides a Certificate of Destruction. Keep those certificates — they're your evidence for the assessment. Document every destruction event: what was destroyed, how, when, by whom, and under whose authority.
Digital Media Destruction
Hard disk drives (HDDs): Purge using certified overwrite software (Blancco, Eraser, DBAN for non-commercial use) or physically degauss using an NSA/CSS Evaluated Products List (EPL)-listed degausser, then physically destroy. Degaussing alone renders an HDD inoperable, which is often the most practical approach at end of life.
Solid-state drives (SSDs): SSDs are notoriously difficult to purge reliably through software overwriting because of wear leveling algorithms that prevent complete sector coverage. The recommended approach for CUI is cryptographic erasure (if the drive uses built-in encryption and you can verify the key is destroyed) or physical destruction. Physical destruction — shredding or disintegration — is the safest option for SSDs that held CUI.
USB drives and removable media: Physical destruction. These are cheap enough that reuse rarely justifies the sanitization complexity. Document and destroy.
Cloud storage: Deletion through a cloud provider's normal interface is not sanitization. CMMC requires verifying that CUI stored in cloud systems is actually removed — not just marked for deletion in a recycle bin or soft-deleted. Your cloud service agreement should specify data deletion standards and provide documentation. If you're using a cloud environment authorized under FedRAMP (Federal Risk and Authorization Management Program) or equivalent, review the provider's data sanitization documentation.
Encrypted files: Cryptographic erasure — destroying the encryption key so the data is unrecoverable — is acceptable if you can document that the encryption was implemented correctly and the key was the only means of access.
The Common Mistake
Treating file deletion as destruction.
Deleting a file removes the pointer to it in the file system. The data remains on the storage medium until that sector is overwritten by new data — which may never happen. A forensic tool recovers deleted files from unwiped drives routinely. That's not a theoretical risk. It's standard practice in incident response, legal discovery, and intelligence collection.
This mistake is especially common with SSDs. People who know to wipe HDDs sometimes assume that "deleting everything and formatting" an SSD is equivalent. It's not — the formatting process doesn't reliably touch all the storage sectors due to how SSDs manage wear.
Destroy the drive. Document it. Keep the certificate.
Documentation Requirements
For every CUI destruction event, document:
- Date of destruction
- Description of media destroyed (type, quantity, serial numbers where practical)
- Method of destruction (overwrite, degauss, physical destruction, certified vendor shred)
- Name of person(s) who witnessed or performed the destruction
- Any certificates of destruction from vendors
This documentation supports your SSP (System Security Plan) and gives your assessor evidence for MP.L2-3.8.3. Undocumented destruction is treated the same as no destruction from an assessment standpoint.
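The method-by-media rules from the Digital Media Destruction section and the required fields listed here, as an added example (not the article's own code or any vendor tool): a small Python checker that flags destruction records an assessor would reject. The field names and the ACCEPTABLE table are my assumptions, encoded from this article's prose rather than from the text of NIST SP 800-88.

```python
"""Check CUI destruction records against the per-media methods and required
documentation fields described above.  Added example, not from the article; the
ACCEPTABLE table is an assumption encoded from its prose, not NIST SP 800-88."""
from dataclasses import dataclass
from datetime import date

# Assumption: methods the article accepts per media type (delete/format never count).
ACCEPTABLE = {
    "paper": {"cross-cut shred", "micro-cut shred", "vendor shred"},
    "hdd": {"certified overwrite", "degauss", "physical destruction", "vendor shred"},
    "ssd": {"cryptographic erase", "physical destruction", "vendor shred"},
    "usb": {"physical destruction", "vendor shred"},
}
NOT_SANITIZATION = {"delete", "format", "quick format", "recycle bin"}
REQUIRED = ("destroyed_on", "media_type", "description", "method", "performed_by")

@dataclass
class DestructionRecord:
    destroyed_on: str          # ISO date, e.g. "2024-05-01"
    media_type: str            # paper | hdd | ssd | usb
    description: str           # type, quantity, serial numbers where practical
    method: str
    performed_by: str          # who performed or witnessed the destruction
    certificate_id: str = ""   # vendor Certificate of Destruction number
    key_destruction_verified: bool = False  # needed for cryptographic erase

def validate(rec: DestructionRecord) -> list[str]:
    """Return assessment findings; an empty list means the record is complete."""
    findings = [f"missing required field: {f}" for f in REQUIRED if not getattr(rec, f)]
    try:
        date.fromisoformat(rec.destroyed_on)
    except ValueError:
        findings.append(f"destroyed_on is not a valid ISO date: {rec.destroyed_on!r}")
    media, method = rec.media_type.lower(), rec.method.lower()
    if method in NOT_SANITIZATION:
        findings.append("file deletion or formatting is not sanitization (MP.L2-3.8.3)")
    elif method not in ACCEPTABLE.get(media, set()):
        findings.append(f"{rec.method!r} is not an acceptable method for {media!r} media")
    if method == "vendor shred" and not rec.certificate_id:
        findings.append("vendor destruction requires a Certificate of Destruction")
    if method == "cryptographic erase" and not rec.key_destruction_verified:
        findings.append("cryptographic erase requires documented key destruction")
    return findings

# Constructed sample log: one clean record and two an assessor would flag.
SAMPLE_LOG = [
    DestructionRecord("2024-05-01", "hdd", "2x 1TB HDD, SN PLACEHOLDER-1/2", "degauss", "J. Doe"),
    DestructionRecord("2024-05-01", "ssd", "1x 512GB SSD, SN PLACEHOLDER-3", "certified overwrite", "J. Doe"),
    DestructionRecord("2024-13-01", "paper", "3 locked bins", "vendor shred", ""),
]
```

Run `validate` over each record in your own log before an assessment; the second sample record shows the SSD-overwrite mistake the article warns about, and the third is missing a witness, a valid date, and the vendor certificate.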
---
Want the full picture on CUI media protection? Our Tier 2 article on CUI lifecycle management covers how to handle CUI from creation through storage, transmission, and final destruction — with the specific controls and documentation requirements at each stage.