Companies that need to comply with CMMC to earn their governmental contracts have a lot of work ahead of them. Securing their systems against intrusion and protecting data from breaches, malicious actors, and snooping is all part and parcel of the program.
One aspect of information security that can be distressingly easy to overlook is disposal.
- When you replace outdated computers, what happens to the old hardware and data on it?
- When you update documents, what happens to old hard copies?
- When data is no longer useful, or you’re no longer allowed to have it (such as if a contract is revoked), how is the data destroyed?
Protecting CUI and FCI isn’t just about when it’s in your possession; it’s about ensuring that it never leaves your possession, outside of legitimate channels.
Fortunately, even if your company hasn’t thought it through, the government has, and has produced a framework relevant to the need: NIST SP 800-88.
BLUF - Bottom Line Up Front
Companies need to comply with CMMC to secure government contracts, focusing on securing systems, protecting data, and sanitizing media. NIST SP 800-88 provides guidelines for media sanitization, including clearing, purging, and destroying data on various media types. Improper sanitization risks losing contracts and certifications, facing legal penalties, and damaging reputation. Businesses should analyze their environments to develop proper sanitization protocols, ensuring compliance and protecting sensitive information. Media sanitization includes handling both physical and digital media effectively.
What is NIST 800-88?
NIST SP 800-88 is simply “Guidelines for Media Sanitization”. It’s essentially a sub-document of the overarching NIST information security controls. NIST SP 800-53 encompasses everything you could think of in cybersecurity and infosec, including sanitization. NIST SP 800-171 is derived from it and focuses on protecting specific data; similarly, FedRAMP is built on it and focuses on cloud infosec. CMMC is based on NIST SP 800-171.
All of these, then, reference the same baseline requirements to sanitize data and control what information leaves your ecosystem through disposal channels. In order to maintain consistency across all of these, the government developed NIST SP 800-88 as the standardization for sanitization.
NIST SP 800-88 was originally published in 2006. It was revised into Revision 1 in 2014, and recently, Revision 2 was released in September 2025. You can read that current document here.
Does CMMC Require NIST 800-88?
Yes.
CMMC places media protection as a Level 1 requirement.
MP.L1-3.8.3 – Media Disposal
Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.
Level 2 has even more information about it.
Determine if:
[a] system media containing CUI is sanitized or destroyed before disposal; and
[b] system media containing CUI is sanitized before it is released for reuse.
Though CMMC doesn’t specifically tell you that NIST SP 800-88 is the relevant document, it does reference NIST SP 800-171, which itself directs you to 800-88 for media sanitization requirements.
Why is Media Sanitization Important?
Information currently in use or stored in your systems is an obvious target, but often, it’s an easier vector of attack to simply go “dumpster diving” after the fact. Even if the information is outdated, it can still be relevant and useful to scammers or for fraudulent activities.
This isn’t an unwarranted fear, either.
For example, there are numerous instances in recent years where healthcare systems have disposed of hard drives without properly sanitizing them first. Those hard drives, when recovered or purchased on the secondary market, can be read to recover protected health information from patients. Hundreds of thousands of patient records have been exposed to date.
Another big-name instance of improper sanitization comes from Morgan Stanley back in 2020; they shut down two data centers in 2016 and hired a vendor to destroy the data on the devices used. That vendor didn’t properly wipe the drives, and in 2019, a recycler discovered unencrypted data present on drives from those data centers.
Obviously, CMMC requiring media sanitization is also a big part of the equation.
What Are the Penalties for Improper Media Sanitization?
A lot.
If you have CMMC for federal contracts, and you’re found to have been improperly sanitizing media, you can lose your contracts and your certification immediately. That alone can be devastating to a business, and that’s before you get into breach of contract penalties and repercussions from the DoD.
Legal ramifications can also follow. Depending on where you operate, the data you expose could put you under fire from privacy protection laws like HIPAA or the GDPR, as well as various state-level and industry-level regulations. These can and do frequently result in very steep financial penalties.
Even beyond legal and financial penalties, a business found to be improperly handling information loses a lot of trust and reputation, which makes it harder to continue doing business. Even if you fix the root of the issues, you’re likely to lose contracts to competitors who haven’t proven unsafe in the past.
And all of that doesn’t even speak to what could happen with the data itself. Depending on the kind of data that is compromised, it can fuel identity theft, loss of trade secrets and intellectual property, and in some cases, even governmental secrets and other protected information that can put lives at risk.
What Media Needs to be Sanitized?
One issue that we commonly encounter is thinking of media sanitization in terms of data, rather than the media itself. This is a similar problem to the one faced in scoping; instead of figuring out where data flows and rests and securing that, it’s worth constructing a more limited flow to reduce threat surfaces and shrink the scope of necessary security.
With media sanitization, it’s not about figuring out which pieces of data need to be destroyed when they leave your ecosystem; it’s about figuring out what pieces of media (physical papers, hard drives, etc.) have had that data on them, and sanitizing them.
From discussion in NIST SP 800-171, you can see this more clearly.
“This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm.”
Media can refer to anything that stores or handles data in a way that can possibly retain it. Paper and hard drives are the common examples, but tapes, discs, photos, CDs and DVDs, phones, and other devices all count as well. Even office appliances you might not think of as capable of storing information can do so. Many modern printers have drives that store items to be printed, which means they can have that data extracted, and thus need to be sanitized.
While CMMC’s requirements only say that media should be sanitized if it contained FCI or CUI, many businesses find other reasons to sanitize media as well. Health and personal information need to be sanitized due to HIPAA requirements. Business information, like HR and financial documents, should be sanitized to protect business operations.
Many businesses simply find that sanitizing much of what leaves their ecosystem, regardless of the content of it, is a good practice.
What Does NIST SP 800-88 Specify?
NIST 800-88 is a 48-page document in its latest revision, so for obvious reasons, we’re not going to reproduce the whole thing here. You can read it for free directly, anyway. But we can go through and summarize the most relevant details. Make sure to use the actual document for your business, and not our summary, though.
Defining Types of Media
One of the first things 800-88 does is define the two kinds of media.
The first is hard copy media. These are physical representations of information, the archetypal printout of a controlled document. They elaborate that this category can include a lot of different kinds of media, including microfiche, film, printer ribbons, and other physical items. If it can be fished out of a dumpster and read on the spot, it’s hard copy, more or less.
The second is ISM, or Information Storage Media. This is media that stores digital representations of controlled information, the 1s and 0s of code. Hard drives, solid state drives, RAM, discs, memory, and other devices all constitute ISM.
They also mention the distinction between volatile and non-volatile ISM. Computer RAM only retains its contents while it’s powered and in use, and stores nothing once the power is cut, so it is less of a sanitization focus than more permanent storage media like hard drives.
Describing the Three Tiers of Sanitization
Another section of NIST 800-88 is the description of the three tiers of sanitization. The lower the tier, the less thorough the sanitization tends to be, so the greater the risk it poses to release with just that level of sanitization. That doesn’t mean you have to go full tier-three on everything, but it does mean that different media need to be treated at different levels.
Tier 1: Clear. Clearing is the process of rendering data inaccessible through normal means. Overwriting data on a hard drive, deleting it from a flash drive, and factory resetting a workstation all clear data. But the data isn’t necessarily gone, just harder to access through normal means. Someone plugging a cleared hard drive into their computer isn’t going to immediately access the data, because these techniques generally don’t remove the data; they just remove ordinary access to it.
A metaphor would be a library; deleting the card catalog doesn’t render the books inaccessible, just makes it harder to find the specific ones you’re looking for.
Tier 1 is useful for internal reuse of media. You can clear a flash drive and reuse it within your business, and that’s still protected enough.
Tier 2: Purge. The second tier uses specialized tools to make it unlikely or impossible to recover data. Using a piece of software to “zero out” a hard drive, or a degausser to purge the magnetic storage, can render it infeasible to recover the data. While some highly advanced techniques can still potentially recover this data, the cost and effort make it unlikely for anyone short of an extremely interested nation-state to try.
Tier 2 is useful for external reuse of media. If you decommission a data center, you can purge all of the drives and resell them to recoup some cost, rather than losing all of that hardware investment.
NIST 800-88 also includes some discussion of encryption as a purge mechanism. Sufficiently encrypted data, when the keys are destroyed, can be effectively purged. 800-88 goes into detail on this, with the added requirement that encryption must be FIPS-140 standard or better for it to work.
Tier 3: Destroy. The third tier uses physical destruction techniques to render the media inoperable beyond the point of recovery. Multi-stage shredding for paper documents, pulverizing machines to crush hard drives, or incineration to render the media into its component carbon atoms are all part of this tier.
Tier 3 is, obviously, only suitable when the media can’t be reused.
Tips on Implementing Proper Media Sanitization Protocols
The other major aspect of NIST SP 800-88 is a lot of tips and guidance on how to develop and implement media sanitization protocols. They are not prescriptive with it; it’s up to you to determine what security level for what frameworks you need to meet, what kinds of data need to be protected, what media needs to be sanitized, and how that sanitization needs to be handled.
What the document does is give you various considerations to bear in mind that may influence your decision-making. It’s all basically scoping again, for when media leaves your ecosystem.
The key to it all is simply determining the flow of information and media, and making sure you have policies in place to properly handle media as it leaves, for whatever purpose it’s leaving.
Our Ignyte Assurance Platform can help here, as it can with all compliance efforts. Given that the implementation of media sanitization is part of compliance, tracking it all within the platform is easy. To see how we can help, schedule a call to see a demo in action today.
Truly, the hardest part of compliance with NIST SP 800-88 is putting the initial thought into tracking, scoping, and determining which level of sanitization is relevant for any given piece of media. But, since sanitization has benefits beyond just being aligned with CMMC, businesses need to put a lot of that thought into practice regardless.
Either way, proper media sanitization is required in today’s information-driven world, so getting it right isn’t optional. Documents like NIST 800-88 can help, but there’s no substitute for analyzing your own environments and media for what needs to be done and how.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.