CUI media is wiped or destroyed before disposal or reuse.
What it actually means
Before a drive, laptop, USB, or paper containing CUI leaves your control or gets reused, it must be sanitized or destroyed so the CUI can't be recovered. Deleting files isn't enough — use proper sanitization (NIST 800-88 methods) or physical destruction.
Pass or fail — an assessor needs a "yes" to each
- A media sanitization/destruction process exists (NIST 800-88-aligned).
- It's applied before disposal or reuse, to all media types (including paper).
- Sanitization/destruction is documented.
What to have ready
- Media sanitization policy/procedure
- Certificates of destruction / sanitization records
- Equipment or vendor used
Where teams trip up
- Selling/recycling old drives without sanitizing
- "Delete" or quick-format treated as sanitization
- Forgetting paper, copiers, and printers