GRCWatch
Sign inStart free trial

CMMC MA.L2-3.7.3: Equipment Sanitization for CUI Protection

Controlled Unclassified Information (CUI) left on equipment sent for off-site maintenance creates significant breach risk. CMMC Level 2 control MA.L2-3.7.3 requires your organization to sanitize all equipment of CUI before maintenance, repair, or disposal. This control is essential for contractors handling sensitive government data.

What this means

Equipment sanitization ensures that any device leaving your organization for maintenance, repair, or decommissioning is completely purged of Controlled Unclassified Information. This includes laptops, servers, storage devices, printers, and any hardware that may have processed or stored CUI. The sanitization must occur before the equipment leaves your facility to prevent unauthorized access to sensitive information by third-party service providers or maintenance personnel.

How to comply

  1. 1.Document all equipment that will be removed for off-site maintenance, including asset type, serial number, and current CUI status
  2. 2.Establish sanitization standards for different equipment types, following NIST SP 800-88 or manufacturer guidelines
  3. 3.Implement data wiping or destruction procedures appropriate to the storage medium (HDD secure erasure, SSD formatting, or physical destruction)
  4. 4.Verify sanitization completion through certified tools or third-party validation before equipment leaves the facility
  5. 5.Maintain records documenting what equipment was sanitized, when, by whom, and what method was used
  6. 6.Include sanitization requirements in contracts with third-party maintenance providers
  7. 7.Establish a chain of custody process for equipment requiring maintenance to track CUI removal

Evidence auditors look for

  • Equipment sanitization policy document defining procedures for all device types
  • Sanitization verification reports from certified wiping software (e.g., DBAN, Eraser)
  • Third-party sanitization certifications from approved maintenance vendors
  • Equipment inventory log with sanitization status and dates
  • Chain of custody forms showing equipment movement before maintenance
  • Maintenance request forms requiring sanitization sign-off before off-site transfer
  • Records of sanitization tool updates and validation testing

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates equipment maintenance tracking and sanitization verification by creating audit-ready documentation workflows that capture sanitization evidence before equipment leaves your facility, eliminating manual record-keeping and assessment readiness gaps.

See how GRCWatch handles this control automatically

Start free trial

Related controls

MA.L1-3.7.1 — Timely MaintenanceMA.L2-3.7.2 — Remote Maintenance LoggingSI.L1-3.14.1 — Information and Information System SecurityAC.L1-3.1.1 — Access Control Policy