← Custodia

How to Destroy CUI Correctly: The Goal, Methods, and Rules (2026)

What the goal of destroying CUI is, and how to do it correctly: the standard of unreadable and irrecoverable, approved methods for paper and digital media (NIST SP 800-88), and how it ties into CMMC Level 2.

By David Fuentes· Compliance Officer, CustodiaJuly 5, 20266 min read

This is one of the most-searched CUI questions, usually because it shows up on a training quiz. The answer is worth understanding for real, not just memorizing, because getting destruction wrong is one of the quiet ways contractors fail a CMMC Level 2 assessment.

The goal of destroying CUI

Destruction is not about tidiness or freeing up space. Its single purpose is to ensure the information can never be recovered. The standard is that CUI must be rendered unreadable, indecipherable, and irrecoverable. If a determined person could reassemble a shredded document or recover a deleted file, the destruction did not meet the standard.

That is why the method matters. The same document destroyed two different ways can either meet the goal or completely miss it.

Destroying paper CUI

For physical documents, approved methods make the paper impossible to reassemble:

  • High-security cross-cut shredding to small particles (a strip-cut shredder is not enough).
  • Pulping that reduces the paper to fiber.
  • Incineration that fully burns the material.

Destroying digital CUI

Digital media is where most contractors slip. Deleting a file, emptying the recycle bin, or quick-formatting a drive leaves the underlying data recoverable. That does not meet the standard.

The authoritative method is NIST SP 800-88, media sanitization, which defines three levels chosen by media type and sensitivity:

MethodWhat it doesWhen to use it
ClearOverwrites data with logical techniquesMedia that stays in your control and will be reused internally
PurgeRenders recovery infeasible even in a lab (e.g. cryptographic erase)Media leaving your control
DestroyPhysically destroys the media (shred, disintegrate, incinerate)End-of-life media, or the highest sensitivity

Keep a record

Whatever method you use, document it. A short record or certificate of destruction, noting what was destroyed, when, how, and by whom, is the evidence that your process actually happened. For CMMC, a policy without evidence counts for little.

The CMMC requirement behind it

Destroying CUI correctly is not optional guidance, it is part of the media protection family of NIST SP 800-171, which makes up part of CMMC Level 2. An assessor will expect a documented sanitization process and evidence that you follow it, for both paper and digital media.

Frequently asked questions

What is the goal of destroying CUI?

The goal of destroying CUI is to make it unreadable, indecipherable, and irrecoverable, so that the information cannot be reconstructed or retrieved by any means once it is no longer needed. Destruction must be thorough enough that recovery is not reasonably possible, whether the CUI was on paper or digital media.

What are the approved methods for destroying CUI?

For paper, use high-security cross-cut shredding to small particles, or pulping or incineration. For digital media, follow NIST SP 800-88 media sanitization: clear, purge, or destroy, chosen by the media type and sensitivity. Simply deleting a file or emptying the recycle bin does not destroy CUI, because the data remains recoverable.

Does deleting a file destroy CUI?

No. Deleting a file or formatting a drive typically leaves the underlying data recoverable, so it does not meet the standard of irrecoverable destruction. Proper destruction of digital CUI requires sanitization methods from NIST SP 800-88, such as cryptographic erase, overwriting, or physical destruction of the media.

Which CMMC requirement covers destroying CUI?

Media protection requirements in NIST SP 800-171, which make up part of CMMC Level 2, require sanitizing or destroying media containing CUI before disposal or reuse. An assessor will look for a documented process and evidence that it is followed, not just a policy on paper.

Do I need a certificate of destruction for CUI?

It is strongly recommended. A record or certificate of destruction, showing what was destroyed, when, how, and by whom, is the evidence that proves your process was followed. For CMMC Level 2, that record is exactly the kind of artifact an assessor expects to see.

Keep reading
  1. CUI
    CUI Basic vs CUI Specified: The Plain-English Difference (2026)

    CUI Basic is the default control level. CUI Specified adds handling rules set by a specific law or policy. Here is how to tell which one you have, and why it barely changes your CMMC obligation.

    Read →
  2. CUI
    Do You Actually Handle CUI? A 5-Minute Self-Check (2026)

    Most small contractors assume they handle CUI and over-scope, or assume they do not and under-comply. Here is the honest 5-minute check that settles it, and decides your CMMC level.

    Read →
  3. CUI
    CUI Marking Guide: Banner Markings, Explained Simply (2026)

    A CUI banner goes at the top of every page and names what the information is and who controlled it. Here is how to read one, how to build one, and the mistakes that fail a CMMC assessment.

    Read →
Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements, no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual, two months free)