MA.L2-3.7.3 · NIST SP 800-171 3.7.3

Equipment Sanitization

Ensure equipment removed for off-site maintenance is sanitized of any CUI.

1 point if not met · POA&M eligible · 1 assessment objective

What an assessor scores, the objectives

MA.L2-3.7.3 is met only when its single objective, from NIST SP 800-171A, is satisfied; if that objective is missed, the whole requirement is not met.

  • a. equipment to be removed from organizational spaces for off-site maintenance is sanitized of any CUI

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For MA.L2-3.7.3, an assessor uses these:

Examine

System maintenance policy; procedures addressing controlled system maintenance; maintenance records; manufacturer or vendor maintenance specifications; equipment sanitization records; media sanitization records; system security plan; other relevant documents or records

Interview

Personnel with system maintenance responsibilities; personnel with information security responsibilities; personnel responsible for media sanitization; system or network administrators

Test

SELECT FROM: Organizational processes for scheduling, performing, documenting, reviewing, approving, and monitoring maintenance and repairs for systems; organizational processes for sanitizing system components; mechanisms supporting or implementing controlled maintenance; mechanisms implementing sanitization of system components

What it means, in context

This requirement addresses the information security aspects of system maintenance that are performed off-site and applies to all types of maintenance to any system component (including applications) conducted by a local or nonlocal entity (e.g., in-contract, warranty, in-house, software maintenance agreement). NIST SP 800-88 provides guidance on media sanitization.

Sanitization is a process that makes access to data infeasible on media such as a hard drive. The process may overwrite the entire media with a fixed pattern such as binary zeros. In addition to clearing the data, an organization could purge (e.g., degaussing, secure erasing, or disassembling) the data, or even destroy the media (e.g., incinerating, shredding, or pulverizing). Performing one of these activities ensures that the data is extremely hard to recover, thus ensuring its confidentiality. For additional guidance on which specific sanitization actions should be taken on any specific type of media, review the description of the Purge actions given in NIST SP 800-88 Revision 1 – Guidelines for Media Sanitization.

Example

You manage your organization's IT equipment. A recent DoD project has been using a storage array to house CUI. Recently, the array has experienced disk issues. After troubleshooting with the vendor, they recommend several drives be replaced in the array. Knowing the drives may contain CUI, you reference NIST 800-88 Rev. 1 and determine a strategy you can implement on the defective equipment – processing the drives with a degaussing unit [a]. Once all the drives have been wiped, you document the action and ship the faulty drives to the vendor.

Potential Assessment Considerations

  • Is there a process for sanitizing (e.g., erasing, wiping, degaussing) equipment that was used to store, process, or transmit CUI before it is removed from the facility for off-site maintenance (e.g., manufacturer or contracted maintenance support) [a]?

What passing evidence looks like

The sanitization step in your equipment disposal and offsite repair process: drives wiped or removed before anything leaves, with a record per event.

Common ways contractors fail MA.L2-3.7.3

  • Offsite repair is the forgotten path: a laptop sent to a vendor with CUI on disk fails this. The rule is sanitize first or remove the drive, and the record proves it happened.
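The "sanitize first or remove the drive, and keep a record per event" rule from the passing-evidence section and the failure bullet above can be enforced as a release gate in whatever ticketing or asset workflow ships hardware off-site. The script below is an added illustration, not code from this page or from the Level 2 Accelerator: it checks every storage component of a CUI-bearing device for a sanitization record with a recognised NIST SP 800-88 method, a verification flag, and a date no later than the shipping date, and renders each record as one log line an assessor could examine. The record layout, the method-to-category mapping, and all asset identifiers are constructed for the example.

```python
"""Release gate for off-site maintenance (added example; constructed data)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# NIST SP 800-88 Rev. 1 groups sanitization into Clear, Purge and Destroy.
# The mapping covers the methods this page names; "drive_removed" is the
# alternative path where the drive stays on site and never reaches the vendor.
# Illustrative only: confirm the right action per media type in SP 800-88 Appendix A.
METHOD_CATEGORY = {
    "overwrite": "Clear",
    "secure_erase": "Purge",
    "degauss": "Purge",
    "incinerate": "Destroy",
    "shred": "Destroy",
    "pulverize": "Destroy",
    "drive_removed": "Retained on site",
}


@dataclass(frozen=True)
class SanitizationRecord:
    """One evidence line per storage component, per sanitization event."""
    storage_id: str      # serial number or asset tag of the disk or SSD
    method: str          # key of METHOD_CATEGORY
    performed_by: str
    performed_on: date
    verified: bool       # post-sanitization verification was done and recorded


@dataclass(frozen=True)
class Equipment:
    asset_id: str
    storage_ids: tuple[str, ...]   # storage components installed in the unit
    held_cui: bool


def release_check(item: Equipment, records: list[SanitizationRecord],
                  ship_date: date) -> tuple[bool, list[str]]:
    """Return (approved, reasons) for shipping `item` off-site on `ship_date`.

    Equipment that never held CUI is released as-is. Otherwise every storage
    component needs a record with a recognised method, dated on or before the
    shipping date, and verified (unless the drive was physically retained).
    """
    if not item.held_cui:
        return True, []
    by_id = {r.storage_id: r for r in records}
    reasons: list[str] = []
    for sid in item.storage_ids:
        rec = by_id.get(sid)
        if rec is None:
            reasons.append(f"{sid}: no sanitization record")
            continue
        if rec.method not in METHOD_CATEGORY:
            reasons.append(f"{sid}: unrecognised method {rec.method!r}")
        if rec.performed_on > ship_date:
            reasons.append(f"{sid}: record dated after shipment")
        if not rec.verified and rec.method != "drive_removed":
            reasons.append(f"{sid}: sanitization not verified")
    return not reasons, reasons


def evidence_line(rec: SanitizationRecord) -> str:
    """Render a record as one CSV line for the sanitization log an assessor examines."""
    category = METHOD_CATEGORY.get(rec.method, "UNKNOWN")
    status = "verified" if rec.verified else "unverified"
    return (f"{rec.performed_on.isoformat()},{rec.storage_id},{rec.method},"
            f"{category},{rec.performed_by},{status}")


# Constructed sample inventory and records (not from any real system).
SHIP_DATE = date(2025, 3, 4)
RECORDS = [
    SanitizationRecord("SN-DISK-0001", "degauss", "j.doe", date(2025, 3, 3), True),
    SanitizationRecord("SN-DISK-0002", "drive_removed", "j.doe", date(2025, 3, 3), False),
    SanitizationRecord("SN-DISK-0003", "overwrite", "j.doe", date(2025, 3, 3), False),
]
# Storage array from the page's example: one drive degaussed, one pulled and kept.
ARRAY_OK = Equipment("ARRAY-01", ("SN-DISK-0001", "SN-DISK-0002"), held_cui=True)
# Laptop on the "forgotten path": one unverified wipe, one drive with no record at all.
LAPTOP_HOLD = Equipment("LAPTOP-07", ("SN-DISK-0003", "SN-DISK-0004"), held_cui=True)

if __name__ == "__main__":
    for unit in (ARRAY_OK, LAPTOP_HOLD):
        approved, why = release_check(unit, RECORDS, SHIP_DATE)
        print(unit.asset_id, "RELEASE" if approved else "HOLD", why)
    for r in RECORDS:
        print(evidence_line(r))
```

Running it releases ARRAY-01 and holds LAPTOP-07 with two reasons (an unverified overwrite and a missing record), which is exactly the evidence gap an assessor would flag: the wipe may have happened, but nothing proves it.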

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove MA.L2-3.7.3, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

MA.L2-3.7.3 questions, answered

How many points is CMMC requirement MA.L2-3.7.3 worth?

MA.L2-3.7.3 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can MA.L2-3.7.3 be placed on a POA&M?

Yes. A gap on MA.L2-3.7.3 can be deferred to a Plan of Action and Milestones, provided your overall score is 88 or better and the item closes within 180 days.

What family does MA.L2-3.7.3 belong to?

MA.L2-3.7.3 is in the Maintenance (MA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.7.3