How Permanent Media Sanitization Helps in CMMC Compliance?

Written by Sanjeev Yadav

Updated on July 18, 2022

Reading time: 3 min

CMMC Certification is a compliance requirement for all contractors and subcontractors currently working with the Department of Defense. It follows NIST standards for cybersecurity readiness and for countering the ever-growing threat of cyberattacks. This article explores the nuances of CMMC and the relevance of media sanitization for CMMC compliance.

Cybersecurity Maturity Model Certification (CMMC) was launched by the Department of Defense (DoD) to ensure the safeguarding of sensitive information by providing an exhaustive structure to protect the Defense Industrial Base (DIB) from ever-increasing and complex cyber-attacks. DIB has been a frequent target of highly complex cyber adversaries and malicious non-state actors. Creating a robust cybersecurity architecture is critical for DoD to safeguard sensitive information from getting into the wrong hands. CMMC is an instrumental framework by the Department of Defense to strengthen the cybersecurity efforts of DIB.

What is CMMC?

CMMC is a third-party compliance certification that assesses security standards as prescribed in Federal Acquisition Regulation (FAR 52.204-31) and the National Institute of Standards and Technology (NIST SP 800-171 & NIST SP 800-172). The certification applies to all non-federal entities and civilian organizations (government contractors, suppliers, vendors). It provides guidelines for vendors who process, store, or transmit Controlled Unclassified Information (CUI) and Federal Contract Information (FCI). It is estimated that more than 300,000 contractors working within the DIB in the Department of Defense, National Aeronautics and Space Administration (NASA), and General Services Administration (GSA) would require a CMMC to be eligible for participation in any ongoing or future contract with these federal bodies.

Origins of CMMC:

Initially, the Defense Federal Acquisition Regulation Supplement (DFARS) Clause 252.204-7012 was the standard for all DoD contractors for safeguarding Covered Defense Information and Cyber Incident Reporting. It was updated to NIST SP 800-171 in January 2018, allowing contractors to self-assess their security framework and cybersecurity readiness. The response was underwhelming, to say the least, which prompted the launch of CMMC 1.0 in 2020. Interestingly, it required assessment by third-party CMMC organizations (C3PAOs), in clear contrast to the earlier policies that didn't allow third-party verification.

CMMC 1.0 contained over 171 controls spread over 5 levels:

Level 1 (Performed): Basic Cyber Hygiene with 17 Practices.

Level 2 (Documented): Intermediate Cyber Hygiene with 72 Practices.

Level 3 (Managed): Good Cyber Hygiene with 130 Practices.

Level 4 (Reviewed): Proactive with 156 Practices.

Level 5 (Optimizing): Advanced with 171 Practices.

CMMC Model 1.0

| Level | Model | Assessment |
|---|---|---|
| Level 5 Advanced | 171 Practices | Third-Party |
| Level 4 Proactive | 156 Practices | None |
| Level 3 Good | 130 Practices | Third-Party |
| Level 2 Intermediate | 72 Practices | None |
| Level 1 Basic | 17 Practices | Third-Party |


In November 2021, CMMC 2.0 was unveiled, updated to safeguard sensitive information, help the DIB enhance cybersecurity, and ensure accountability while minimizing the challenges. Compared with CMMC 1.0, the maturity processes have been removed, as have all of the CMMC-unique security practices. CMMC 2.0 is an enhanced program by the Department of Defense to strengthen the original data protection goal of CMMC 1.0. The new CMMC framework provides more simplicity by removing barriers to compliance, additional clarity through well-defined directives, and ease of execution. It offers advanced cybersecurity standards as well as third-party assessments for contracting organizations.

CMMC 2.0 has 3 Levels and 110+ controls, which are as follows:

Level 1: It is the foundational level containing 17 controls that apply only to DIB companies processing FCI that are not critical to national security. Level 1 requires DIB companies to self-assess annually.

Level 2: It is the advanced level containing 110 controls that apply to DIB companies that are working with CUI. It is completely aligned with NIST SP 800-171 and requires triennial third-party assessments for critical information (CUI prioritized acquisitions) and annual self-assessment for select programs (CUI non-prioritized acquisitions).

Level 3: It is the expert level containing 110+ controls that apply only to DIB companies processing CUI that are part of DOD's highest priority programs. Its requirements will be aligned with NIST SP 800-172 controls along with 110 controls of NIST SP 800-171. Level 3 would require triennial government-led assessments.

CMMC Model 2.0

| Level | Model | Assessment |
|---|---|---|
| Level 3 Expert | 110+ Practices based on NIST 800-172 | Triennial Government-led |
| Level 2 Advanced | 110 Practices aligned with NIST 800-171 | Triennial Third-Party and annual self-assessment for select programs |
| Level 1 Foundational | 17 Practices encompassing basic safeguarding requirements specified in Federal Acquisition Regulation (FAR) Clause 52.204-21 | Annual Self-assessment |

Media Sanitization Requirements in CMMC 2.0:

In CMMC 2.0, media sanitization requirements are described under the Maintenance, Media Protection, and Personnel Security controls, which outline the need for media sanitization for CMMC compliance as follows:

LEVEL 1 CMMC 2.0 MEDIA SANITIZATION REQUIREMENTS:

1. Media Protection: 

[MP.L1-3.8.3] “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”

  • The media disposal requirement in section 3.8.3 applies to all system media, digital and non-digital, subject to disposal or reuse. NIST 800-88 guidelines prescribe either physical shredding or destruction of media for disposal, or software-based erasure for reuse. CMMC-compliant data destruction would thus require utilizing NIST-approved software for secure and permanent destruction of data.

LEVEL 2 CMMC 2.0 MEDIA SANITIZATION REQUIREMENTS

1. Maintenance:

[MA.L2-3.7.1] “Perform maintenance on organizational systems.”

  • Perform Maintenance: Under section 3.7.1, contractors are required to perform maintenance on organizational systems. Maintenance of systems requires CMMC-compliant data destruction of ROT (Redundant, Obsolete & Trivial) data from all media devices. Using secure data erasure techniques, contractors can fulfill media sanitization requirements for CMMC compliance.

[MA.L2-3.7.3] “Ensure equipment removed for off-site maintenance is sanitized of any CUI.”

  • Equipment Sanitization: Under section 3.7.3, contractors must ensure that equipment removed for off-site maintenance is sanitized of any CUI. This requirement can be achieved by implementing NIST 800-88 media sanitization guidelines, which employ Clear, Purge & Destroy techniques for CMMC-compliant data destruction. Clearing and purging can be achieved using software-based overwriting techniques, thereby fulfilling the media sanitization requirement for CMMC compliance.

2. Personnel Security:

[PS.L2-3.9.2] “Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers.”

  • Personnel Actions: Section 3.9.2 mandates the protection of data before reallocating the media in the event of personnel transfer. Secure and permanent media sanitization with professional data erasure software, as discussed above, can ensure that all media can be permanently wiped before reallocation.

Level 3 CMMC compliance standards are yet to be released. Visit the CMMC website for more recent updates.

BitRaser - An Ideal Solution to Meet CMMC 2.0 Media Sanitization Requirements

Data destruction has become an integral part of the security framework in every industry, with ever-evolving data protection laws and compliance requirements coming into force. It can become a daunting task for companies to choose a procedure that adheres not only to their local laws but to international compliance requirements as well. NIST 800-88, the most widely employed data destruction method for both classified and non-classified data, employs the Clear, Purge & Destroy approach. It covers a huge spectrum of devices and methods to choose from for performing secure data sanitization.

BitRaser Data Eraser Software is NIST approved for its data wiping efficacy and adheres to 24 international data erasure standards. In CMMC 2.0, data sanitization is an integral part of meeting compliance, and here BitRaser fits perfectly. The tool not only sanitizes the data by using the best practices of data overwriting but also verifies the result and prepares audit-ready certified reports that comply with NIST 800-88 guidelines for media sanitization. The BitRaser wiping solution performs verification of the sanitization process to ensure that all addressable locations have been securely sanitized, thereby ensuring CMMC-compliant data destruction. The tool offers a centralized cloud repository of reports for easy access. Software like BitRaser not only ensures media sanitization for CMMC compliance but can also be used for all end-of-life data needs, which mitigates the risk of a data breach or residual data fallout.

FAQs

What is CMMC compliance?

CMMC is a third-party compliance certification launched by the Department of Defense (DoD) to safeguard sensitive information within the Defense Industrial Base.

When is CMMC compliance required?

CMMC compliance is required by all contractors of DIB to be eligible for participation in any ongoing or future contract with federal bodies like GSA, NASA & DoD.

Has CMMC 2.0 been released?

In November 2021, CMMC 2.0 was introduced to help DIB enhance cybersecurity, ensure accountability, and minimize challenges. CMMC 2.0 is an enhanced program to strengthen the original data protection goal of CMMC 1.0.

What are the 3 levels of CMMC 2.0?

Level 1: It is the foundational level containing 17 controls that apply only to DIB companies processing FCI that are not critical to national security. Level 1 requires DIB companies to self-assess annually.

Level 2: It is the advanced level containing 110 controls that apply to DIB companies that are working with CUI. It is completely aligned with NIST SP 800-171 and requires triennial third-party assessments for critical information (CUI prioritized acquisitions) and annual self-assessment for select programs (CUI non-prioritized acquisitions).

Level 3: It is the expert level containing 110+ controls that apply only to DIB companies processing CUI that are part of DOD's highest priority programs. Its requirements will be aligned with NIST SP 800-172 controls along with 110 controls of NIST SP 800-171. Level 3 would require triennial government-led assessments.

What are the 5 levels of CMMC 1.0?

Level 1 (Performed): Basic Cyber Hygiene with 17 Practices.

Level 2 (Documented): Intermediate Cyber Hygiene with 72 Practices.

Level 3 (Managed): Good Cyber Hygiene with 130 Practices.

Level 4 (Reviewed): Proactive with 156 Practices.

Level 5 (Optimizing): Advanced with 171 Practices.
