CMMC ‘Level 1, Media Protection’ & ‘Level 3, Maintenance’ Requirements—and How DoD Contractors Can Prepare

Sep 21, 2021 Blog Article

A phased rollout of a new U.S. Department of Defense acquisition framework affects all potential defense contractors. To comply with the Cybersecurity Maturity Model Certification (CMMC) framework, contract hopefuls must demonstrate the soundness of their cybersecurity practices to a third-party assessor.

When it comes to Levels 1 and 3, CMMC documents reference NIST 800-88 Media Sanitization Guidelines—making Blancco’s audit-ready data erasure processes and reports great assets in your CMMC certification.

Brian Cooley, Senior Channel Manager

Brian Cooley has over 30 years of industry experience in technology and government applications. He’s worked with many leading technology companies, including Verizon, Brocade, and Unisys, on a wide range of government-related IT and network projects for both civilian and DoD customers. He’s based in the Washington, D.C., area and is a CMMC-AB Registered Practitioner.


What is the Cybersecurity Maturity Model Certification (CMMC)?

“CMMC is designed to provide increased assurance to the Department that a DIB (Defense Industrial Base) company can adequately protect sensitive unclassified information….”

CMMC FAQs 

Broadly speaking, the U.S. federal government generates two types of information: classified and unclassified. Of the vast stores of unclassified information, federal contractors and subcontractors handle both

To combat threats against this Department of Defense (DoD) information, the Office of the Under Secretary of Defense for Acquisition and Sustainment created a certification framework that verifies your ability as a DoD contractor or subcontractor to protect the federal data you handle.

This framework consists of five successively more advanced cybersecurity levels that measure your business’s “cybersecurity maturity.” It covers 171 cybersecurity best practices and forms the basis of Cybersecurity Maturity Model Certification (CMMC).

To become certified at any of the five levels, your cybersecurity processes and practices must be evaluated by an Authorized and Accredited CMMC Third-Party Assessment Organization (C3PAO). Upon passing, the CMMC-AB (Accreditation Body) issues your CMMC certificate.

What are the CMMC requirements?

Previous DoD contractor requirements

If your company has provided products or services to the Department of Defense or related agencies previously, the cybersecurity requirements themselves are not new—for the most part, CMMC is based on the existing FAR clause for “Basic Safeguarding of Covered Contractor Information Systems,” and the DFARS clause for “Safeguarding Covered Defense Information and Cyber Incident Reporting.”*

The DoD has also historically required compliance with NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations” for many projects (110 of these NIST requirements are included in CMMC Level 3), along with other sources and standards.

New DoD contractor requirements

But CMMC’s five levels, the third-party assessment, and the mandatory certification that proves compliance raise the standard for establishing cybersecurity trustworthiness during DoD acquisitions: self-assessments are no longer enough—and that includes practices related to sanitizing digital storage media.

The 5 CMMC levels

Cybersecurity Maturity Model Certification v 1.02 (PDF) explains each level of maturity, starting with Level 1. Each level of the model builds on the previous, incorporating sets of processes and practices that reinforce a particular focus:

Level   | Processes  | Practices                  | Focus
--------|------------|----------------------------|------
Level 1 | Performed  | Basic Cyber Hygiene        | Safeguard FCI
Level 2 | Documented | Intermediate Cyber Hygiene | Transition step in cybersecurity maturity progression to protect CUI
Level 3 | Managed    | Good Cyber Hygiene         | Protect CUI
Level 4 | Reviewed   | Proactive                  | Protect CUI and reduce risk of Advanced Persistent Threats (APTs)
Level 5 | Optimizing | Advanced/Progressive       | Same as Level 4: protect CUI and reduce risk of Advanced Persistent Threats (APTs)

Hierarchy of CMMC Levels of Maturity

Organizations must show how they institutionalize the practices within their organization and how they implement the practices at each level to be certified at that level or higher.

That means ALL DoD contractors and subcontractors must, at minimum, be CMMC certified at Level 1—and Level 1 includes media sanitization.

What does CMMC Level 1 require for media protection?

CMMC Level 1 requires that your contracting or subcontracting business perform ALL the safeguarding practices outlined in the FAR clause, 48 CFR 52.204-21, “Basic Safeguarding of Covered Contractor Information Systems,” including requirement VII, “Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.”

A sanitized device will have no recoverable, usable data, even with the assistance of advanced forensic tools.

Because reformatting, “wiping,” and even encryption may not be enough to protect all data, NIST 800-88, “Guidelines for Media Sanitization,” defines three categories of sanitization for end-of-life media: Clear, Purge, and Destroy.

Related Article: [Overview] Data Sanitization in the Modern Age: DoD or NIST?

At Level 1, you must be able to demonstrate how you perform data sanitization (as well as the other safeguards) across any information system you own or operate that “processes, stores, or transmits” FCI.  

While ad hoc practices are acceptable at this level, required data sanitization covers any number of types of data storage media within your information system: PCs and laptops, Macs, loose drives (including advanced SSDs), mobile devices, servers, and more. This means that whatever tool you use must be robust enough to handle all of your media storage devices and any situations that require targeted file or folder erasure.

Furthermore, data removal must be verified. This can be proven with a digitally signed erasure report that attests to the erasure method used and verification of that erasure.
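To make the verification step and the signed report concrete, here is an added example (not Blancco’s code or the CMMC documents’ own material) that reads a media image back sector by sector to confirm the overwrite pattern, then signs the resulting erasure record. The media image, device serial, and signing key are constructed placeholders; HMAC-SHA256 is used only to keep the example dependency-free, whereas a production tool would use an asymmetric signature so an assessor can verify the report with a public key.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

SECTOR = 512  # bytes per sector in the constructed media image


def verify_overwrite(image: bytes, pattern: int = 0x00, sample_every: int = 1) -> dict:
    """Read the image back sector by sector and confirm each byte equals the
    overwrite pattern. sample_every=1 is a full read-back; a larger value only
    samples sectors, which is weaker evidence, so the choice is recorded."""
    total = len(image) // SECTOR
    failed = []
    checked = 0
    for i in range(0, total, sample_every):
        sector = image[i * SECTOR:(i + 1) * SECTOR]
        checked += 1
        if any(b != pattern for b in sector):
            failed.append(i)
    return {"sectors_total": total, "sectors_checked": checked,
            "sectors_failed": failed, "full_readback": sample_every == 1,
            "passed": not failed}


def _canonical(body: dict) -> bytes:
    # Stable serialization so the signature covers exactly the same bytes later.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_report(device_serial: str, method: str, verification: dict, key: bytes) -> dict:
    """Assemble the erasure record (method used + verification result) and sign it.
    HMAC with a shared key is a stand-in for the asymmetric signature a real
    erasure product would apply."""
    body = {"device_serial": device_serial, "method": method,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "verification": verification}
    body["signature"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return body


def check_report(report: dict, key: bytes) -> bool:
    """Recompute the signature over every field except the signature itself."""
    body = {k: v for k, v in report.items() if k != "signature"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, report.get("signature", ""))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder, not a real signing key
    wiped = bytes(64 * SECTOR)     # constructed image: 64 fully zeroed sectors
    residual = bytearray(wiped)
    residual[10 * SECTOR + 7] = 0x41  # constructed leftover byte in sector 10
    for img in (wiped, bytes(residual)):
        result = verify_overwrite(img)
        rpt = build_report("SN-PLACEHOLDER", "NIST 800-88 Clear (overwrite)", result, key)
        print(result["passed"], check_report(rpt, key))
```

Any later edit to the report, such as flipping the verification result, invalidates the signature, which is what makes the record usable as assessment evidence.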

What does CMMC Level 3 require for media sanitization?

The data destruction requirement for CMMC Level 3 is: “Ensure equipment removed for off-site maintenance is sanitized of any CUI.”

This ensures that media storage devices, including servers, hard drives, computers, and mobile devices, are not vulnerable to breach while they are out of your control for external maintenance or repair.

Note that for this level of certification, not only must you document your processes (Level 2), you must also “establish, maintain, and resource a plan” showing how you manage implementation, including communications and staff training. Incorporating Blancco’s automated data erasure with customizable reporting capabilities ensures that operators are skilled up quickly, that erasure occurs on time and without error, and that end-of-project sanitization can be executed and accounted for seamlessly, providing audit-ready material for your CMMC assessment.

“The aggregate loss of Controlled Unclassified Information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the Department has continued to work with the DIB sector to enhance its protection of CUI in its unclassified networks.”

CMMC FAQs

How to prepare for CMMC Level 1 & Level 3 sanitization requirements

Every business seeking a contract with the DoD and its related agencies must prove competency in sanitizing all hardware used to store or process FCI and CUI, either at the end of first use (Levels 1–5) or for off-site maintenance (Levels 3–5). Note that, according to the CUI Program Blog, “[A]ll CUI in possession of a government contractor is FCI, but not all FCI is CUI.”

For the U.S. federal government, NIST 800-88 is the “go-to” standard for achieving data sanitization.

Blancco’s world-leading data erasure solutions are the most advanced in the industry, and achieve complete software-based media sanitization according to both NIST Clear and NIST Purge techniques, and they do so across the widest range of data storage media, from mobile devices to Macs, PCs, and laptops, to loose drives, servers, and network devices.

For a list of commonly used methods that do NOT achieve data sanitization, read What is Data Sanitization?

By harnessing automation, API integrations, and a centralized console for data erasure reports, Blancco fortifies your cybersecurity best practices by verifying all erasures. Blancco solutions also make the media sanitization process cost-effective and repeatable for you and transparent to auditors and assessors—all critical elements in easing your path to CMMC certification.

Learn more

To learn more about how Blancco data erasure solutions can support CMMC media protection requirements, contact us or sign up for your free Enterprise Data Erasure Trial.

A qualified Blancco representative familiar with the CMMC framework will walk you through the requirements and how our solutions fit in.


* “FAR” stands for Federal Acquisition Regulation. This is the primary regulation followed by executive agencies when procuring supplies and services. It includes solicitation and contract requirements. “DFARS” is the Defense Federal Acquisition Regulation Supplement to FAR and is administered by the DoD.
