The Cybersecurity Maturity Model Certification (CMMC) is part of a broader effort by the Department of Defense to strengthen how sensitive information is protected across the defense supply chain. The DoD finalized the CMMC rule in late 2025, and it’s being phased into new contracts over the next few years. As this happens, organizations—including many that have supported defense programs for years—are starting to see CMMC language show up in solicitations, subcontractor agreements, and compliance questionnaires.
The goal isn’t to create a new burden—it’s to raise the baseline. For more than a decade, organizations working with the DoD were expected to follow NIST SP 800-171, but compliance was largely self-attested. Reviews showed inconsistent implementation, gaps in documentation, and in some cases, a lack of awareness about how widely Controlled Unclassified Information (CUI) was being handled. CMMC formalizes the expectation and adds verification so protections are applied consistently across the supply chain.
Understanding what falls under CMMC starts with understanding what CUI is and how it moves through an organization.
What Controlled Unclassified Information Really Is
CUI is government-related information that isn’t classified but still shouldn’t be publicly released. Many organizations handle it as part of their normal workflow, even if they haven’t labeled it as CUI.
This can include:
- technical drawings and CAD models
- engineering specifications
- production and tooling details
- test results, research information, and quality data
- maintenance and repair information
- export-controlled data
- certain program, scheduling, or financial documents
- anything a prime contractor or government agency has marked as CUI
If information like this is stored, transmitted, or processed on your systems, CMMC becomes relevant, regardless of company size.
Who CMMC Applies To
CMMC applies to a wide range of organizations—not just prime contractors. It reaches manufacturers, engineering firms, MSPs and IT providers, software and cloud services, logistics and warehousing groups, universities, research institutions, and professional service providers. In many cases, organizations several layers down in a subcontracting chain are affected.
Inside those businesses, responsibility for implementing CMMC often sits with IT teams, security leads, operations managers, and contract administrators.
How CMMC Works
CMMC Level 2 is the level most organizations in our region will encounter. It aligns directly with the 110 security requirements in NIST SP 800-171. These cover everything from access control and authentication to logging, encryption, incident response, configuration management, vendor oversight, and media protection.
CMMC doesn’t change the technical expectations. It reinforces them by requiring consistency, documentation, and evidence.
Key Areas Organizations Typically Focus On
As organizations begin reviewing their environment for CMMC alignment, a few topics tend to come up early.
- Understanding where CUI lives: CUI can appear in places such as email, shared drives, CAD stations, ERP systems, cloud platforms, backups, laptops, and portable devices.
- Authentication and access: Multi-factor authentication is required anywhere users access CUI. Roles and permissions should reflect who needs access—not organizational convenience.
- Remote work considerations: If employees can access CUI offsite, the protections need to follow the data, not the building.
- Vendor involvement: Cloud platforms, MSPs, and third-party tools connected to CUI-bearing systems must meet certain requirements or provide documentation showing how they protect data.
- Policy alignment: Assessors look for alignment between “what is written” and “what is practiced.” Policies should reflect real operations.
Why Media Sanitization Matters in CMMC
Media sanitization is a relatively straightforward requirement, but it’s often overlooked. When a device that may contain CUI reaches end-of-life—whether it’s a laptop, SSD, server, phone, USB drive, or a piece of network equipment—CMMC expects the organization to follow the sanitization guidance outlined in NIST SP 800-88 Rev. 1.
This includes:
- using approved sanitization or destruction methods
- restricting access to authorized personnel
- avoiding uncontrolled storage areas
- tracking each device from removal to final disposition
- retaining documentation of the sanitization or destruction
This requirement is manageable once treated as a documented, repeatable process.
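As an added illustration of the tracking and documentation steps listed above, the script below keeps a tamper-evident chain-of-custody ledger for retired media and audits it for the gaps this section describes: devices that never reach final disposition, steps performed by someone outside the authorized list, and a sanitization method that does not fit the media type. This is example code written for this page, not SEAM's process or tooling; the event names, the authorized-staff list, the per-media method policy and the sample records are constructed assumptions. Only the three category names (Clear, Purge, Destroy) come from NIST SP 800-88.

```python
"""Chain-of-custody ledger for media sanitization records (added example).

Models the steps above: follow each device from removal to final
disposition, restrict handling to authorized personnel, and retain a
record that cannot be quietly edited. Event names, the authorized list
and the method policy are constructed for illustration.
"""
import hashlib
import json
from dataclasses import dataclass, field

# Required order of custody events for every device (assumed workflow).
REQUIRED_SEQUENCE = ["removed", "secured", "sanitized", "verified", "disposed"]

# Sanitization categories named in NIST SP 800-88 are Clear, Purge, Destroy.
# Which category this example accepts per media type is an assumption.
ALLOWED_METHODS = {
    "hdd": {"purge", "destroy"},
    "ssd": {"purge", "destroy"},
    "usb": {"destroy"},
    "phone": {"purge", "destroy"},
}

# Personnel authorized to handle CUI-bearing media (constructed list).
AUTHORIZED = {"jsmith", "alee"}

FIELDS = ("device", "media", "event", "actor", "when", "method")


@dataclass
class Ledger:
    entries: list = field(default_factory=list)

    def append(self, device, media, event, actor, when, method=None):
        """Add an event whose hash covers the previous entry's hash."""
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"device": device, "media": media, "event": event,
                "actor": actor, "when": when, "method": method}
        digest = hashlib.sha256(
            (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
        self.entries.append({**body, "prev": prev, "hash": digest})

    def verify_chain(self):
        """Return True if no entry has been altered, removed or reordered."""
        prev = "0" * 64
        for e in self.entries:
            body = {k: e[k] for k in FIELDS}
            expected = hashlib.sha256(
                (prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()
            if e["prev"] != prev or e["hash"] != expected:
                return False
            prev = e["hash"]
        return True


def audit(ledger):
    """Return {device: [issues]} measured against the required workflow."""
    by_device = {}
    for e in ledger.entries:
        by_device.setdefault(e["device"], []).append(e)
    findings = {}
    for device, events in by_device.items():
        issues = []
        seq = [e["event"] for e in events]
        # Every step must appear, in order, exactly once.
        if seq != REQUIRED_SEQUENCE:
            if seq == REQUIRED_SEQUENCE[:len(seq)]:
                issues.append("incomplete: stopped after '%s'" % seq[-1])
            else:
                issues.append("out of order: %s" % seq)
        for e in events:
            if e["actor"] not in AUTHORIZED:
                issues.append("unauthorized actor '%s' at '%s'"
                              % (e["actor"], e["event"]))
            if e["event"] == "sanitized":
                allowed = ALLOWED_METHODS.get(e["media"], set())
                if e["method"] not in allowed:
                    issues.append("method '%s' not allowed for %s"
                                  % (e["method"], e["media"]))
        findings[device] = issues
    return findings


def build_sample_ledger():
    """Constructed sample records: one clean device, two with gaps."""
    led = Ledger()
    led.append("LT-0042", "ssd", "removed", "jsmith", "2025-01-06T09:00")
    led.append("LT-0042", "ssd", "secured", "jsmith", "2025-01-06T09:10")
    led.append("LT-0042", "ssd", "sanitized", "alee", "2025-01-07T14:00", method="purge")
    led.append("LT-0042", "ssd", "verified", "alee", "2025-01-07T14:30")
    led.append("LT-0042", "ssd", "disposed", "alee", "2025-01-08T10:00")
    # USB stick handled by someone off the authorized list, with the wrong method.
    led.append("USB-17", "usb", "removed", "jsmith", "2025-01-06T11:00")
    led.append("USB-17", "usb", "secured", "jsmith", "2025-01-06T11:05")
    led.append("USB-17", "usb", "sanitized", "temp01", "2025-01-09T08:00", method="clear")
    # Server drive pulled and then left sitting in storage, never sanitized.
    led.append("SRV-DISK-3", "hdd", "removed", "alee", "2025-01-10T16:00")
    led.append("SRV-DISK-3", "hdd", "secured", "alee", "2025-01-10T16:20")
    return led


if __name__ == "__main__":
    led = build_sample_ledger()
    print("chain intact:", led.verify_chain())
    for device, issues in audit(led).items():
        print(device, "OK" if not issues else issues)
```

The hash chain is what makes the retained record useful as evidence: an assessor can recompute it and confirm that no step was inserted, deleted or changed after the fact, which a plain spreadsheet cannot show. The audit step is deliberately strict about order, so a device that is "disposed" before it is "verified" is flagged rather than silently accepted.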
Common Gaps Organizations Identify
As organizations dig into their CMMC readiness, they tend to uncover the same types of gaps. Inventories don’t always capture every system that stores or processes CUI, and multi-factor authentication or role-based access might be in place for some areas but not consistently applied everywhere. Log retention is sometimes shorter than required, and media disposal practices can vary from site to site. It’s also common to find older equipment sitting in storage without safeguards, or backup processes that lean on unmanaged endpoints.
These aren’t unusual findings—they simply point to where clearer procedures and more consistent execution can make a significant difference.
A Practical Approach to Moving Forward
Organizations tend to make the most progress when they take time to understand how CUI moves through their systems, limit the number of places it can show up, strengthen authentication and access where it matters, and make sure documented procedures match what people actually do.
Media sanitization fits into that overall approach by ensuring that sensitive information remains protected all the way through a device’s lifecycle, including when it’s finally taken out of service.
Where SEAM Helps
SEAM supports organizations with the media protection requirements of CMMC and NIST SP 800-171. That includes sanitization and destruction aligned with NIST SP 800-88 Rev. 1, onsite services for equipment that shouldn’t leave the facility, secure facility processing with full chain-of-custody documentation, and C3PAO-reviewed support language for use in your CMMC documentation. SEAM also provides a Customer Responsibility Matrix and SSP-ready sections for media protection controls. All sanitization and destruction work is handled by screened, authorized personnel.
If you’d like access to SEAM’s CMMC documentation packet or want help reviewing your current media handling approach, we’re here when you need us.
Clint Parsons is the Director of Strategy and Information at SEAM, specializing in building partnerships with businesses of all sizes. He ensures clients effectively navigate secure data destruction and responsible recycling, and maximize the resale value of their IT equipment, while staying compliant with evolving regulations.