ClearRecord automates NIST SP 800-88 file-level sanitization on operational workstations handling Controlled Unclassified Information, deleting individual aged files while drives remain in service, with tamper-evident audit logs and destruction certificates for CMMC Level 2 assessments.
The requirement
CMMC 2.0 Phase 2 deadline: November 2026. Approximately 99% of the 76,598 contractors in the Defense Industrial Base have not yet been certified. Level 2 certification requires demonstrating compliance with all 110 NIST SP 800-171 practices, including media sanitization.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 requires defense contractors handling Controlled Unclassified Information (CUI) to implement media sanitization controls. These requirements flow from NIST SP 800-171 and DFARS 252.204-7012:
During a CMMC Level 2 assessment, assessors will look for documented media sanitization procedures, evidence that those procedures are followed consistently, and audit records proving proper disposal. ClearRecord provides all three automatically.
Requirements mapping
| CMMC / NIST 800-171 control | How ClearRecord addresses it |
|---|---|
| MP.L2-3.8.3 Media Sanitization | NIST SP 800-88 Rev. 2 Clear-level sanitization: zero-overwrite + FlushFileBuffers for HDDs, cryptographic erase via BitLocker for SSDs. Automated on retention expiry. |
| AU.L2-3.3.1 System Auditing | Every sanitization event logged in tamper-evident hash-chained audit database. 3-year log retention (CMMC pack default). Logs cannot be altered without breaking the chain. |
| AU.L2-3.3.2 Audit Record Content | Each record includes: event type, timestamp, workstation hostname, username, filename, file size, sanitization method, result (success/failure), and cryptographic hash linking to previous record. |
| SC.L2-3.13.1 Boundary Protection | All agent-to-hub traffic encrypted with mutual TLS. Hub only accessible on internal network. Air-gap mode makes zero external calls. |
| AC.L2-3.1.1 Access Control | Role-based access (Admin/Manager/Viewer). PBKDF2-HMAC-SHA256 authentication. Deactivated users ejected within 5 minutes. |
| Assessment evidence | Destruction certificates document every sanitization event with CMMC-specific CUI media sanitization language, NIST 800-88 method citations, and authorized signatory attestation. |
For defense contractors
Enterprise plan supports fully air-gapped networks. No internet required. Zero external calls verified via Wireshark. License validation handled offline via signed license file.
CMMC destruction certificates use CUI-specific attestation language referencing NIST SP 800-171 MP.L2-3.8.3, DFARS 252.204-7012, and NIST SP 800-88 Rev. 2.
ClearRecord detects BitLocker status per drive and applies the correct sanitization method. It warns administrators when it finds unencrypted drives that contain monitored folders.
Hash chain integrity verification, PDF/A-2b archival certificates, workstation inventory, and policy snapshots. Everything a CMMC assessor needs in one package.
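
How hash chain integrity verification works over audit records with the fields listed under AU.L2-3.3.2, as an added illustration: this is not ClearRecord's code, and the SHA-256 choice, canonical-JSON encoding, genesis value, `anchored_head` parameter and all sample values are assumptions. It goes one step beyond the text by checking the chain against a head hash stored outside the log, which is what catches removal of the newest records.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first record

def record_hash(body):
    # Canonical JSON so a given record always hashes to the same value
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def append(chain, **fields):
    # Each record commits to the hash of the record before it
    body = dict(fields, prev_hash=chain[-1]["hash"] if chain else GENESIS)
    chain.append(dict(body, hash=record_hash(body)))

def verify(chain, anchored_head=None):
    """Return (ok, index of first bad record or None)."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev_hash"] != prev or record_hash(body) != rec["hash"]:
            return False, i
        prev = rec["hash"]
    # A chain cut short is still internally consistent; only a head hash
    # kept outside the log (hypothetical parameter) reveals a missing tail
    if anchored_head is not None and prev != anchored_head:
        return False, len(chain)
    return True, None

def sample_chain():
    # Constructed sample events; every value here is made up
    chain = []
    for n, name in enumerate(["drawing_a.pdf", "spec_b.docx", "bom_c.xlsx"]):
        append(chain, event_type="sanitize",
               timestamp=f"2026-01-0{n + 1}T02:00:00Z",
               hostname="WS-EXAMPLE-01", username="svc_example",
               filename=name, file_size=1024 * (n + 1),
               method="zero-overwrite", result="success")
    return chain

if __name__ == "__main__":
    log = sample_chain()
    head = log[-1]["hash"]
    print("intact:", verify(log, head))
    log[1]["result"] = "failure"          # edit a record in place
    print("edited:", verify(log, head))
    print("truncated:", verify(sample_chain()[:2], head))
```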
Common questions
ClearRecord addresses media sanitization requirements at CMMC Level 2 (Advanced), which requires compliance with all 110 NIST SP 800-171 practices. Specifically, ClearRecord implements the MP.L2-3.8.3 (Media Sanitization) control and supports the AU.L2-3.3.1 (System Auditing) control by maintaining tamper-evident audit logs of all sanitization events.
Yes. ClearRecord is designed for air-gapped deployments. When the license file has no refresh URL, the Hub makes zero external network calls. The entire system runs on your internal network with no internet dependency. Air-gap mode is available on Enterprise plans.
CMMC 2.0 Phase 2 requires Level 2 certification for contractors handling CUI by November 2026. As of early 2026, approximately 99% of the 76,598 contractors in the Defense Industrial Base have not yet been certified.
ClearRecord monitors designated folders on each workstation. Files that exceed the configured retention period are securely deleted per NIST SP 800-88 Rev. 2: zero-overwrite with FlushFileBuffers verification for HDDs, cryptographic erase via BitLocker for SSDs. Every deletion is recorded in a tamper-evident audit log and can be documented with a destruction certificate.
No. ClearRecord runs entirely on your network. No filenames, deletion logs, or CUI data ever leave your premises. In air-gap mode, the Hub makes zero external calls of any kind. Even in standard mode, the only external communication is a monthly license validation call that contains no CUI or operational data.
Contact us to schedule a demo. We will walk you through setup for your defense environment.