This post describes a practical, implementable compliance procedure for MP.L1-B.1.VII — the media sanitization and destruction control aligned to FAR 52.204-21 and CMMC 2.0 Level 1 — with step-by-step actions, technical details, templates you can adapt, and verification approaches suitable for small businesses operating under the Compliance Framework.
What the requirement means and the risk of non-compliance
FAR 52.204-21 requires basic safeguarding of covered contractor information systems and information, and CMMC 2.0 Level 1 expects equivalent basic practices to prevent disclosure of Federal Contract Information (FCI). MP.L1-B.1.VII focuses on ensuring that media (laptops, hard drives, USBs, CDs, backup tapes, mobile devices, printed media) that have held FCI are rendered unreadable prior to reuse, disposal, or transfer. Failure to implement effective sanitization and destruction risks exposure of sensitive data, contract penalties, loss of contracts, regulatory scrutiny, and reputational damage — all of which disproportionately harm small businesses with limited incident response capacity.
Practical implementation steps for a Compliance Framework-aligned procedure
Implement this control by building a four-phase process: 1) Inventory & classification, 2) Policy & method selection, 3) Execution & verification, and 4) Recordkeeping & audit. Start by integrating media into your Configuration Management Database (CMDB) or a simple media inventory spreadsheet (serial number, type, owner, location, last use, data classification). Define who is authorized to approve disposal and who performs sanitization (roles: Requestor, IT Destruction Technician, Approver, Auditor). Map media types to approved sanitization methods (e.g., SSDs -> crypto-erase or physical destruction; magnetic HDDs -> overwrite or degauss + destruction for end-of-life).
Technical details — choosing the right sanitization method
Use NIST SP 800-88 Rev. 1 guidance as your technical baseline. For magnetic hard drives, acceptable methods include: single-pass overwrite (often adequate on modern drives per 800-88), DoD 5220.22-M style multi-pass overwriting if required by contract, degaussing (only if you will not reuse the drive afterwards), or physical destruction. For SSDs and modern NVMe devices, prefer crypto-erase (only if the drive is a self-encrypting drive (SED) with a verified crypto-erase capability) or physical destruction; overwriting tools such as DBAN are ineffective on many SSDs. For removable media (CD/DVD, tapes, USB sticks), shredding or physical destruction is usually simplest. Provide explicit commands or vendor tools in your procedure (examples for Linux: "hdparm --security-erase" for ATA Secure Erase where the drive supports it; sedutil for unlocking/erasing many SEDs; "shred" is not recommended for most consumer SSDs). If you use third-party sanitization vendors, require proof of the method used and a certificate that references NIST SP 800-88 sanitization guidance.
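The method matrix above depends on what the drive itself reports, so a technician needs a preflight check before picking a method. The following Python example is added here and is not code from the original post: it parses the "Security:" section that `hdparm -I` prints for an ATA drive (the sample text below is constructed in that layout, not captured from a real device) and maps the media type plus the reported flags to one of the permitted methods. The media-type keywords, the method names and the `erase_commands` helper are this example's own assumptions; the hdparm options it prints are the standard set-password/erase sequence.

```python
import re

# Constructed excerpt in the layout that "hdparm -I /dev/sdX" uses for its
# Security section (sample data, not output captured from a real drive).
SAMPLE_HDPARM_SECURITY = """\
Security:
	Master password revision code = 65534
		supported
	not	enabled
	not	locked
	not	frozen
	not	expired: security count
		supported: enhanced erase
	2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""


def parse_security_section(hdparm_output):
    """Return the ATA security flags reported by hdparm -I as a dict."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    in_section = False
    for raw in hdparm_output.splitlines():
        if raw.startswith("Security:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not raw.startswith(("\t", " ")):
            break  # left the indented Security block
        tokens = raw.strip().split()
        if not tokens:
            continue
        negated = tokens[0] == "not"   # hdparm prints "not<TAB>frozen" etc.
        if negated:
            tokens = tokens[1:]
        keyword = tokens[0].rstrip(":") if tokens else ""
        if keyword == "supported" and "enhanced" in tokens:
            flags["enhanced_erase"] = not negated
        elif keyword in flags:
            flags[keyword] = not negated
    return flags


def choose_method(media_type, security_flags=None,
                  sed_crypto_erase_verified=False, reuse=False):
    """Map a media type (and what the drive reports) to a permitted method."""
    if media_type in ("cd", "dvd", "tape", "usb"):
        return "physical-destruction"
    if media_type in ("ssd", "nvme"):
        # Overwrite tools are not trusted on SSDs: only a verified SED
        # crypto-erase or physical destruction is accepted.
        return "crypto-erase" if sed_crypto_erase_verified else "physical-destruction"
    if media_type == "hdd":
        if not reuse:
            return "degauss-or-physical-destruction"
        f = security_flags or {}
        # A "frozen" drive (commonly set by firmware at boot) refuses the
        # erase command; a locked drive needs its password first.
        if f.get("supported") and not f.get("frozen") and not f.get("locked"):
            return ("ata-secure-erase-enhanced" if f.get("enhanced_erase")
                    else "ata-secure-erase")
        return "overwrite-single-pass"
    raise ValueError(f"unknown media type: {media_type}")


def erase_commands(device, method):
    """Commands to record in the procedure for an ATA Secure Erase (not executed here)."""
    if not re.fullmatch(r"/dev/[a-z0-9]+", device):
        raise ValueError(f"unexpected device path: {device}")
    if not method.startswith("ata-secure-erase"):
        return []
    erase_opt = ("--security-erase-enhanced" if method.endswith("enhanced")
                 else "--security-erase")
    # A user password must be set before the erase; the erase clears it again.
    return [f"hdparm --user-master u --security-set-pass NULL {device}",
            f"hdparm --user-master u {erase_opt} NULL {device}"]


if __name__ == "__main__":
    flags = parse_security_section(SAMPLE_HDPARM_SECURITY)
    method = choose_method("hdd", flags, reuse=True)
    print(flags, method, erase_commands("/dev/sdb", method), sep="\n")
```

In practice the technician runs `hdparm -I` on the drive, feeds the output to `parse_security_section`, and records the chosen method and the flags in the Sanitization Certificate; a drive that reports "frozen" should be noted as such rather than silently falling back to an overwrite.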
Templates and records to include in your procedure
Embed templates in your procedure so staff can execute consistently. Minimum templates: 1) Media Inventory / Disposal Request (fields: Asset Tag, Serial, Device Type, Owner, Data Classification, Date Requested, Reason for Disposal), 2) Sanitization Method Matrix (maps media type to permitted methods and tools), 3) Sanitization Certificate (fields: Date, Asset Tag, Serial, Method Used, Tool/Model, Technician Name, Verification Evidence — e.g., hash, log ID, photo), 4) Chain-of-Custody / Transfer Form (for third-party vendor: vendor name, pickup date, condition, tracking number), 5) Verification Checklist for auditors (sample size, retention period for certificates). Store completed certificates centrally (PDF copy) and retain for at least the contractually required period — a common small-business practice is 3–7 years depending on contract terms.
Verification, evidence, and audit readiness
Verification should be layered: automated logs from sanitization tools, technician-signed certificates, photographic evidence of destruction (with timestamps and visible serials), and vendor-issued certificates when using outsourced destruction. Implement periodic audits (quarterly or before major contract work) with a sample-based approach: randomly sample 10–20% of completed sanitizations and verify their records, or verify every high-risk disposal (devices that contained FCI). Keep checksums or device IDs captured prior to sanitization when feasible so you can show the linkage between the destroyed item and its record. Include an internal attestation step: the IT Manager signs monthly/quarterly statements confirming adherence to the procedure; this is useful evidence for FAR/CMMC assessors.
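The certificate template from the previous section and the layered verification described here fit together naturally in one record format. The Python example below is added here and is not part of the original post: it builds a Sanitization Certificate record whose evidence field is the SHA-256 of the tool log, refuses to issue a certificate when the log does not name the inventory serial (the linkage the text asks for), and then runs the audit step, selecting every FCI disposal plus a seeded random 20% of the rest and checking each sampled record. The inventory, tool logs, asset tags and serials are constructed sample data; the field names and the forbidden-method list are this example's own assumptions.

```python
import hashlib
import random
from datetime import date, timedelta

# Constructed sample inventory and tool logs (not real assets or captured logs).
INVENTORY = {
    "LT-0042": {"serial": "SN-A1B2C3", "type": "ssd", "classification": "FCI"},
    "LT-0043": {"serial": "SN-D4E5F6", "type": "hdd", "classification": "internal"},
    "USB-0007": {"serial": "SN-USB007", "type": "usb", "classification": "FCI"},
}
TOOL_LOGS = {
    "LOG-101": "sedutil revert on /dev/nvme0n1 complete\nserial=SN-A1B2C3",
    "LOG-102": "hdparm --security-erase NULL /dev/sdb\nserial=SN-D4E5F6\ncompleted",
    "LOG-103": "shredder batch: SN-USB007 destroyed, photo IMG_0031.jpg",
}
SANITIZED_ON = date(2024, 6, 3)
REQUIRED_FIELDS = ("date", "asset_tag", "serial", "method", "tool", "technician",
                   "evidence_log_id", "evidence_hash")
# "Forbidden shortcuts" that must never appear as the recorded method.
FORBIDDEN_METHODS = {"delete", "format", "quick-format"}


def build_certificate(asset_tag, method, tool, technician, log_id,
                      sanitized_on=SANITIZED_ON, retention_years=3):
    """Create a Sanitization Certificate record linked to inventory and tool log."""
    item = INVENTORY[asset_tag]
    log_text = TOOL_LOGS[log_id]
    if item["serial"] not in log_text:
        # Linkage check: the tool output must name the device being certified.
        raise ValueError(f"{asset_tag}: serial {item['serial']} absent from {log_id}")
    return {
        "date": sanitized_on.isoformat(),
        "asset_tag": asset_tag,
        "serial": item["serial"],
        "media_type": item["type"],
        "classification": item["classification"],
        "method": method,
        "tool": tool,
        "technician": technician,
        "evidence_log_id": log_id,
        "evidence_hash": hashlib.sha256(log_text.encode()).hexdigest(),
        "retain_until": (sanitized_on + timedelta(days=365 * retention_years)).isoformat(),
    }


def sample_certificates():
    """Three completed certificates over the constructed inventory."""
    return [
        build_certificate("LT-0042", "crypto-erase", "sedutil", "J. Tech", "LOG-101"),
        build_certificate("LT-0043", "ata-secure-erase", "hdparm", "J. Tech", "LOG-102"),
        build_certificate("USB-0007", "physical-destruction", "shredder", "J. Tech", "LOG-103"),
    ]


def select_audit_sample(certs, fraction=0.2, seed=0):
    """All FCI disposals plus a seeded random slice (default 20%) of the rest."""
    high_risk = [c for c in certs if c["classification"] == "FCI"]
    others = [c for c in certs if c["classification"] != "FCI"]
    k = max(1, round(len(others) * fraction)) if others else 0
    return high_risk + random.Random(seed).sample(others, k)


def verify_certificate(cert):
    """Return audit findings for one record; an empty list means it passes."""
    findings = [f"missing field {f}" for f in REQUIRED_FIELDS if not cert.get(f)]
    item = INVENTORY.get(cert.get("asset_tag"))
    if item is None:
        findings.append("asset tag not in inventory")
    elif item["serial"] != cert.get("serial"):
        findings.append("serial does not match inventory")
    log_text = TOOL_LOGS.get(cert.get("evidence_log_id"))
    if log_text is None:
        findings.append("evidence log missing")
    elif hashlib.sha256(log_text.encode()).hexdigest() != cert.get("evidence_hash"):
        findings.append("evidence hash mismatch (log altered or wrong log)")
    if cert.get("method") in FORBIDDEN_METHODS:
        findings.append("forbidden shortcut recorded as method")
    if cert.get("media_type") in ("ssd", "nvme") and "overwrite" in str(cert.get("method")):
        findings.append("overwrite-class method not accepted for SSD")
    return findings


def run_audit(certs, seed=0):
    """Audit the sampled records; returns {asset_tag: findings}."""
    return {c["asset_tag"]: verify_certificate(c)
            for c in select_audit_sample(certs, seed=seed)}


if __name__ == "__main__":
    for tag, findings in run_audit(sample_certificates()).items():
        print(tag, "PASS" if not findings else findings)
```

Storing the certificate as JSON alongside the raw tool log lets the auditor recompute `evidence_hash` months later; a mismatch means the log was edited or the wrong log was attached, which is exactly the linkage failure the sampling audit is meant to catch.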
Small business scenarios and real-world examples
Example A — Two-person software shop: They use full-disk encryption on developer laptops (BitLocker/FileVault) and document destruction by physical decommissioning. For repurposing a laptop, they perform a crypto-erase (disable BitLocker and use vendor recovery followed by OS reinstall), then record the device asset tag and a screenshot of the vendor tool output in a Sanitization Certificate saved to a secure folder. For end-of-life, they hire a local electronics recycler that issues a signed destruction certificate and photos. Example B — Small defense contract supplier with limited IT: They maintain a simple Google Sheet inventory, route disposal requests via email for approval, and require the recycler to provide a chain-of-custody manifest with serial numbers; for small volumes they physically sever SSDs and shred them on-site using a rented shredder, documenting serials and photos.
Compliance tips and best practices
Keep the procedure simple and repeatable: use checklists, pre-approved vendors, and a single "sanitization owner" to avoid ambiguity. Prefer preventative controls: encrypt everything at rest (full-disk encryption) so cryptographic erase is a fast, verifiable option. Train staff annually on the procedure and require that asset tags/serials be recorded before equipment leaves custody. If you outsource, include sanitization/destruction requirements in vendor contracts and require proof of compliance tied to NIST SP 800-88. Finally, maintain a list of forbidden shortcuts (e.g., just deleting files or formatting a drive is not sanitization) in the procedure to prevent inadvertent non-compliance.
Summary: produce a documented, role-based procedure that maps media types to approved sanitization methods (using NIST 800-88 as guidance), collect and retain verifiable evidence (certificates, logs, photos, chain-of-custody), and integrate the process into your Compliance Framework and CMDB; these actions will meet the intent of FAR 52.204-21 / CMMC 2.0 Level 1 MP.L1-B.1.VII while reducing real business risk. Implementing the templates and verification steps above gives small organizations a practical, auditable path to compliance.