
How to Build a Media Sanitization Policy that Meets FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII: Templates and Implementation Steps

Practical guide with templates, technical steps, and real-world examples to build a media sanitization policy that satisfies FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII for small businesses.

April 03, 2026

This post explains how to create a practical, auditable media sanitization policy that satisfies FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII, provides templates you can copy, and walks through step-by-step implementation guidance for small businesses that handle Federal Contract Information (FCI), the data class those two requirements actually cover. If your systems also hold Controlled Unclassified Information (CUI), the same procedures apply; CUI is the scope of the Level 2 version of the control.

Overview and Compliance Context

FAR 52.204-21 requires basic safeguarding of covered contractor information systems. Its paragraph (b)(1)(vii), which CMMC 2.0 Level 1 carries forward as MP.L1-B.1.VII, reads: sanitize or destroy information system media containing Federal contract information before disposal or release for reuse. Together they create an obligation to ensure data on end-of-life media cannot be recovered. For a small business this means establishing a written policy, defined procedures, recordkeeping, and simple technical controls that demonstrate media containing FCI (and any CUI your systems also hold) is rendered unrecoverable before disposal, reuse, or transfer.

What your Media Sanitization Policy Must Cover

Your policy should be concise but complete: scope (types of media: HDDs, SSDs, mobile devices, USB drives, optical media, backup tapes, cloud snapshots), roles and responsibilities (IT, facility/security, data owners), approved sanitization methods (clear, purge, destroy) mapped to NIST SP 800-88 Rev. 1 guidance, exceptions and approval workflow, verification and logging requirements (sanitization certificate or log entry), third-party vendor requirements, retention of sanitization records, and training requirements. For framework alignment, explicitly reference FAR 52.204-21 and MP.L1-B.1.VII in the policy header and include an audit/inspection schedule.

Sample policy clause (template you can copy)

"All IT and removable media that have contained Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) must be sanitized or destroyed prior to disposal, redeployment, or transfer. Acceptable methods are documented in the Media Sanitization Procedure and follow NIST SP 800-88 Rev. 1. The IT Manager must verify and sign a Media Sanitization Log entry for each item. Records of sanitization shall be retained for three (3) years and produced on request to demonstrate compliance with FAR 52.204-21 and CMMC MP.L1-B.1.VII." Use that as your policy core and adjust the roles and retention period to match your organization.

Step-by-step Implementation Plan (Practical)

1) Inventory: Build a simple inventory of all media (asset tag, device serial, owner, content type).

2) Categorize: Identify which assets hold or may have held FCI or CUI; when in doubt, treat the asset as if it did.

3) Define the method by media type: HDDs = ATA Secure Erase or full overwrite; SSDs = vendor secure-erase or cryptographic erase; removable USB drives = overwrite, or physical destruction at end of life; tapes = degauss or physical destruction; mobile devices = factory reset that destroys the device encryption key, or physical destruction at end of life.

4) Acquire tools or partners: select a certified erasure tool (e.g., Blancco) or contract a local certified asset-disposal service for physical destruction.

5) Documentation: use a Media Sanitization Log and a Certificate of Destruction template (fields: asset ID, media type, sanitization method, operator, date, witness, verification ID).

6) Training and process enforcement: train IT and facilities staff and require a signed log entry or certificate before any device is disposed of, resold, or redeployed.

7) Audit and continuous improvement: schedule quarterly reviews of the log and one annual verification audit that spot-checks sanitized devices.

Technical Details and Tools (Actionable)

Use NIST SP 800-88 Rev. 1 to map methods. "Clear" (logical techniques such as a single overwrite pass, or a factory reset that does not destroy keys) protects only against simple data-recovery tools and is the weakest option for flash media. "Purge" (cryptographic erase, block erase, ATA Secure Erase, NVMe Format or Sanitize, degaussing of magnetic media) defeats laboratory recovery and is the normal choice when media leaves your control, which is exactly the disposal and reuse case the control addresses. "Destroy" (shredding, crushing, incineration) is used where Purge is unavailable or the risk justifies it. Practical commands: for SATA drives, ATA Secure Erase with hdparm (set a temporary user password with --security-set-pass, then run --security-erase; the drive must report "not frozen" in hdparm -I output, otherwise suspend/resume or hot-plug it first); for NVMe, nvme format with --ses=1 (user data erase) or --ses=2 (cryptographic erase), tested in a lab first because controller support varies. For SSDs favor the drive's own secure-erase or full-disk encryption plus key destruction (crypto-erase), because host-side overwrites cannot reach wear-levelled, over-provisioned, or remapped blocks; do not rely on DBAN or other overwrite-only tools for SSDs. For Windows-managed devices, BitLocker followed by key destruction is a fast crypto-erase: remove every key protector (manage-bde -protectors -delete), delete every escrowed recovery key (Active Directory, Entra ID, or a Microsoft account), and confirm the volume was fully encrypted rather than "used space only", since the latter leaves previously deleted data unencrypted in free space. Keep the hash or unique erasure-certificate ID your tool produces and record it in the log so each entry can be correlated with its proof.
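The method mapping from the implementation plan and the command, verification, and logging steps above, as an added shell example that is not part of the original article or any Lakeridge tooling. It assumes a Linux host with hdparm and nvme-cli installed and a CSV log at the path in SANITIZE_LOG; the media-type names, function names, and log columns are this example's own choices.

```shell
#!/usr/bin/env bash
# Added example (not from the article): map a media type to its NIST SP 800-88
# Rev. 1 category and Linux command, run it, verify the result, and append a
# Media Sanitization Log row with a SHA-256 verification ID.
# Assumed (hypothetical): Linux host with hdparm and nvme-cli; the media-type
# names, column layout and $SANITIZE_LOG path are choices made for this example.
set -eu

SANITIZE_LOG="${SANITIZE_LOG:-./media_sanitization_log.csv}"

# Portable SHA-256 of stdin (sha256sum on Linux, shasum on macOS/BSD).
sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# Media type -> "Category|Method". Categories follow SP 800-88 Rev. 1:
# Clear (logical overwrite), Purge (crypto/block/ATA erase, degauss), Destroy.
# Method strings must not contain commas (they go into a CSV row).
choose_method() {
  case "$1" in
    hdd)      echo "Purge|ATA Secure Erase via hdparm" ;;
    sata-ssd) echo "Purge|ATA Secure Erase via hdparm (drive-internal; covers wear-levelled blocks)" ;;
    nvme)     echo "Purge|NVMe Format with cryptographic erase (nvme format --ses=2)" ;;
    usb)      echo "Clear|Single-pass zero overwrite with dd; shred if it held FCI/CUI" ;;
    tape)     echo "Purge|Degauss; shred at end of life" ;;
    optical)  echo "Destroy|Shred or incinerate" ;;
    mobile)   echo "Purge|Factory reset that destroys the device encryption key" ;;
    *)        echo "unknown media type: $1" >&2; return 1 ;;
  esac
}

# DESTRUCTIVE: issue the sanitization command for block device $2 of type $1.
sanitize_device() {
  case "$1" in
    hdd|sata-ssd)
      # ATA Secure Erase needs a user password set first and a drive that is
      # "not frozen" (suspend/resume or hot-plug the drive if it is frozen).
      hdparm -I "$2" | grep -q 'not[[:space:]]*frozen' || { echo "$2 is frozen" >&2; return 1; }
      hdparm --user-master u --security-set-pass erase "$2"
      hdparm --user-master u --security-erase erase "$2"
      ;;
    nvme)
      # --ses=2 is cryptographic erase; use --ses=1 (user data erase) if the
      # controller reports crypto erase as unsupported.
      nvme format "$2" --ses=2 --force
      ;;
    usb)
      # dd exits non-zero when it hits the end of the device; verify_zeroed
      # below is the real completeness check.
      dd if=/dev/zero of="$2" bs=4194304 conv=fsync 2>/dev/null || true
      ;;
    *) echo "no logical method for $1; use physical destruction" >&2; return 1 ;;
  esac
}

# Return 0 if the first $2 bytes (default 16 MiB) of $1 read back as zeros.
verify_zeroed() {
  local nonzero
  nonzero=$(head -c "${2:-16777216}" "$1" | tr -d '\000' | wc -c | tr -d ' ')
  [ "$nonzero" -eq 0 ]
}

# Hash of the first MiB, taken before and after: a device that reads back
# unchanged was not sanitized (an already-blank drive also trips this; inspect it).
sample_hash() { head -c 1048576 "$1" | sha256; }

# Append a log row and echo its verification ID (SHA-256 over the row fields).
# Columns: asset_id,media_type,category,method,operator,witness,utc_time,verification_id
log_entry() {
  local asset="$1" mtype="$2" cat_method="$3" operator="$4" witness="$5"
  local when row vid
  when=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  row="$asset,$mtype,${cat_method%%|*},${cat_method#*|},$operator,$witness,$when"
  vid=$(printf '%s' "$row" | sha256)
  [ -s "$SANITIZE_LOG" ] || echo "asset_id,media_type,category,method,operator,witness,utc_time,verification_id" > "$SANITIZE_LOG"
  echo "$row,$vid" >> "$SANITIZE_LOG"
  echo "$vid"
}

sanitize_and_log() {  # <media type> <device> <asset id> <operator> <witness>
  local mtype="$1" dev="$2" method before after
  method=$(choose_method "$mtype")
  before=$(sample_hash "$dev")
  sanitize_device "$mtype" "$dev"
  after=$(sample_hash "$dev")
  [ "$before" != "$after" ] || { echo "ERROR: $dev reads back unchanged; not logging" >&2; return 1; }
  if [ "$mtype" = usb ]; then
    verify_zeroed "$dev" || { echo "ERROR: overwrite of $dev incomplete" >&2; return 1; }
  fi
  log_entry "$3" "$mtype" "$method" "$4" "$5"
}

# Runs only when explicitly requested, e.g.:
#   RUN_SANITIZE=1 ./sanitize.sh nvme /dev/nvme0n1 LAPTOP-042 jdoe asmith
if [ "${RUN_SANITIZE:-0}" = "1" ]; then sanitize_and_log "$@"; fi
```

The verification ID is derived from the row itself, so a later edit to any field in the CSV no longer matches its ID; pair that with append-only storage (or a periodic hash of the whole file) if you want the log to serve as tamper-evident evidence. For tapes, optical media, and end-of-life USB drives the script deliberately refuses to proceed, because the only defensible outcome for those is physical destruction recorded on a Certificate of Destruction.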

Small Business Scenarios and Examples

Scenario A: You’re a 20-person subcontractor replacing 10 laptops before a contract change. Process: tag the devices, back up any FCI or CUI to an encrypted repository, perform the vendor secure-erase on the SSDs (or BitLocker crypto-erase plus destruction of every key protector and escrowed recovery key), record the erasure certificate ID in the Media Sanitization Log, and only then repurpose or resell. Scenario B: A consultant returns USB drives that held FCI or CUI. Require that the drives be handed in at a staffed collection point; IT runs an approved overwrite tool for drives that will be reused, or physically destroys them, and issues a Certificate of Destruction with witness signatures. Scenario C: Cloud backups. Identify every snapshot, image, and backup copy in the account (including copies in other regions or accounts) and delete them per the provider's guidance; if you used customer-managed keys, schedule key deletion only after confirming nothing else is encrypted under that key, since once the key is gone any remaining ciphertext is unrecoverable, which is crypto-erase. Providers impose a waiting period before a scheduled key deletion takes effect (AWS KMS, for example, allows 7 to 30 days), so record both the scheduling date and the confirmed deletion date in the log.

Risks of Not Implementing Proper Sanitization

Failure to sanitize media risks FCI or CUI exposure, data breaches, contract noncompliance, financial penalties, loss of DoD contracts, and reputational harm. Even a single resold laptop with recoverable data can become a reportable cyber incident: FAR 52.204-21 itself contains no reporting clause, but DFARS 252.204-7012, present on most DoD contracts that involve CUI, requires reporting within 72 hours of discovery, and the gap will also surface as a failed practice in a CMMC assessment, with notification and remediation costs to follow. From a technical standpoint, incomplete sanitization allows forensic recovery of sensitive files with freely available tools, which is why documented, repeatable methods and verifiable evidence are essential.

Compliance Tips and Best Practices

Keep it simple, defensible, and evidence-driven: (1) Use a risk-based approach: treat all media that may have held FCI or CUI as high risk unless proven otherwise. (2) Prefer crypto-erase plus key destruction for SSDs where possible; it is fast and unaffected by wear-leveling, which defeats host-side overwrites. (3) Use certified erasure software or accredited disposal vendors and keep the certificates. (4) Maintain a tamper-evident collection process and a chain-of-custody record for off-site destruction. (5) Document exceptions: require written approval and compensating controls. (6) Train staff annually and update the policy when regulations or tools change. For small businesses, outsourcing destruction to a NAID AAA certified vendor is often more cost-effective than buying specialized equipment.

In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requires a clear, evidence-backed media sanitization policy that maps media types to acceptable sanitization methods, assigns responsibilities, maintains verifiable logs, and uses appropriate technical tools (e.g., secure-erase, crypto-erase, physical destruction). Use the provided template clauses, follow the implementation steps, and document every sanitization event so you can demonstrate compliance during audits and protect your business from data exposure risks.
