This post gives hands-on guidance for small businesses and contractors on selecting and operating sanitization tools that satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII) requirements—covering when to use degaussing, when to overwrite or crypto-erase, and when to choose physical destruction, plus practical implementation steps, documentation, and examples.
Understand the requirement and map media to methods
MP.L1-B.1.VII is a media protection control focused on ensuring that removable and fixed media containing Controlled Unclassified Information (CUI) or similar covered contractor information are sanitized before reuse, transfer, or disposal. Start by inventorying all media types in scope (HDDs, SSDs, NVMe, USB flash, external drives, backup tapes, optical media). Map each media type to one of three NIST-style outcomes: Clear (logical data removal such that data is not retrievable using standard access methods), Purge (more robust removal such that data recovery is infeasible with state-of-the-art techniques), or Destroy (physical destruction to prevent any future use). Compliance Framework-specific implementation notes: document the mapping in your media sanitization SOP and reference it in your System Security Plan (SSP) and procedures so assessors can verify method-by-media pairing.
Degaussing: when it's appropriate and what to check
Degaussing basics and applicability
Degaussing is effective for magnetic media—spinning hard disk drives (HDDs) and magnetic tapes—but it is NOT effective for SSDs, USB flash, or optical media. For small businesses that still use backup tape libraries or retire HDD arrays, degaussing is a fast purge method when performed with a properly rated degausser. Key technical details to verify: the degausser's output (measured in Oersted or Gauss) must meet or exceed the coercivity rating of the media, and the vendor should provide calibration and test logs. Example: a typical enterprise degausser will specify a minimum field strength (e.g., 2,500–12,000 Gauss) and provide certification of field strength calibration annually—include that certificate in your sanitization records.
Overwriting and crypto-erase: practical instructions for drives and flash
Choose the right method by media
For magnetic HDDs, an overwrite (Clear) using an approved erasure tool is acceptable if you can verify the erasure. Modern guidance (NIST SP 800-88 Rev.1) allows a single-pass overwrite on many drives; however, for compliance with FAR/CMMC, use a validated tool that produces tamper-evident logs (e.g., Blancco, WhiteCanyon) or documented open-source tools with verification steps (e.g., nwipe combined with hash validation). For SSDs and NVMe, prefer vendor-provided Secure Erase, ATA Secure Erase / NVMe Format (cryptographic erase), or full-disk encryption with crypto-erase — overwriting SSDs is ineffective due to wear-leveling. Practical technical details: use manufacturer Secure Erase utilities or certified erasure products that support ATA and NVMe commands; if using full-disk encryption (BitLocker, FileVault, LUKS), ensure encryption keys are irreversibly destroyed and maintain key-destruction logs as evidence. For USB flash drives, prefer secure erase utilities for the controller if available; otherwise treat as requiring physical destruction if CUI was present.
Physical destruction: standards and vendor selection
When media cannot be reliably cleared or purged (e.g., unknown SSD controllers, damaged drives, or legacy media), physical destruction is the defensible option. Define acceptable destruction methods in your SOP: shredding (particle size 2 mm x 12 mm or smaller for media containing CUI is common), crushing (physical platters destroyed), degaussing+shredding for tapes/HDDs, and incineration for some optical media. For small businesses, contract with an NAID AAA-certified vendor for on-site destruction or locked-chain-of-custody pickup; request Certificates of Destruction (CoD) and retain them for contract audits. Example scenario: a small defense subcontractor retiring 50 mixed SSD/HDD units should segregate by media type, run vendor Secure Erase where supported, and send all remaining SSDs for shredding, capturing CoDs and a photographed inventory manifest.
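The media-to-method pairings described in the sections above (degauss magnetic media only with an adequately rated degausser, secure erase or crypto-erase for flash, physical destruction when a reliable Clear or Purge is not available) can be captured as a small decision routine that also rejects the common mis-pairings, such as overwriting or degaussing flash. The following is an added example, not code from the post or from any vendor; the inventory field names, the `Decision` type and `DEGAUSSER_RATING_OE` are assumptions, and the rating value is a placeholder to be replaced by the figure on your degausser's calibration certificate.

```python
"""Media-to-method selection for a CUI-bearing media inventory.

Added example; not from the post or any vendor tool. Inventory items are
plain dicts with the keys used below (an assumption, not a standard schema);
coercivity is given in Oersted.
"""
from dataclasses import dataclass
from typing import Optional

# Placeholder: take the real value from the degausser's calibration certificate.
# Degausser ratings are often quoted in Gauss; in air 1 Gauss corresponds to
# 1 Oersted, so the figure compares directly against media coercivity.
DEGAUSSER_RATING_OE = 5000

MAGNETIC = {"hdd", "tape"}
FLASH = {"ssd", "nvme", "usb_flash"}


@dataclass
class Decision:
    serial: str
    outcome: str     # NIST SP 800-88 outcome: Clear, Purge or Destroy
    method: str      # concrete method to record in the sanitization log
    rationale: str


def degausser_adequate(coercivity_oe: Optional[int]) -> bool:
    """A degausser only purges media whose coercivity it meets or exceeds."""
    return coercivity_oe is not None and DEGAUSSER_RATING_OE >= coercivity_oe


def choose_method(item: dict) -> Decision:
    """Pick Clear/Purge/Destroy and a concrete method for one CUI-bearing item."""
    serial, media = item["serial"], item["media"]
    shred = "Shred via NAID-certified vendor, retain CoD"
    crypto = "Crypto-erase: destroy FDE keys, log key destruction"

    # Damaged media or an unknown controller cannot be verified after erasure.
    if item.get("damaged") or not item.get("controller_known", True):
        return Decision(serial, "Destroy", shred, "damaged media or unknown controller")

    if media in MAGNETIC:
        if degausser_adequate(item.get("coercivity_oe")):
            return Decision(serial, "Purge", "Degauss with rated degausser, file calibration cert",
                            f"degausser rating {DEGAUSSER_RATING_OE} Oe >= media coercivity")
        if media == "tape":
            return Decision(serial, "Destroy", shred, "degausser rating below tape coercivity")
        if item.get("encrypted"):
            return Decision(serial, "Purge", crypto, "HDD is fully encrypted")
        # Overwrite is acceptable for HDDs only when the erasure is verified.
        return Decision(serial, "Clear", "Verified overwrite with validated tool, keep erasure log",
                        "degausser rating below drive coercivity")

    if media in FLASH:
        if item.get("secure_erase_supported"):
            cmd = "NVMe Format (cryptographic erase)" if media == "nvme" else "ATA/controller Secure Erase"
            return Decision(serial, "Purge", cmd, "controller supports secure erase")
        if item.get("encrypted") and media != "usb_flash":
            return Decision(serial, "Purge", crypto, "drive is fully encrypted")
        return Decision(serial, "Destroy", shred,
                        "overwrite is ineffective on flash and no secure erase is available")

    if media == "optical":
        return Decision(serial, "Destroy", "Shred or incinerate", "optical media cannot be cleared or purged")

    raise ValueError(f"{serial}: media type {media!r} is not in the SOP mapping; add it before proceeding")


def check_requested_method(media: str, method: str) -> Optional[str]:
    """Return a reason if a requested method is a known mis-pairing, else None."""
    if method == "overwrite" and media in FLASH:
        return "overwriting flash media is ineffective because of wear-leveling"
    if method == "degauss" and media not in MAGNETIC:
        return "degaussing only affects magnetic media"
    return None


if __name__ == "__main__":
    # Constructed sample inventory, not real assets.
    sample = [
        {"serial": "SN-HDD-01", "media": "hdd", "coercivity_oe": 2500},
        {"serial": "SN-HDD-02", "media": "hdd", "coercivity_oe": 6000},
        {"serial": "SN-NVME-01", "media": "nvme", "secure_erase_supported": True},
        {"serial": "SN-SSD-01", "media": "ssd"},
        {"serial": "SN-USB-01", "media": "usb_flash", "encrypted": True},
    ]
    for entry in sample:
        d = choose_method(entry)
        print(f"{d.serial}: {d.outcome} -> {d.method} ({d.rationale})")
```

Each `Decision` is what belongs in the per-media decision record that assessors ask for; the rationale string is there so the record explains why a cheaper method was not used.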
Implementation steps and checklist for small businesses
Actionable checklist you can implement this week:
1) Build a media inventory and classify CUI-bearing items.
2) Update your SSP and SOP to map each media type to a sanitization method (Clear/Purge/Destroy).
3) Procure or contract tools: certified erasure software, a degausser (if you still use tapes/HDDs), or a NAID-certified destruction vendor.
4) Train staff and assign chain-of-custody responsibilities.
5) Execute test erasures and keep logs, hash verifications, and CoDs.
6) Include sanitization events in your configuration management and audit logs.
Technical tip: maintain a sandbox for testing vendor Secure Erase or ATA/NVMe commands against representative hardware to validate results before running on production inventory.
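Step 5 (test erasures with logs and hash verification) and the sandbox tip are the parts most often done by hand. The following is an added example, not code from the post, from nwipe or from any vendor product: it reads a zero-filled device back, confirms every byte is 0x00, records the SHA-256 of the whole device so an auditor can recompute it independently, and signs the log record with an HMAC so later edits are detectable. Assumptions: the wipe pattern was zeros; the media is readable at a path (a block device node, or in a sandbox an image file as used here); the HMAC key is stored on a separate logging host, never on the media being sanitized. The serials, image files and key are constructed placeholders.

```python
"""Post-overwrite verification and a tamper-evident erasure log record.

Added example; not from the post or any erasure product. Works on any
readable path: a block device (needs read permission on the node) or a
constructed image file for sandbox testing.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time

CHUNK = 1 << 20  # read 1 MiB at a time


def verify_zero_fill(path: str, chunk: int = CHUNK):
    """Return (ok, first_nonzero_offset, sha256_hex, bytes_read).

    ok is True only if at least one byte was read and every byte was 0x00.
    The hash covers the full read either way, so an auditor can recompute
    sha256 of N zero bytes and compare it with the logged value.
    """
    digest = hashlib.sha256()
    size, first_bad = 0, None
    with open(path, "rb", buffering=0) as f:
        while True:
            buf = f.read(chunk)
            if not buf:
                break
            digest.update(buf)
            if first_bad is None and buf.count(0) != len(buf):
                first_bad = size + next(i for i, b in enumerate(buf) if b)
            size += len(buf)
    return first_bad is None and size > 0, first_bad, digest.hexdigest(), size


def _canonical(record: dict) -> bytes:
    """Stable serialization so the HMAC does not depend on key order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_log_record(serial: str, path: str, method: str, operator: str, key: bytes) -> dict:
    """Verify the media and produce one HMAC-signed, JSON-serializable log record."""
    ok, first_bad, sha, size = verify_zero_fill(path)
    record = {
        "serial": serial,
        "method": method,
        "operator": operator,
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "bytes_read": size,
        "verified": ok,
        "first_nonzero_offset": first_bad,
        "sha256_of_media": sha,
    }
    record["hmac_sha256"] = hmac.new(key, _canonical(record), hashlib.sha256).hexdigest()
    return record


def check_log_record(record: dict, key: bytes) -> bool:
    """True if the HMAC matches, i.e. no field was altered after signing."""
    body = dict(record)
    tag = body.pop("hmac_sha256", "")
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(tag, expected)


def write_sample_image(path: str, size: int, bad_offset=None) -> None:
    """Constructed stand-in for a drive: a sparse zero image, optionally with one stray byte."""
    with open(path, "wb") as f:
        f.truncate(size)
        if bad_offset is not None:
            f.seek(bad_offset)
            f.write(b"\x41")


def demo() -> dict:
    """Sandbox run over two constructed images; returns the records for inspection."""
    d = tempfile.mkdtemp(prefix="wipe-verify-")
    good, bad = os.path.join(d, "zero_filled.img"), os.path.join(d, "partial.img")
    size = 2 * CHUNK + 4096                # spans several read chunks
    write_sample_image(good, size)
    write_sample_image(bad, size, bad_offset=CHUNK + 17)
    key = b"placeholder-logging-key"       # placeholder; real key kept off the media
    rec_good = make_log_record("SN-EXAMPLE-001", good, "zero-fill overwrite", "tech1", key)
    rec_bad = make_log_record("SN-EXAMPLE-002", bad, "zero-fill overwrite", "tech1", key)
    tampered = dict(rec_bad)
    tampered["verified"] = True            # a failed record edited to look like a pass
    return {
        "good": rec_good,
        "bad": rec_bad,
        "good_authentic": check_log_record(rec_good, key),
        "tampered_detected": not check_log_record(tampered, key),
        "expected_zero_hash": hashlib.sha256(b"\x00" * size).hexdigest(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, json.dumps(value) if isinstance(value, dict) else value)
```

On real hardware the path is the device node after the overwrite pass has completed; the script only reads. A record whose `verified` field is false, or whose HMAC no longer checks, should send the drive back for another pass or to physical destruction rather than into the disposal pile.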
Compliance tips, evidence collection, and common pitfalls
For FAR 52.204-21 and CMMC Level 1, auditors expect documented procedures, evidence of execution, and demonstrable controls. Maintain: SOPs, media inventory with classification, per-media sanitization decision records, tool/vendor certificates (NAID, NIST listings, vendor validation), erasure logs with hashes or serial numbers, calibration records for degaussers, and Certificates of Destruction. Common mistakes: treating overwriting as sufficient for SSDs, relying on consumer-grade "file delete" utilities, failing to log chain-of-custody, and not validating vendor claims. Tip: adopt a third-party certified tool or vendor for high-risk media and keep photographic evidence and signed CoDs for each batch to simplify audits and help defend against contractor liability.
Risk of non-compliance and practical mitigation
Failure to properly sanitize media risks CUI exposure, contract violations, monetary penalties, loss of DoD and federal contract eligibility, and reputational damage—risks that disproportionately hurt small businesses. Mitigate by prioritizing affordable controls: use full-disk encryption from day one (reduces need for costly sanitization on disposal), maintain a simple but complete inventory, and budget for occasional third-party destruction services. Practical example: encrypting laptops with BitLocker and retaining key escrow reduces disposal risk—if a drive is lost during transit, data is still protected and the sanitization process becomes simpler (crypto-erase or physical destruction of a sealed encrypted drive).
In summary, meet MP.L1-B.1.VII by inventorying media, selecting the method appropriate to the media type (degauss for magnetic media, secure erase/crypto-erase for SSDs, physical destruction when in doubt), using certified tools or vendors, documenting every sanitization event, and baking these steps into your Compliance Framework artifacts (SSP, SOP, audit evidence). These practical steps will help a small business minimize risk and demonstrate compliance during FAR and CMMC assessments.