This post explains how to choose tools and methods to sanitize hard drives and mobile devices that contain Controlled Unclassified Information (CUI) to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control MA.L2-3.7.3 — focusing on practical implementation steps, clear decision criteria, sample commands and real-world small-business scenarios so you can create defensible sanitization records.
Understand the requirement and the sanitization taxonomy
MA.L2-3.7.3 requires that media containing CUI be sanitized prior to disposal or reuse. Follow NIST SP 800-88 guidance (Clear, Purge, Destroy) when choosing a method: "Clear" = logical/overwrite methods for reuse within trusted environments; "Purge" = stronger techniques like cryptographic erase or vendor secure erase for disposal or handoff; "Destroy" = physical destruction when media cannot be reliably cleared or purged. For compliance documentation purposes, record the chosen level for each media type and justify it based on the sensitivity of the CUI and the media's physical and logical characteristics.
Choose methods and tools by media type
Hard disk drives (HDDs)
For magnetic HDDs used in laptops or servers, software overwrites are acceptable when you need to reuse the drive (Clear) and the overwrite method is applied to all addressable locations. Practical, proven tools: GNU dd or shred for single-pass overwrites (e.g., dd if=/dev/zero of=/dev/sdX bs=4M status=progress, where /dev/sdX is the target device) or commercial options like Blancco. For ATA drives, hdparm supports ATA Secure Erase (example flow: set a temporary security password, then issue the secure-erase command). DBAN is usable for older HDDs but not recommended for SSDs; always capture a certificate/log showing device serial, method, tool version, operator, and timestamp. If the drive will leave your control or holds high-sensitivity CUI, prefer Purge-level actions or physical destruction.
Solid-state drives (SSDs) and NVMe
SSDs require different handling: overwriting all logical blocks may not reach remapped or over-provisioned areas, so NIST recommends vendor tools, firmware secure-erase, or cryptographic erasure. Preferred approaches: (1) enable hardware/firmware secure erase (ATA Secure Erase or NVMe Format with secure erase), (2) cryptographic erase — deploy full-disk encryption at device provisioning and destroy the encryption key when sanitizing, or (3) use vendor-supplied utilities (Samsung Magician, Intel SSD Toolbox, vendor cryptographic erase utilities) or validated commercial sanitizers such as Blancco for flash. Example: nvme-cli supports format operations that include secure erase (test on a non-production device and capture logs). Do not rely on multiple passes with dd on an SSD — that is ineffective and increases wear.
Mobile devices (smartphones, tablets, removable media)
Smartphones and tablets typically combine encryption and factory-reset capabilities; a defensible purge for CUI is: ensure device encryption is enabled while in use, remove any activation locks or MDM profiles blocking wipe, then perform a factory reset or issue a remote wipe via MDM (Jamf, Intune, Workspace ONE). For Apple devices, use MDM to "Erase", then remove the device from the Apple ID/Activation Lock and capture the device UDID and erase confirmation; for Android, confirm file-based or full-disk encryption was enabled prior to reset and capture the factory reset/MDM report. SD cards and removable flash should be purged with vendor secure-erase tools or, if the media is inexpensive, removed and physically destroyed (shredded/incinerated) when required.
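The decision criteria above (media type, whether the media leaves your control, whether encryption was in place, CUI sensitivity) can be encoded so every operator reaches the same Clear/Purge/Destroy choice and the same command sequence. The following planner is an added example, not code from the original post: device paths, the temporary ATA password and the MDM step are placeholders the operator substitutes, and the escalation rules (high-sensitivity media leaving control, or a mobile device that was never encrypted, go to Destroy) are this example's assumptions drawn from the guidance above, not a fixed policy.

```python
"""Sanitization planner for MA.L2-3.7.3 decisions (added example, not the
post's own code). choose_plan() maps a media type and the media's fate to a
NIST SP 800-88 level plus the tool commands the post mentions. Device paths,
TEMP_PASS and the MDM step are placeholders; the Destroy escalations are
assumptions made for this example."""
from dataclasses import dataclass, field
from typing import List

HDD, SSD_ATA, SSD_NVME, MOBILE, REMOVABLE = (
    "hdd", "ssd-ata", "ssd-nvme", "mobile", "removable-flash")
TEMP_PASS = "TEMP-ERASE-PASS"   # placeholder; the erase itself clears it


@dataclass
class Plan:
    level: str                  # "Clear", "Purge" or "Destroy"
    method: str                 # wording that goes into the sanitization record
    commands: List[str] = field(default_factory=list)
    verify: str = ""            # what evidence to capture afterwards
    notes: List[str] = field(default_factory=list)


def ata_secure_erase(device: str) -> List[str]:
    """hdparm flow: confirm support and 'not frozen', set a temporary
    password, erase, then re-read identify data to confirm security is
    'not enabled' again."""
    return [
        f"hdparm -I {device}",
        f"hdparm --user-master u --security-set-pass {TEMP_PASS} {device}",
        f"hdparm --user-master u --security-erase {TEMP_PASS} {device}",
        f"hdparm -I {device}",
    ]


def choose_plan(media: str, leaves_control: bool, encrypted: bool = False,
                high_sensitivity: bool = False, device: str = "/dev/sdX") -> Plan:
    """Pick level and tool for one item of media.

    leaves_control: disposal, resale, lease return or hand-off to a vendor.
    encrypted: encryption was on for the device's whole life, so destroying
               the key (cryptographic erase) is a valid Purge.
    """
    if high_sensitivity and leaves_control:
        # Assumption: high-sensitivity CUI leaving control is destroyed.
        return Plan("Destroy", "physical destruction (shred/incinerate)",
                    verify="certificate of destruction")
    if media == HDD and not leaves_control:
        # Clear: single pass over every addressable sector of the whole device.
        return Plan("Clear", "single-pass overwrite of all addressable sectors",
                    [f"dd if=/dev/zero of={device} bs=4M status=progress conv=fsync"],
                    "sampled sectors read back as zeros")
    if media in (HDD, SSD_ATA):
        plan = Plan("Purge", "ATA Secure Erase (hdparm)", ata_secure_erase(device),
                    "hdparm -I shows security 'not enabled'; sample blocks for residue")
        if media == SSD_ATA:
            plan.notes.append("never substitute dd passes on flash: they miss "
                              "remapped/over-provisioned areas and add wear")
        if encrypted:
            plan.notes.append("cryptographic erase (destroy the FDE key) is an "
                              "equally valid Purge when FDE was on from provisioning")
        return plan
    if media == SSD_NVME:
        return Plan("Purge", "NVMe Format with secure erase (nvme-cli)",
                    [f"nvme id-ctrl {device}",          # check erase capabilities first
                     f"nvme format {device} --ses=1"],  # ses=1: user-data erase
                    "nvme-cli output captured; sample namespace blocks",
                    ["use --ses=2 (cryptographic erase) where id-ctrl reports support"])
    if media == MOBILE:
        if not encrypted:
            # Assumption: a reset without prior encryption is not a defensible
            # purge for CUI, so the device is destroyed instead.
            return Plan("Destroy", "physical destruction (device never encrypted)",
                        verify="certificate of destruction")
        return Plan("Purge", "cryptographic erase via MDM erase / factory reset",
                    ["<MDM console>: clear Activation Lock/MDM profile, issue Erase"],
                    "MDM erase confirmation and device UDID captured")
    if media == REMOVABLE:
        if leaves_control:
            return Plan("Destroy", "shred/incinerate", verify="destruction certificate")
        return Plan("Purge", "vendor secure-erase utility", verify="vendor tool log")
    raise ValueError(f"unknown media type: {media}")


if __name__ == "__main__":
    for args in [(HDD, False), (SSD_ATA, True), (SSD_NVME, True), (MOBILE, True)]:
        plan = choose_plan(*args, device="/dev/sdX")
        print(args, plan.level, plan.method, plan.commands)
```

The `Plan.method` and `Plan.verify` strings are meant to be copied verbatim into the sanitization record, so the justification in the record matches the decision logic rather than being retyped by each operator.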
Implementation checklist, processes and recordkeeping
Create a sanitization SOP that ties to your asset inventory and CUI classification: identify media by serial number, owner, and CUI presence; select the sanitization level; run the approved tool/process; verify results; and store a sanitization record. Records should include device make/model/serial, method used (Clear/Purge/Destroy), tool name and version, operator, date/time, verification evidence (logs, hash before/after, certificate of destruction), and chain-of-custody. For third-party vendors (e.g., IT asset disposition firms), require written attestations and certificates of destruction, and validate with periodic audits or sample forensic checks.
Compliance tips, verification and small-business scenarios
Practical tips: (1) bake device encryption into procurement (BitLocker, FileVault, Android FBE) so cryptographic erase becomes an easy, auditable purge; (2) use MDM to enforce encryption and to issue remote wipes; (3) maintain a short whitelist of approved sanitization tools and require training for operators; (4) periodically test sanitization methods on nonproduction devices and keep test results; (5) add sanitization clauses to vendor and lease agreements. Example scenarios: a small defense contractor retiring 10 laptops can record the serials, perform ATA secure erase or cryptographic key destruction (if disks were encrypted), capture hdparm/nvme or MDM logs, and store COAs for CMMC evidence; in another scenario, a business selling used phones should factory-reset only after verifying encryption was enabled and obtaining an MDM wipe report.
Risks of non-compliance and verification techniques
Failing to properly sanitize media that contained CUI risks data exposure, contract violations, disallowed CUI dissemination, loss of facility clearance, regulatory penalties and reputational harm. For verification, perform basic checks such as attempting to mount media, running file-carving tools or strings searches, and performing forensic reads on a sampling of sanitized devices. For high assurance, contract an independent forensic lab to validate a random sample and retain their reports as evidence.
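The verification checks just described (strings searches, file-signature carving and forensic reads on a sample of sanitized devices) and the record fields listed under the implementation checklist fit together in one small tool: verify first, then store the verification result inside the record. The code below is an added example, not the post's own tooling. It reads fixed-size blocks at evenly spaced offsets through a `read(offset, length)` callback (so the same logic works on an in-memory image, a file, or a block device opened read-only), flags nonzero bytes, well-known magic bytes and printable runs, and then builds a record whose evidence hash ties it to the captured tool log. The disk images under `__main__` are constructed test data, and the `expect_zeros` switch exists because a cryptographic erase leaves unreadable ciphertext rather than zeros.

```python
"""Post-sanitization verification and record generation (added example,
not code from the original post). Sample inputs are constructed."""
import hashlib
import json
import re
from datetime import datetime, timezone
from typing import Callable, Dict, List

# Residue of any of these after sanitization means the erase missed a region.
SIGNATURES = {
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "pdf": b"%PDF-",
    "zip/office": b"PK\x03\x04",
    "elf": b"\x7fELF",
}
LEVELS = ("Clear", "Purge", "Destroy")
REQUIRED_FIELDS = ("make", "model", "serial", "level", "method",
                   "tool", "tool_version", "operator")


def sample_offsets(size: int, block: int = 4096, samples: int = 64) -> List[int]:
    """Evenly spaced block offsets; an image small enough is read in full."""
    if size <= block * samples:
        return list(range(0, size, block))
    stride = size // samples
    return [i * stride for i in range(samples)]


def verify_sanitized(read: Callable[[int, int], bytes], size: int,
                     expect_zeros: bool = True, min_run: int = 8,
                     block: int = 4096, samples: int = 64) -> Dict:
    """Sample the media and report anything that looks like surviving data.

    expect_zeros=False for cryptographic erase: ciphertext is never zero, so
    only signatures and printable runs count. Raise min_run for that case,
    because random bytes produce short printable runs by chance.
    Only the sampled blocks are inspected: a pass is evidence, not proof.
    """
    printable_run = re.compile(rb"[\x20-\x7e]{%d,}" % min_run)  # what `strings` reports
    offsets = sample_offsets(size, block, samples)
    nonzero, string_runs = 0, 0
    signatures: Dict[str, int] = {}
    for offset in offsets:
        chunk = read(offset, block)
        nonzero += len(chunk) - chunk.count(b"\x00")
        for name, magic in SIGNATURES.items():
            idx = chunk.find(magic)
            if idx != -1 and name not in signatures:
                signatures[name] = offset + idx   # first absolute offset seen
        string_runs += len(printable_run.findall(chunk))
    return {
        "sampled_blocks": len(offsets),
        "nonzero_bytes": nonzero,
        "signatures": signatures,
        "string_runs": string_runs,
        "passed": (not expect_zeros or nonzero == 0)
                  and not signatures and string_runs == 0,
    }


def build_record(asset: Dict, verification: Dict, evidence: bytes,
                 custody: List[str]) -> Dict:
    """Assemble the sanitization record; refuses incomplete records."""
    missing = [k for k in REQUIRED_FIELDS if not asset.get(k)]
    if missing:
        raise ValueError(f"record incomplete, missing: {missing}")
    if asset["level"] not in LEVELS:
        raise ValueError(f"level must be one of {LEVELS}")
    return {
        **asset,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        # Hash of the captured tool output (hdparm/nvme/MDM log) so the stored
        # evidence file can later be shown to be the one this record cites.
        "evidence_sha256": hashlib.sha256(evidence).hexdigest(),
        "verification": verification,
        "chain_of_custody": custody,
    }


def reader_for(data: bytes) -> Callable[[int, int], bytes]:
    """Read callback over an in-memory image (constructed test data)."""
    return lambda offset, length: data[offset:offset + length]


if __name__ == "__main__":
    size = 1 << 20
    clean = bytes(size)                       # constructed: fully zeroed image
    dirty = bytearray(size)                   # constructed: erase missed two spots
    dirty[82020:82023] = SIGNATURES["jpeg"]
    dirty[327690:327690 + 29] = b"CUI: contract 12345 draft.txt"
    for label, img in (("clean", clean), ("dirty", bytes(dirty))):
        print(label, verify_sanitized(reader_for(img), size))
    asset = {"make": "ExampleCo", "model": "X1", "serial": "SN-PLACEHOLDER",
             "level": "Clear", "method": "single-pass overwrite", "tool": "dd",
             "tool_version": "coreutils 9.x", "operator": "operator-id"}
    record = build_record(asset, verify_sanitized(reader_for(clean), size),
                          b"hdparm/dd log bytes go here", ["received 2024-01-01",
                          "sanitized 2024-01-02"])
    print(json.dumps(record, indent=2))
```

For a real device, replace `reader_for` with a callback that seeks and reads from a file opened with `open(path, "rb")`, and store the printed JSON alongside the raw tool log whose SHA-256 the record carries.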
Summary — Select the least-disruptive method that provides the required assurance: document the decision (Clear vs Purge vs Destroy), prefer vendor/firmware secure-erase or cryptographic-erase for flash, use physical destruction when necessary, retain detailed records and COAs, and integrate sanitization into procurement, asset management and MDM workflows so MA.L2-3.7.3 is demonstrably met for NIST SP 800-171 and CMMC 2.0 compliance.