
How to Create a Media Sanitization Policy to Comply with FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII: Checklist and Templates

Step‑by‑step guide, checklist, and starter policy template to implement media sanitization that meets FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requirements for small businesses.

April 06, 2026
5 min read


Sanitizing media before reuse, transfer, or disposal is a simple control that prevents inadvertent disclosure of Federal Contract Information (FCI) and satisfies FAR 52.204-21(b)(1)(vii) and its CMMC 2.0 Level 1 counterpart, MP.L1-B.1.VII. This post shows how to build a practical media sanitization policy, includes a checklist you can use today, and provides a starter template tailored to a small business environment.

What this requirement means (practical overview)

At its core the requirement is straightforward: FAR 52.204-21(b)(1)(vii) requires that information system media containing FCI be sanitized or destroyed before disposal or release for reuse, so any media that may contain FCI (or other regulated data) must be rendered unrecoverable before it leaves controlled custody or is repurposed. For a FAR 52.204-21 / CMMC Level 1 implementation this typically maps to establishing policy scope, assigned responsibilities, approved sanitization methods, verification and recordkeeping, and training, so your organization can demonstrate that sanitization actually occurred and was effective.

Key elements to include in your media sanitization policy

Your policy should be concise and actionable. At minimum include: scope (what qualifies as media: HDDs, SSDs, removable flash, optical, backup tapes, mobile phones), roles and responsibilities (IT, asset owner, contract security officer), classification and decision rules (when to sanitize vs. destroy), approved sanitization methods mapped to media type, verification and acceptance criteria, chain-of-custody and documentation requirements (chain-of-custody form, Certificate of Destruction), approved vendors (NAID AAA or equivalent), training requirements, and review/update cadence. These elements let auditors and contracting officers quickly validate compliance.

Media Sanitization Checklist (quick reference)

  • Inventory all media assets (serial, model, owner, data classification)
  • Classify media: FCI present? CUI? Public?
  • Decide disposition: reuse internal, transfer, recycle, physical destroy
  • Select sanitization method per media type (see policy table)
  • Execute sanitization and record method, operator, date/time, verification hash or tool output
  • Retain evidence (logs, photos, certificate of destruction) in central repository
  • Train staff on procedures and using approved tools
  • Use a chain-of-custody form for third-party pickups and require a signed Certificate of Destruction (CoD)

Implementation steps and real-world examples for a small business

Step 1: Build a one-page process and an asset register. For a 15-person defense subcontractor, create an Asset Register spreadsheet listing device type, owner, serial number, last user, and classification. Step 2: Label devices on intake with a unique tag and record them in the register. Example: when upgrading laptops, the IT admin tags decommissioned machines with "SAN-2026-001", moves them to a secure wipe station, and records the sanitization method and the tool's output (or a hash of its log) in the register.

Technical sanitization methods—what to use for each media type

Use the NIST SP 800-88 categories (Rev. 1; Rev. 2, published in 2024, keeps the same three): Clear (logical techniques such as overwriting), Purge (cryptographic erase or a firmware-level secure erase), and Destroy (physical destruction). Practical mappings: for magnetic HDDs a single-pass overwrite with a fixed pattern is what NIST specifies for Clear (multi-pass overwrites add time, not assurance), and verify by reading sectors back after the wipe; for SSDs prefer ATA Secure Erase, NVMe Format with a secure-erase setting, or cryptographic erase (destroying the media encryption key on a self-encrypting drive), because wear leveling and over-provisioned flash mean an overwrite may never reach every block; do not rely on DBAN or other overwrite-only tools for SSDs. For mobile devices use a factory reset, which on an encrypted device discards the data-encryption key, or physical destruction if required. Example commands (all destructive; test in a lab first): for ATA drives, set a temporary password with hdparm --user-master u --security-set-pass <pass> /dev/sdX and then run hdparm --user-master u --security-erase <pass> /dev/sdX (the drive must not be in the "frozen" state reported by hdparm -I; a suspend/resume cycle usually clears it); for NVMe, nvme format /dev/nvme0n1 -s 2 performs a cryptographic erase, and -s 1 a user-data erase where the controller does not support crypto erase; for BitLocker volumes, crypto-erase means removing every key protector with manage-bde -protectors -delete <drive>, and it only counts as Purge if the volume was encrypted before any FCI was written and no copy of the recovery key survives in Active Directory, Entra ID, or a saved/printed backup. Document the command output as evidence.

Verification, documentation, and vendor selection

Verification is the evidence auditors want: log file outputs from wipe tools, screenshots or terminal output, hash comparisons where relevant, and a Certificate of Destruction (CoD) for physical destruction. If using third-party destruction, use vendors with NAID AAA certification or SOC 2 reports and require a signed CoD and chain-of-custody form that lists serial numbers. Retain this evidence according to your contract requirements (often at least the length of the contract or as specified by the contracting officer). The risk of poor vendor management is concrete: drives that leave your custody unrecorded, or that are resold instead of destroyed, are a recurring source of data breaches and contract compliance failures.
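The wipe-station workflow described in the three sections above (tag the device, pick the approved method for its media type, run the tool, verify, and keep the output as evidence) as one bash script. This is an added example, not code from the original post or from Lakeridge. It assumes a Linux wipe station with GNU coreutils, hdparm, nvme-cli and lsblk; the function names, the asset tag, the operator name and the device paths are placeholders, and the evidence directory is the one named in the policy template below. Only the overwrite branch runs offline, against a constructed sample file standing in for a drive; the ATA and NVMe branches invoke the real tools and need a real device.

```shell
#!/usr/bin/env bash
# Added example, not the post's own code. Assumes a Linux wipe station with GNU
# coreutils, hdparm, nvme-cli and lsblk; EVIDENCE_DIR, asset tags, operator
# names and device paths are placeholders for your own environment.
set -euo pipefail

EVIDENCE_DIR="${EVIDENCE_DIR:-/evidence/media_sanitization}"   # path from the policy template

# Map the media type recorded in the asset register to the approved method.
# Overwrite is a NIST SP 800-88 "Clear"; secure erase / crypto erase are "Purge".
select_method() {
  case "$1" in
    hdd)  echo "overwrite-1pass-zero" ;;
    ssd)  echo "ata-secure-erase" ;;
    nvme) echo "nvme-format-crypto-erase" ;;
    *)    echo "unknown"; return 1 ;;
  esac
}

# Read-back verification for an overwrite: pass only if every byte reads as zero.
# Works on a block device or on a regular file (used by the sample run in the test).
verify_zeroed() {
  local nonzero
  nonzero=$(LC_ALL=C tr -d '\000' < "$1" | wc -c | tr -d ' ')
  [ "$nonzero" -eq 0 ]
}

# Sanitize one device and append a JSON-lines evidence record.
# Usage: sanitize_and_record <asset_tag> <hdd|ssd|nvme> <device> <operator>
sanitize_and_record() {
  local tag="$1" type="$2" dev="$3" operator="$4"
  local method log tool serial size verified=fail
  method=$(select_method "$type")
  mkdir -p "$EVIDENCE_DIR"
  log="$EVIDENCE_DIR/$tag.tool.log"          # raw tool output, kept as evidence
  if [ -b "$dev" ]; then serial=$(lsblk -dno SERIAL "$dev"); else serial="n/a (sample file)"; fi

  case "$method" in
    overwrite-1pass-zero)
      tool="dd ($(dd --version 2>/dev/null | sed -n 1p || true))"
      if [ -b "$dev" ]; then size=$(blockdev --getsize64 "$dev"); else size=$(wc -c < "$dev" | tr -d ' '); fi
      # Write exactly $size zero bytes; notrunc keeps a sample file's size, fsync flushes to media.
      head -c "$size" /dev/zero | dd of="$dev" bs=1M conv=fsync,notrunc 2>"$log"
      if verify_zeroed "$dev"; then verified=pass; fi ;;
    ata-secure-erase)
      tool="hdparm ($(hdparm -V 2>&1 | sed -n 1p))"
      # A "frozen" drive rejects SECURITY ERASE; suspend/resume the host first.
      hdparm -I "$dev" | grep -E 'not[[:space:]]+frozen' >/dev/null \
        || { echo "$dev is frozen; suspend/resume and retry" >&2; return 1; }
      if hdparm --user-master u --security-set-pass Erase "$dev" >"$log" 2>&1 \
         && hdparm --user-master u --security-erase Erase "$dev" >>"$log" 2>&1; then
        verified=pass   # firmware-level Purge; the tool's exit status is the evidence
      fi ;;
    nvme-format-crypto-erase)
      tool="nvme-cli ($(nvme version | sed -n 1p))"
      # -s 2 = cryptographic erase; use -s 1 (user data erase) if the controller
      # does not support crypto erase.
      if nvme format "$dev" -s 2 >"$log" 2>&1; then verified=pass; fi ;;
  esac

  # One record per sanitization: asset ID, serial, method, tool, operator, time,
  # a hash that ties the record to the saved tool log, and the verification result.
  printf '{"asset_tag":"%s","serial":"%s","media_type":"%s","device":"%s","method":"%s","tool":"%s","operator":"%s","timestamp":"%s","tool_log_sha256":"%s","verification":"%s"}\n' \
    "$tag" "$serial" "$type" "$dev" "$method" "$tool" "$operator" "$(date -u +%FT%TZ)" \
    "$(sha256sum "$log" | cut -d' ' -f1)" "$verified" >> "$EVIDENCE_DIR/sanitization.jsonl"
  [ "$verified" = pass ]
}

# Wipe-station use, e.g.: sudo ./sanitize.sh SAN-2026-001 hdd /dev/sdb alice
if [ "$#" -eq 4 ]; then sanitize_and_record "$@"; fi
```

The record is appended as one JSON line per device so the evidence folder can be grepped by asset tag during an audit, and the SHA-256 of the saved tool log lets a reviewer confirm the log on disk is the one the record refers to. The overwrite branch verifies by reading the whole device back; the secure-erase branches record the tool's success because a firmware erase does not promise that subsequent reads return zeros.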

Compliance tips and best practices

Make media sanitization easy: encrypt drives at first use (full-disk encryption such as BitLocker or FileVault) so that crypto-erase is an option later. NIST SP 800-88 only credits cryptographic erase when the data was encrypted from the start, so turning encryption on at imaging time, before any FCI lands on the device, is what makes "delete the keys and record that action" a valid disposal method later. Automate the inventory and logging process with an asset management tool or scripts that capture serial numbers and wipe tool output into a central evidence repository. Train staff annually and include sanitization in onboarding/offboarding checklists. Finally, map your policy to the FAR 52.204-21 / CMMC control IDs and keep a one-page crosswalk for auditors showing where evidence lives (e.g., Asset Register → evidence folder path → sample CoD file name).

Starter policy template (copy, edit, and use)

Policy Title: Media Sanitization & Disposal Policy
Scope: All media (HDD, SSD, removable, optical, tape, mobile devices) that may contain FCI or regulated information.
Roles: IT Manager (owner), Asset Owner (data owner), Security Officer (oversight), External Vendor (if used).
Sanitization Methods:
  - HDD: Single-pass overwrite with approved tool or vendor-certified purge; verify with read-back or tool log.
  - SSD/NVMe/Self-Encrypting: Use vendor Secure Erase/NVMe Format or cryptographic erase; document method and evidence.
  - Mobile Devices: Factory reset + key destruction or physical destruction if required.
Documentation: All sanitizations must include asset ID, serial, date, operator, tool and version, output/log, and final disposition. Store evidence in /evidence/media_sanitization/.
Third-party: Require NAID AAA (preferred) and signed Certificate of Destruction with serial numbers.
Review: Annual review and update; immediate update upon tech changes (e.g., new SSD types).

Failing to implement a media sanitization policy exposes your business to data breaches, loss of contracts, regulatory fines, and reputational damage—especially when handling FCI in government contracting. A short written policy, paired with an asset register, approved technical procedures, verification outputs, and a vendor CoD requirement, will satisfy auditors and dramatically reduce operational risk. Start small: encrypt new devices now, build an inventory, and implement a single validated wipe procedure for each media type.
