If your small business handles Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), FAR 52.204-21 and CMMC 2.0 Level 1 Control MP.L1-B.1.VII require that you protect information on media when it is retired or disposed — and that often means sanitizing or destroying hard drives, SSDs, and mobile media in a way that renders data unrecoverable. This post gives practical, implementable steps, technical details, real-world small-business scenarios, and compliance tips to help you meet these obligations reliably and defensibly.
Understanding the requirement
FAR 52.204-21 establishes basic safeguarding requirements for contractor information systems, and CMMC 2.0 Level 1 adds specific media protection expectations (MP.L1-B.1.VII) around handling and disposing of media that may contain FCI/CUI. The core objective is simple: when media leaves your control (retirement, resale, recycling, destruction), you must ensure the data cannot be reconstructed. For your compliance framework implementation, map this control to an SOP that defines media inventory, categorization (FCI/CUI vs. non-sensitive), acceptable sanitization methods per media type, verification and recordkeeping (chain of custody and certificate of destruction), and staff responsibilities.
Sanitization methods and when to use them
NIST SP 800-88 Rev.1 provides the industry-standard model: Clear (logical or software-based sanitization), Purge (more aggressive, e.g., cryptographic erase or degaussing), and Destroy (physical destruction). Choose the method based on media type, your risk tolerance, and contractual requirements. In your compliance framework practice, document the acceptable methods per media class, and require purge or destroy for any media that contained CUI unless the media will remain under continuous control in a secure, auditable environment.
Hard disk drives (HDDs)
For magnetic HDDs, the common options are: software overwriting (Clear) for low-sensitivity FCI when documented and verified; degaussing (Purge) using a certified degausser for drives that will not be reused; or physical destruction (Destroy) if you will not retain the drive. If you choose overwriting, follow a documented pattern (multiple passes are rarely necessary with government-approved tools, but the result must be validated), and maintain logs showing the utility, the command, and successful completion. For a defensible purge, a commercial degausser from a reputable vendor plus verification with a magnetometer or acceptance testing is standard. If you destroy, use a purpose-built shredder or disintegrator and retain Certificates of Destruction (CoD) and a manifest that lists serial numbers or asset tags.
Solid-state drives (SSDs) and NVMe
SSDs present different challenges: wear leveling and over-provisioned areas make overwriting ineffective. Acceptable approaches are crypto-erase (if the drive is full-disk encrypted and the key is securely destroyed), ATA Secure Erase (via vendor utilities or hdparm for SATA, following a documented procedure), or NVMe secure erase / format commands using vendor tools or nvme-cli (consult the drive vendor for the correct secure-erase parameters). If you do not have a reliable cryptographic-erase implementation, or vendor secure erase is unavailable or untrusted, physical destruction (shredding, disintegrating, or incinerating the storage chips) is required. Document the chosen technique, include vendor guidance in your SOP, and retain verification records (tool logs, vendor attestations).
Mobile media (smartphones, tablets, USB sticks, SD cards)
Mobile devices and removable flash media need special handling: modern smartphones often use hardware-backed encryption — a factory reset plus secure key destruction may be acceptable if you can verify the device used full-disk encryption and the reset actually wiped keys. For removable flash (USB, SD), prefer crypto-erase or secure erase utilities where available; otherwise physically destroy the memory chips. A practical small-business rule: any removable media that held FCI/CUI should be pulped or shredded by a certified vendor or physically destroyed on-site (chip crushing or disintegrators) and recorded in your disposal log.
Implementation steps for a small business (practical SOP)
Keep it simple, repeatable, and auditable:
1) Inventory and classify: tag assets with unique IDs and record whether they ever contained FCI/CUI.
2) Decide the sanitization method per media class: HDD → clear/purge/destroy; SSD → crypto-erase/vendor secure erase/destroy; mobile → factory reset + crypto-erase/destroy.
3) Train personnel and restrict who can perform sanitization.
4) Execute sanitization using documented tools (e.g., hdparm for ATA Secure Erase, a vendor NVMe utility, a certified degausser, or a physical shredder).
5) Verify success (tool exit codes, sample forensic checks, or vendor CoD).
6) Record chain of custody and retain destruction certificates for the contractually required retention period.
Include a fallback that escalates to physical destruction if any step is uncertain.
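The following script is an added example and is not part of the original post or any vendor's tooling. It puts steps 2, 4, 5 and 6 of the SOP above, together with the SATA/NVMe commands named in the SSD section, into a single POSIX sh helper for a Linux workstation: it maps media class and classification to a method, builds the command for the software-based methods (shred for overwrite, hdparm ATA Secure Erase, nvme-cli format), spot-checks the device afterwards, and appends a chain-of-custody record. Everything it assumes is labelled in the comments: the asset IDs, serials and /dev/sdz device path are constructed; the nvme --ses value, the spot-check size and the expectation that an erased drive reads back as zeros must be confirmed against your drive vendor's guidance. With DRY_RUN=1 (the default) it only prints commands and never touches a device.

```shell
#!/bin/sh
# Added example, not from the original post: a small POSIX sh helper that
# implements steps 2, 4, 5 and 6 of the SOP on a Linux workstation.
# Assumptions (confirm against your SOP and drive vendor): the --ses value,
# the spot-check size, and an all-zeros read-back after a successful erase.
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print commands only, never touch a device
LOGFILE="${LOGFILE:-./media-disposal.log}"  # tab-separated chain-of-custody log
SAMPLE_MIB="${SAMPLE_MIB:-4}"               # MiB read back by the spot check (assumed value)

# Step 2: method per media class and classification (none|fci|cui).
# Anything not explicitly mapped falls back to physical destruction.
select_method() {
  case "$1:$2" in
    hdd:none|hdd:fci) echo overwrite ;;                  # Clear: one documented pass
    hdd:cui)          echo degauss ;;                    # Purge (or destroy)
    ssd-sata:*)       echo ata-secure-erase ;;           # Purge by drive firmware
    ssd-nvme:*)       echo nvme-format ;;                # Purge: NVMe Format with secure erase
    mobile:*)         echo factory-reset-crypto-erase ;; # only if FDE and key wipe are verified
    removable:none)   echo overwrite ;;
    removable:*)      echo destroy ;;                    # FCI/CUI flash media: shred or pulp
    *)                echo destroy ;;                    # unknown class: escalate
  esac
}

# Step 4: the command for software-based methods. Manual methods (degauss,
# destroy, factory reset) print nothing; their evidence is the vendor CoD.
build_command() {
  case "$1" in
    overwrite)
      echo "shred -v -n 1 -z $2" ;;
    ata-secure-erase)
      # abort if hdparm -I reports a frozen security state; NULL is hdparm's empty password
      echo "hdparm -I $2 | grep -q 'not.*frozen' && hdparm --user-master u --security-set-pass NULL $2 && hdparm --user-master u --security-erase NULL $2" ;;
    nvme-format)
      echo "nvme format $2 --ses=1" ;;   # --ses=1 user-data erase, 2 = crypto erase (assumed; check vendor)
    *)
      echo "" ;;
  esac
}

# Execute the command, or print it when DRY_RUN=1. Returns the tool's exit code.
run_command() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "DRY-RUN: $1"
    return 0
  fi
  sh -c "$1"
}

# Step 5: spot check that the first SAMPLE_MIB MiB read back as zeros.
# Works on a block device or a regular file (the latter is handy for testing).
sample_is_zeroed() {
  nonzero=$(dd if="$1" bs=1048576 count="$SAMPLE_MIB" 2>/dev/null | tr -d '\000' | wc -c | tr -d ' ')
  [ "$nonzero" -eq 0 ]
}

# Step 6: append a tab-separated chain-of-custody record and echo it.
# Fields: UTC time, asset id, serial, method, result, operator.
log_record() {
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$ts" "$1" "$2" "$3" "$4" "$5" | tee -a "$LOGFILE"
}

# Steps 2-6 for one asset. Prints the disposition: released, dry-run,
# manual-pending-CoD, or escalate-destroy (the SOP's fallback for any
# failed or uncertain step).
# Usage: sanitize_asset ASSET_ID SERIAL DEVICE CLASS CLASSIFICATION OPERATOR
sanitize_asset() {
  method=$(select_method "$4" "$5")
  cmd=$(build_command "$method" "$3")
  if [ -z "$cmd" ]; then
    disposition="manual-pending-CoD"
  elif [ "$DRY_RUN" = "1" ]; then
    run_command "$cmd" >&2
    disposition="dry-run"
  elif run_command "$cmd" >&2 && sample_is_zeroed "$3"; then
    disposition="released"
  else
    disposition="escalate-destroy"
  fi
  log_record "$1" "$2" "$method" "$disposition" "$6" >&2
  echo "$disposition"
}

# Example run against a constructed asset (DRY_RUN=1, so nothing is erased):
sanitize_asset A-0042 SN-EXAMPLE-001 /dev/sdz ssd-sata cui jdoe
```

Run it as root with DRY_RUN=0 only after the mapping in select_method has been reviewed against your own SOP; the log it appends to gives you the per-event record (step 6) and the DRY-RUN line printed to stderr is the command you would paste into the evidence package for step 4.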
Real-world scenarios and examples
Example 1: A 10-person engineering firm retiring laptops that held FCI. They use full-disk encryption (BitLocker) on all devices; their SOP requires a backup and removal of the keys from their key management system, followed by a factory reset plus vendor secure erase where available. For any device where they cannot verify encryption or key destruction, they schedule physical shredding and obtain a CoD from the vendor.
Example 2: A small subcontractor replacing USB test sticks. Because the sticks are cheap and have held FCI, they send batches to a certified media destruction vendor for shredding and keep the manifests; this is cheaper than implementing a secure-erase process for individual sticks and reduces risk.
Risks of not implementing proper media destruction
Failing to properly sanitize or destroy media risks data recovery by attackers, insider misuse, or accidental disclosure during resale/recycling. Consequences include breach notification obligations, federal contract penalties, loss of future contracts, reputational damage, and extended incident response costs. From a compliance perspective, auditors will expect policies, evidence of sanitization, and retained records — lacking those can cause immediate findings and contract non-compliance.
Compliance tips and best practices
Adopt a few practical controls: require full-disk encryption for all endpoints (reduces risk and supports crypto-erase), maintain a simple media inventory and destruction log, use vendor-supplied secure-erase tools for NVMe/SATA when possible, prefer certified third-party destruction vendors for bulk disposals, and automate evidence collection (scripted secure-erase logs, signed CoDs). Maintain an SOP that references NIST SP 800-88 guidance and your chosen tools. Periodically sample destroyed media (forensic verification on a subset) to validate procedures and append those results to your compliance evidence package.
Summary: Implementing MP.L1-B.1.VII is straightforward if you create a clear SOP mapped to media types (HDD, SSD, mobile), use appropriate sanitization methods (clear/purge/destroy per NIST guidance), document and verify each destruction event, and keep chain-of-custody and destruction certificates. For small businesses, the most practical path is to combine full-disk encryption, vendor secure-erase tools where supported, and certified physical destruction for any media where secure erase or verification isn’t possible — all recorded in an auditable log to demonstrate FAR and CMMC compliance.