
How to Implement a 7-Step Checklist for Destroying or Sanitizing Media with FCI to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII

A practical 7-step checklist for securely destroying or sanitizing media that contains Federal Contract Information (FCI) to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requirements.

April 13, 2026 · 5 min read


If your small business handles Federal Contract Information (FCI), implementing a repeatable, auditable process to sanitize or destroy media is critical to meet FAR 52.204-21 and the CMMC 2.0 Level 1 control MP.L1-B.1.VII — this post gives a practical 7-step checklist, technical options, examples, and compliance tips you can implement today.

Why this matters: compliance context and what FCI means

FAR 52.204-21 requires contractors to safeguard FCI; CMMC 2.0 Level 1 includes basic cyber hygiene controls such as media protection (MP.L1-B.1.V.II / MP.L1-B.1.VII depending on mapping). FCI is unclassified information provided by or generated for the government under a contract. The objective is simple: when media that stores FCI is no longer required, you must sanitize or destroy it in a way that prevents data recovery. For compliance frameworks, that means documented policies, approved methods (clear/purge/destroy per NIST SP 800-88 Rev. 1), and evidence of execution.

7-Step checklist (high-level)

Implement this checklist as part of your Compliance Framework practice. Each step below includes implementation notes, technical guidance, and small-business examples you can adapt.

Step 1 — Inventory and classify media

Action: Maintain an asset and media inventory with media type (HDD, SSD, NVMe, USB, SD card, backup tape, paper), owner, last known data class (FCI or not), and disposition status. Implementation note: integrate with your asset management system (spreadsheets are acceptable for very small shops but must be controlled and backed up). Real-world example: a 12-person IT services company tags every laptop, external drive, and ISO image with an asset tag and a column "Contains FCI: Y/N". If FCI was ever present, treat the media as FCI for disposition.

Step 2 — Select method based on media type and NIST guidance

Action: Map sanitization options to media types using NIST SP 800-88 Rev. 1 categories: Clear (logical techniques), Purge (more aggressive, e.g., cryptographic erase or degauss), Destroy (physical). Implementation note: SSDs and NVMe devices require different approaches than magnetic HDDs; multi-pass overwrites (e.g., DoD 5220.22-M) are not reliable for SSDs because wear levelling and over-provisioning leave blocks the host cannot address. Technical details: for HDDs use block-level overwrite tools (vendor or Blancco); for SSD/NVMe prefer vendor Secure Erase, ATA Secure Erase (hdparm --security-erase, issued after setting a temporary drive password with --security-set-pass and only when the drive is not in the "frozen" state), NVMe sanitize commands, or cryptographic erase if full-disk encryption (FDE) was enabled before any FCI was written to the drive. For removable flash and tapes, use vendor-supported sanitize commands or certified shredding. Small-business scenario: before redeploying an employee laptop, IT enables BitLocker (or FileVault), then performs a crypto-erase (destroy the key) and documents the action; for drives to be destroyed, IT sends them to an R2/NAID-certified vendor.
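The mapping described in this step, written out as a small decision helper. This is an added example and not code from the original post: the media-type names, the rule set (FCI media leaving your control is destroyed, FCI media kept for reuse gets at least Purge, non-FCI media may be Cleared) and the command hints are illustrative assumptions that you would adjust to your own SOP and contract terms.

```python
"""Decision helper that maps a media type and disposition purpose to a NIST SP
800-88 Rev. 1 category (Clear / Purge / Destroy), a concrete technique, and the
verification Step 5 should perform. Added example; rules are illustrative."""
from dataclasses import dataclass

FLASH = {"ssd", "nvme", "usb", "sd"}      # flash: overwrite passes are unreliable
MAGNETIC = {"hdd", "tape"}                # magnetic: overwrite / degauss apply
PAPER = {"paper"}


@dataclass(frozen=True)
class Plan:
    category: str       # NIST 800-88 category: "Clear", "Purge" or "Destroy"
    technique: str      # what the operator actually does
    verification: str   # what Step 5 must confirm before the record is closed


def overwrite_is_reliable(media_type: str) -> bool:
    """Multi-pass overwrite (DoD 5220.22-M style) is only meaningful on magnetic
    disks; wear levelling and over-provisioning on flash hide blocks from the host."""
    return media_type.lower() == "hdd"


def plan_sanitization(media_type: str, purpose: str, fde_enabled: bool = False,
                      contains_fci: bool = True) -> Plan:
    """purpose is 'reuse' (media stays under organizational control) or
    'dispose' (media leaves it). The rule set is an assumption for this example."""
    mt = media_type.lower()
    if purpose not in ("reuse", "dispose"):
        raise ValueError("purpose must be 'reuse' or 'dispose'")
    if mt in PAPER:
        return Plan("Destroy", "cross-cut shred by NAID-certified vendor",
                    "Certificate of Destruction filed against the asset record")
    if purpose == "dispose" and contains_fci:
        return Plan("Destroy", "shred/disintegrate via accredited vendor (R2/NAID)",
                    "Certificate of Destruction lists the device serial")
    # Crypto erase only counts if encryption was on before any FCI was written.
    if fde_enabled and (mt in FLASH or mt == "hdd"):
        return Plan("Purge", "cryptographic erase: destroy the FDE key, then re-provision",
                    "sample-read blocks: no file signatures, near-random content")
    if mt == "nvme":
        return Plan("Purge", "NVMe Sanitize via nvme-cli (block or crypto erase), "
                             "e.g. 'nvme sanitize /dev/nvmeX --sanact=2'",
                    "'nvme sanitize-log' reports completion; sample-read blocks are zero")
    if mt == "ssd":
        return Plan("Purge", "ATA Secure Erase: 'hdparm --security-set-pass' then "
                             "'hdparm --security-erase' (drive must not be frozen)",
                    "'hdparm -I' shows security not enabled; sample-read blocks are zero")
    if mt in FLASH:   # usb / sd cards rarely expose a firmware sanitize command
        if contains_fci:
            return Plan("Purge", "vendor sanitize command; if none exists the media "
                                 "cannot be reused and must be destroyed",
                        "sample-read blocks are zero")
        return Plan("Clear", "single-pass overwrite with a block-level tool",
                    "sample-read blocks are zero")
    if mt == "hdd":
        if contains_fci:
            return Plan("Purge", "ATA Secure Erase or degauss; fall back to a certified overwrite tool",
                        "sample-read blocks are zero; tool report retained")
        return Plan("Clear", "single-pass full-disk overwrite with a block-level tool",
                    "sample-read blocks are zero")
    if mt == "tape":
        return Plan("Purge", "degauss with a tape-rated degausser",
                    "read attempt on a tape drive returns no data")
    raise ValueError(f"unknown media type: {media_type!r}")


if __name__ == "__main__":
    for args in (("nvme", "reuse", True), ("ssd", "reuse", False), ("hdd", "dispose", False)):
        print(args, "->", plan_sanitization(*args))
```

The helper deliberately never returns an overwrite-based plan for flash media, and it only offers cryptographic erase when the caller asserts FDE was in place; both are the places where a checklist applied by hand most often goes wrong.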

Step 3 — Prepare, isolate, and protect chain of custody

Action: Move media to a controlled quarantine area and create chain-of-custody documentation (who handled it, date/time, device serial/asset tag). Implementation note: restrict physical access, lock the quarantine cabinet, and use signed handoffs if multiple staff are involved. Example: a small defense subcontractor keeps a locked evidence box and a paper/electronic log that must be signed before media are moved to a vendor for destruction.

Step 4 — Execute sanitization/destruction with verified tooling

Action: Run the chosen sanitization operation or physically destroy media. Implementation note: use certified tools for overwriting (e.g., Blancco), vendor Secure Erase, or FDE crypto-erase. If using physical destruction, use an accredited vendor that provides Certificates of Destruction (CoD) or retain photos and a COE (Chain of Evidence). Technical tips: avoid DBAN for SSDs (it's designed for HDD overwrite); use vendor firmware secure-erase or validated cryptographic-erase procedures. For physical destruction, specify particle size standards if required by contract (e.g., shred to < 2mm for magnetic media if tighter security is mandated). Example: a 7-person contract firm uses a local NAID-certified vendor for shredding retired hard drives and receives a CoD that they store in the asset record.

Step 5 — Verify and validate the result

Action: Confirm sanitization/destruction succeeded before closing disposition. Implementation note: for logical sanitization, run validation scans or check firmware sanitize status; for third-party destruction, verify vendor logs and CoD. Technical details: sample validation can include attempting to mount the device in a controlled environment and checking for recoverable file headers or reading device sanitize status registers (SMART/firmware). For crypto-erase, validate that the device key ID is removed or that attempts to read blocks fail. Small business example: the IT lead attempts to boot a sanitized drive in a lab VM; failing to mount confirms the operation; they photograph the device and attach the verification result to the asset record.
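The "checking for recoverable file headers" validation mentioned in this step, as an added example that is not part of the original post. It reads sector 0 plus a random sample of sectors from an image, looks for well-known file signatures, and measures byte entropy so an operator can tell an untouched drive (signatures present) from an overwritten one (all zeros) or a crypto-erased one (random-looking ciphertext with no signatures). The signature list, sample size, entropy threshold and the three constructed test images are assumptions for the example; in practice you would point `scan_sample` at a read-only disk image or a block device opened read-only.

```python
"""Sample-read verification of a sanitized block device image (added example)."""
import math
import random
from collections import Counter

SECTOR = 512
# Signatures of at least 4 bytes keep false hits in random data negligible.
SIGNATURES = {
    b"%PDF-": "PDF",
    b"PK\x03\x04": "ZIP / Office OOXML",
    b"\xd0\xcf\x11\xe0": "OLE legacy Office",
    b"\xff\xd8\xff\xe0": "JPEG",
    b"\x89PNG": "PNG",
    b"\x7fELF": "ELF executable",
    b"SQLite format 3": "SQLite database",
}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for all-zero data, close to 8.0 for random data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def scan_sample(image: bytes, samples: int = 64, seed: int = 0) -> dict:
    """Inspect sector 0 (partition table / boot area) plus `samples` random sectors.
    Entropy is computed over the whole sample rather than per sector so the
    small-sample bias does not drag genuinely random data below the threshold."""
    rng = random.Random(seed)
    n_sectors = len(image) // SECTOR
    offsets = {0} | {rng.randrange(n_sectors) * SECTOR for _ in range(samples)}
    hits, nonzero, sampled = [], 0, bytearray()
    for off in sorted(offsets):
        sector = image[off:off + SECTOR]
        sampled += sector
        if any(sector):
            nonzero += 1
        for magic, name in SIGNATURES.items():
            idx = sector.find(magic)
            if idx != -1:
                hits.append((off + idx, name))
    return {"sectors": len(offsets), "nonzero": nonzero,
            "entropy": shannon_entropy(bytes(sampled)), "signatures": hits}


def verdict(findings: dict) -> str:
    """Translate scan findings into the result recorded on the disposition record."""
    if findings["signatures"]:
        return "FAIL: recoverable file signatures found"
    if findings["nonzero"] == 0:
        return "PASS: sampled sectors are all zero (consistent with overwrite / block erase)"
    if findings["entropy"] > 7.5:
        return "PASS: sampled sectors look random (consistent with cryptographic erase)"
    return "INCONCLUSIVE: structured non-zero data without known signatures; inspect manually"


def make_image(kind: str, size: int = 1 << 20) -> bytes:
    """Constructed 1 MiB images standing in for a real drive (test data, not captures)."""
    if kind == "untouched":       # a drive still holding a PDF deliverable
        chunk = b"%PDF-1.7\n1 0 obj << /Title (FCI deliverable) >> endobj\n"
        return (chunk * (size // len(chunk) + 1))[:size]
    if kind == "overwritten":     # after a block erase / zero overwrite
        return bytes(size)
    if kind == "crypto_erased":   # ciphertext whose key has been destroyed
        return random.Random(1).randbytes(size)
    raise ValueError(kind)


if __name__ == "__main__":
    for kind in ("untouched", "overwritten", "crypto_erased"):
        print(f"{kind:14s} -> {verdict(scan_sample(make_image(kind)))}")
```

A drive that merely fails to mount is not evidence of sanitization (a wiped partition table alone produces that symptom); a sample-read result like the one above, attached to the asset record alongside the firmware sanitize status, is the kind of artifact an assessor can actually check.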

Step 6 — Recordkeeping, labeling, and retention of evidence

Action: Update the asset/media inventory with disposition method, operator, verification, date, and CoD (if applicable). Implementation note: retain records for the period defined by your contracts and corporate retention policy (often at least 3–6 years for government contracts). Keep signed logs, screenshots of tool output, serial numbers, and CoD PDFs in your compliance folder or GRC tool. Best practice: link records to contract IDs and include them in any Supplier/Prime audits.

Step 7 — Final disposition and update controls/policies

Action: Move sanitized media to reuse, recycle, or destruction finalization and update policies and training. Implementation note: if media is repurposed, ensure a new asset entry and that the receiving user signs acceptance. Update your SOP and the Compliance Framework practice documents with lessons learned (e.g., tool failures or vendor issues). Example: after a quarterly review, a small contractor updates its SOP to require FDE on all new laptops so future disposal can leverage crypto-erase, reducing cost and risk.
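The bookkeeping that runs through Steps 1, 3, 6 and 7 (inventory entry with a sticky FCI flag, signed chain-of-custody handoffs, disposition and verification evidence, and a finalization gate that refuses to close an incomplete record), as an added example that is not the original post's code. Field names, the gate rules and the sample values (asset tag, serial, contract ID placeholder) are illustrative assumptions; the JSON output is what would be dropped into the compliance folder or GRC tool.

```python
"""Disposition record with chain-of-custody log and finalization gate (added example)."""
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from typing import Optional
import json


def now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class MediaAsset:
    asset_tag: str
    serial: str
    media_type: str
    owner: str
    contract_id: str                       # links the evidence to a contract
    contains_fci: bool = False             # one-way flag, see mark_fci()
    status: str = "in-service"
    custody: list = field(default_factory=list)
    sanitization: dict = field(default_factory=dict)
    verification: dict = field(default_factory=dict)

    def mark_fci(self, present: bool) -> None:
        """Step 1: media that ever held FCI is treated as FCI for disposition."""
        self.contains_fci = self.contains_fci or present

    def handoff(self, giver: str, receiver: str, location: str, signed: bool) -> None:
        """Step 3: every move is a signed entry; unsigned moves are rejected."""
        if not signed:
            raise ValueError("chain-of-custody handoff must be signed")
        self.custody.append({"ts": now(), "from": giver, "to": receiver, "location": location})
        if location.startswith("quarantine"):
            self.status = "quarantined"

    def record_sanitization(self, category: str, technique: str, operator: str,
                            evidence_ref: str, cod_ref: Optional[str] = None) -> None:
        """Steps 4 and 6: what was done, by whom, and where the proof lives."""
        if category not in ("Clear", "Purge", "Destroy"):
            raise ValueError("category must be a NIST SP 800-88 category")
        if self.contains_fci and category == "Clear":
            raise ValueError("Clear is not sufficient for media that held FCI")
        self.sanitization = {"ts": now(), "category": category, "technique": technique,
                             "operator": operator, "evidence_ref": evidence_ref,
                             "cod_ref": cod_ref}

    def record_verification(self, method: str, passed: bool, evidence_ref: str) -> None:
        """Step 5 result attached to the record."""
        self.verification = {"ts": now(), "method": method, "passed": passed,
                             "evidence_ref": evidence_ref}

    def finalize(self, outcome: str, accepted_by: Optional[str] = None) -> str:
        """Step 7 gate: refuse to close the record unless the evidence is complete."""
        if outcome not in ("reused", "recycled", "destroyed"):
            raise ValueError("outcome must be reused, recycled or destroyed")
        problems = []
        if not self.custody:
            problems.append("no chain-of-custody entries")
        if not self.sanitization:
            problems.append("no sanitization recorded")
        if not self.verification.get("passed"):
            problems.append("verification missing or failed")
        if self.sanitization.get("category") == "Destroy" and not self.sanitization.get("cod_ref"):
            problems.append("Destroy requires a Certificate of Destruction reference")
        if outcome == "reused" and not accepted_by:
            problems.append("reuse requires the receiving user's signed acceptance")
        if problems:
            raise ValueError("cannot finalize: " + "; ".join(problems))
        self.status = outcome
        if accepted_by:
            self.custody.append({"ts": now(), "from": "IT", "to": accepted_by, "location": "reissued"})
        return self.status

    def to_json(self) -> str:
        """Evidence-bundle entry for the compliance folder or GRC tool."""
        return json.dumps(asdict(self), indent=2)


if __name__ == "__main__":
    # Constructed sample values; the contract ID is a placeholder.
    laptop = MediaAsset("LT-0042", "SN-EXAMPLE-123", "nvme", "jdoe", "CONTRACT-ID-PLACEHOLDER")
    laptop.mark_fci(True)
    laptop.handoff("jdoe", "it-lead", "quarantine-cabinet-A", signed=True)
    laptop.record_sanitization("Purge", "cryptographic erase (FDE key destroyed)",
                               "it-lead", "evidence/LT-0042-ce.png")
    laptop.record_verification("sample-read scan", True, "evidence/LT-0042-scan.txt")
    print(laptop.finalize("reused", accepted_by="asmith"))
    print(laptop.to_json())
```

The gate encodes the audit questions an assessor asks in order: who handled it, what was done, was it verified, and where is the certificate; a record that cannot answer all four never reaches a closed status.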

Risks of non-implementation and compliance tips

Failing to implement these steps exposes you to data leakage of FCI, contract breaches, loss of contracts, audit findings, and reputational harm. For small businesses, a single lost USB drive with FCI can trigger a mandatory report and significant remediation costs. Compliance tips: (1) codify the 7-step checklist in an SOP and train staff annually; (2) prefer FDE from day one so "crypto-erase" becomes the primary purge method; (3) require certificates and SLAs from destruction vendors and verify NAID/R2 accreditation; (4) run quarterly audits of the inventory and disposition logs; and (5) include sanitization actions in your evidence bundle for government audits or prime contractor reviews.

Summary: Implementing a 7-step destroy/sanitize checklist — inventory/classify, map methods to media, quarantine, execute using appropriate tools, verify, document, and finalize — gives small businesses a practical path to meet FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII. Use NIST SP 800-88 as your technical baseline, prefer cryptographic erase for flash/SSD where possible, engage accredited vendors for physical destruction, and retain clear records to demonstrate compliance during audits or contract reviews.

 
