This guide gives a practical, step-by-step approach to implementing media sanitization and destruction for Federal Contract Information (FCI) to meet FAR 52.204-21 and the CMMC 2.0 Level 1 control MP.L1-B.1.VII within the Compliance Framework practice—covering inventory, selection of sanitization methods, verification, documentation, and small-business examples so you can implement defensible processes today.
Implementation overview (how to approach this in Compliance Framework)
Step 1 — Inventory and classification
Start by creating a complete asset inventory that identifies any media that may store FCI: laptops, desktops, servers, SSDs/HDDs, removable media (USB drives, SD cards), mobile devices, optical discs, printed paper, and backup tapes. For Compliance Framework, tag assets with a unique asset ID, owner, location, last known FCI status, and retention justification. A practical spreadsheet (or CMDB entry) should include columns: asset tag, serial/model, media type, storage location, last use date, FCI present (yes/no), and scheduled sanitization/destruction date. This inventory is the foundation for policy, scheduling, and evidence collection required by FAR/CMMC.
Step 2 — Choose the appropriate sanitization method (technical decisions)
Choose methods by media type, using NIST SP 800-88 Rev. 1 as your technical baseline even at Level 1; its Clear, Purge, and Destroy categories map onto the options below. For magnetic HDDs, acceptable options include purging (degaussing where effective) or physical destruction. For SSDs and NVMe drives, use vendor-provided secure erase, NVMe format with cryptographic erase, or full-disk encryption with key destruction, because the overwrite patterns used for HDDs are not reliably effective on flash media. For removable flash (USB/SD), prefer cryptographic erase, or physical destruction when reuse is not required. For paper, use cross-cut shredding (industry guidance often recommends 6 mm x 50 mm or smaller particles for sensitive information) or secure pulping/incineration. Optical media (CD/DVD) and backup tapes typically require physical destruction. Document the method selected for each media class in your Control Implementation Plan (CIP).
Step 3 — Execute sanitization/destruction (procedures and tools)
Create written procedures with step-by-step commands and tools for operators. Examples: for SATA HDDs on Linux, use hdparm's ATA Secure Erase workflow (set a temporary password with --security-set-pass, then run --security-erase, or --security-erase-enhanced where the drive supports it) or a trusted commercial tool; for NVMe drives, use nvme-cli's format command (nvme format with a secure-erase setting, --ses, that requests a user-data or cryptographic erase) or vendor secure-erase utilities; for drives protected with full-disk encryption, securely delete the encryption keys and header metadata (cryptographic erase) and verify that the volume can no longer be mounted or unlocked. For physical destruction, work with an approved vendor or maintain an onsite shredder or crusher rated for the drive and media types you dispose of. Always test procedures in a non-production environment first. Include safety steps (e.g., removing batteries from mobile devices before crushing) and environmental and disposal regulatory checks for electronic waste.
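The hdparm workflow above as a checked script, added here as an example and not taken from the guide or from hdparm's own documentation: it parses the Security section of hdparm -I to refuse drives that are frozen, locked or already password-protected, then runs the erase and captures every tool message to an evidence file for Step 4. It assumes Linux, hdparm on the PATH and root privileges; the device path and evidence file are supplied by the operator.

```shell
#!/bin/sh
# Added example, not from the guide: pre-flight checks and the ATA Secure Erase
# sequence for a SATA HDD on Linux, with every tool message captured to an
# evidence file for Step 4. Assumes hdparm is installed and root privileges.

# Print only the "Security:" section of `hdparm -I` output read from stdin.
security_section() {
  awk '/^Security:/ {s=1; next} s && /^[^[:space:]]/ {s=0} s'
}

# Given full `hdparm -I` output ($1), report every blocker and return 0 only
# when the drive is erasable now: security supported, not enabled, not locked,
# not frozen. "frozen" is the usual blocker: firmware freezes the security
# feature set at boot, and a suspend/resume cycle or hot-plug normally clears it.
security_state() {
  sec=$(printf '%s\n' "$1" | security_section); rc=0
  for want in 'supported' 'not enabled' 'not locked' 'not frozen'; do
    pat=$(printf '%s' "$want" | sed 's/ /[[:space:]]+/')
    printf '%s\n' "$sec" | grep -qE '^[[:space:]]*'"$pat"'$' \
      || { echo "blocker: security state is not '$want'"; rc=1; }
  done
  return $rc
}

# Erase block device $1 and append all output to evidence file $2. Enhanced
# erase is used when advertised (it also covers reallocated sectors). The
# password is temporary: a successful erase returns the drive to "not enabled".
ata_secure_erase() {
  dev="$1"; evidence="$2"; pw="temp-erase-pw"
  info=$(hdparm -I "$dev") || return 1
  security_state "$info" || return 1
  mode=--security-erase
  printf '%s\n' "$info" | security_section | grep -q 'supported: enhanced erase' \
    && mode=--security-erase-enhanced
  {
    printf '=== %s %s started %s\n' "$dev" "$mode" "$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    hdparm --user-master u --security-set-pass "$pw" "$dev"
    hdparm --user-master u "$mode" "$pw" "$dev"
    printf '=== security state after erase (expect "not enabled")\n'
    hdparm -I "$dev" | security_section
    # Spot check: count non-zero bytes in the first 1 MiB; 0 is expected.
    printf '=== non-zero bytes in first 1 MiB: '
    dd if="$dev" bs=4096 count=256 2>/dev/null | tr -d '\000' | wc -c
  } >>"$evidence" 2>&1
}
```

Run as `ata_secure_erase /dev/sdX /var/evidence/ASSET-TAG.txt` only after confirming the device path matches the asset tag and serial being decommissioned; the evidence file is the artifact the Step 4 record points to.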
Step 4 — Verification, logging, and evidence
Verification is critical for compliance. For each sanitized or destroyed item, log: asset ID, serial/model, operator, method used, tool/version, date/time, verification result, and any supporting artifacts (screenshot of tool output, serial-numbered certificate of destruction). For cryptographic erase, retain logs showing key destruction events or tool confirmation; for secure-erase commands, save console output or tool-generated reports; for third-party destruction, obtain a signed certificate of destruction (CoD) that includes vendor name, date/time, method, chain-of-custody, list of serial numbers, and witness. Store these records for the contractually required retention period and make them available during audits.
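A small evidence helper for Steps 1 and 4, added here as an example and not part of the guide: it appends one log record with the fields listed above (hashing the captured tool output so the artifact can be tied to its record) and reconciles that log against the Step 1 inventory to list FCI-bearing media whose scheduled date has passed without a PASS record. The CSV layouts and the sample data are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the guide: write the Step 4 evidence record and
# reconcile it against the Step 1 inventory to find FCI-bearing media whose
# scheduled date has passed without a verified sanitization. Column layouts
# follow the columns this guide lists; values are assumed to contain no commas.
#
# inventory.csv:        asset_tag,serial_model,media_type,location,last_use,fci_present,scheduled_date
# sanitization_log.csv: asset_tag,serial_model,operator,method,tool_version,datetime,verification,artifact_sha256

# Append one record to log $1. The captured tool output ($8) is hashed so the
# stored artifact can later be matched to its record during an audit.
# Usage: log_sanitization LOG asset_tag serial_model operator method tool_version verification artifact_file
log_sanitization() {
  log="$1"
  [ -f "$log" ] || echo 'asset_tag,serial_model,operator,method,tool_version,datetime,verification,artifact_sha256' >"$log"
  hash=$(sha256sum "$8" | cut -d' ' -f1)
  printf '%s,%s,%s,%s,%s,%s,%s,%s\n' "$2" "$3" "$4" "$5" "$6" \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$7" "$hash" >>"$log"
}

# Print asset tags from inventory $1 that hold FCI, are scheduled on or before
# date $3 (YYYY-MM-DD), and have no PASS record in log $2. ISO dates compare
# correctly as strings, so no date parsing is needed. A FAIL record counts as
# unverified, which is the point: a failed erase still needs follow-up.
overdue_unverified() {
  awk -F, -v today="$3" '
    NR == FNR { if (FNR > 1 && $7 == "PASS") verified[$1] = 1; next }   # log first
    FNR > 1 && tolower($6) == "yes" && $7 <= today && !($1 in verified) { print $1 }
  ' "$2" "$1" | sort
}
```

Running `overdue_unverified inventory.csv sanitization_log.csv "$(date -u +%F)"` as a weekly scheduled check gives you the audit-of-inventory-against-logs that Step 5's best practices call for.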
Step 5 — Chain-of-custody and third-party vendors
Maintain a documented chain-of-custody for media moving offsite for disposal: who packaged it, sealed it, transported it, and received it at the vendor. Vet destruction vendors for secure handling, background checks, and compliance with environmental regulations (e-waste). Include contractual SLA terms that require vendor proof of destruction and nondisclosure agreements. For small businesses that can’t afford continuous onsite equipment, a vetted vendor with documented CoDs is often the most cost-effective choice—just ensure you retain the vendor’s evidence in your Compliance Framework artifacts.
Real-world examples and scenarios for a small business
Example 1 — A two-person engineering subcontractor: they store FCI on two laptops and occasional USB drives. Implement full-disk encryption (BitLocker or FileVault) on the laptops and require encrypted USBs. When decommissioning a laptop, perform a factory wipe plus vendor secure erase for the drive, verify with tool output, and keep a record. If reuse is not required, contract with a local e-waste vendor to shred the drives and obtain a CoD.
Example 2 — A small firm with paper invoices containing FCI: place cross-cut shredders in a secure room, limit access, schedule weekly destruction cycles, and log shredded batches with a witness.
Example 3 — Backup tapes: maintain a tape inventory, purge tapes per the retention schedule, and either overwrite them with appropriate tape sanitization tools or use a third-party tape destruction service that provides serial-numbered certificates.
Compliance tips, best practices, and risks of non-implementation
Best practices: enforce a formal retention schedule, minimize the amount of FCI retained, require encryption in transit and at rest so cryptographic erase is possible, train employees on secure handling and disposal, use tamper-evident bags for transporting media, and perform regular audits of your inventory and destruction logs. Technical tips: for SSDs prefer vendor secure erase or cryptographic erase; never rely on simple file delete or reformat. Use sampling verification on larger batches (e.g., randomly test a subset of sanitized drives). The risks of not implementing these controls include data leakage of FCI, contract termination, loss of future government contracting opportunities, legal/regulatory penalties, and reputational harm. A single unsecured disposal event can result in sensitive supply chain or contract data exposure.
Summary: Implementing media sanitization and destruction for FAR 52.204-21 / CMMC 2.0 Level 1 is practical for small businesses when you follow a disciplined process—inventory and classify media, select NIST-aligned sanitization methods, execute tested procedures (technical erasure or physical destruction), verify and retain evidence, and manage chain-of-custody and vendor relationships. Document everything in your Compliance Framework artifacts and include policies, procedures, logs, and certificates of destruction so you can demonstrate compliance during audits or contract reviews.