
How to Prepare for a CMMC Assessment: Demonstrating FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII Compliance for Media Sanitization and Destruction

Practical, step-by-step guidance to meet FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII) media sanitization and destruction requirements — policies, technical methods, evidence collection, and small-business examples.

April 14, 2026
4 min read


Media sanitization and destruction is a deceptively simple control in the Compliance Framework: at CMMC 2.0 Level 1 (mapped to FAR 52.204-21(b)(1)(vii)) you must sanitize or destroy any media that held Federal Contract Information (FCI) before it is reused, transferred, or disposed of, so that the FCI cannot be recovered, and you must be able to demonstrate that process to an assessor.

What this control requires and key objectives

The key objective of MP.L1-B.1.VII is to prevent unauthorized disclosure of FCI by ensuring media is sanitized or destroyed using methods that match the media type and the residual risk. For assessors you will need: (1) documented policies and procedures aligned to the Compliance Framework and NIST SP 800-88 (Guidelines for Media Sanitization), (2) an up-to-date media inventory, (3) records of each sanitization or destruction action (tool output, certificates of destruction, photos), and (4) training evidence showing that the staff who perform or hand off the work understand and follow the process.

Step-by-step implementation for a small business

Start with a media inventory: list every storage type (laptops, desktops, HDDs, SSDs, USB drives, mobile phones, backup tapes, SD cards, printers and MFPs with internal drives, cloud storage). Tag items with asset IDs, track owner and location, and record whether each item is encrypted, because that decides which sanitization route is available at end of life. Next, adopt a concise sanitization policy that maps each media type to an approved method (e.g., crypto-erase for drives that were encrypted before they entered service, the device-native secure-erase or sanitize command for ATA/NVMe devices, degaussing or shredding for magnetic media, physical destruction for SSDs and flash where no supported erase command exists or the drive has failed). Ensure the policy references the Compliance Framework and NIST SP 800-88 as the authoritative guidance for choosing the technique, and names who is allowed to perform each method.

Media types and recommended technical methods

Match the technique to the media and to the NIST SP 800-88 level you are claiming (an overwrite is "Clear"; device-native secure erase, sanitize, cryptographic erase and degaussing are "Purge"; shredding or disintegration is "Destroy"): 1) Magnetic HDDs: a full-disk overwrite (e.g., diskpart "clean all" on Windows or "shred" on Linux) is Clear; for Purge use the drive's ATA Secure Erase or Sanitize command, or degauss it, and physically destroy the drive afterwards if it leaves the organization; 2) SSDs/NVMe: do not rely on overwrites, because wear levelling and over-provisioned blocks hold data the operating system cannot reach; use the device-supported command (hdparm --security-erase for ATA, nvme sanitize or nvme format with a secure-erase setting for NVMe), or cryptographic erase where the whole disk was encrypted (self-encrypting drive, BitLocker or FileVault) before any FCI was written and every copy of the key, including escrowed recovery keys, is destroyed; 3) Removable flash (USB/SD): these rarely support a secure-erase command, so physically destroy them unless the vendor documents one; 4) Mobile devices: on current iOS and Android devices a factory reset discards the file-based encryption keys, which SP 800-88 accepts as cryptographic erase when device encryption is enabled; remove the device from MDM and any activation lock first, and physically destroy devices that cannot be reset or whose encryption state is unknown. Important technical notes: degaussers do not sanitize SSDs or flash; ATA drives that report "frozen" in hdparm -I will reject the erase command until they are unfrozen (suspend/resume or hot-plug); manufacturer commands must be used according to the device documentation; nvme sanitize returns immediately, so poll nvme sanitize-log until it reports completion; and always verify the command succeeded (exit status, sanitize log, a read-back sample showing no data) and capture that evidence together with the drive serial number and a timestamp.

Practical workflow and small-business example

Example: a 15-person engineering subcontractor decommissions laptops. Workflow: (1) IT tags the device and logs the request in the ticketing system, (2) IT checks the asset record and the user to determine whether the device stored FCI; if yes, the ticket is escalated to sanitization, (3) if BitLocker or FileVault was enabled before the device entered service, capture the encryption status first (manage-bde -status on Windows, which should show the OS volume fully encrypted; fdesetup status on macOS), then perform the crypto-erase: on Windows delete every key protector (manage-bde -protectors -delete <drive>) and delete the recovery password escrowed in Active Directory or Entra ID; on a T2 or Apple silicon Mac use Erase All Content and Settings, which discards the volume keys; for unencrypted drives, or where the assessor expects more than a software crypto-erase, boot from removable media and run the device-native secure erase (hdparm or nvme), capturing the tool output and the drive serial number, (4) if the device cannot be sanitized (failed drive, frozen controller, no supported command), document chain-of-custody and send it to a NAID AAA-certified destruction vendor, and retain the certificate of destruction. Keep photos (with timestamps), vendor invoices, and ticket references for the assessor.
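The following is an added example, not code from the article or from any vendor's tooling, covering both the media-type methods and the decommission workflow above for the Linux-side steps: it picks the device-native Purge command for the media type, routes anything it cannot handle to physical destruction, and writes one evidence line per device (serial, method, exit code, hash of the tool output) that the ticket can quote. The method table, the evidence line format, the sanitize-evidence.log path and the throwaway ATA password are assumptions; it defaults to a dry run that records the command it would have run, so it can be rehearsed on a lab device before being allowed to touch real hardware.

```shell
#!/bin/sh
# Added example (not the article's or any vendor's tooling): decommission
# helper for the Linux-side steps. Method table, log format, log path and the
# temporary ATA password are assumptions. DRY_RUN=1 (default) records the
# command that would run instead of touching the device.

EVIDENCE_LOG="${EVIDENCE_LOG:-./sanitize-evidence.log}"
DRY_RUN="${DRY_RUN:-1}"
OPERATOR="${OPERATOR:-$(id -un)}"

# Classify a block device from sysfs: nvme, ssd (ATA, non-rotational) or hdd.
classify_device() {
  name=$(basename "$1")
  case "$name" in nvme*) echo nvme; return ;; esac
  rot=$(cat "/sys/block/$name/queue/rotational" 2>/dev/null || echo 1)
  [ "$rot" = "0" ] && echo ssd || echo hdd
}

# Media type -> approved method. Overwrites ("shred", "clean all") are only
# Clear in NIST SP 800-88 terms; the device-native commands below are Purge.
# Anything the script cannot handle is routed to physical destruction.
select_method() {
  case "$1" in
    nvme)    echo nvme-sanitize ;;
    ssd|hdd) echo ata-secure-erase ;;
    *)       echo physical-destruction ;;
  esac
}

# Exact command line per method. The ATA flow sets a throwaway user password
# (cleared by the erase) and refuses to run if hdparm -I reports the drive as
# frozen. nvme sanitize returns at once; poll nvme sanitize-log until it
# reports completion before treating the step as done.
build_command() {
  case "$1" in
    nvme-sanitize)
      echo "nvme sanitize $2 --sanact=2 && nvme sanitize-log $2" ;;
    ata-secure-erase)
      echo "hdparm -I $2 | grep -q 'not.frozen' && hdparm --user-master u --security-set-pass Decomm $2 && hdparm --user-master u --security-erase Decomm $2" ;;
    *)
      echo "MANUAL: chain of custody to NAID AAA-certified vendor; retain certificate" ;;
  esac
}

# Append one evidence line and echo it so the ticket can quote it.
# Fields: UTC time|operator|device|serial|method|exit code|sha256 of tool output
record_evidence() {
  line="$(date -u +%Y-%m-%dT%H:%M:%SZ)|$OPERATOR|$1|$2|$3|$4|$5"
  printf '%s\n' "$line" >> "$EVIDENCE_LOG"
  printf '%s\n' "$line"
}

# Whole step for one device. The optional second argument overrides the
# sysfs classification (e.g. a drive already pulled from its host).
sanitize_device() {
  dev="$1"; mtype="${2:-$(classify_device "$dev")}"
  method=$(select_method "$mtype")
  cmd=$(build_command "$method" "$dev")
  serial=$(lsblk -dno SERIAL "$dev" 2>/dev/null || echo unknown)
  if [ "$DRY_RUN" = "1" ] || [ "$method" = "physical-destruction" ]; then
    out="DRY-RUN: $cmd"; rc=0
  else
    out=$(sh -c "$cmd" 2>&1); rc=$?
  fi
  # Keep the raw tool output next to the log; the hash ties the two together.
  printf '%s\n' "$out" > "sanitize-$(basename "$dev").out"
  sum=$(printf '%s' "$out" | sha256sum | cut -d' ' -f1)
  record_evidence "$dev" "$serial" "$method" "$rc" "$sum"
}

# Usage (dry run): sanitize_device /dev/sdb
# Usage (real):    DRY_RUN=0 OPERATOR=jdoe sanitize_device /dev/nvme0n1
```

Run it as root, with DRY_RUN=0, only from a boot USB on a machine whose sole attached drive is the target, since the ATA erase destroys whatever device path it is given. The evidence line, the saved .out file and a photo of the drive label are the artifacts that go into the ticket; a non-zero exit code means the device is not sanitized and should follow the physical-destruction path.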

Evidence to prepare for an assessor

Compile a single evidence package that includes: the sanitization policy (with NIST SP 800-88 reference), asset inventory export, sample tickets showing completed sanitization (with serial numbers, operator, timestamp, and tool output), certificates of destruction from vendors, photos of destroyed media, and training attendance logs for staff who perform sanitization or chain-of-custody tasks. Also include vendor contracts for cloud/managed services stating how media is sanitized at provider deprovisioning and any attestations they provide.

Compliance tips and best practices: enforce full-disk encryption (BitLocker/FileVault) on all endpoints from the day they are imaged, since a crypto-erase is only valid if the disk was encrypted before any FCI was written; record where recovery keys are escrowed so they can be deleted as part of the erase; create role-based procedures so only authorized personnel perform sanitization; use scripts that write their output to a central syslog or the ticketing system so the evidence is produced automatically; maintain a vendor list (e.g., NAID AAA-certified) for physical destruction; and institute a "decomm-first" policy where IT must approve device disposal before any employee can remove, donate, or sell equipment.

Risks of non-implementation are concrete: accidental exposure of FCI can lead to contract noncompliance, loss of contract eligibility, corrective action or suspension, breach notification costs, regulatory fines, and reputational harm that can be catastrophic for small businesses. Technical risk includes data recovery from improperly sanitized SSDs or remnant data on printer hard drives and MFPs — these are common breach vectors post-disposal.

For assessors focus on repeatable, demonstrable processes: the assessor wants to see written procedures tied to actual artifacts. During pre-assessment, run a mock decommission on one device and collect every piece of evidence exactly as you would for production — that mock run is often the fastest way to find gaps in your workflow and correct them before the real assessment.

In summary, meet MP.L1-B.1.VII by documenting your sanitization policy (aligned to the Compliance Framework and NIST SP 800-88), maintaining an accurate media inventory, applying media-appropriate technical sanitization or destruction methods (with supporting tool outputs), retaining chain-of-custody and destruction records, and training staff — these practical steps give assessors clear, auditable evidence that your small business prevents unauthorized disclosure of FCI and meets FAR 52.204-21 / CMMC 2.0 Level 1 expectations.
