This post explains exactly how a small business can sanitize and destroy media containing Federal Contract Information (FCI) to comply with FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII — with step-by-step procedures, recommended tools, verification and documentation practices, and real-world examples you can implement today.
Why proper sanitization and destruction matters
FAR 52.204-21 requires contractors to protect Federal Contract Information and to ensure FCI is not exposed when media are retired, transferred, or disposed of. Failure to sanitize or destroy media properly can lead to data breaches, loss of contracts, reputational damage, and potential civil or contractual penalties; even a single un-sanitized laptop or USB stick can leak sensitive contract details. From a Compliance Framework perspective, this control reduces the risk of unauthorized disclosure by ensuring no residual data remains on media at end-of-life.
Step-by-step implementation (Compliance Framework practical steps)
Step 1 — Inventory, classify, and chain-of-custody
Start by compiling an inventory of all media types that might contain FCI: desktops, laptops, servers, removable drives (USB, SD), optical media, mobile devices, external HDDs/SSDs, backup tapes, and printed paper. Tag items with unique IDs and record owner, location, last use, and FCI risk level. For small businesses, a simple spreadsheet or CMDB is acceptable if it captures the required fields. Create a chain-of-custody form to accompany media from decommission to destruction, noting dates, personnel, and actions taken.
Step 2 — Choose the right sanitization method for each media type
Select methods aligned to NIST SP 800-88 Rev. 1 guidance and your Compliance Framework practice: "Clear" (logical overwrite or crypto-erase) for media that will remain in the organization, "Purge" (cryptographic erasure, block erase, or degauss) for media leaving the environment, and "Destroy" (physical destruction) for high-risk or non-reusable media. Match the method to the media type: HDDs typically support overwriting or degaussing; SSDs require ATA/NVMe secure-erase or cryptographic erase (do not rely on single-pass zeroing); tapes are usually degaussed or shredded; paper requires cross-cut shredding or pulping.
Step 3 — Execute sanitization using proven tools and vendor services
For internal execution, use vendor- or OS-provided secure-erase tools and follow manufacturer guidance. Examples: use BitLocker (Windows) or FileVault (macOS) for full-disk encryption in live use and then perform a crypto-erase by deleting the keys (manage-bde -protectors -delete on Windows) before disposal; for Linux, use cryptsetup to destroy LUKS keyslots (cryptsetup luksKillSlot) and then overwrite the headers. For HDDs use hdparm ATA secure-erase (set a temporary drive password with hdparm --user-master u --security-set-pass NULL /dev/sdX, then run hdparm --user-master u --security-erase NULL /dev/sdX) or the vendor utility; for NVMe and modern SSDs prefer an nvme-cli secure erase (nvme format with its secure-erase setting) or the manufacturer's secure-erase utility; trimming or simple zeroing is insufficient for most SSDs. For high volumes, or when you need third-party assurance, use NAID- or R2-certified destruction vendors who provide destruction certificates and audit trails. For paper, use cross-cut shredders rated P-4/P-5 or higher, or contract shredding and obtain certificates of destruction.
Step 4 — Verify sanitization and maintain documentation
Verification is essential for Compliance Framework audits: record the method used, technician name, device serial number, date/time, and the verification result. For overwrites and secure-erase operations, run sampling checks by attempting to mount the media and by using file-recovery tools on sample devices. For cryptographic erase, verify that keys are irretrievable and that the drive no longer contains a valid header. Preserve certificates of destruction from vendors and store all records centrally for the contract retention period. Use photographic evidence and signed chain-of-custody logs for high-risk disposals.
Small-business real-world scenarios
Scenario A — Replacing five laptops: A small subcontractor rotates five laptops out of service. Implementation: confirm each device stores FCI and that BitLocker was enabled before initial use; at decommission, perform BitLocker key revocation (crypto-erase), run vendor secure-erase if the hardware supports it, log device serials and actions, and either redeploy internally (after verification) or send to an R2/NAID vendor for physical shredding if resale risk exists.
Scenario B — Removing backup tapes: For a handful of backup cartridges, record tape IDs, degauss using an industrial degausser rated for the tape format, then shred or incinerate; collect vendor certificates.
These small steps require little overhead but meet the intent of FAR and CMMC rules.
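The following POSIX shell helper is an added example, not code from the original post or from any vendor; it ties Steps 2 through 4 above together and runs Scenario A in miniature on a constructed 2 KiB disk image. It maps media type and disposition to a NIST SP 800-88 method, prints (never executes) the sanitization command for that media, checks a device or image for leftover LUKS, NTFS, MBR, GPT and ext headers, and appends a chain-of-custody CSV row. The function names, the disposition labels internal/leaving/highrisk, the asset id, serial and technician values are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original post: a decommissioning helper covering
# Steps 2-4 on a constructed disk image. Function names, disposition labels and
# the sample identifiers are this example's own assumptions. Destructive device
# commands are printed, not run; the only overwrite performed is on the sample file.
set -eu

# Step 2: map media type + disposition to a NIST SP 800-88 method, following the
# post's rule: Clear if media stays in-house, Purge if it leaves, Destroy if
# high-risk. Paper and optical media have no logical erase, so they are destroyed.
select_method() {
    media=$1; disposition=$2
    case "$disposition" in
        highrisk) echo destroy ;;
        internal) case "$media" in paper|optical) echo destroy ;; *) echo clear ;; esac ;;
        leaving)  case "$media" in paper|optical) echo destroy ;; *) echo purge ;; esac ;;
        *) echo "unknown disposition: $disposition" >&2; return 1 ;;
    esac
}

# Step 3: the command for a media/method pair. hdparm needs a temporary ATA
# password set before --security-erase is accepted, and the drive must not be in
# the "frozen" state. SSD/NVMe never get a plain zero pass (see Step 2 in the post).
erase_command() {
    media=$1; dev=$2; method=$3
    case "$method:$media" in
        clear:hdd)   echo "dd if=/dev/zero of=$dev bs=1M" ;;
        purge:hdd|clear:ssd|purge:ssd)
            echo "hdparm --user-master u --security-set-pass NULL $dev && hdparm --user-master u --security-erase NULL $dev" ;;
        clear:nvme|purge:nvme) echo "nvme format $dev --ses=1" ;;   # --ses=2 is crypto erase where supported
        purge:tape)  echo "degauss $dev with a degausser rated for the tape format" ;;
        destroy:*)   echo "physical destruction by a NAID/R2 vendor; file the certificate" ;;
        *) echo "no approved method for $method on $media" >&2; return 1 ;;
    esac
}

# Step 4, verification: peek at well-known header offsets for signatures that
# survive a failed or partial sanitization. A clean drive shows none of them.
peek_hex() {   # peek_hex FILE OFFSET LENGTH -> hex bytes, no spaces
    dd if="$1" bs=1 skip="$2" count="$3" 2>/dev/null | od -An -tx1 | tr -d ' \n'
}
residual_signatures() {   # prints the names of signatures still present
    img=$1; found=""
    [ "$(peek_hex "$img" 0 6)"    = "4c554b53babe" ]     && found="$found luks"   # "LUKS\xba\xbe"
    [ "$(peek_hex "$img" 3 8)"    = "4e54465320202020" ] && found="$found ntfs"   # "NTFS    " OEM id
    [ "$(peek_hex "$img" 510 2)"  = "55aa" ]             && found="$found mbr"    # boot signature
    [ "$(peek_hex "$img" 512 8)"  = "4546492050415254" ] && found="$found gpt"    # "EFI PART" at LBA 1
    [ "$(peek_hex "$img" 1080 2)" = "53ef" ]             && found="$found ext"    # ext2/3/4 magic
    echo "${found# }"
}

# Step 4, documentation: one chain-of-custody row per action, appended to a CSV.
log_custody() {   # log_custody LOG ASSET_ID SERIAL MEDIA METHOD TECHNICIAN RESULT
    log=$1; shift
    [ -s "$log" ] || echo "timestamp_utc,asset_id,serial,media,method,technician,verification" >"$log"
    printf '%s,%s,%s,%s,%s,%s,%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$@" >>"$log"
}

# Constructed sample: a 2 KiB image carrying a fake NTFS OEM id and an MBR boot
# signature, standing in for a laptop HDD that will be redeployed internally.
make_sample_image() {
    dd if=/dev/zero of="$1" bs=512 count=4 2>/dev/null
    printf 'NTFS    ' | dd of="$1" bs=1 seek=3 conv=notrunc 2>/dev/null
    printf '\125\252' | dd of="$1" bs=1 seek=510 conv=notrunc 2>/dev/null   # 0x55 0xAA
}
overwrite_image() {   # single zero pass over a regular file: the Clear step for the sample
    size=$(wc -c <"$1" | tr -d ' ')
    dd if=/dev/zero of="$1" bs="$size" count=1 conv=notrunc 2>/dev/null
}

# Scenario A in miniature: decide, sanitize, verify, record. Prints the
# before/after signature check so a caller (or a test) can assert on it.
run_demo() {
    work=$(mktemp -d); img=$work/asset-0007.img
    make_sample_image "$img"
    method=$(select_method hdd internal)
    echo "on a real drive you would run: $(erase_command hdd /dev/sdX "$method")" >&2
    before=$(residual_signatures "$img")
    overwrite_image "$img"
    after=$(residual_signatures "$img")
    result="before=[$before] after=[$after]"
    log_custody "$work/custody.csv" ASSET-0007 SN-CONSTRUCTED hdd "$method" tech.example "$result"
    cat "$work/custody.csv" >&2
    rm -rf "$work"
    echo "$result"
}

case "${1:-}" in demo) run_demo ;; esac
```

Run it as `sh sanitize.sh demo`: it prints the custody row and `before=[ntfs mbr] after=[]`, which is the evidence pairing Step 4 asks for (method, device, result, timestamp) in a form you can attach to the chain-of-custody form. On a real device the same `residual_signatures` check works against `/dev/sdX` after the printed command has completed; a non-empty result means the sanitization did not take and the device must not leave custody.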
Compliance tips and best practices
Best practices: (1) Use full-disk encryption from day one to make crypto-erase the default fast option at retirement; (2) document a media sanitization policy with roles and approved methods mapped to media types; (3) maintain a list of approved destruction vendors and verify their certifications (NAID/R2); (4) treat consumer-grade "factory reset" as insufficient for FCI; (5) sample-test every batch of sanitized media regularly and keep results; and (6) train staff on chain-of-custody and signs of tampering. Keep retention schedules that tie back to contract requirements and maintain evidence to show auditors you met MP.L1-B.1.VII.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII for media sanitization is a practical, repeatable process: inventory and classify media, select the appropriate sanitize/destroy method, execute with verified technical controls (and/or certified vendors), and document everything. For small businesses, leveraging full-disk encryption, vendor secure-erase tools, and certified destruction providers delivers a low-cost, high-assurance path to compliance while minimizing residual risk of FCI exposure.