This post explains how to meet FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII by properly sanitizing and destroying electronic media β with clear, actionable steps for small businesses on when to overwrite, when to degauss, and when to physically destroy devices, plus real-world examples and verification best practices.
Understanding the requirement and key objectives
At a practical level FAR 52.204-21 and the CMMC 2.0 Level 1 control MP.L1-B.1.VII require contractors to prevent unauthorized disclosure of covered information by ensuring media is sanitized or destroyed before reuse, transfer, or disposal. The key objectives are: identify media containing covered data, select a sanitization method commensurate with the media type and sensitivity, perform and verify sanitization, and maintain records that demonstrate compliance. For small businesses this means having simple, repeatable procedures that produce auditable evidence.
Sanitization methods: overwrite, degauss, and physical destruction
Overwrite (Clear) β when and how to use it
Overwriting replaces stored data with patterns (zeros, ones, pseudorandom) and is appropriate for many magnetic hard disk drives (HDDs) and some types of non-critical flash if vendor guidance supports it. Practical commands and tools: Linux shred or dd (e.g., shred -vfz -n 3 /dev/sdX or dd if=/dev/zero of=/dev/sdX bs=4M status=progress), Microsoft SDelete (sdelete -z) for Windows, and certified commercial tools such as Blancco or WhiteCanyon for enterprise proof. Note: modern SSDs use wear leveling and internal mapping which can make single-pass overwrites ineffective; consult vendor guidance or prefer crypto-erase/secure-erase for SSDs.
Degauss (Purge for magnetic media) β strengths and limits
Degaussing applies a strong magnetic field to destroy magnetic patterns on media and is an effective purge method for traditional HDDs, magnetic tapes, and some removable media. It is fast and irreversible for magnetic media; however, degaussers do not work on SSDs, NAND flash, or optical media. If you use degaussing, document the degasser model, field strength, operator, serial numbers of affected media, and note that degaussed drives are usually unusable afterwards.
Physical destruction β when it's the right choice
Physical destruction is the most reliable method when media contains highly sensitive information or when sanitization tools are unavailable or impractical. Methods include shredding (industrial cross-cut for platters and circuit boards), crushing (drive crushers that bend platters or break chips), disintegration, and incineration. For SSDs and USB flash drives, physical disintegration or shredding is usually required because logical sanitization is unreliable. Use an NAID-certified vendor for offsite destruction when you lack onsite equipment; keep certificates of destruction and photos when possible.
Implementation steps for a small business (practical checklist)
1) Inventory and classify: maintain an asset register listing device type, serial number, owner, and whether it ever contained covered or controlled information. 2) Policy and SOP: publish a short SOP mapping media types to required methods (e.g., HDD with CCI β overwrite (3-pass) or degauss, SSD with CCI β crypto-erase + verify or physical destruction). 3) Tools and training: select tools your team can use and validate them (e.g., test dd / shred on spare drives, or contract a certified vendor). 4) Execution: tag media, record operator, datetime, method, tool/version, and result. 5) Verification: retain logs and destruction certificates for your contract retention period. Example scenario: a 12-employee small IT consulting firm retiring 10 laptops would pull the asset register, back up and wipe each drive (BitLocker + crypto-erase or secure-erase via hdparm/nvme-cli), and log serial numbers plus screenshots of tool output; for any SSDs they would opt for physical destruction if crypto-erase is unsupported.
Verification, logging, and evidence to prove compliance
Auditors will look for proof that you followed your procedures. Records should include: asset ID and serial number, date/time, operator name, sanitization method and tool (with version), output/log files (or photos for physical destruction), and certificate of destruction if using a third-party vendor (preferably NAID-certified). For overwrites, capture tool output showing completion (e.g., dd status or shred exit code). For secure-erase, capture hdparm --security-erase results or vendor utility logs. Retain logs per contract requirements and include the sanitization process in your SSP and employee training materials.
Common pitfalls, risks, and why you must act
Failure to properly sanitize or destroy media risks exposure of covered information, contract noncompliance, reputational damage, and potential contract termination or penalties. Practical pitfalls include using overwrite tools on SSDs (ineffective due to wear leveling), relying solely on deleting files or formatting, not maintaining serial-numbered evidence, and using third-party vendors without verifying certifications. A single lost or resold device with residual data can trigger breach notifications and investigations; small businesses can be targeted because they often have less mature controls.
Best practices and compliance tips
Keep your SOP lean and prescriptive: map media types to specific approved methods, list approved tools, and define retention periods for logs. Prefer βpurge or destroyβ for CUI-level data if you lack proven sanitization capability. Use whole-disk encryption (BitLocker, FileVault) from day one β if keys are properly destroyed, crypto-erase can speed sanitization. For third-party destruction, use NAID-certified providers and request certificates of destruction and a chain-of-custody manifest. Periodically test your processes (e.g., attempt file recovery from sanitized test drives) and include sanitization tasks in offboarding and disposal checklists.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII is straightforward for small businesses when you adopt a documented, repeatable process: inventory media, choose the correct sanitization method (overwrite, degauss, or physical destruction) based on media type, use validated tools or certified vendors, maintain auditable logs and certificates, and train staff. Implement these steps pragmatically and you will reduce risk, simplify audits, and keep covered information secure during device reuse, transfer, or disposal.
