
How to Sanitize and Reuse IT Media Safely to Meet FAR 52.204-21 / CMMC 2.0 Level 1 Control MP.L1-B.1.VII Requirements

Step-by-step guidance for securely sanitizing and reusing IT media to comply with FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII, including tools, methods, and audit-ready documentation.

March 29, 2026 | 5 min read


This post explains how a small business can implement practical, auditable procedures to sanitize and safely reuse IT media in order to meet FAR 52.204-21 requirements and the CMMC 2.0 Level 1 Control MP.L1-B.1.VII within the Compliance Framework. It focuses on hands-on actions, verifiable tools, and real-world examples that reduce risk when disposing of, repurposing, or returning media from government contracts.

What this control requires (practical interpretation)

At its core, MP.L1-B.1.VII / FAR 52.204-21 requires that covered contractor information, and any media that has stored that information, be protected from unauthorized disclosure when the media are reused, transferred, or disposed of. For implementers in the Compliance Framework practice, this translates to: identify and inventory media; classify whether each item has contained Federal Contract Information (FCI) or Controlled Unclassified Information (CUI); apply an approved sanitization method (clear, purge, or destroy) appropriate to the media type and data classification; and retain evidence of the action for audit. NIST SP 800-88 Rev. 1 is the accepted technical guidance for selecting methods and establishing verification steps.

Step-by-step implementation for a small business

Start with a simple procedure:

1) Inventory all media types (laptops, SSDs/HDDs, USB sticks, backup tapes, copier hard drives, mobile devices, cloud volumes).
2) Tag media that have handled FCI/CUI and move them to a quarantine area before sanitization.
3) Determine the sanitization category (Clear, Purge, Destroy) using NIST SP 800-88 guidelines and your risk tolerance.
4) Execute the chosen sanitization method using approved tools or vendor utilities.
5) Record the action (who, when, method, device serial, evidence) and retain that record for audits.

For a small business this can be a single spreadsheet plus PDF certificates of destruction, or a simple ticket in your IT asset system if you lack an enterprise CMDB.

Sanitization methods and technical commands

Use the right method for the media type.

Magnetic HDDs can usually be rendered unreadable with multiple overwrites or an ATA Secure Erase. Example ATA flow: confirm that hdparm -I /dev/sdX reports the security feature set as supported and "not frozen", set a temporary password with hdparm --user-master u --security-set-pass MyPass /dev/sdX, then run hdparm --security-erase MyPass /dev/sdX (use with caution and validate against the vendor's documentation).

NVMe disks support sanitization via nvme-cli: nvme format /dev/nvme0 --ses=1 (user-data erase) or --ses=2 (cryptographic erase); confirm that the drive reports the capability first and check the nvme-cli documentation for the namespace argument your version expects.

SSDs need care because wear-leveling and over-provisioned cells can leave data that a software overwrite never touches; prefer the vendor's sanitize utility or a cryptographic erase.

Cryptographic erase (recommended wherever full-disk encryption is in use) means securely destroying the encryption key in the KMS or TPM, which leaves only unreadable ciphertext on the media.

For cloud volumes, use the provider's documented volume and snapshot deletion together with key lifecycle management: delete snapshots, then revoke or destroy the associated encryption key.

For removable media (USB, SD), use a verified purge if reuse is required; for disposal, physically destroy or shred the device.

For tapes and other magnetic media, degaussing followed by shredding, or certified destruction, is common.

Always validate with a forensic read test where feasible, and keep a hash or log entry showing that no files were recoverable.

Real-world small-business scenarios:

1) Laptop reuse: before redeploying a laptop that ran contract work, back up user data, run a full-disk sanitize via vendor tools (or crypto-erase by deleting the disk key from your MDM/KMS), then reinstall the OS from your golden image and register the serial to the new user.
2) USB drives returned by contractors: quarantine them, attempt a purge with a multiple-pass overwrite if the media is magnetic, otherwise physically destroy the drive and issue a replacement.
3) Office multifunction copier: when servicing or replacing it, have the vendor provide a certified drive wipe or a certificate of physical destruction for the internal HDD.
4) Cloud dev/test volumes: when tearing down environments that contained FCI, delete snapshots, ensure volumes are detached and deleted, and rotate or delete KMS keys to crypto-erase any residual encrypted data.

Verification, documentation and audit readiness

Compliance is not just performing the wipe; you must prove it. Maintain an asset tracking log with: asset ID/serial, data classification (FCI/CUI or not), sanitization method used, command or tool name and version, operator name, timestamp, and outcome (pass/fail). For destroyed media, keep certificates of destruction from shredders or vendor receipts. Where feasible, perform a forensic verification step (an inexpensive forensic tool or a hex reader to confirm that sectors are zeroed or encrypted). Retain records for a policy-driven retention period (3+ years is common for federal-contract evidence). For FAR/CMMC readiness, be able to present the chain of custody plus the sanitization record tied to the asset identifier for auditors.

Compliance tips and best practices

Make full-disk encryption the default on all endpoints; it dramatically reduces remnant-data risk and enables a quick crypto-erase. Use MDM plus disk encryption so you can revoke keys centrally. Maintain a simple policy that specifies media types, acceptable sanitization levels, and who is authorized to sanitize or request destruction. Train staff to quarantine contract media and never return it to general inventory without completing the sanitization workflow. When buying hardware, prefer vendors with documented sanitize utilities and ask to include wipe/destroy clauses in procurement or service contracts. Finally, automate what you can: scripts for verification logs, a templated sanitization certificate, and ticket workflows reduce human error and improve auditability.
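As an added example of the verification step and the asset-tracking log described under "Verification, documentation and audit readiness", and of the automation suggested above (this script is not part of the original post), the POSIX shell functions below check that a wiped device reads back as all zeros and append an audit record with the fields the post lists. It assumes Linux with GNU coreutils, cmp and blockdev; the log path, CSV layout and asset identifiers are illustrative choices.

```shell
#!/bin/sh
# Added example (not from the original post): verify that sanitized media reads back
# as all zeros and append an audit record with the fields the post lists.
# Assumptions: Linux with GNU coreutils, diffutils (cmp) and util-linux (blockdev);
# the log path, CSV layout and asset IDs are illustrative.

SANITIZE_LOG="${SANITIZE_LOG:-./sanitization-log.csv}"

# device_size_bytes DEV: size in bytes of a block device, or of a regular file
# (a disk image) so the same check can be rehearsed without real hardware.
device_size_bytes() {
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# verify_zeroed DEV: succeed only if every byte of DEV compares equal to /dev/zero.
# "cmp -n" bounds the read to the device size, so the endless /dev/zero is safe.
verify_zeroed() {
    size=$(device_size_bytes "$1") || return 1
    cmp -s -n "$size" "$1" /dev/zero
}

# record_sanitization ASSET SERIAL CLASS METHOD TOOL OPERATOR DEV
# Runs the verification, hashes what was read, and appends one CSV line:
# asset, serial, classification, method, tool+version, operator, UTC time, outcome, sha256.
# Returns the verification outcome so a FAILed device cannot silently leave quarantine.
record_sanitization() {
    asset="$1"; serial="$2"; class="$3"; method="$4"; tool="$5"; operator="$6"; dev="$7"
    if verify_zeroed "$dev"; then outcome=PASS; else outcome=FAIL; fi
    size=$(device_size_bytes "$dev") || return 1
    digest=$(head -c "$size" "$dev" | sha256sum | cut -d' ' -f1)
    ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    [ -f "$SANITIZE_LOG" ] || printf 'asset_id,serial,classification,method,tool,operator,timestamp,outcome,sha256\n' > "$SANITIZE_LOG"
    printf '%s,%s,%s,%s,%s,%s,%s,%s,%s\n' \
        "$asset" "$serial" "$class" "$method" "$tool" "$operator" "$ts" "$outcome" "$digest" >> "$SANITIZE_LOG"
    [ "$outcome" = PASS ]
}

# Example call (constructed identifiers); run it after the wipe has completed:
# record_sanitization LAP-0042 SN-EXAMPLE FCI purge "hdparm security-erase" jdoe /dev/sdX
```

Rehearse on a scratch disk image before pointing DEV at real hardware; a FAIL record keeps the device in quarantine and tells the auditor what was read.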

The risks of not implementing these controls include accidental disclosure of FCI/CUI, loss of contracts, monetary penalties, negative audit findings, and reputational damage. For small businesses the most likely failure modes are lax inventory, reuse of unverified media, and lack of records. These are avoidable with a modest upfront investment in procedures, encryption, and an evidence retention process.

In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII in the Compliance Framework practice is achievable for small businesses: inventory assets, classify data, choose NIST-backed sanitization methods appropriate to the media, document every action, and use encryption plus centralized key management to simplify sanitization. Implement these steps, run a table-top exercise to validate the workflow, and retain sanitization evidence so you can demonstrate compliance during audits.
