Sanitizing storage media correctly is a simple but critical compliance activity for contractors subject to FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII): it prevents residual data exposure, supports contract eligibility, and is verifiable when done using the right tools, methods and documentation.
Why sanitization matters under FAR 52.204-21 and CMMC Level 1
FAR 52.204-21 imposes fifteen basic safeguarding requirements on covered contractor information systems; one of them, paragraph (b)(1)(vii), is to sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse, and CMMC 2.0 Level 1 practice MP.L1-B.1.VII is that same requirement restated. For a small business this means having repeatable, documented procedures that produce verifiable evidence (logs, certificates) that FCI, and any controlled unclassified information (CUI) handled under other contracts, cannot be recovered from a drive once it leaves your control.
Practical implementation steps
At a minimum implement (1) an inventory and labeling process for media, (2) a risk-based decision tree for whether to sanitize or physically destroy, (3) method selection per media type (magnetic HDD, SATA SSD, NVMe SSD, self-encrypting drive), (4) execution using approved tools and (5) verification and recordkeeping. Example: mark retired laptops in inventory, determine whether their drives held FCI or CUI, if yes choose an appropriate method (secure erase or destruction), execute the chosen method, capture the command output or the vendor's certificate, and store those records with the procurement/asset disposal record for inspection.
Tools and techniques: magnetic HDDs (mechanical)
For spinning hard drives follow NIST SP 800-88 Rev. 1: a single-pass overwrite (zeros or pseudorandom data) that is read back and verified meets the Clear level and is adequate for most FCI; the Purge level requires degaussing, the drive's own ATA Secure Erase, or destruction, and many organizations simply choose destruction for high-risk data. Practical, low-cost methods include: dd or shred on Linux (e.g., dd if=/dev/zero of=/dev/sdX bs=1M status=progress, run against the whole unmounted device rather than a partition) followed by reading the device back and confirming it is all zeros; vendor-certified utilities; or a certified media destruction vendor that issues a Certificate of Destruction (CoD). Note: DBAN has not been updated in years and does not handle SSDs, though some still use it for HDDs; prefer documented, auditable tools and keep the command output as your log.
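The overwrite, read-back verification and audit log line described above, as an added example that is not code from the original page: a POSIX shell script that zero-fills a target, compares every byte back against /dev/zero, and appends one log record with the fields an assessor asks for. It accepts a block device such as /dev/sdX or, for a harmless rehearsal, a regular file. The log path, field layout, asset-tag format and the SANITIZE_TARGET/ASSET_TAG environment variables are assumptions made for this example.

```sh
#!/bin/sh
# Added example, not code from the original page: single-pass zero overwrite
# of a magnetic drive with read-back verification and an audit log line.
# TARGET is a block device such as /dev/sdX, or a regular file when
# rehearsing the procedure. Log path, field layout and asset-tag format are
# assumptions for this example, not requirements from NIST SP 800-88 or CMMC.
set -eu

SANITIZE_LOG="${SANITIZE_LOG:-./sanitize.log}"

# Size of the target in bytes: blockdev(8) for devices, wc for files.
target_size() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1" | tr -d ' '; fi
}

# SHA-256 of the first MiB, captured before and after so the log proves the
# contents changed rather than merely that a command was typed.
head_hash() {
  dd if="$1" bs=1M count=1 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Read every byte back and compare with /dev/zero for exactly the target's
# length. Devices are read with O_DIRECT so the check hits the platter, not
# the page cache; cmp exits non-zero at the first non-zero byte.
verify_zeroed() {
  size=$(target_size "$1")
  if [ -b "$1" ]; then
    dd if="$1" bs=1M iflag=direct 2>/dev/null | cmp -n "$size" - /dev/zero >/dev/null
  else
    cmp -n "$size" "$1" /dev/zero >/dev/null
  fi
}

# Overwrite, verify, log. Exit status 0 only when verification passed, so a
# batch loop can route failures to physical destruction.
sanitize_overwrite() {
  target=$1; asset_tag=${2:-UNKNOWN}

  # Refuse to wipe anything currently mounted (the device or any partition
  # on it); wiping the wrong, live disk is the classic operator error.
  if [ -b "$target" ] && grep -qs "^$target" /proc/mounts; then
    echo "refusing: $target or a partition on it is mounted" >&2
    return 2
  fi

  serial=$( { [ -b "$target" ] && lsblk -ndo SERIAL "$target"; } 2>/dev/null || echo n/a )
  model=$(  { [ -b "$target" ] && lsblk -ndo MODEL  "$target"; } 2>/dev/null || echo n/a )
  size=$(target_size "$target")
  pre=$(head_hash "$target")

  # One pass of zeros sized exactly to the target; conv=fsync forces the
  # data to the medium before dd returns.
  head -c "$size" /dev/zero | dd of="$target" bs=1M conv=fsync 2>/dev/null

  post=$(head_hash "$target")
  if verify_zeroed "$target"; then result=VERIFIED; else result=FAILED; fi

  # Minimum log fields: when, what, who, how, evidence, outcome.
  printf '%s|%s|%s|%s|%s|%s|%s|pre=%s|post=%s|%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$asset_tag" "$serial" "$model" "$size" \
    "single-pass-zero+readback" "${OPERATOR:-$(id -un)}" "$pre" "$post" "$result" \
    >> "$SANITIZE_LOG"
  [ "$result" = VERIFIED ]
}

# Usage: SANITIZE_TARGET=/dev/sdX ASSET_TAG=LAP-0042 sh sanitize_hdd.sh
if [ -n "${SANITIZE_TARGET:-}" ]; then
  sanitize_overwrite "$SANITIZE_TARGET" "${ASSET_TAG:-UNKNOWN}"
fi
```

Run it first against a scratch image file (head -c 3000000 /dev/urandom > disk.img) to see the log line it produces; against a real drive it needs root, and the FAILED path is the trigger to hand the drive to a destruction vendor rather than re-run the overwrite.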
Tools and techniques: SSDs and modern flash media
Do not rely on repeated overwrites for SSDs: wear leveling and over-provisioning leave blocks the host cannot address, so an overwrite issued from the host never reaches all of them. Use the drive's own sanitize mechanisms: ATA Secure Erase via hdparm for SATA drives (confirm hdparm -I reports the drive "not frozen" and security "not enabled", set a temporary password with --security-set-pass, then issue --security-erase, or --security-erase-enhanced where the drive lists enhanced erase support); the NVMe Sanitize or Format commands via nvme-cli (nvme sanitize /dev/nvme0 --sanact=2 for block erase or --sanact=4 for crypto erase, then poll nvme sanitize-log until it reports completion; nvme format /dev/nvme0n1 --ses=1 is the older, per-namespace command); or vendor tools (Samsung Magician, the Intel/Solidigm SSD toolbox, Parted Magic's secure-erase for SSDs). For self-encrypting drives (SEDs) cryptographic erase, in which the drive discards or regenerates its media encryption key, is an accepted and fast Purge method, but only if the drive has encrypted all user data since it was put into service; confirm that before relying on it, and log the key destruction event. If you cannot execute a reliable electronic sanitize (security frozen, command unsupported, or the erase reports success but a read-back still shows old data), physically destroy the SSD (shredding/pulverizing) and retain the destruction documentation.
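The two native-erase sequences above with their pre-checks, as an added example that is not code from the original page: a POSIX shell script wrapping hdparm's ATA Security sequence and nvme-cli's Sanitize command. By default it only prints the commands (DRY_RUN=1), so the exact sequence can be reviewed and pasted into the sanitization record before it is run for real with DRY_RUN=0. The device paths, the temporary password "Eins" and the choice of block erase as the default NVMe action are assumptions for this example; the hdparm -I strings and the nvme id-ctrl/sanitize-log fields it greps are what current versions of those tools print.

```sh
#!/bin/sh
# Added example, not code from the original page: ATA Secure Erase and NVMe
# Sanitize with the pre-checks that decide whether the erase can be trusted.
# Commands are printed, not executed, unless DRY_RUN=0. Device paths, the
# temporary password "Eins" and the default action are assumptions.
set -eu

DRY_RUN="${DRY_RUN:-1}"

# Print the command in dry-run mode, execute it otherwise.
run() {
  if [ "$DRY_RUN" = 1 ]; then echo "+ $*"; else "$@"; fi
}

# SATA SSD via ATA Security. hdparm -I must report "not frozen" (a BIOS often
# freezes the security state at boot; suspend/resume or hot-plug clears it)
# and "not enabled" (no password already set, or the erase is rejected).
# A temporary password is set, then the erase is issued with the same one;
# the drive clears the password itself when the erase completes.
ata_secure_erase() {
  dev=$1; pw=${2:-Eins}; info=""
  if [ "$DRY_RUN" != 1 ]; then
    info=$(hdparm -I "$dev")
    echo "$info" | grep -q 'not[[:space:]]*frozen'  || { echo "$dev: security frozen, suspend/resume then retry" >&2; return 2; }
    echo "$info" | grep -q 'not[[:space:]]*enabled' || { echo "$dev: a security password is already set" >&2; return 2; }
  fi
  run hdparm --user-master u --security-set-pass "$pw" "$dev"
  # Enhanced erase also covers reallocated and over-provisioned cells;
  # use it whenever hdparm -I lists "supported: enhanced erase".
  if [ "$DRY_RUN" = 1 ] || echo "$info" | grep -q 'supported: enhanced erase'; then
    run hdparm --user-master u --security-erase-enhanced "$pw" "$dev"
  else
    run hdparm --user-master u --security-erase "$pw" "$dev"
  fi
}

# NVMe via the Sanitize command (controller-wide: pass /dev/nvme0, not the
# namespace). Action 2 = block erase, 3 = overwrite, 4 = crypto erase (only
# meaningful on a drive that has encrypted all user data since first use).
# Sanitize is asynchronous: completion is read from the sanitize log, where
# SPROG reaches 65535, and that log output is the evidence to keep.
nvme_sanitize() {
  ctrl=$1; action=${2:-2}
  case "$action" in
    4) bit=1 ;; 2) bit=2 ;; 3) bit=4 ;;   # SANICAP bits 0,1,2
    *) echo "unknown sanitize action $action" >&2; return 2 ;;
  esac
  if [ "$DRY_RUN" != 1 ]; then
    cap=$(nvme id-ctrl "$ctrl" | awk '/^sanicap/ {print $3}')
    [ $(( cap & bit )) -ne 0 ] || {
      echo "$ctrl: sanitize action $action unsupported; fall back to nvme format --ses=1 or destroy" >&2
      return 2
    }
  fi
  run nvme sanitize "$ctrl" --sanact="$action"
  if [ "$DRY_RUN" != 1 ]; then
    until nvme sanitize-log "$ctrl" | grep -q 'SPROG.*65535'; do sleep 10; done
    nvme sanitize-log "$ctrl"   # record this output with the asset
  fi
}

# Usage examples (dry run): sh sanitize_ssd.sh prints the planned commands.
if [ "${1:-}" = demo ]; then
  ata_secure_erase /dev/sdX Eins
  nvme_sanitize /dev/nvme0 2
fi
```

The frozen check is the one that bites in practice: most laptops boot with the ATA security state frozen, so the erase is rejected and a careless operator logs a drive as wiped that never was; the script makes that a hard failure rather than a warning, which is the point of keeping the pre-checks next to the commands.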
Example small-business scenarios
Scenario 1: A 12-person defense subcontractor retiring 6 laptops with mixed HDD/SSD drives. Procedure: collect the assets in a secure room; record each drive's serial number and model and tag it; for HDDs run a single-pass overwrite and then read the device back to verify it is zeroed; for SSDs run the vendor secure-erase or NVMe sanitize; record the command output and a hash of the first MB taken before and after; if any SSD cannot be sanitized (security frozen, command unsupported, or verification fails), send it to an onsite destruction vendor and obtain a CoD. Scenario 2: A web hosting small business rotating out 50 drives: trigger bulk crypto erase for the SEDs from the vendor management console, then sample 5% of the drives and attempt data recovery with an internal QA or third-party forensic tool; log the results and store the CoD and sampling results in the asset retirement folder.
Verification, logging and policy controls
Create a media sanitization policy that includes: required methods by media type, minimum logging fields (asset tag, serial, model, date, operator, method, command output or CoD), chain-of-custody steps for transported media, and a retention period for sanitization records (e.g., 3 to 7 years depending on the contract). Practical verification steps: collect command output into a signed log file, capture screenshots for GUI tools, sample a subset of sanitized drives and attempt data recovery with forensic tools, and periodically have a third party audit the procedure. These artifacts are what assessors and contracting officers expect to see.
Risks of not implementing proper sanitization
Failure to sanitize correctly creates clear risks: data breaches with exposure of CUI (leading to contract termination, civil penalties, or reputational damage), failed CMMC assessments and ineligibility for future DoD work, and potential regulatory fines. Technically, improperly sanitized SSDs can retain recoverable fragments due to wear-leveling; unlogged or unverified sanitization invites audit failure even if no breach occurs. Treat sanitization as both an operational security control and an auditable compliance process.
In summary: adopt a documented, media-type-specific sanitization policy aligned to NIST SP 800-88 and FAR/CMMC requirements; use appropriate native erase commands for SSDs and verified overwrites or destruction for HDDs; log every operation and maintain chain-of-custody and verification evidence. For small businesses, combine affordable technical steps (hdparm, nvme-cli, vendor tools) with certified destruction vendors and a clear policy to meet MP.L1-B.1.VII and protect your contracts and customers.