This post explains how small businesses can practically and defensibly sanitize hard drives (HDDs), solid-state drives (SSDs), and USB flash drives containing Federal Contract Information (FCI) in order to comply with FAR 52.204-21 and CMMC 2.0 Level 1 Control MP.L1-B.1.VII; it maps real-world steps to the NIST SP 800-88 Rev. 1 media sanitization model (Clear, Purge, Destroy) and gives concrete commands, vendor options, and evidence practices you can use today.
Why sanitization matters and the compliance risk
FAR 52.204-21 requires contractors to safeguard FCI, and CMMC Level 1 expects basic media protection controls to prevent unauthorized access to that information; improperly sanitized media is one of the most common causes of accidental disclosure. The risk of not sanitizing includes losing contracts, regulatory penalties, reputational damage, and direct data breaches that can expose sensitive contract data. From an auditor's perspective, you will need documented procedures, evidence of method selection, and records (e.g., a certificate of destruction or verification logs) to demonstrate compliance during a review or assessment.
Sanitization methods and technical details
Hard disk drives (HDDs)
For traditional magnetic HDDs, NIST SP 800-88 allows "Clear" or "Purge" depending on sensitivity and media state. Practical options: a single full-disk overwrite with a pseudorandom pattern is generally effective (many organizations use a 1-pass overwrite), or issue ATA Secure Erase via hdparm on Linux for ATA drives. Example command sequence (use with caution and only after backups; the first command sets a temporary user password, the second issues the erase with that password): hdparm --user-master u --security-set-pass p /dev/sdX && hdparm --security-erase p /dev/sdX. After sanitization, capture the drive serial, model, method, date, and operator in your log. If the drive is physically damaged or inaccessible, move to physical destruction.
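As an added example (not code from the original post): the pre-flight check a practitioner wants before running the hdparm sequence above, which parses the Security section of captured `hdparm -I` output, plus a post-erase spot check. The hdparm text below is a constructed sample, and the `read_at` callback is an assumed wrapper over the device's seek/read.

```python
def parse_security(hdparm_output):
    """Flags from the 'Security:' section of `hdparm -I` output: one tab-indented
    flag per line ('supported', 'frozen', ...); 'not frozen' etc. stay False."""
    flags = dict.fromkeys(("supported", "enabled", "locked", "frozen", "enhanced"), False)
    in_section = False
    for raw in hdparm_output.splitlines():
        if not raw[:1].isspace():            # a column-0 line starts the next section
            in_section = raw.startswith("Security:")
            continue
        if in_section:
            line = " ".join(raw.split())     # collapse the tab layout
            if line == "supported: enhanced erase":
                flags["enhanced"] = True
            elif line in flags:
                flags[line] = True
    return flags

def secure_erase_preflight(hdparm_output):
    """Whether `hdparm --security-erase` can be issued right now, and why not."""
    f = parse_security(hdparm_output)
    if not f["supported"]:
        return False, "no ATA security feature set: overwrite or destroy instead"
    if f["frozen"]:
        return False, "drive frozen by BIOS/kernel: the erase would be rejected"
    if f["enabled"] or f["locked"]:
        return False, "security already enabled/locked: erase needs the old password"
    return True, "enhanced erase" if f["enhanced"] else "normal erase"

def sample_is_zeroed(read_at, size, samples=64, block=4096):
    """Post-erase spot check: read `samples` evenly spaced blocks through the
    assumed read_at(offset, n) callback (wrap fh.seek/fh.read on '/dev/sdX')
    and require all-zero bytes. Evidence for the log, not proof of a full
    overwrite; only a complete read of the media gives that."""
    for i in range(samples):
        chunk = read_at((i * size // samples) // block * block, block)
        if chunk != bytes(len(chunk)):
            return False
    return True

# Constructed sample of `hdparm -I` output (not captured from a real drive).
SAMPLE_HDPARM = """\
Commands/features:
Security: 
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\t\tsupported: enhanced erase
Checksum: correct
"""
```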
Solid-state drives (SSDs)
SSDs have wear-leveling and overprovisioned areas that make traditional overwrites unreliable. Prefer the drive vendor’s firmware-based secure erase or the NVMe/ATA secure erase command; for NVMe drives use vendor tools or nvme-cli to perform a secure format that purges namespaces. Where available, use cryptographic erase: deploy full-disk encryption (FDE) or self-encrypting drives (SEDs) proactively and then zeroize the encryption key (crypto-erase) at retirement—this is fast and reliable because it removes the key protecting the entire media. If neither secure erase nor crypto-erase is possible, use physical destruction (shredding or disintegration rated for SSDs) because degaussing is ineffective on flash.
USB flash drives and other removable flash
USB flash devices are inexpensive and often lack robust sanitize commands; wear-leveling and controller behavior can prevent complete overwrites. Practical approaches: if the device is hardware-encrypted, perform a crypto-erase; otherwise, plan for physical destruction (puncture, cut, or commercial media shredding). For small quantities, use an industrial cross-cut shredder or a hammer-and-cut method followed by electronic recycling with a vendor that provides a certificate of destruction. Always log serial numbers or any unique identifiers when available, and never return untested consumer USBs into circulation if they stored FCI.
Implementation steps for a small-business compliance workflow
Turn the sanitization process into a short SOP:
1) Inventory & classify media (identify FCI on drives);
2) Check protection status (is the drive encrypted? SED?);
3) Select method using a decision matrix (if FDE/SED -> crypto-erase; else if supported -> firmware/secure erase; else -> physical destruction);
4) Execute sanitization (use vendor tools or documented overwrites);
5) Verify & record (capture hashes where possible, serials, tool output, operator, witness);
6) Obtain a certificate of destruction for vendor-handled disposals;
7) Retain records for the contract retention period and audit.
Tie these steps into onboarding/offboarding checklists and purchasing policies so media is protected by default.
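Steps 3 and 5 as code, added here as an example and not part of the original post: the decision matrix and the per-device evidence record with a hash of the tool output that an assessor can re-check later. The asset field names (`type`, `encrypted`, `secure_erase`, `readable`) and the sample values are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

def select_method(media):
    """Step 3 decision matrix. media: {'type': 'hdd'|'ssd'|'usb',
    'encrypted': FDE/SED with the key under your control,
    'secure_erase': firmware/ATA/NVMe erase available, 'readable': bool}."""
    if not media.get("readable", True):
        return "destroy"            # damaged/inaccessible: step 4 cannot run
    if media.get("encrypted"):
        return "crypto-erase"       # zeroize the key: fastest defensible path
    if media.get("secure_erase"):
        return "secure-erase"       # vendor firmware / ATA / NVMe command
    if media["type"] == "hdd":
        return "overwrite"          # single-pass overwrite for magnetic media
    return "destroy"                # flash with no erase support: shred/disintegrate

def sanitization_record(asset, tool_output, operator, witness, when=None):
    """Step 5: one evidence record per device, with a hash of the raw tool
    output so the bulky log can be archived elsewhere and still be checked."""
    rec = {"serial": asset.get("serial"), "model": asset.get("model"),
           "media_type": asset["type"], "method": select_method(asset),
           "date": (when or datetime.now(timezone.utc)).isoformat(),
           "operator": operator, "witness": witness,
           "tool_output_sha256": hashlib.sha256(tool_output.encode()).hexdigest()}
    missing = [k for k, v in rec.items() if not v]
    if missing:                     # an incomplete record will not survive an assessment
        raise ValueError("record incomplete: " + ", ".join(missing))
    return rec

def audit_check(rec, archived_tool_output):
    """At assessment time: does the archived tool output still match the
    hash captured when the device was sanitized?"""
    return hashlib.sha256(archived_tool_output.encode()).hexdigest() == rec["tool_output_sha256"]

if __name__ == "__main__":
    # Constructed sample asset and tool output (not from a real device).
    laptop_ssd = {"type": "ssd", "serial": "SN-EXAMPLE-001", "model": "ExampleDisk 512G",
                  "encrypted": True, "secure_erase": True}
    rec = sanitization_record(laptop_ssd, "key protectors removed; volume unreadable",
                              operator="A. Operator", witness="B. Witness")
    print(json.dumps(rec, indent=2))
```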
Real-world small-business examples
Example A: an IT services firm replacing 12 laptops. They require full-disk encryption company-wide, so retirement becomes a crypto-erase: remove the device from MDM, invoke the disk encryption key change/erase via the vendor console (e.g., BitLocker "manage-bde -protectors -disable" then "manage-bde -forcerecovery"), log the operation, and then send the devices to a recycler that issues certificates of destruction. Note that "-protectors -disable" on its own only suspends BitLocker protection, so confirm in the console that the key protectors have actually been removed before treating the device as crypto-erased.
Example B: a defense subcontractor that receives USB flash drives from a prime. Maintain a locked, logged media inventory; any USB that held FCI is either returned to the prime per contract or destroyed onsite with a cross-cut shredder; destruction is witnessed and logged with serials and certificates.
Compliance tips and best practices
Adopt NIST SP 800-88 Rev. 1 as your technical baseline and document deviations with rationale. Enforce full-disk encryption on all endpoints to make sanitization easier (crypto-erase is fast and defensible). Use an MDM/asset-management system to track media, serial numbers, and sanitization status. When outsourcing, choose NAID AAA-certified destruction vendors and require signed Certificates of Destruction plus chain-of-custody records. Periodically sample sanitized media for verification by a qualified third party and train staff on the SOPs. Keep sanitization logs and vendor certificates for the duration of the contract plus a buffer period required by your legal counsel or contracting officer.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 media protection for disposal is achievable for small businesses by combining proactive measures (default encryption, asset tracking), methodical decision-making (follow the Clear/Purge/Destroy model), and documented evidence (logs, certificates, witness statements). Choose the most reliable sanitization technique for each media type—firmware secure erase or crypto-erase for SSDs, ATA secure erase or overwrites for HDDs, and physical destruction for consumer USBs—retain the records, and your organization will be prepared for audits and, more importantly, will reduce the real risk of FCI exposure.