
How to Sanitize or Destroy Media Containing Federal Contract Information for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII: A Step-by-Step Implementation Plan

Practical, step-by-step guidance for small businesses to sanitize or destroy media containing Federal Contract Information to meet FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requirements.

March 26, 2026

This post provides a practical, Compliance Framework–specific implementation plan to sanitize or destroy media that contains Federal Contract Information (FCI) in order to meet FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII, with step-by-step actions, technical specifics, and small-business examples you can implement immediately.

Understanding the requirement and key objectives

FAR 52.204-21 requires contractors to safeguard Federal Contract Information, and CMMC 2.0 Level 1 MP.L1-B.1.VII specifically calls for sanitizing or destroying media containing FCI when it is no longer needed. The key objectives are: ensure FCI cannot be reconstructed or retrieved after disposal, maintain auditable evidence of sanitization/destruction, and apply consistent processes across device types (HDDs, SSDs, removable media, paper, multifunction devices, tapes, mobile devices).

Step 1 — Inventory and classification (first practical step)

Begin with a complete media inventory: list all devices and media types that have stored or could store FCI (laptops, desktops, external USB drives, SD cards, servers, SSDs, HDDs, backup tapes, optical discs, paper records, multifunction printers). For each item record: owner, device type/model, storage type (magnetic, NAND flash, optical), custody history, and whether the content is still needed for contract performance. This aligns with the Compliance Framework practice of managing assets before applying sanitization.

Step 2 — Choose approved sanitization/destruction methods

Map each media type to an accepted method per NIST SP 800-88 Rev. 1 guidance (Clear, Purge, Destroy). Practical mappings for small businesses include: magnetic HDDs — purge via degaussing (if available) or secure overwrite using verified tools (a single overwrite pass of zeroes is typically acceptable for modern drives when followed by verification); SSDs and eMMC — vendor-supplied Secure Erase or NVMe Sanitize / Crypto Erase (do NOT rely on multi-pass overwrite tools like DBAN for SSDs, since wear-levelling leaves blocks the overwrite never reaches); removable USB/SD — crypto-erase if encrypted, otherwise vendor secure erase or physical destruction; optical media — physical shredding or incineration; paper — cross-cut shredding (P-4 or better) or pulping; backup tapes — degauss and then shred; multifunction device internal drives — follow vendor procedures for disk removal and physical destruction or vendor-certified sanitization. Do not use “DoD 5220.22-M three-pass” as the sole justification — cite NIST SP 800-88 to align with modern guidance.

Step 3 — Implement technical controls and tools

For each sanitization method identify the tool/process and verification technique. Examples: for ATA drives, use hdparm --security-erase (Linux) or vendor tools; for NVMe drives use nvme sanitize (or nvme format with a secure-erase setting, --ses), confirm completion with nvme sanitize-log, then verify by reading back sampled sectors and record the drive's SMART/identify output; for encrypted devices, implement whole-disk encryption (BitLocker, FileVault, LUKS) and document the crypto-erase process (destroy the encryption keys and clear the TPM); for commercial-grade verification use Blancco or other certified sanitization software and retain the certificates. Maintain a standard operating procedure that prescribes commands, vendor references, and verification logs so a non-technical auditor can validate the action.

Step 4 — Chain-of-custody, documentation, and attestation

Create a Media Sanitization Log (spreadsheet or ticketing system) that records: item identifier, serial number, media type, sanitization method used, tool/firm performing the action (internal staff or vendor), date/time, and the name and signature (electronic OK) of the person performing and verifying the sanitization. For third-party destruction vendors, require a Certificate of Destruction (CoD) with vendor accreditation and retention of that certificate for contract recordkeeping. These records are critical evidence under FAR 52.204-21 and for CMMC assessments.

Small-business scenario: applying the plan in a 12-person subcontractor

Example: A 12-person engineering subcontractor holds FCI on 6 laptops, 2 file-server SSDs, 10 USB drives used for data transfer, and paper design documents. Implementation: (1) Inventory and tag each device. (2) Encrypt all endpoints with BitLocker and establish a key escrow policy so devices can be crypto-erased when retired. (3) For SSDs scheduled for replacement, perform vendor secure erase (NVMe sanitize) and verify with a forensic read-back (sampled sectors read as zeros and no file system is present). (4) For USB drives that held FCI and are obsolete, send them to a certified destruction vendor and retain a Certificate of Destruction. (5) For paper drawings, use an on-site cross-cut shredder and document batch destruction in the Media Sanitization Log. This approach minimizes cost while meeting compliance objectives.
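The read-back verification from Step 3 and scenario step (3), together with the Step 4 log record, as an added example that is not part of the original post. It assumes the drive has already been erased (hdparm, nvme or crypto-erase), that it runs as root against a block device such as /dev/nvme0n1, and that the log is a JSON-lines file; the demo() images, item ids and names are constructed for illustration.

```python
"""Post-erase verification plus a Media Sanitization Log entry. Added example, not
from the original post; assumes an already-erased drive (hdparm, nvme, crypto-erase),
root access to a device such as /dev/nvme0n1, and a JSON-lines log file."""
import hashlib, json, os, random, tempfile
from datetime import datetime, timezone

BLOCK = 4096  # bytes read per sample
def sample_is_blank(path, samples=64, seed=None):
    """Read random blocks; return (all_zero, nonzero_offsets). Sampling only
    disproves erasure: one non-zero block proves it failed, all-zero is evidence."""
    rng, bad = random.Random(seed), []
    with open(path, "rb") as dev:
        blocks = max(dev.seek(0, os.SEEK_END) // BLOCK, 1)
        for off in (rng.randrange(blocks) * BLOCK for _ in range(samples)):
            if os.pread(dev.fileno(), BLOCK, off).strip(b"\0"):
                bad.append(off)
    return not bad, sorted(set(bad))

def seal(rec):  # SHA-256 over canonical JSON so any later edit is detectable
    return hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()

def log_record(log_path, item_id, serial, media_type, method,
               performed_by, verified_by, verified):
    """Append one sealed JSON line carrying the Step 4 fields; return its digest."""
    rec = {"item_id": item_id, "serial": serial, "media_type": media_type,
           "method": method, "performed_by": performed_by,
           "verified_by": verified_by, "verification_passed": verified[0],
           "nonzero_offsets": verified[1][:10],
           "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds")}
    with open(log_path, "a") as log:
        log.write(json.dumps({"record": rec, "sha256": seal(rec)}) + "\n")
    return seal(rec)

def check_log(log_path):
    """Recompute each line's digest; return how many records were altered."""
    with open(log_path) as log:
        return sum(seal(e["record"]) != e["sha256"] for e in map(json.loads, log))

def demo():  # constructed images standing in for a wiped and an unwiped drive
    with tempfile.TemporaryDirectory() as d:
        p = {n: os.path.join(d, n) for n in ("wiped", "dirty", "log")}
        for name, data in (("wiped", bytes(BLOCK * 8)),
                           ("dirty", bytes(BLOCK * 3) + b"FCI" + bytes(BLOCK * 5 - 3))):
            with open(p[name], "wb") as f:
                f.write(data)
        ok = sample_is_blank(p["wiped"], seed=1)
        bad = sample_is_blank(p["dirty"], samples=200, seed=1)
        log_record(p["log"], "LAP-003", "SN-CONSTRUCTED", "NVMe SSD",
                   "nvme sanitize", "A. Tech", "B. Verifier", bad)
        return ok, bad, check_log(p["log"])
```

A failed read-back (any non-zero offset) should be logged as such and the device re-erased or physically destroyed, never simply re-run until the sample happens to pass.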

Compliance tips, best practices, and verification

Best practices include: enforce full-disk encryption proactively to enable fast crypto-erase; integrate sanitization and decommissioning workflows into HR/offboarding and asset disposal processes; restrict use of removable media with policy and technical controls; perform quarterly audits of the media inventory and random verification of sanitized items; maintain training and role-based responsibilities for sanitization tasks; and reference NIST SP 800-88 Rev. 1 in policies so assessors see alignment with accepted federal guidance. Avoid relying on a consumer-grade “factory reset” without evidence of cryptographic erasure for encrypted devices.

Risks of not implementing sanitization/destruction

Failure to properly sanitize or destroy media containing FCI exposes the organization to data leakage and breach incidents, which can lead to lost contracts, suspension/debarment, financial penalties, remediation costs, and reputational damage. From a CMMC/FAR perspective, improper sanitization can cause a failed CMMC assessment or a finding of noncompliance during audits — jeopardizing current and future government contracting opportunities. Even a single lost USB drive with FCI can trigger a breach notification, contractual liability, and an investigation.

Summary: To comply with FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII, implement a clear Compliance Framework practice: inventory and classify media, map media to NIST 800-88–aligned sanitization methods (clear, purge, destroy), use appropriate technical tools (vendor secure erase, crypto-erase, verified commercial tools), document chain-of-custody and Certificates of Destruction, and perform periodic audits and training. These practical steps give small businesses a defensible, auditable process that reduces risk and supports contract compliance.
