This post explains practical, technical methods small businesses can use to sanitize solid-state drives (SSDs) and mobile devices that store Federal Contract Information (FCI) in order to meet FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII; it focuses on concrete steps, tools, validation, and documentation you can implement today under your Compliance Framework obligations.
Compliance context and risk
FAR 52.204-21 requires contractors to protect FCI, and CMMC 2.0 Level 1 explicitly expects media protection practices such as sanitization when removing media from service or before reuse. For the Compliance Framework, that means you must adopt documented, repeatable sanitization procedures, use accepted technical methods, and retain evidence of actions. The risk of not sanitizing properly is high: leftover data on SSDs or phones can lead to FCI exposure, breach reporting obligations, contract penalties, reputational loss, and removal from government programs.
Technical methods for SSD sanitization
SSDs require different handling than spinning disks because wear-leveling and over-provisioning make simple overwrites unreliable. The preferred technical methods are cryptographic erase (crypto-erase), vendor-provided secure erase utilities, and NVMe/ATA-sanctioned sanitize commands. For drives purchased without hardware encryption enabled, vendor secure-erase or physical destruction are acceptable. Document which method you used, the tool/version, the drive serial number/WWN, and output or logs proving completion.
ATA/SATA SSDs (Secure Erase)
For ATA/SATA SSDs, use the ATA Secure Erase command (commonly invoked with hdparm on Linux) or the manufacturer's secure-erase tool. Typical steps: 1) set a temporary security password, 2) invoke the secure-erase command, 3) confirm the drive reports “sanitized” or “security not enabled.” Example (test in a lab first and adapt to your environment): use hdparm --user-master u --security-set-pass PASS /dev/sdX then hdparm --security-erase PASS /dev/sdX. Always cross-check with vendor guidance because some SSDs implement secure-erase differently; if the drive supports hardware encryption and secure-erase simply deletes the encryption key, label this crypto-erase and retain logs showing key destruction.
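The hdparm sequence above, wrapped in the pre-flight checks and evidence capture a practitioner wants around it, as an added shell example that is not part of the original post. The device path /dev/sdX, the temporary password, the evidence directory and the sample hdparm -I output are constructed assumptions. The script reads the Security section of hdparm -I and refuses to erase a drive that is frozen, locked or already password-enabled, prefers enhanced erase when the drive advertises it, re-reads the security state afterwards, and appends a log line with timestamp, operator, serial, method and tool version.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Pre-flight checks, erase and
# evidence capture for ATA Secure Erase via hdparm. Device path, temporary
# password and evidence directory are illustrative assumptions; run on lab
# hardware first.

# Classify the "Security:" section of `hdparm -I` output. Prints one of:
#   unsupported  drive lacks the ATA Security feature set (vendor tool or
#                physical destruction instead)
#   frozen       BIOS/UEFI froze the feature set; suspend-resume or hot-plug
#                the drive, then re-check
#   locked       a password is set and the drive is locked
#   enabled      a password is already set (you need that one, not a new one)
#   ready        supported, not frozen, not enabled: erase may proceed
ata_security_state() {
  sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
  if ! printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*supported[[:space:]]*$'; then
    echo unsupported; return 0
  fi
  if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*frozen'; then echo frozen; return 0; fi
  if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*locked'; then echo locked; return 0; fi
  if printf '%s\n' "$sec" | grep -Eq '^[[:space:]]*enabled'; then echo enabled; return 0; fi
  echo ready
}

# Serial number as printed by `hdparm -I` (the value to record in the log).
ata_serial() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' | head -n 1
}

# Erase with evidence capture. Needs root. Refuses to run unless the drive is
# "ready", so a frozen or pre-enabled drive is never left half-configured.
ata_secure_erase() {
  dev="$1"; pass="$2"; evidence="$3"
  mkdir -p "$evidence"
  before=$(hdparm -I "$dev")
  serial=$(ata_serial "$before")
  printf '%s\n' "$before" > "$evidence/$serial-before.txt"
  state=$(ata_security_state "$before")
  if [ "$state" != ready ]; then
    echo "refusing to erase $dev (serial $serial): security state is $state" >&2
    return 1
  fi
  # Enhanced erase is defined to cover reallocated sectors as well; prefer it
  # whenever the drive advertises it.
  if printf '%s\n' "$before" | grep -q 'supported: enhanced erase'; then
    erase_opt=--security-erase-enhanced
  else
    erase_opt=--security-erase
  fi
  hdparm --user-master u --security-set-pass "$pass" "$dev" || return 1
  hdparm --user-master u "$erase_opt" "$pass" "$dev" || return 1
  after=$(hdparm -I "$dev")
  printf '%s\n' "$after" > "$evidence/$serial-after.txt"
  # A completed erase leaves security "not enabled" again, i.e. state "ready".
  if [ "$(ata_security_state "$after")" != ready ]; then
    echo "erase of $serial did not leave the drive in a clean security state" >&2
    return 1
  fi
  printf '%s,%s,%s,%s,%s,%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
    "$serial" "ATA ${erase_opt#--}" "$(hdparm -V)" "$serial-after.txt" \
    >> "$evidence/sanitization-log.csv"
}

# Constructed sample of `hdparm -I` output (whitespace simplified) for a drive
# that is ready, plus variants derived from it.
SAMPLE_READY=$(cat <<'EOF'
/dev/sdX:
ATA device, with non-removable media
        Serial Number:      CONSTRUCTED-SN-0001
Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
EOF
)
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_READY" | sed 's/not  *frozen/frozen/')
SAMPLE_ENABLED=$(printf '%s\n' "$SAMPLE_READY" | sed 's/not  *enabled/enabled/')
SAMPLE_UNSUPPORTED=$(printf '%s\n' "$SAMPLE_READY" | sed '/^ *supported *$/d')

# Demo on the samples only (no hardware touched). The real procedure is
# invoked explicitly, e.g.: ata_secure_erase /dev/sdX TempPass123 /var/log/sanitize
for s in "$SAMPLE_READY" "$SAMPLE_FROZEN" "$SAMPLE_ENABLED" "$SAMPLE_UNSUPPORTED"; do
  ata_security_state "$s"
done
```

The "frozen" state is the usual reason a secure erase silently fails on a laptop: most firmware freezes the security feature set at boot, and hdparm then reports an error instead of erasing. Checking the state before setting a password also avoids leaving a drive password-enabled if the erase step aborts.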
NVMe SSDs (Sanitize / Crypto-Erase)
NVMe devices support the NVM Express sanitize operation, which offers block erase, overwrite, and crypto-erase actions. Use a current nvme-cli release or the vendor utility to run the sanitize operation, and prefer the crypto-erase action when the controller supports it, because it deletes the media encryption keys quickly and reliably. Example workflow: confirm the drive is in an appropriate state (no sanitize already in progress, no namespaces still mounted), run the vendor or nvme-cli sanitize command with the crypto-erase action, and capture the command output together with the device's sanitize status log. If the device is unresponsive or reports that sanitize is unsupported, treat the media as requiring physical destruction or vendor return.
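The NVMe workflow above, as an added shell example that is not part of the original post: it reads the SANICAP capability field from nvme id-ctrl to pick crypto erase when offered (block erase otherwise), issues nvme sanitize, polls the sanitize log until the operation has finished, and records the evidence. The device path, evidence directory and sample nvme-cli output are constructed assumptions; nvme-cli's text output is parsed loosely because the column layout varies a little between versions.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: NVMe sanitize via nvme-cli
# with capability check, completion polling and evidence capture. Device path,
# evidence directory and the sample outputs below are illustrative assumptions.

# SANICAP from `nvme id-ctrl`: bit 0 = crypto erase, bit 1 = block erase,
# bit 2 = overwrite. Prints the Sanitize Action value nvme-cli's -a/--sanact
# expects for the preferred supported action, or "none".
nvme_pick_action() {
  cap=$(printf '%s\n' "$1" | awk '$1 == "sanicap" { print $3 }')
  [ -n "$cap" ] || { echo none; return 0; }
  cap=$((cap))
  if [ $((cap & 1)) -ne 0 ]; then echo 4      # crypto erase
  elif [ $((cap & 2)) -ne 0 ]; then echo 2    # block erase
  elif [ $((cap & 4)) -ne 0 ]; then echo 3    # overwrite (slow; needs -p/-c)
  else echo none; fi
}

# Interpret `nvme sanitize-log`: SPROG 65535 means finished; SSTAT bits 2:0 are
# 0 never sanitized, 1 completed, 2 in progress, 3 failed, 4 completed without
# deallocation. Prints: never, complete, in-progress, failed or unknown.
nvme_sanitize_status() {
  sprog=$(printf '%s\n' "$1" | awk '/\(SPROG\)/ { print $NF; exit }')
  sstat=$(printf '%s\n' "$1" | awk '/\(SSTAT\)/ { print $NF; exit }')
  [ -n "$sstat" ] || { echo unknown; return 0; }
  case $(( sstat & 7 )) in
    0) echo never ;;
    1|4) if [ "$sprog" = 65535 ]; then echo complete; else echo in-progress; fi ;;
    2) echo in-progress ;;
    3) echo failed ;;
    *) echo unknown ;;
  esac
}

# Sanitize a controller (use /dev/nvme0, not the namespace) with evidence.
nvme_sanitize_device() {
  dev="$1"; evidence="$2"
  mkdir -p "$evidence"
  ctrl=$(nvme id-ctrl "$dev")
  serial=$(printf '%s\n' "$ctrl" | awk '$1 == "sn" { print $3 }')
  printf '%s\n' "$ctrl" > "$evidence/$serial-id-ctrl.txt"
  act=$(nvme_pick_action "$ctrl")
  if [ "$act" = none ]; then
    echo "$dev ($serial): sanitize unsupported; route to physical destruction or vendor return" >&2
    return 1
  fi
  if [ "$act" = 3 ]; then
    echo "$dev ($serial): only overwrite is supported; add pattern/count options before use" >&2
    return 1
  fi
  nvme sanitize "$dev" -a "$act" || return 1
  # Poll until the log no longer reports "in progress".
  while :; do
    log=$(nvme sanitize-log "$dev")
    st=$(nvme_sanitize_status "$log")
    [ "$st" = in-progress ] || break
    sleep 5
  done
  printf '%s\n' "$log" > "$evidence/$serial-sanitize-log.txt"
  [ "$st" = complete ] || { echo "sanitize of $serial ended with status $st" >&2; return 1; }
  printf '%s,%s,%s,%s,%s,%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" "$serial" \
    "NVMe sanitize sanact=$act" "$(nvme version | head -n 1)" "$serial-sanitize-log.txt" \
    >> "$evidence/sanitization-log.csv"
}

# Constructed samples of nvme-cli output (layout simplified).
SAMPLE_IDCTRL=$(cat <<'EOF'
NVME Identify Controller:
vid       : 0x1234
sn        : CONSTRUCTED-NVME-0001
mn        : LabModel NVMe SSD
sanicap   : 0x3
EOF
)
SAMPLE_LOG_DONE=$(cat <<'EOF'
Sanitize Progress                      (SPROG) :  65535
Sanitize Status                        (SSTAT) :  0x101
        [2:0]   : 0x1   Most Recent Sanitize Command Completed Successfully
Sanitize Command Dword 10 Information (SCDW10) :  0x4
EOF
)
SAMPLE_LOG_RUNNING=$(printf 'Sanitize Progress (SPROG) : 20480\nSanitize Status (SSTAT) : 0x2\n')
SAMPLE_LOG_FAILED=$(printf 'Sanitize Progress (SPROG) : 65535\nSanitize Status (SSTAT) : 0x3\n')

# Demo on the samples only; real use: nvme_sanitize_device /dev/nvme0 /var/log/sanitize
nvme_pick_action "$SAMPLE_IDCTRL"
nvme_sanitize_status "$SAMPLE_LOG_DONE"
nvme_sanitize_status "$SAMPLE_LOG_RUNNING"
```

Keeping the raw sanitize log page as the evidence file matters more than the command's exit code: the sanitize command returns as soon as the controller accepts it, and only the log page shows whether the operation completed, is still running, or failed.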
Sanitizing mobile devices (smartphones, tablets) securely
Mobile devices combine storage, encryption, and account bindings. Start by ensuring device encryption is enabled while the device is in service (iOS enables hardware encryption by default; modern Android devices should use file-based or full-disk encryption). Use your MDM to perform a remote wipe for devices enrolled in management; verify the wipe by checking MDM logs and device status. For devices not managed by MDM, perform a factory reset only after removing account bindings (Apple ID, Google account) and disabling activation/FRP locks; otherwise the device may remain inaccessible or personal accounts may persist. If a device is damaged and cannot be wiped, document chain-of-custody and perform physical destruction (chip-level) following documented procedures.
Implementation steps for a small business under the Compliance Framework
1) Inventory all devices and SSDs containing FCI and record serial numbers, model, vendor, and whether encryption is enabled.
2) Categorize devices by the sanitization method available (ATA Secure Erase, NVMe sanitize, crypto-erase, MDM wipe, factory reset, physical destruction).
3) Create step-by-step SOPs for each category, including commands, expected output, and verification steps.
4) Test the procedures on non-production hardware and retain screenshots/logs as templates.
5) Train staff and restrict sanitization commands to authorized personnel; maintain a sanitization log and attach artifacts (command output, MDM logs, photos of destroyed media).
6) If you choose vendor-managed destruction, obtain a Certificate of Destruction and verify that the vendor's method is acceptable to your contracting officer.
Compliance tips, best practices, validation and common pitfalls
Best practices include: enabling encryption by default on laptops and phones so future sanitization can rely on crypto-erase; using MDM enrollment for lifecycle control; validating sanitize operations immediately with vendor tools or SMART/NVMe status queries; and keeping robust logs (time, operator, device ID, method, tool/version, output). Common pitfalls are relying on overwrites for SSDs, forgetting activation locks on mobile devices, and failing to capture evidence. For audit readiness, map each sanitized device to the related FAR/CMMC requirement in your Compliance Framework documentation and retain those records for the period required by contract or company policy.
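An audit-readiness check that ties the inventory from step 1 of the implementation list to the sanitization log from step 5 and to the "failing to capture evidence" pitfall above, as an added shell example that is not part of the original post. The CSV layouts, file names and sample records are constructed assumptions, not a format the post or any standard prescribes; the check lists every FCI device that has no sanitization record, a record with a blank method or tool version, or a record whose evidence file is not actually on disk.

```bash
#!/usr/bin/env bash
# Added example, not code from the original post: reconcile the device
# inventory against the sanitization log before an audit. CSV layouts are
# constructed assumptions (plain comma-separated, no quoted commas):
#   inventory.csv     serial,model,vendor,encrypted,contains_fci
#   sanitization.csv  timestamp,operator,serial,method,tool_version,artifact
# One sorted line per gap; no output means every FCI device is covered:
#   MISSING <serial>      FCI device with no sanitization record at all
#   NO_METHOD <serial>    record exists but method or tool/version is blank
#   NO_ARTIFACT <serial>  record exists but its evidence file is not on disk
sanitization_gaps() {
  inv="$1"; log="$2"; artdir="$3"
  awk -F, -v artdir="$artdir" '
    { sub(/\r$/, "") }                # tolerate CRLF exports
    NR == FNR {                       # first file: inventory
      if (FNR > 1 && $5 == "yes") fci[$1] = 1
      next
    }
    FNR == 1 { next }                 # second file: skip header
    {
      seen[$3] = 1
      if ($4 == "" || $5 == "") nomethod[$3] = 1
      if ($6 == "") noart[$3] = 1
      else if (system("test -f \"" artdir "/" $6 "\"") != 0) noart[$3] = 1
    }
    END {
      for (s in fci) {
        if (!(s in seen)) print "MISSING " s
        else {
          if (s in nomethod) print "NO_METHOD " s
          if (s in noart) print "NO_ARTIFACT " s
        }
      }
    }' "$inv" "$log" | sort
}

# Constructed sample data: three FCI devices (one never sanitized, one logged
# but with its evidence file missing) and one non-FCI phone with an incomplete
# record that must not be reported.
make_sample_data() {
  d="$1"
  mkdir -p "$d/evidence"
  cat > "$d/inventory.csv" <<'EOF'
serial,model,vendor,encrypted,contains_fci
SN-SSD-0001,LabModel-SATA,VendorA,yes,yes
SN-NVME-0002,LabModel-NVMe,VendorB,yes,yes
SN-TABLET-0003,LabModel-Tablet,VendorC,yes,yes
SN-PHONE-0004,LabModel-Phone,VendorC,yes,no
EOF
  cat > "$d/sanitization.csv" <<'EOF'
timestamp,operator,serial,method,tool_version,artifact
2024-01-15T10:00:00Z,jdoe,SN-SSD-0001,ATA security-erase-enhanced,hdparm vX.YZ,SN-SSD-0001-after.txt
2024-01-15T10:30:00Z,jdoe,SN-NVME-0002,NVMe sanitize sanact=4,nvme version X.Y,SN-NVME-0002-sanitize-log.txt
2024-01-15T11:00:00Z,jdoe,SN-PHONE-0004,,,
EOF
  printf 'Security:\n        not     enabled\n' > "$d/evidence/SN-SSD-0001-after.txt"
}

# Demo run on the constructed data; for real use point the three arguments at
# your own inventory, log and evidence directory.
tmp=$(mktemp -d)
make_sample_data "$tmp"
sanitization_gaps "$tmp/inventory.csv" "$tmp/sanitization.csv" "$tmp/evidence"
rm -rf "$tmp"
```

Running this as part of the periodic review catches the common audit finding that a device was "wiped" in a ticket but has no retrievable artifact; the check is deliberately strict about the evidence file existing, since a log line alone does not demonstrate the action.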
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII for SSDs and mobile devices is practical for small businesses when you implement consistent policies: inventory devices, prefer crypto-erase or vendor-sanctioned sanitize commands for SSDs, use MDM and account-unlinking plus factory reset for mobile devices, validate each action with logs or certificates, and retain documentation as part of your Compliance Framework. Following these steps reduces the risk of FCI exposure and positions you to demonstrate compliance during audits or contract reviews.