If your organization handles Covered Contractor Information (CCI) or Controlled Unclassified Information (CUI), FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII require that IT media be sanitized or destroyed before reuse — this post gives a clear, practical, step-by-step approach for small businesses to implement an auditable, defensible sanitization program that meets the Compliance Framework practice requirements.
Quick step-by-step checklist
1) Inventory and classify media (policy & scope)
Start by listing all media types in scope: laptops, desktops, internal HDDs and SSDs, external USB drives, SD cards, optical media, MFP hard drives, backup tapes, and cloud/virtual disks. For each item record asset tag, owner, last user, data classification (CUI vs non-CUI), and storage/encryption status. For the Compliance Framework practice, create a written policy that defines which sanitization standard applies based on data classification (e.g., NIST SP 800-88 Rev.1 categories: Clear, Purge, Destroy). Small-business example: a 20-person subcontractor tags every laptop and flags drives that ever stored contract deliverables as CUI, so they never get reissued without purge or destruction.
2) Choose the correct sanitization method (Clear, Purge, Destroy)
Map classification to method: for non-sensitive data a "Clear" (single-pass overwrite or built-in erase) can suffice; for CUI, aim for "Purge" or "Destroy." Follow NIST SP 800-88 Rev.1 guidance: HDDs can typically be purged via repeated overwrites or ATA Secure Erase; SSDs require vendor-supported secure erase, NVMe sanitize, cryptographic erase, or physical destruction because overwriting is unreliable. Backups, tapes, and detachable media often require physical destruction (shredding, degaussing for magnetic tapes) or a vendor certificate of destruction. For cloud VMs, "cryptographic erase" by destroying KMS keys and deleting snapshots is the practical purge method — document the KMS key deletion event as evidence.
3) Execute sanitization with appropriate tools and documented procedures
Use validated tools and vendor utilities. Examples and cautions: for HDDs you can use shred (Linux) or dd to overwrite — e.g., shred -v -n 3 /dev/sdX or dd if=/dev/urandom of=/dev/sdX bs=1M status=progress conv=fdatasync — but always confirm the target device name and the method's applicability before use. For SSDs, prefer vendor tools (Samsung Magician, Intel SSD Toolbox, Kingston utilities) or ATA Secure Erase via hdparm (set a security password with --security-set-pass, then issue --security-erase) and NVMe sanitize via nvme-cli; test on nonproduction units first and follow vendor docs closely. For Windows file-level wiping, use Sysinternals SDelete (e.g., sdelete -p 3 -c C: to overwrite free space on the C: volume, or sdelete -p 3 <file> to overwrite a specific file). For encrypted systems, cryptographic erase (expiring or destroying the encryption key) is an accepted purge method — for example, ensure BitLocker keys are destroyed and key escrow deleted via your key management system. Always capture the exact command, timestamps, operator, and device serial in your sanitization log.
4) Verify and retain proof (verification, audit trail)
Verification is mandatory for compliance: after sanitization, perform verification checks such as scanning a sample of sectors with hexdump or dd to confirm no readable residual data, or use a forensic tool to verify the device returns no recoverable files. For physical destruction performed by a vendor, obtain a Certificate of Destruction with serial numbers/asset tags and method used (shredded, degaussed, incinerated). Store all sanitization records, operator signoffs, and destruction certificates in your compliance repository so they can be produced during FAR or CMMC audits. Small-business practice: maintain a single CSV or simple GRC entry per asset that contains pre- and post-sanitization checksums or verification notes and attached vendor certificates.
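The spot check and audit record described in steps 3 and 4, as an added example that is not part of the original post: it samples sectors spread across a wiped device, fails if any sampled byte is non-zero, and appends one CSV row per asset. It runs on a constructed disk image so it works offline; the asset tag, serial and operator values are placeholders, and on real hardware DEVICE would be the wiped block device (e.g. /dev/sdX).

```shell
#!/bin/sh
# Post-sanitization spot check plus audit-log entry (added example, not the
# post's own tooling). The zero check fits a zero-fill overwrite or a drive
# that reads back zeros after Secure Erase / crypto-erase; after a random-
# pattern wipe you would instead look for recognisable plaintext.

# Read SAMPLES sectors spread evenly across DEVICE; return 0 only if every
# sampled sector is all zeros, 1 on residual data, 2 if the device is empty.
verify_zeroed() {
    device=$1; samples=${2:-16}; sector=512
    # blockdev works for real block devices; fall back to wc for image files
    size=$(blockdev --getsize64 "$device" 2>/dev/null || wc -c < "$device")
    sectors=$((size / sector))
    [ "$sectors" -gt 0 ] || return 2
    i=0
    while [ "$i" -lt "$samples" ]; do
        lba=$((i * sectors / samples))
        # od prints every byte; a line that is not all "00" means residue
        if dd if="$device" bs=$sector skip="$lba" count=1 2>/dev/null \
             | od -An -v -tx1 | grep -vq '^[ 0]*$'; then
            echo "residual data found at LBA $lba" >&2
            return 1
        fi
        i=$((i + 1))
    done
    return 0
}

# Append one record per asset: when, which device, who, how, and the
# verification result. Header is written once, on first use.
log_sanitization() {
    logfile=$1; asset=$2; serial=$3; operator=$4; method=$5; result=$6
    [ -s "$logfile" ] || \
        echo "timestamp_utc,asset_tag,serial,operator,method,verification" > "$logfile"
    printf '%s,%s,%s,%s,%s,%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$asset" "$serial" "$operator" "$method" "$result" >> "$logfile"
}

# Demo on a constructed 1 MiB image standing in for the wiped drive.
IMG=$(mktemp); LOG=$(mktemp)
dd if=/dev/zero of="$IMG" bs=1024 count=1024 2>/dev/null
if verify_zeroed "$IMG" 32; then result=PASS; else result=FAIL; fi
log_sanitization "$LOG" "LT-0042" "SN-PLACEHOLDER" "jdoe" "dd-zero-1pass" "$result"
cat "$LOG"
```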
5) Handling special cases: SSDs, laptops with encryption, and cloud media
SSDs: do not rely on multi-pass overwrites. Use vendor secure erase, NVMe sanitize, or crypto-erase. If the SSD was encrypted with a strong full-disk encryption (FDE) solution with centrally managed keys, cryptographic erasure (delete the key) is an acceptable purge — log the key destruction event. Mobile devices: deprovision accounts, factory-reset, and remove activation locks (e.g., Apple's Activation Lock) before reuse or follow a secure destruction route. Cloud/virtual disks: delete snapshots, zero-out virtual disks when supported, and irrevocably destroy associated KMS keys — take screenshots and KMS audit logs as verification. MFPs and printers: these often contain internal storage that caches prints; include them in inventory and follow manufacturer-recommended erase or physical removal/destruction processes.
6) Outsource safely when needed (vendor selection and contract language)
If using a third-party destruction partner, choose vendors with ISO 9001/14001 and R2 or NAID AAA certifications where appropriate and require a Certificate of Destruction and chain-of-custody documentation. Include contract clauses requiring the vendor to maintain asset serials and provide signed proof that the device was destroyed to the agreed standard. For small shops, a scheduled monthly pickup of retired media with documented returns and destruction photos can be a practical approach that balances cost and evidentiary needs.
Risk of non-compliance and practical mitigation
Failing to sanitize or destroy media properly risks CUI exposure, contract violations, and audit failures under FAR 52.204-21 and CMMC MP.L1-B.1.VII. Real consequences include loss of government contracts, mandatory remediation, fines, and reputational damage. Practically, immediate mitigations include: stop reuse of any media with unknown sanitization status, quarantine suspect media, and perform a rapid inventory and sanitization sweep. Build sanitization into the asset retirement workflow so reuse never happens until verification is complete.
Summary: Implementing a defensible sanitization program requires an inventory and classification policy, mapping classification to Clear/Purge/Destroy, using vendor-approved or NIST-aligned tools and methods (special handling for SSDs/virtual disks), performing verification, keeping auditable records, and contracting properly with destruction vendors. For small businesses, standardize procedures, keep simple but complete logs, and use encryption + key destruction as a practical purge method when supported — these steps will help you meet the Compliance Framework requirements of FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII while reducing legal and operational risk.