
Step-by-Step: How to Sanitize or Destroy Information System Media to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII

Practical, step-by-step guidance for small businesses to sanitize or destroy media in order to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requirements.

March 27, 2026
4 min read


This post gives a practical, step-by-step approach for small businesses to sanitize or destroy information system media to meet the requirements of FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII, including concrete tools, commands, vendor controls, and documentation you can implement right away.

Overview: what the requirement means and key objectives

Under FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems), paragraph (b)(1)(vii), and the matching CMMC 2.0 Level 1 practice MP.L1-B.1.VII, organizations must sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse. (Media holding Controlled Unclassified Information falls under NIST SP 800-171 and CMMC Level 2, which add requirements this post does not cover.) The key objectives are (1) prevent recovery of the data, (2) maintain chain of custody for media that leaves your control, and (3) document each action so you have evidence for assessments and contract compliance. In practice this means defining a policy, inventorying media, selecting approved sanitization or destruction methods, executing them, and retaining proof (logs, certificates, photos) aligned to MP.L1-B.1.VII.

Step-by-step implementation

1) Assess and inventory media

Start by compiling a media inventory tied to your configuration management or asset management system: laptops, desktops, removable drives (USB), HDDs/SSDs from servers or NAS units, mobile devices, optical media, backup tapes, and paper. Tag each item with owner, data classification (FCI / non-FCI), location, and end-of-life (EOL) action. Include the media that is easy to overlook: the hard drives inside printers and copiers, drives in leased equipment, and spare or failed drives pulled from RAID sets. For small businesses, a simple spreadsheet or a set of ticketing-system fields (asset tag, serial, media type, disposition reason) is adequate for this practice if it is maintained consistently.

2) Choose the right method by media type

Follow NIST SP 800-88 (Rev. 1; Rev. 2, published in 2024, supersedes it but keeps the same three categories): Clear (logical removal, typically a single overwrite pass, which defeats ordinary recovery tools), Purge (makes recovery infeasible even with laboratory techniques), or Destroy (physical destruction). Examples by media type:

HDDs: Clear with a single overwrite pass (shred or dd; extra passes add time, not assurance, on modern drives); Purge with ATA Secure Erase in enhanced mode, the ATA SANITIZE command set, or degaussing; Destroy by shredding.

SSDs: overwriting is unreliable because wear levelling and over-provisioning leave blocks the host cannot address, so Purge with NVMe Sanitize or Format with secure erase, the drive vendor's secure-erase utility, or cryptographic erase; degaussing does nothing to flash. Destroy by shredding to a particle size small enough to break the flash chips themselves.

Self-Encrypting Drives (SEDs): crypto-erase by having the drive discard its media encryption key (TCG Opal revert, ATA SANITIZE crypto scramble, or NVMe crypto erase).

Mobile devices: confirm device encryption is on, then remote-wipe from your MDM and factory reset; the reset discards the encryption key, which is what makes the data unrecoverable.

Paper: crosscut shredding to a small particle size (DIN 66399 level P-4 or finer is a common baseline for confidential business records; strip-cut shredding is not sufficient) or incineration.

Cloud volumes: delete the volume and every snapshot and backup derived from it, and confirm nothing else still references them. If the data was encrypted under a customer-managed key dedicated to it, destroying that key crypto-erases the volume; a key shared with other workloads will also make everything else encrypted under it unrecoverable.

3) Execution examples and technical commands (practical)

Small-business examples you can run today (these commands are destructive; confirm the device name with lsblk -o NAME,SIZE,SERIAL,MODEL before running any of them):

Spinning drives on Linux (Clear): shred -n 1 -v /dev/sdX or dd if=/dev/zero of=/dev/sdX bs=1M status=progress. One pass is sufficient under SP 800-88; /dev/urandom is much slower than /dev/zero and adds nothing on a modern drive, and a zero fill is easier to verify afterwards.

ATA Secure Erase (Purge): first run hdparm -I /dev/sdX and confirm the Security section reports "not frozen", "not locked" and, ideally, "supported: enhanced erase". Drives are commonly frozen by the BIOS at boot; a suspend/resume cycle or hot re-plug usually clears it. Then set a temporary password and erase: hdparm --user-master u --security-set-pass p /dev/sdX && hdparm --user-master u --security-erase-enhanced p /dev/sdX (fall back to --security-erase if enhanced mode is not supported; SP 800-88 counts the normal erase as Clear, not Purge). Connect the drive directly to SATA, not through a USB bridge, which often blocks the command or leaves the drive locked with your temporary password.

NVMe SSDs: nvme id-ctrl /dev/nvme0 | grep -i sanicap shows which sanitize operations the drive supports. Prefer nvme sanitize --sanact=4 /dev/nvme0 (crypto erase) or --sanact=2 (block erase) and poll nvme sanitize-log /dev/nvme0 until it reports completion; otherwise use nvme format --ses=2 /dev/nvme0n1 (crypto erase) or --ses=1 (user data erase). SATA SSDs: use the drive vendor's secure-erase utility (for example Samsung Magician) or ATA Secure Erase as above.

SEDs and BitLocker/LUKS-protected drives: crypto-erase by destroying the key material. LUKS: cryptsetup luksErase /dev/sdX removes every keyslot (or overwrite the LUKS header region), but this only works if no header backup exists elsewhere. BitLocker: delete every key protector (manage-bde -protectors -delete C:) and purge the escrowed recovery password from Active Directory or Entra ID and any other key-escrow system; a recovery key that survives in escrow means the data survives too.

Mobile devices: confirm full-disk encryption is enabled before the device is retired, then issue a remote wipe from your MDM and perform a factory reset. If a device must go out for repair, sanitize it first or send a loaner.

Cloud storage: delete the volume and all snapshots and backups derived from it. Crypto-erase by destroying the customer-managed key (AWS KMS ScheduleKeyDeletion, Azure Key Vault delete followed by purge, Google Cloud KMS destroy key version) only when the key is dedicated to that data. All three clouds impose a waiting period during which a deleted key can still be recovered, so the erase is not complete until the key is actually gone, and a key shared with other workloads takes them down as well.

Always verify success and record how you verified. After a zero fill, cmp -n $(blockdev --getsize64 /dev/sdX) /dev/zero /dev/sdX should report no differences. After a secure erase or random overwrite, read samples back (dd if=/dev/sdX bs=1M count=1 skip=N status=none | hexdump -C | head) and search the whole device for identifiers you know were on it (grep -a -c 'CONTRACT-ID' /dev/sdX should print 0). Mounting the device proves nothing, because a deleted filesystem does not mount either. For destroyed or vendor-processed media, obtain a Certificate of Destruction or a third-party attestation.

4) Documentation, chain of custody, and third-party disposal

Record every sanitization or destruction event: asset tag, serial, method used (e.g., ATA Secure Erase, nvme format, shredder model), operator name, date/time, verification steps, and supporting evidence (screenshots of commands, shredder invoices, Certificate of Destruction). When using third-party recyclers or shredders, require NAID, R2 or e-Stewards certification and a Certificate of Destruction (CoD) that includes media identifiers and process applied. Maintain these records for the period required by contract or policy; for FAR compliance, keep them in your contract compliance repository and link to the asset record. For leased equipment, ensure return processes (sanitized before return) are embedded in asset-offboarding checklists so you don't return FCI to lessors unintentionally.
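Steps 3 and 4 together describe one workflow: overwrite, verify by reading back, and write down what was done. The script below is an added example, not tooling from the original post, that chains those three steps for the Clear case (single zero pass) and appends a CSV evidence line in the fields listed above. It assumes GNU coreutils and util-linux; the asset tag, serial and operator values are placeholders, and the demo runs against a constructed 4 MiB image file rather than a real drive.

```shell
#!/bin/sh
# Added example (not from the original post): Clear, verify, and log.
# (1) overwrite the target with a single pass of zeros (NIST SP 800-88 Clear),
# (2) verify by reading the whole target back, (3) append an evidence line.
# The target may be a block device (/dev/sdX) or a disk-image file; the demo
# builds an image file so the flow can be exercised without touching hardware.
# Assumes GNU coreutils (dd with iflag=count_bytes, stat, tr, head) and
# util-linux blockdev. $OPERATOR, if set, names the person doing the work.
set -eu

# Size in bytes of a block device or a regular file.
target_size() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else stat -c %s "$1"; fi
}

# Clear: one full pass of zeros. Use ATA Secure Erase or NVMe sanitize instead
# when you need Purge; extra overwrite passes add time, not assurance.
sanitize_overwrite() {
  size=$(target_size "$1")
  dd if=/dev/zero of="$1" bs=1M iflag=count_bytes count="$size" \
     conv=notrunc,fdatasync status=none
}

# Verification 1: every byte of the target reads back as zero.
verify_zeroed() {
  size=$(target_size "$1")
  [ "$(head -c "$size" "$1" | tr -d '\000' | wc -c)" -eq 0 ]
}

# Verification 2: a string known to have been on the media (contract number,
# hostname, customer name) is no longer found anywhere on it. This check also
# applies after a random overwrite or secure erase, where verify_zeroed does not.
verify_no_marker() {
  ! grep -a -q -- "$2" "$1"
}

# Append one CSV evidence line: timestamp, asset tag, serial, target, method,
# operator, result. Keep the file linked to the asset record.
record_evidence() {
  # $1 asset tag, $2 serial, $3 target, $4 method, $5 PASS/FAIL, $6 log file
  printf '%s,%s,%s,%s,%s,%s,%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" \
    "${OPERATOR:-$(id -un)}" "$5" >> "$6"
}

# End to end: sanitize, verify, log. Returns 0 only when verification passed.
# $1 target, $2 asset tag, $3 serial, $4 log file, $5 optional known marker
sanitize_and_record() {
  sanitize_overwrite "$1"
  result=PASS
  verify_zeroed "$1" || result=FAIL
  if [ -n "${5:-}" ]; then verify_no_marker "$1" "$5" || result=FAIL; fi
  record_evidence "$2" "$3" "$1" "overwrite-1pass-zero (SP800-88 Clear)" "$result" "$4"
  [ "$result" = PASS ]
}

# Demo on a constructed image: plant a fake FCI identifier at the 1 MiB mark,
# run the flow, print the evidence line, and return 0 on PASS.
demo_on_image() {
  dir=$(mktemp -d)
  img=$dir/disk.img
  log=$dir/sanitization-log.csv
  dd if=/dev/zero of="$img" bs=1M count=4 status=none
  printf 'CONTRACT-ID: FCI-SAMPLE-0001 (constructed)' |
    dd of="$img" bs=1 seek=1048576 conv=notrunc status=none
  grep -a -q 'FCI-SAMPLE-0001' "$img"     # sanity: the marker is there beforehand
  if sanitize_and_record "$img" ASSET-0001 CONSTRUCTED-SN "$log" 'FCI-SAMPLE-0001'
  then rc=0; else rc=1; fi
  tail -n 1 "$log"
  rm -rf "$dir"
  return $rc
}

# Real use: OPERATOR=jdoe sh sanitize_clear.sh /dev/sdX ASSET-TAG SERIAL log.csv [marker]
if [ "$#" -ge 3 ]; then
  sanitize_and_record "$1" "$2" "$3" "${4:-sanitization-log.csv}" "${5:-}"
  tail -n 1 "${4:-sanitization-log.csv}"
fi
```

The evidence line is deliberately plain CSV so it can be pasted into the asset record or a ticket; add a column for the Certificate of Destruction number when a vendor does the final destruction. Because the verification reads the entire target, budget the time for large drives, or switch verify_zeroed to sampled reads and note in the log that the check was sampled.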

Compliance tips, best practices, and risks of non-compliance

Best practices: implement full-disk encryption by default (BitLocker, LUKS, FileVault) so retirement becomes a crypto-erase by destroying keys, and make sure the recovery keys you escrow can be purged as part of that; standardize on vendor tools or NVMe/ATA sanitize commands for SSDs and SEDs, because plain overwrites are ineffective on flash; train staff on the sanitization steps and include sanitization in employee offboarding checklists and in RFP/contract clauses for suppliers. Create a simple Media Sanitization Policy (part of your media protection practice) that maps each media type to its approved method and the evidence required. Risks of not implementing the requirement include accidental disclosure of FCI leading to contract penalties, loss of future government contracts, reputational damage, and incident-response obligations if FCI is recovered from a discarded drive. Even small businesses can face an expensive incident response and contract termination if media containing FCI turns up in the second-hand market.

In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII is achievable for small businesses by inventorying media, selecting NIST‑aligned sanitization methods by media type, applying technical tools (secure-erase, vendor utilities, shredding), maintaining documented verification and chain-of-custody records, and using certified disposal vendors when necessary; combined with default disk encryption and clear policies, these steps provide a practical path to compliance and reduce the risk of data exposure.

 
