Disposing of media that contains Federal Contract Information (FCI) triggers clear compliance obligations under FAR 52.204-21 and CMMC 2.0 Level 1 (control MP.L1-B.1.VII): before disposal or re-use, media must be sanitized or destroyed so that FCI cannot be reconstructed. This post provides a practical checklist and implementation guidance for small businesses to meet those obligations reliably and cost-effectively, with technical details and real-world examples you can apply today.
What the requirement means in practice
FAR 52.204-21 requires contractors to provide “adequate security” for covered contractor information systems, and CMMC 2.0 Level 1 maps those same requirements to practices for protecting FCI. MP.L1-B.1.VII requires that information system media containing FCI be sanitized or destroyed before disposal or release for reuse, so that the FCI cannot be recovered. Practically, this means: identify the media, choose an appropriate sanitization method (clear, purge, or destroy), verify the result, and document the action. In a compliance-framework context, what an assessor looks for is a repeatable process, collected evidence, and auditable records.
Sanitization methods and technical guidance
Follow NIST SP 800-88 Rev. 1 guidance: use “Clear” (logical overwrite), “Purge” (more robust: degauss, crypto-erase, or vendor secure erase), or “Destroy” (physical destruction) depending on media type, sensitivity, and reuse plans. For magnetic HDDs, a one-pass overwrite with random data is generally acceptable for clearing in many environments; ATA Secure Erase (hdparm --security-erase) and drive vendor tools are also effective. For SSDs, wear-leveling makes a logical overwrite unreliable, since remapped or over-provisioned blocks are never reached; prefer cryptographic erase (valid only if the disk was full-disk encrypted for the entire time FCI was stored on it) or the drive’s secure-erase/crypto-sanitize feature (vendor utilities, or the nvme-cli sanitize and format commands for NVMe drives). For mobile devices and removable SD cards, remove the card, perform a cryptographic or factory erase, and then physically destroy it if reuse is not intended. For printers/MFDs and backups/tapes, follow vendor sanitization guidance or engage certified destruction services for degaussing or shredding magnetic tape.
Small-business example: EOL laptop
Scenario: a small contractor is retiring a laptop that handled FCI.
1) Verify the device inventory tag and confirm that the device contained FCI.
2) Confirm whether full-disk encryption (FDE) was enabled. If yes, perform a crypto-erase by destroying the encryption keys; this is often the fastest method and is sufficient if you can show the keys are unrecoverable.
3) If not encrypted, boot a trusted utility and perform a secure erase (vendor secure-erase or ATA Secure Erase, not simple file deletion or a quick format).
4) If the drive is an SSD and no vendor secure erase is available, physically destroy it (shredding or crushing) and obtain a Certificate of Destruction (CoD).
Record serial numbers, method used, operator, date, and CoD reference before disposal.
Step-by-step checklist you can implement
1) Inventory & classify: maintain a media register with unique IDs, owner, media type, and whether the item ever contained FCI.
2) Segregate: isolate media pending sanitization in lockable containers.
3) Select method: use a media-type matrix (HDD -> secure erase/overwrite; SSD -> crypto-erase or physical destruction; tape -> degauss/shred; paper -> cross-cut shred).
4) Execute: perform the sanitization with vetted tools or a certified vendor.
5) Verify: run verification checks (read-back or hash sampling for logical sanitization, visual inspection for physical destruction).
6) Document & retain evidence: media ID, serials, method, operator, date/time, verification result, and the CoD if outsourced.
7) Dispose: recycle or destroy per organizational and environmental policies once the media is sanitized and documented.
Verification, chain of custody, and documentation
Verification is what turns a sanitization action into compliance evidence. For logical sanitization, log the tool used, its version, the command and parameters, and the output (saved to a secure log server, not only on the device being wiped). For physical destruction, obtain a Certificate of Destruction from the vendor that lists the media identifiers and the method (shredded to less than X mm). Maintain chain-of-custody forms whenever media is transferred to a third party: who collected it, transport dates, storage locations, and handoff signatures. Retain the documentation for the contractually required retention period and subject it to periodic internal audit.
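As an added example (not code from the original post), the following Python script performs the read-back/hash-sampling verification described in the checklist against a zero-filled medium and produces a disposition-log entry with the fields listed above. It runs against a constructed in-memory image; the device path, media ID, serial, operator and tool name are placeholders, and the sampling seed is recorded so an auditor can reproduce exactly which sectors were read.

```python
# Read-back verification of a sanitized (zero-filled) medium, plus an evidence record.
# Works on any seekable binary file object: a BytesIO here (constructed sample) or, in
# practice, a block device opened read-only, e.g. open("/dev/sdX", "rb").
import hashlib
import io
import os
import random
from datetime import datetime, timezone

def constructed_image(size, residual=b""):
    """Constructed test medium: all zeros, optionally with leftover bytes in sector 0."""
    buf = bytearray(size)
    buf[:len(residual)] = residual
    return io.BytesIO(bytes(buf))

def sample_offsets(total_bytes, sector_size, samples, seed):
    """First and last sector plus `samples` pseudo-random sectors; the seed is
    recorded so an auditor can reproduce exactly which sectors were read."""
    sectors = total_bytes // sector_size
    rng = random.Random(seed)
    picks = {0, (sectors - 1) * sector_size}
    while len(picks) < min(samples + 2, sectors):
        picks.add(rng.randrange(sectors) * sector_size)
    return sorted(picks)

def verify_zeroed(dev, total_bytes, sector_size=512, samples=64, seed=None):
    """Read sampled sectors back and require every byte to be 0x00.
    Returns (passed, residual_offsets, sha256_of_samples, seed)."""
    seed = seed if seed is not None else int.from_bytes(os.urandom(8), "big")
    digest, residual = hashlib.sha256(), []
    for off in sample_offsets(total_bytes, sector_size, samples, seed):
        dev.seek(off)
        block = dev.read(sector_size)
        digest.update(block)
        if block.count(0) != len(block):  # any non-zero byte means data survived
            residual.append(off)
    return (not residual, residual, digest.hexdigest(), seed)

def disposition_record(media_id, serial, method, tool, operator, result):
    """Evidence entry with the fields the checklist's log template calls for."""
    passed, residual, sample_hash, seed = result
    return {"media_id": media_id, "serial": serial, "method": method, "tool": tool,
            "operator": operator, "timestamp": datetime.now(timezone.utc).isoformat(),
            "verification": "PASS" if passed else "FAIL", "residual_sectors": residual,
            "sample_sha256": sample_hash, "sample_seed": seed}

if __name__ == "__main__":  # 1 MiB constructed image, zeroed as a correct overwrite leaves it
    result = verify_zeroed(constructed_image(1 << 20), 1 << 20)
    print(disposition_record("MED-0042", "SN-CONSTRUCTED", "Clear (1-pass overwrite)",
                             "example-verifier 0.1", "jdoe", result))
```

Sampling proves only that the sampled sectors are clean; for small media or high-value disposals, raise `samples` to cover the whole device, which makes the check a full read-back.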
Risks of non-implementation and enforcement impact
Failure to sanitize or destroy media containing FCI exposes your organization to data breach risk (reconstruction of FCI), contract noncompliance, monetary penalties, loss of government contracts, and reputational damage. A single improperly disposed laptop or tape can lead to a reportable incident, mandatory notification, and costly remediation. For small businesses, the loss of a single contract for non-compliance can be existential — treating sanitization as a core control mitigates that risk.
Compliance tips and best practices
Make sanitization a standard part of your asset lifecycle: enforce FDE at provisioning (which makes disposal simpler via crypto-erase), tag assets with media IDs, include sanitization steps in exit checklists, train staff on approved tools (e.g., vendor secure-erase utilities, certified destruction vendors), and build a vendor list with certificate-of-insurance (COI) checks. Use a simple disposition log template (media ID, serial, custodian, sanitize method and tool, verification result, operator, date, CoD reference). Periodically test your process with spot checks and tabletop exercises (e.g., randomly re-verify five sanitized devices per quarter). Finally, if outsourcing, require SOC 2 or comparable attestations where applicable and keep the CoD and chain-of-custody records in your compliance binder.
Summary: To meet FAR 52.204-21 and CMMC 2.0 MP.L1-B.1.VII for media that contained FCI, implement a repeatable media lifecycle: inventory and classify media, choose appropriate clear/purge/destroy methods (reference NIST SP 800-88), verify sanitization, document everything, and use certified destruction services when physically destroying media; these steps reduce breach risk, preserve contracts, and create auditable evidence of compliance for small businesses.