FAR 52.204-21 and CMMC 2.0 Level 1 require that Federal Contract Information (FCI) be protected when it is no longer needed — that means sanitizing or destroying storage media and devices before reuse or disposal to prevent unauthorized disclosure. This post provides a practical, technical checklist and real-world steps you can use to implement MP.L1-B.1.VII in a small-business environment so you can both meet compliance obligations and reduce operational risk.
Implementation approach — policy, inventory, and roles
Start by codifying a media sanitization policy that maps to the FAR 52.204-21 / CMMC Level 1 control (MP.L1-B.1.VII): define what constitutes FCI, list the media types you hold (HDDs, SSDs, self-encrypting drives (SEDs), USB flash media, mobile phones, multifunction devices (MFDs) such as printers and copiers, and cloud storage), assign a sanitization method to each (Clear, Purge, or Destroy per NIST SP 800-88 Rev. 1), and assign responsibilities. Maintain an up-to-date asset inventory and label media with classification and retention requirements. Make roles explicit (asset owner, sanitization operator, witness/auditor) and require that every sanitization produce evidence (wipe logs, tool output, certificates of destruction) that is stored with the asset's disposition record.
Technical methods — choose Clear, Purge, or Destroy correctly
Use the NIST SP 800-88 categories as your decision matrix: Clear (logical sanitization) for reassigning media within a trusted environment; Purge (cryptographic erase or secure-erase commands) when returning devices or decommissioning; Destroy (physical destruction or shredding) when media cannot be reliably sanitized. For magnetic HDDs, a single overwrite pass of zeros is generally acceptable for Clear; for Purge, use ATA Secure Erase (via hdparm) or degaussing. For SSDs, do not rely on overwriting, even multiple passes: wear levelling and over-provisioned blocks mean an overwrite cannot be trusted to reach every cell. Use ATA Secure Erase, NVMe Format, vendor secure-erase utilities, or crypto-erase (destroying the encryption keys) instead, and when in doubt physically destroy the drive (shredding or in-house crushing). Crucially, degaussing does not sanitize SSDs at all: flash memory is not magnetic, so the data is left intact.
Practical commands and vendor approaches
Some concrete technical actions small IT teams can use:
- HDDs on Linux: dd if=/dev/zero of=/dev/sdX bs=1M status=progress performs a Clear (point it at the whole disk, not a partition, and read the disk back afterwards to verify it is all zeros). Prefer ATA Secure Erase for a Purge: hdparm --user-master u --security-set-pass PASS /dev/sdX && hdparm --security-erase PASS /dev/sdX. Check hdparm -I /dev/sdX first: if the drive reports "frozen", the erase command is rejected and the drive must be unfrozen (a suspend/resume cycle usually does it) before retrying.
- NVMe devices: nvme format --namespace-id=1 --ses=1 /dev/nvme0n1 (secure-erase setting 1 is a user-data erase; follow vendor guidance, since support and behaviour vary by drive).
- SEDs or full-disk-encrypted devices: crypto-shred by securely deleting the disk encryption keys (e.g. BitLocker: manage-bde -protectors -delete <drive>, or revoke the keys through your MDM). Crypto-erase is only as good as the key management: the keys must not survive in escrow, backups, or recovery-key stores that you have not also purged.
- Removable media and USB drives: use shred or secure-delete tools, but treat USB flash like SSDs: overwriting cannot be trusted to reach every block, so verify with vendor utilities where available and destroy the media when the data warrants it.
- Cloud storage: delete the encrypted objects and rotate or remove the encryption keys per your cloud provider's documented secure-deletion process, and keep the provider's deletion confirmation as evidence.
Checklist to sanitize or destroy FCI before disposal or reuse
- Identify media/device and FCI presence; tag asset in inventory.
- Decide method: Clear, Purge, or Destroy based on media type, risk, and reuse.
- If Clear/Purge: run approved tool (hdparm, nvme, vendor tool, crypto-shred) and capture tool output (logs/screenshots).
- If Destroy: engage certified recycler with certificate of destruction (e-Stewards or R2) or perform physical destruction and photograph serial numbers and shredded parts.
- Record chain-of-custody from decommission to destruction; include who handled media and timestamps.
- Store sanitization evidence with the disposal record for audits (tool logs, COI, certificate of destruction, photos, MDM reports).
- Update asset inventory and adjust access control / key escrow records.
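As an added example (not code from the original post), the POSIX shell script below ties the NIST SP 800-88 decision matrix, the Purge commands listed above and the evidence checklist together: it picks Clear, Purge or Destroy from the disposition and media type, refuses degaussing for flash media, prints (without running) the Purge command for a media type, performs a single-pass zero Clear with a full read-back verification, and writes an evidence record with a UTC timestamp, the operator and witness, and a SHA-256 of the tool log. The device paths, asset tag, operator and witness names and the 1 MiB sample file are constructed assumptions; the demo runs against a temporary file standing in for a disk, and pointing clear_device at a real block device requires root and is irreversible.

```shell
#!/bin/sh
# Added example, not code from the original post: NIST SP 800-88 method choice,
# a single-pass zero Clear with full read-back verification, and an evidence
# record for the disposal file. Device paths, asset tags, operator and witness
# names and the sample file are constructed assumptions.

# choose_method DISPOSITION MEDIA PURGE_PATH_OK -> prints Clear | Purge | Destroy
#   DISPOSITION    reuse-internal | return | decommission
#   MEDIA          hdd | ssd | nvme | usb | sed
#   PURGE_PATH_OK  yes when a verifiable Purge exists for this unit
#                  (ATA secure erase, NVMe format, vendor utility, crypto-erase)
choose_method() {
  disposition=$1; media=$2; purge_ok=$3
  case "$media" in
    hdd)              overwrite_ok=yes ;;  # magnetic: single-pass zeros is a valid Clear
    ssd|nvme|usb|sed) overwrite_ok=no ;;   # flash/SED: wear levelling defeats overwrites
    *) echo "choose_method: unknown media '$media'" >&2; return 1 ;;
  esac
  case "$disposition" in
    reuse-internal)
      if [ "$overwrite_ok" = yes ]; then echo Clear; return 0; fi ;;
    return|decommission) ;;                # media leaves our control: at least Purge
    *) echo "choose_method: unknown disposition '$disposition'" >&2; return 1 ;;
  esac
  if [ "$purge_ok" = yes ]; then echo Purge; else echo Destroy; fi
}

# degauss_permitted MEDIA -> exit 0 only for magnetic media. Degaussing leaves
# flash memory intact, so it is never a Purge for SSD, NVMe or USB flash.
degauss_permitted() { [ "$1" = hdd ]; }

# purge_command MEDIA DEV -> prints, without running, the Purge command to use
purge_command() {
  case "$1" in
    hdd|ssd) echo "hdparm --user-master u --security-set-pass PASS $2 && hdparm --security-erase PASS $2" ;;
    nvme)    echo "nvme format --namespace-id=1 --ses=1 $2" ;;
    sed)     echo "crypto-erase: destroy the disk encryption key (BitLocker: manage-bde -protectors -delete <drive>)" ;;
    *)       echo "purge_command: no scripted Purge for '$1'; use a vendor tool or Destroy" >&2; return 1 ;;
  esac
}

# device_size DEV -> size in bytes; a block device (Linux, needs root) or a
# regular file standing in for one
device_size() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"
  else wc -c < "$1" | tr -d ' '
  fi
}

# clear_device DEV LOG -> NIST Clear: one pass of zeros over the whole device,
# dd's own summary appended to LOG as evidence. DEV must be the whole disk and
# its size a multiple of 4096; verify_zeroed catches any unwiped tail.
clear_device() {
  size=$(device_size "$1") || return 1
  dd if=/dev/zero of="$1" bs=4096 count=$((size / 4096)) conv=notrunc 2>>"$2"
}

# verify_zeroed DEV -> exit 0 only if every byte reads back as zero
verify_zeroed() {
  size=$(device_size "$1") || return 1
  head -c "$size" /dev/zero | cmp -s - "$1"
}

file_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# write_evidence OUT ASSET DEV METHOD STATUS LOG -> disposition record for the
# audit file; OPERATOR and WITNESS are read from the environment
write_evidence() {
  {
    echo "timestamp_utc=$(date -u +%Y-%m-%dT%H:%M:%SZ)"
    echo "asset_tag=$2"
    echo "device=$3"
    echo "method=$4"
    echo "exit_status=$5"
    echo "log_file=$6"
    echo "log_sha256=$(file_sha256 "$6")"
    echo "operator=${OPERATOR:-unset}"
    echo "witness=${WITNESS:-unset}"
  } > "$1"
}

# demo_on_sample_file -> runs the Clear path against a constructed 1 MiB file,
# never a real disk, and prints the evidence record
demo_on_sample_file() {
  dir=$(mktemp -d) || return 1
  dev="$dir/fake-sdX"; log="$dir/clear.log"; rec="$dir/evidence.txt"
  head -c 1048576 /dev/urandom > "$dev"        # constructed stand-in for FCI on a disk
  method=$(choose_method reuse-internal hdd yes) || return 1
  clear_device "$dev" "$log"; status=$?
  verify_zeroed "$dev" && verified=yes || verified=no
  OPERATOR=jdoe; WITNESS=asmith                 # assumed operator and witness
  write_evidence "$rec" ASSET-0001 "$dev" "$method" "$status/verified=$verified" "$log"
  cat "$rec"
  [ "$status" = 0 ] && [ "$verified" = yes ]
}

if [ "${1:-}" = --demo ]; then demo_on_sample_file; fi
```

Run it as sh sanitize.sh --demo to see the evidence record for the sample file. The verification step is the part most DIY wipes skip: a Clear that is not read back is an assumption, not evidence, and the SHA-256 of the log lets an auditor confirm the stored tool output was not altered after the fact.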
Real-world small-business scenarios:
- Replacing employee laptops: run full-disk encryption (BitLocker/FileVault) in production from the start; when decommissioning, crypto-erase by deleting the keys or run the vendor secure-erase utility, and retain the log.
- Returning leased devices: run the vendor's purge utility, or physically destroy the internal drive if the contract prohibits reuse.
- Disposing of an MFD (printer/copier): have the vendor's service wipe the storage module (get a service report) or remove and destroy the module.
- Cloud backups: when the contract ends, delete the backup objects and rotate or destroy the encryption keys; request the provider's deletion confirmation for evidence.
Compliance tips and best practices: implement full-disk encryption from day one to simplify sanitization (crypto-shredding reduces time and cost), integrate sanitization steps into your IT asset lifecycle and ticketing system, require certificates of destruction from third-party recyclers, and train staff on media handling. Include sanitization verification steps in periodic internal audits and tabletop exercises. Maintain a small budget for occasional certified destruction services — cost-effective for small businesses and often less risky than DIY approaches that can fail and lead to breaches.
Risk of non-compliance: failing to sanitize or destroy FCI properly risks data leaks that can result in contract termination, civil penalties, loss of future federal work, reputational harm, and legal exposure under federal contracting rules. Even accidental data remnant exposure (e.g., a reused SSD with recoverable data) can trigger costly incident response, customer notifications, and remediation. Small businesses especially face outsized impacts because a single compliance lapse can undermine trust with multiple contracting officers.
In summary, meeting MP.L1-B.1.VII under FAR 52.204-21 / CMMC 2.0 Level 1 is a mix of policy, practical tools, and verifiable evidence: keep a labeled inventory, choose Clear/Purge/Destroy per NIST SP 800-88, use secure-erase or crypto-shred for SSDs, obtain certificates of destruction for physical disposal, and record everything for auditability. Follow these steps and the checklist above to turn a compliance requirement into an operational process that reduces risk and protects your business.