Sanitizing media to remove Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) is a practical requirement under FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII; this post explains how to apply NIST SP 800-88 Rev.1 methods (Clear, Purge, Destroy) with concrete steps, tools, and small-business examples so you can build an auditable, cost-effective sanitization program.
How NIST 800-88 maps to FAR 52.204-21 / CMMC MP.L1-B.1.VII
NIST SP 800-88 provides the technical taxonomy and validated methods for media sanitization; FAR 52.204-21 and CMMC Level 1 require contractors to safeguard FCI and implement controls for media handling and disposal. Practically, this means your organization must (a) identify media that may contain FCI/CUI, (b) apply an appropriate NIST-sanctioned method (Clear, Purge, or Destroy) based on media type and reuse plans, and (c) document verification and chain-of-custody to prove compliance.
Clear, Purge, Destroy – choosing the right method
Follow a decision flow: if media will be reused internally and is magnetic HDD or logically accessible storage, "Clear" (e.g., single- or multi-pass overwrite) is usually sufficient; if media is to be reused externally or is high-risk (SSDs, removable flash, mobile devices), use "Purge" (cryptographic erase, degauss for magnetic tape) or "Destroy" (physical shredding) when purge is impractical. For example, modern SSDs typically require purge (ATA Secure Erase, NVMe sanitize, or cryptographic erase on self-encrypting drives) because wear-leveling can leave remnant data after overwrites; NIST 800-88 explicitly warns about overwrite limitations on flash-based media.
Implementation steps for a small business
Start with a simple SOP and asset inventory: tag devices (laptops, desktops, external drives, USB sticks, phones, MFPs, backup tapes), classify which assets may host FCI, and define the events that trigger sanitization (decommissioning, employee exit, lease return). Implement full-disk encryption (FDE) on all endpoints (BitLocker, FileVault, LUKS) as a baseline; FDE combined with controlled key management makes cryptographic erase (destroying the keys) an effective purge step. Example: a 10-person company can enable BitLocker with recovery keys backed up to Intune/Azure AD; when a laptop is retired, remove the keys from escrow and run the manufacturer's secure erase or a verified vendor erase service before resale or recycling.
Technical methods and tools (practical, auditable choices)
Use vendor and community tools matched to the device type. For HDDs, hdparm with ATA Secure Erase is reliable: first confirm with hdparm -I that the drive is not reported as "frozen" (a suspend/resume cycle often clears that state), then set a temporary password with --security-set-pass and issue --security-erase. For SSDs, prefer the drive vendor's secure-erase utility or the built-in sanitize/secure-erase commands (nvme-cli or vendor utilities) rather than overwriting with zeros. On Windows, SDelete (sdelete -z) clears free space on a disk that stays in service; it does not sanitize a whole drive that is being retired. For evidence and audit, capture the tool output and the drive serial numbers and store a certificate of erasure. For tapes, degaussing or physical destruction works. For cloud storage, implement and document cryptographic key destruction or tenant/volume deletion procedures using the cloud provider's documented APIs; NIST treats destroying encryption keys as cryptographic erase, and it is effective for cloud and virtual disks when keys are unique per tenant or per volume.
Special cases: SSDs, MFDs, mobile devices, and backups
SSDs: do not rely solely on multi-pass overwrites. Use ATA Secure Erase, NVMe sanitize, or cryptographic erase for SEDs (OPAL/PSID revert). MFDs/printers: follow vendor sanitization procedures and, if feasible, remove and destroy internal storage modules; retain vendor certificates for audit. Mobile phones/tablets: use MDM remote wipe and factory reset, combined with encryption and key management so that a wiped device cannot be recovered. Backups: ensure retention policies remove FCI and run sanitization on hardware holding backup copies; if backups are in the cloud, document how snapshots and copies are sanitized and when keys are destroyed to meet purge requirements.
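The decision flow from the "Clear, Purge, Destroy" section and the special cases above, written as a shell function that a decommissioning script can call so the chosen method is recorded rather than decided from memory. This is an added example, not code from the original post; the argument vocabulary (media type, disposition, a key-control flag, a purge-capability flag) and the technique labels it prints are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the original post): NIST SP 800-88 method selection.
# Argument vocabulary (an assumption of this script):
#   media        hdd | ssd | nvme | usb | tape | mobile | mfp
#   disposition  reuse-internal | reuse-external | dispose
#   keyctl       yes if the media was encrypted (FDE or SED) with keys held under
#                organizational control, so cryptographic erase is possible
#   purgeable    yes if a purge mechanism exists and is practical for this unit
#                (ATA Secure Erase, NVMe sanitize, degausser, vendor procedure)
# Prints "<METHOD> <technique>" and returns 0, or returns 2 on unknown input.
select_method() {
    media="$1"; disposition="$2"; keyctl="${3:-no}"; purgeable="${4:-no}"

    case "$media" in
        hdd|ssd|nvme|usb|tape|mobile|mfp) ;;
        *) echo "unknown media type: $media" >&2; return 2 ;;
    esac
    case "$disposition" in
        reuse-internal|reuse-external|dispose) ;;
        *) echo "unknown disposition: $disposition" >&2; return 2 ;;
    esac

    # Cryptographic erase with controlled keys is a purge on any media type and
    # is the cheapest option whenever FDE/SED was enforced, so it is taken first.
    if [ "$keyctl" = yes ]; then
        echo "PURGE cryptographic-erase"; return 0
    fi

    # Magnetic HDD staying in-house: a verified overwrite (Clear) is sufficient.
    if [ "$media" = hdd ] && [ "$disposition" = reuse-internal ]; then
        echo "CLEAR verified-overwrite"; return 0
    fi

    # Everything else is flash, high-risk, or leaving the organization:
    # purge if a practical purge mechanism exists, otherwise destroy.
    if [ "$purgeable" = yes ]; then
        case "$media" in
            hdd)    echo "PURGE ata-secure-erase" ;;
            ssd)    echo "PURGE ata-secure-erase-or-vendor-sanitize" ;;
            nvme)   echo "PURGE nvme-sanitize" ;;
            tape)   echo "PURGE degauss" ;;
            mfp)    echo "PURGE vendor-sanitize-procedure" ;;   # keep the vendor certificate
            # A wipe or factory reset without controlled keys is not treated
            # as a purge here, and generic USB flash has no reliable purge.
            mobile|usb) echo "DESTROY physical-destruction" ;;
        esac
        return 0
    fi
    echo "DESTROY physical-destruction"
}
```

Logging the four inputs next to the printed result for each asset gives the "method selection rationale (why Clear vs Purge vs Destroy)" an assessor will ask for, and the explicit return code for unknown input prevents a typo in an inventory export from silently defaulting to Clear.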
Risks, verification, and compliance tips
Risk of not sanitizing properly includes data leakage, contract termination, monetary penalties, and reputational damage. To mitigate these risks: (1) maintain an auditable chain-of-custody and certificate of sanitization (tool output, serial numbers, operator, date), (2) include sanitization clauses in vendor and recycler contracts requiring a certificate of destruction, (3) test and verify tools on representative hardware and keep test logs, and (4) train staff on triggers and escalation. For audits, be ready to show the policy, inventory, method selection rationale (why Clear vs Purge vs Destroy), and verification evidence.
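A verify-and-certify step for the evidence requirements in the "Technical methods and tools" section (capture tool output and serial numbers, store a certificate of erasure) and in item (1) above. This is an added example, not code from the original post: it performs a one-pass zero overwrite (a Clear), reads the whole target back to confirm no nonzero byte remains, and only then appends a certificate record (serial, method, operator, UTC date, SHA-256 of the tool log) as one JSON line. The target is a constructed temporary image so nothing real is touched; in practice the target is a block device. The record field names and the "CLEAR-overwrite-1pass" label are assumptions made here. For flash media this read-back proves nothing about over-provisioned cells, so it is only meaningful for a Clear on magnetic HDDs.

```shell
#!/bin/sh
# Added example (not from the original post): overwrite, verify, and certify.

# Return 0 if every byte of TARGET reads back as zero, 1 otherwise.
# od -v disables duplicate-line suppression, and with -An -tx1 the output is
# only hex digits and spaces, so any digit 1-9 or a-f is a surviving nonzero byte.
verify_zeroed() {
    if od -An -v -tx1 "$1" | grep -q '[1-9a-f]'; then
        return 1
    fi
    return 0
}

# One-pass zero overwrite; dd's summary on stderr is kept as the tool log.
# conv=notrunc keeps a file target at its original size (a device is unaffected).
overwrite_zero() {
    target="$1"; log="$2"
    size=$(wc -c < "$target" | tr -d ' ')
    dd if=/dev/zero of="$target" bs=512 count=$((size / 512)) conv=notrunc 2>"$log"
}

# SHA-256 of the tool log, so the certificate is bound to its evidence file.
log_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1"
    else
        shasum -a 256 "$1"    # macOS fallback
    fi | cut -d' ' -f1
}

# Append one certificate record (assumed field names). Serial and operator are
# operator-controlled inputs and are not JSON-escaped here. Only called after
# verification has passed.
write_certificate() {
    target="$1"; serial="$2"; method="$3"; operator="$4"; log="$5"; out="$6"
    printf '{"asset_serial":"%s","target":"%s","method":"%s","operator":"%s","date":"%s","verified":true,"log_sha256":"%s"}\n' \
        "$serial" "$target" "$method" "$operator" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(log_digest "$log")" >> "$out"
}

# Overwrite, verify, certify. A failed verification leaves no certificate
# behind, so every record in the file attests to a checked result.
sanitize_and_certify() {
    target="$1"; serial="$2"; operator="$3"; cert_file="$4"
    log=$(mktemp)
    overwrite_zero "$target" "$log"
    if ! verify_zeroed "$target"; then
        echo "verification FAILED for $serial; no certificate issued" >&2
        rm -f "$log"
        return 1
    fi
    write_certificate "$target" "$serial" "CLEAR-overwrite-1pass" "$operator" "$log" "$cert_file"
    rm -f "$log"
    echo "certified $serial"
}

# Constructed stand-in for a drive: 256 KiB of random data in a temp file.
make_sample_image() {
    dd if=/dev/urandom of="$1" bs=4096 count=64 2>/dev/null
}

# Usage: sh verify_and_certify.sh demo   (constructed image; no real hardware)
if [ "${1:-}" = demo ]; then
    img=$(mktemp); certs=$(mktemp)
    make_sample_image "$img"
    sanitize_and_certify "$img" "CONSTRUCTED-SN-0001" "operator@example.test" "$certs"
    cat "$certs"
    rm -f "$img" "$certs"
fi
```

The full read-back is what turns a tool's exit status into verification evidence; for a vendor secure erase or NVMe sanitize the same pattern applies, with the vendor utility's output as the log and a read-back or the drive's own sanitize-status report as the check.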
Summary: implement an asset-tagging + classification policy, default to full-disk encryption with controlled key management, apply NIST 800-88 methods matched to media type (use vendor secure-erase, cryptographic erase, or physical destruction as appropriate), maintain documentation and certificates for every sanitized asset, and incorporate sanitization into procurement, HR offboarding, and disposal workflows to satisfy FAR 52.204-21 and CMMC MP.L1-B.1.VII.