This post explains how to design and implement a media destruction policy that satisfies the FAR 52.204-21 basic safeguarding requirements and CMMC 2.0 Level 1 practice MP.L1-b.1.vii (media protection - destruction), giving you concrete procedures, technical guidance, templates, and small-business examples to make the policy operational and auditable.
Why a media destruction policy is required and what’s at risk
FAR 52.204-21 obligates contractors to protect covered contractor information on their information systems and CMMC Level 1 explicitly requires media protection controls including disposal/destruction. Without documented, repeatable destruction procedures you risk accidental disclosure of sensitive information (including Controlled Unclassified Information), regulatory non‑conformance, contract penalties, lost trust with prime contractors, and data breach liability. For example, a 20‑employee subcontractor that resells used laptops without proper sanitization could inadvertently expose names, contract excerpts, or system credentials—causing a prime contractor to fail an audit or lose a contract.
Key components of a compliant media destruction policy
A complete policy should include: scope and applicability (media types covered: HDD, SSD, removable media, paper, CDs, backup tapes, mobile devices, cloud storage keys); roles and responsibilities (IT, security manager, facilities, approved vendor); approved destruction methods mapped to media types; inventory and labeling requirements; chain‑of‑custody and transport controls; vendor qualification and contract clauses; records retention and Certificates of Destruction; verification and sampling procedures; and exception/retention workflows. Define a clear mapping from CUI or Covered Contractor Information classification to destruction timelines and methods.
Technical methods and implementation notes (practical guidance)
Follow NIST SP 800‑88 Rev. 1 guidance for media sanitization as the technical baseline. Practical notes by media type:
Magnetic HDDs: use a DoD‑style three‑pass overwrite or ATA Secure Erase, then verify the result. Degaussing is effective for magnetic media but requires a degausser of appropriate strength and renders the media unusable.
SSDs and NVMe: overwriting is unreliable because wear leveling leaves remapped blocks untouched. Use the vendor's ATA Secure Erase, cryptographic erase (only if full‑disk encryption was in use), or physical destruction (shredding, disintegrating) certified for SSDs.
Optical media and tapes: shred or incinerate; for tapes, vendor‑approved degaussing is also acceptable.
Mobile devices: a factory reset alone is not sufficient. Rely on full device encryption followed by crypto‑erase, or physically destroy the device.
Cloud or managed SaaS: document key destruction and deletion of backups. Key destruction (crypto‑erase) can satisfy sanitization when full‑disk encryption was consistently applied.
Step-by-step procedure and chain-of-custody
Implement a simple, auditable procedure:
1) Asset identification and classification: log asset type, serial number, user, and whether CUI is present.
2) Preparation: remove batteries and peripherals; record the asset ID and reason for disposal.
3) Transport: place the asset in a tamper‑evident bag or locked container and complete the chain‑of‑custody form.
4) Sanitization/destruction: perform the approved method (overwrite, crypto‑erase, degauss, shred) and capture supporting output (secure‑erase logs, vendor certificate, photos of shredder discharge).
5) Verification: forensically sample 5–10% of sanitized media or validate secure‑erase return codes.
6) Documentation: store the Certificate of Destruction (CoD) with the asset record for the retention period specified in the contract or company policy.
Use tamper‑evident seals, pre‑numbered transport forms, and electronic logs recording who, when, and where to demonstrate control.
Templates you can adapt (policy clauses and CoD)
Use the following starter language and adapt it to your environment.
Sample policy clause: "All media containing Covered Contractor Information or CUI must be sanitized or destroyed prior to disposal as specified in this policy. Approved methods: (a) magnetic media – Secure Erase followed by verification OR physical destruction; (b) SSD/NVMe – crypto‑erase or physical destruction; (c) paper – cross‑cut shredding to 1mm x 5mm or pulping. The Security Officer must maintain an asset disposal log and Certificates of Destruction for a minimum of [contract-specified retention period]."
Sample Certificate of Destruction (fields to capture): Company Name; Vendor Name (if applicable); Date; Asset Type; Serial/Asset Tag; Quantity; Presence of CUI (Yes/No); Destruction Method Used; Serial Nos. of Equipment Used (shredder ID/degausser); Signature/Name of Operator; Photo Evidence Location/Link.
Keep CoDs as electronic PDFs in a versioned repository and back them up per normal records management.
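As an added example (not code from the original post), the following Python validates disposal-log records against the media-type-to-method mapping and CoD fields described above, flags crypto-erase claims that lack documented full-disk encryption, and hash-chains the log so later edits to an entry are detectable. The method names, field names and sample records are constructed assumptions, not a standard schema.

```python
# Disposal-log checker (added example, not from the original post). Validates each
# record against the media-type -> approved-method mapping and the CoD fields, and
# hash-chains the log so any later edit to an entry is detectable.
import hashlib, json

# Approved methods per media type, following the NIST SP 800-88 notes above.
APPROVED = {
    "hdd": {"secure_erase", "overwrite_3pass", "degauss", "shred"},
    "ssd": {"secure_erase", "crypto_erase", "shred", "disintegrate"},
    "tape": {"degauss", "shred", "incinerate"},
    "optical": {"shred", "incinerate"},
    "mobile": {"crypto_erase", "shred"},
    "paper": {"crosscut_shred", "pulp"},
}
# Certificate of Destruction fields every record must carry (False is a value).
COD_FIELDS = ("asset_tag", "serial", "media_type", "cui", "method",
              "operator", "date", "equipment_id", "evidence")

def check_record(rec):
    """Return the list of findings for one record (empty means compliant)."""
    findings = [f"missing field: {f}" for f in COD_FIELDS
                if rec.get(f) in (None, "")]
    mtype, method = rec.get("media_type"), rec.get("method")
    if mtype not in APPROVED:
        findings.append(f"unknown media type: {mtype}")
    elif method not in APPROVED[mtype]:
        findings.append(f"{method} not approved for {mtype}")
    # Crypto-erase only satisfies sanitization if full-disk encryption was on.
    if method == "crypto_erase" and not rec.get("fde_enabled"):
        findings.append("crypto_erase without documented full-disk encryption")
    return findings

def chain_hash(records):
    """SHA-256 hash chain over the log; editing any entry changes the final digest."""
    digest = "0" * 64
    for rec in records:
        digest = hashlib.sha256((digest + json.dumps(rec, sort_keys=True)).encode()).hexdigest()
    return digest

# Constructed sample log entries (hypothetical assets, not real data).
LOG = [
    {"asset_tag": "LT-001", "serial": "SN1", "media_type": "ssd", "cui": True,
     "method": "crypto_erase", "fde_enabled": True, "operator": "J. Doe",
     "date": "2024-03-01", "equipment_id": "n/a", "evidence": "erase-001.log"},
    {"asset_tag": "PH-002", "serial": "SN2", "media_type": "mobile", "cui": False,
     "method": "factory_reset", "operator": "J. Doe", "date": "2024-03-02",
     "equipment_id": "n/a", "evidence": ""},
]
```

Store the chain digest alongside each exported log so a quarterly reconciliation can recompute it and detect silently altered or deleted entries.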
Small-business scenarios and vendor selection
Scenario A — in‑house: A 15‑person engineering subcontractor can buy a cross‑cut shredder whose specifications explicitly rate it for SSDs and use a written chain‑of‑custody. This is cost‑effective but requires training, lockable storage, and a written test/verification program.
Scenario B — vendor: A 50‑person supplier may use a certified destruction vendor for bulk assets; require SOC 2 or similar evidence from the vendor, obtain a signed CoD detailing methods (shredder model, degausser strength), and include audit rights in the contract.
Vendor due‑diligence checklist: proof of physical security, method certification, insurance, evidence retention, a sample CoD, and references. Small businesses should weigh the cost of a one‑time vendor run against maintaining internal capability, and document the selection in the policy.
Compliance tips and best practices
Best practices: map media destruction procedures to specific contract clauses and CUI categories; enforce full‑disk encryption from day one to enable safe crypto‑erase later; log every disposal with timestamps and actor identity; perform quarterly reconciliation between asset inventory and disposal logs; incorporate destruction steps into offboarding; train staff annually and test the process with surprise spot‑checks; and maintain metrics such as time‑to‑destruct and percentage of destructions with CoDs. For audits, prepare a binder or digital folder with policy, sample CoDs, vendor contracts, verification reports, and recent audit logs.
In summary, building a compliant media destruction policy for FAR 52.204-21 and CMMC 2.0 Level 1 requires a clear scope, approved methods mapped to media types, documented chain‑of‑custody and verification steps, and retained evidence (Certificates of Destruction). Use NIST SP 800‑88 as the technical baseline, make pragmatic choices for small‑business scale (in‑house vs. vendor), and codify procedures so anyone in your organization can follow them reliably—doing so reduces the risk of data exposure and demonstrates defensible compliance to primes and auditors.