Creating a media sanitization procedure that satisfies FAR 52.204-21 and the CMMC 2.0 Level 1 practice MP.L1-B.1.VII for Federal Contract Information (FCI) comes down to repeatable processes, clear responsibilities, and documented evidence. This post gives small businesses a practical, step-by-step blueprint (with checklists and template text) for implementing a compliant program as part of your broader Compliance Framework.
Why this matters (and the Compliance Framework angle)
Under the Compliance Framework you are required to implement basic safeguarding for FCI; effective media sanitization removes sensitive data from storage media before reuse, transfer, or disposal and prevents data leakage that could result in contract penalties, lost business, or reputational damage. Using a formal procedure mapped to FAR 52.204-21 and the CMMC Level 1 practice ensures your controls are auditable and repeatable, and that you can provide evidence to primes, contracting officers, or assessors.
Scope and definitions for your procedure
Define the scope in your Compliance Framework artifact: what counts as media (hard drives, SSDs, USB drives, mobile devices, CDs/DVDs, printed materials, and storage embedded in equipment such as printers and copiers), what is FCI in your environment, and excluded assets (e.g., commercial-off-the-shelf devices holding no FCI). Use NIST SP 800-88 Rev. 1 terminology (Clear, Purge, Destroy) in your procedure and identify roles: Asset Owner, Information System Security Officer (ISSO), IT Administrator, and Disposal Vendor. Include a mapping section that explicitly ties each step to FAR 52.204-21 and MP.L1-B.1.VII for auditors.
Step-by-step sanitized media workflow (practical implementation)
Implement a simple, enforceable workflow: (1) Inventory media and tag items with unique asset IDs when introduced; (2) Classify any data on the media as FCI or non-FCI; (3) Determine sanitization method per media type and intended disposition; (4) Execute sanitization using validated tools or a certified destruction vendor; (5) Record the action in a Media Sanitization Log with signatures; (6) Verify sanitization (log checksums, tool output, or vendor certificate); (7) Update inventory and destroy labels or remove asset records as appropriate. Automate steps where possible (e.g., centralized asset database, endpoint management) and require approval from the Asset Owner before reuse or disposal.
Technical methods and verification details
Choose methods appropriate to the media, following the NIST SP 800-88 Rev. 1 decision logic: Clear (a verified overwrite) is adequate only when the media stays under your control at the same or lower sensitivity; media leaving your control (resale, return to a lessor, disposal) should be Purged or Destroyed. For magnetic HDDs, a single verified overwrite pass meets Clear (NIST SP 800-88 Rev. 1 considers the DoD 5220.22-M style multi-pass wipe unnecessary on modern drives), and ATA Secure Erase or the ATA SANITIZE command issued to the drive firmware meets Purge. For SSDs, prefer the drive's own block erase or cryptographic erase (ATA SANITIZE, NVMe Format with a secure-erase setting, or the vendor's utility) or physical destruction; software overwrites are unreliable on wear-leveled flash because the controller can leave remapped and over-provisioned blocks untouched. For mobile devices, confirm device encryption was enabled before any FCI reached the device, then use the platform factory reset (which destroys the encryption key) for reuse, or physical destruction at end of life. Use tools that leave verifiable output: SDelete (Windows) with its console output captured (its free-space wipe has the same flash limitation), manufacturer secure-erase utilities whose logs include the drive serial number, or MDM-issued wipe reports for mobile devices. Verify the result rather than trusting the tool's exit status: NIST SP 800-88 expects a read-back check, of every sector or of a representative sample, confirming the expected pattern. Retain verification artifacts (tool logs, read-back results, vendor certificates) in your Compliance Framework evidence repository for the contract retention period (or at least until audit).
Small-business scenarios and real-world examples
Example A: A 12-person consulting firm that handles FCI on laptops repurposes machines for interns. Procedure: before redeploy, IT runs the drive vendor's Secure Erase utility (Samsung or Crucial toolkit) and documents serial number, tool name, date, operator, and the success log. If Secure Erase is unsupported, the firm contracts a shredding vendor and keeps the certificate of destruction. Example B: An MSP receives client-supplied USB drives; policy says never connect untrusted media, so any received drive is immediately logged and either returned to the client or sent to a certified vendor for physical destruction, with the certificate retained. Example C: A small manufacturer replaces PLC flash cards; it uses physical destruction because the controllers lack secure-erase capability, and the ISSO documents chain-of-custody and disposal certificates.
Checklist & templates (ready-to-adopt language)
Use this short checklist when executing sanitization: 1) Confirm asset ID and media type; 2) Confirm presence of FCI and owner approval; 3) Select sanitization method (Clear/Purge/Destroy); 4) Run tool or arrange vendor; 5) Capture verification evidence (logs/certificates); 6) Update the asset inventory and revoke any credentials, certificates, or encryption keys tied to the device; 7) Store evidence in the evidence repository. Template fields to include in a Media Sanitization Record: Asset ID; Serial Number; Media Type; Data Classification (FCI/Non-FCI); Sanitization Method (name and version of tool, or vendor); Operator Name; Date/Time; Verification Output (attach log or certificate reference); Destination (reuse, recycle, landfill); Approver Signature and Date. Sample Certificate of Destruction line: “On {date}, vendor {name} destroyed media with serials {list} via {method}; certificate ID {#}; signed {vendor rep}.” Put this exact template into your Compliance Framework documentation as a fillable form.
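The read-back verification from the technical section and the record template above, carried into working code as an added example (not part of the original post, and not a NIST, CMMC, or vendor tool). It assumes a JSON Lines log, a SHA-256 hash chain between entries, a 64-block default sample for the read-back check, and constructed asset IDs, serials, and names; the Media Sanitization Record field names are the ones from the template. It also shows the caveat a practitioner wants about sampled verification: the demo image has one remnant in a block the 64-block sample never reads, so only the full scan catches it.

```python
"""Evidence helpers for a media sanitization program: a read-back check of an
overwritten image and a hash-chained Media Sanitization Log (JSON Lines).
Added example for this post, not a NIST, CMMC or vendor tool; field names follow
the post's record template, everything else is this example's own design."""
import hashlib, json, os, tempfile
from datetime import datetime, timezone

# Required fields, from the post's Media Sanitization Record template.
REQUIRED_FIELDS = ("asset_id", "serial_number", "media_type", "data_classification",
                   "sanitization_method", "operator", "verification_output",
                   "destination", "approver")
BLOCK_SIZE, GENESIS = 4096, "0" * 64          # GENESIS: prev_hash of the first entry

def verify_zero_fill(path, sample_blocks=64, block_size=BLOCK_SIZE):
    """Read-back check after a Clear-by-overwrite with zeros: first and last block
    plus evenly spaced samples (representative sampling, which NIST SP 800-88
    permits), or every block when sample_blocks is None.  Returns (True, None) or
    (False, byte offset of the first non-zero byte).  Works on a block device too."""
    with open(path, "rb", buffering=0) as fh:
        total = (fh.seek(0, os.SEEK_END) + block_size - 1) // block_size
        if sample_blocks is None or sample_blocks >= total:
            indices = range(total)
        else:
            step = total // sample_blocks
            indices = sorted(set(range(0, total, step)) | {total - 1})
        for i in indices:
            fh.seek(i * block_size)
            chunk = fh.read(block_size)
            if chunk.strip(b"\x00"):              # any non-zero byte is a remnant
                return False, i * block_size + len(chunk) - len(chunk.lstrip(b"\x00"))
    return True, None

def _entries(log_path):
    if os.path.exists(log_path):               # yield (raw_line, parsed_entry)
        with open(log_path, "rb") as fh:
            for raw in fh:
                if raw.rstrip(b"\n"):
                    yield raw.rstrip(b"\n"), json.loads(raw)

def append_record(log_path, record):
    """Validate against the template, then append.  Each entry carries the SHA-256
    of the previous line, so editing or deleting an earlier entry breaks
    verify_log() for everything after it."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        raise ValueError("record missing required fields: " + ", ".join(missing))
    prev = GENESIS
    for raw, _ in _entries(log_path):
        prev = hashlib.sha256(raw).hexdigest()
    entry = dict(record, prev_hash=prev, recorded_at=datetime.now(timezone.utc).isoformat())
    line = json.dumps(entry, sort_keys=True).encode()
    with open(log_path, "ab") as fh:              # binary mode: no "\r\n" surprises
        fh.write(line + b"\n")
    return hashlib.sha256(line).hexdigest()       # head hash; anchor it externally

def verify_log(log_path):
    """Walk the chain: (True, entry_count) or (False, index of the first entry
    whose prev_hash does not match the line before it)."""
    expected, count = GENESIS, 0
    for raw, entry in _entries(log_path):
        if entry.get("prev_hash") != expected:
            return False, count
        expected, count = hashlib.sha256(raw).hexdigest(), count + 1
    return True, count

def demo():
    """Run the whole flow on constructed inputs in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "partial.img")    # constructed 300-block image with
        with open(img, "wb") as fh:               # one FCI remnant left in block 150
            fh.write(b"\x00" * (150 * BLOCK_SIZE + 100) + b"FCI remnant"
                     + b"\x00" * (150 * BLOCK_SIZE - 111))
        sampled_ok, _ = verify_zero_fill(img)     # 64-block sample never reads block 150
        full_ok, offset = verify_zero_fill(img, sample_blocks=None)
        clean = os.path.join(tmp, "wiped.img")    # constructed fully zeroed image
        with open(clean, "wb") as fh: fh.write(b"\x00" * (8 * BLOCK_SIZE))
        clean_ok, _ = verify_zero_fill(clean, sample_blocks=None)
        log = os.path.join(tmp, "media-sanitization-log.jsonl")
        record = {"asset_id": "LT-0042", "serial_number": "SN-CONSTRUCTED-0001",
                  "media_type": "HDD", "data_classification": "FCI",
                  "sanitization_method": "Clear: single-pass zero overwrite",
                  "operator": "J. Doe", "destination": "reuse", "approver": "A. Owner",
                  "verification_output": "full read-back of wiped.img: ok=%s" % clean_ok}
        append_record(log, record)
        append_record(log, dict(record, asset_id="LT-0043", serial_number="SN-CONSTRUCTED-0002"))
        intact_ok, count = verify_log(log)
        with open(log, "rb") as fh:               # tamper with entry 0 after the fact
            lines = fh.read().split(b"\n")
        lines[0] = lines[0].replace(b'"reuse"', b'"landfill"')
        with open(log, "wb") as fh:
            fh.write(b"\n".join(lines))
        tampered_ok, bad_index = verify_log(log)
        try:
            append_record(log, {"asset_id": "LT-0044"})   # incomplete record
            incomplete_rejected = False
        except ValueError:
            incomplete_rejected = True
        return {"clean_ok": clean_ok, "sampled_ok": sampled_ok, "full_ok": full_ok,
                "remnant_offset": offset, "intact_ok": intact_ok, "count": count,
                "tampered_ok": tampered_ok, "bad_index": bad_index,
                "incomplete_rejected": incomplete_rejected}
```

Call demo() to see the results: the sampled check passes the partially wiped image while the full scan reports the remnant at byte 614500, the intact log verifies with two entries, and the chain breaks at entry 1 once entry 0 is edited. Two design notes: the hash chain only proves integrity back to a head hash you store somewhere the operator cannot rewrite (the immutable evidence storage recommended later in this post), and for media leaving your control, run the full scan rather than the sample, since sampling is a statistical argument and an auditor will ask how the sample was chosen.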
Compliance tips, best practices, and risks of non-implementation
Best practices: codify roles in job descriptions, require pre-approved vendor lists with proof of insurance and certifications, preserve chain-of-custody forms, schedule quarterly media inventories, and run annual sanitization audits that sample sanitized items and verify logs. Technical tips: enable encryption-at-rest before any FCI is written so that cryptographic erase (destroying the keys) is a defensible Purge for disposals; this only holds if the keys were never exported or backed up elsewhere, and NIST SP 800-88 recommends an additional Clear or Destroy for media that was not encrypted from the start. Store logs in immutable storage, and use centralized MDM/endpoint tools to generate wipe reports. Risk if you fail: leaking FCI can trigger contract noncompliance under FAR 52.204-21, loss of contracts, and possible reporting obligations, and in CMMC contexts a failed assessment blocks future DoD work; operational risks include ransomware exposure and intellectual property loss.
Summary: Build your media sanitization procedure into the Compliance Framework by defining scope, mapping to FAR 52.204-21 and CMMC MP.L1-B.1.VII, implementing the inventory→sanitization→verification workflow, adopting clear technical methods (NIST SP 800-88-aligned), and keeping auditable evidence (logs, certificates, chain-of-custody). For small businesses this can be lightweight but must be consistent — use the provided checklist and templates to reduce risk and demonstrate compliance during audits or contract reviews.