If your small business handles Federal Contract Information (FCI) or is pursuing CMMC 2.0 Level 1, you need a concise, practical media disposal policy mapped to FAR 52.204-21 and CMMC control MP.L1-B.1.V.II — this post gives a complete implementation approach, a checklist you can use today, and ready-made templates for policy text and destruction logs.
Why a media disposal policy matters for Compliance Framework requirements
Both FAR 52.204-21 (Basic Safeguarding of Covered Contractor Information Systems) and CMMC Level 1 require contractors to safeguard FCI and control media that contains it during disposition; MP.L1-B.1.V.II is the media protection disposal control in the Compliance Framework mapping. Without documented, repeatable disposal processes you expose sensitive contractor information to leaks, risk contract noncompliance, financial penalties, lost contracts, and reputational damage — and small businesses are often targeted because they have limited controls and inventory practices.
Core components to include in your media disposal policy (Compliance Framework specific)
At a minimum, your policy should define scope (media types and systems), roles and responsibilities, approved sanitization and destruction methods aligned with NIST SP 800-88 Rev. 1, inventory and chain-of-custody procedures, approval and logging requirements, approved vendors and certificates of destruction, retention and audit intervals, and training requirements. Map each requirement to MP.L1-B.1.V.II in the policy so auditors see how procedures satisfy the Compliance Framework control.
Practical implementation steps — making it operational for a small business
1) Inventory: Build a simple asset register (spreadsheet or CMDB) listing serials, asset owner, media type (HDD/SSD/tape/USB/mobile/cloud snapshot), and classification (FCI vs. non-FCI).
2) Categorize risk: Flag any media that held FCI/CUI for elevated handling.
3) Select methods: Assign a sanitization method per media type (see technical section).
4) Approvals: Require manager sign-off for final disposal and procurement of vendor services.
5) Execute & document: Perform sanitization, capture supporting evidence (screenshots, tool output, vendor CoD), and enter entries into a Disposal Log.
6) Audit: Schedule quarterly/annual reviews of logs and spot-checks.
For a small shop, these steps can be implemented with a single admin and a shared spreadsheet plus an offsite rotated drive locker for secure staging.
Technical methods and recommendations (specific, actionable)
Follow NIST SP 800-88 Rev. 1 guidance: for magnetic HDDs use cryptographic erase or overwrite (when applicable) or physical destruction; for SSDs prefer secure-erase/crypto-erase or physical destruction because overwrites are unreliable on many flash controllers. Use vendor utilities (ATA Secure Erase via hdparm or vendor tools) for HDDs, and NVMe/SSD vendor secure-erase or crypto-erase options for SSDs. For removable media (USB drives, SD cards), use secure-format tools or physical shredding. For tapes, use degaussing followed by physical destruction. For cloud virtual disks and snapshots, delete snapshots and ensure keys used for encryption are securely destroyed (a cryptographic erase of the encryption key is an effective method). Always validate: capture tool output (hash, sanitize command status) or obtain a Certificate of Destruction from a NAID AAA or similarly accredited vendor. Example: before issuing an ATA secure erase you might use 'hdparm --user-master u --security-set-pass p /dev/sdX' then 'hdparm --security-erase p /dev/sdX' — only after verifying the drive is not in RAID and you have backups.
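The hdparm sequence above fails, or worse, leaves the drive in a confusing state, when the drive's ATA Security state is frozen, locked, or already has a password set. The following preflight parser is an added example, not code from the original post or from the hdparm project: it reads the "Security:" section that `hdparm -I /dev/sdX` prints, reports the model and serial for the Disposal Log, estimates erase time, and only emits the two-step command sequence from the post when no blocker is present. The sample output is constructed to follow hdparm's layout; the device path `/dev/sdX` and the password `p` are placeholders.

```python
"""Preflight check for ATA Secure Erase, driven by the text of `hdparm -I`.

Added example; not code from the original post or from hdparm itself. It reads
the "Security:" section that `hdparm -I /dev/sdX` prints and decides whether
the --security-set-pass / --security-erase sequence can proceed. The sample
below is constructed to follow hdparm's output layout; on a real host feed in
subprocess.run(["hdparm", "-I", dev], capture_output=True, text=True).stdout.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample of `hdparm -I` output for a drive that is ready to erase.
SAMPLE_HDPARM_I = """\
/dev/sdX:

ATA device, with non-removable media
\tModel Number:       EXAMPLE-HDD-2TB
\tSerial Number:      SN12345
Security:
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t200min for SECURITY ERASE UNIT. 200min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""


@dataclass
class SecureEraseReadiness:
    model: str = ""
    serial: str = ""
    supported: bool = False
    enabled: bool = False
    locked: bool = False
    frozen: bool = False
    enhanced_erase: bool = False
    erase_minutes: Optional[int] = None
    blockers: List[str] = field(default_factory=list)

    @property
    def ready(self) -> bool:
        return not self.blockers


def parse_hdparm_identify(text: str) -> SecureEraseReadiness:
    """Parse `hdparm -I` output and derive the Secure Erase preflight result."""
    r = SecureEraseReadiness()
    in_security = False
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"(Model Number|Serial Number):\s*(.+)", line)
        if m:
            if m.group(1) == "Model Number":
                r.model = m.group(2).strip()
            else:
                r.serial = m.group(2).strip()
            continue
        if line.startswith("Security:"):
            in_security = True
            continue
        if not in_security:
            continue
        if not raw or raw[0] not in " \t":  # an unindented line ends the Security block
            break
        # hdparm prints each state word as "\t\tword" (true) or "\tnot\tword" (false)
        negated = bool(re.match(r"not\s", line))
        word = re.sub(r"^not\s+", "", line)
        if word in ("supported", "enabled", "locked", "frozen"):
            setattr(r, word, not negated)
        elif word == "supported: enhanced erase":
            r.enhanced_erase = not negated
        m = re.search(r"(\d+)min for SECURITY ERASE UNIT", word)
        if m:
            r.erase_minutes = int(m.group(1))
    if not r.supported:
        r.blockers.append("ATA Security feature set not supported: use a vendor tool or physical destruction")
    if r.frozen:
        r.blockers.append("security state is frozen (typically set by firmware at boot): the erase command would be rejected")
    if r.locked:
        r.blockers.append("drive is locked: unlock with the existing password before erasing")
    if r.enabled:
        r.blockers.append("a user password is already set: the existing password is required; do not set a new one")
    return r


def secure_erase_commands(dev: str, readiness: SecureEraseReadiness, password: str = "p") -> List[List[str]]:
    """The two-step hdparm sequence from the post as argv lists, using the
    enhanced erase when the drive advertises it. Raises if the preflight failed."""
    if not readiness.ready:
        raise RuntimeError("preflight failed: " + "; ".join(readiness.blockers))
    erase_flag = "--security-erase-enhanced" if readiness.enhanced_erase else "--security-erase"
    return [
        ["hdparm", "--user-master", "u", "--security-set-pass", password, dev],
        ["hdparm", erase_flag, password, dev],
    ]


if __name__ == "__main__":
    result = parse_hdparm_identify(SAMPLE_HDPARM_I)
    print(f"model={result.model} serial={result.serial} ready={result.ready} "
          f"estimated_minutes={result.erase_minutes}")
    for b in result.blockers:
        print("BLOCKER:", b)
    if result.ready:
        for argv in secure_erase_commands("/dev/sdX", result):
            print("would run:", " ".join(argv))
```

Save the full `hdparm -I` text and the post-erase `hdparm -I` text (the state should read `not enabled` again) alongside the serial in your evidence folder; that pair of captures is the "tool output" the checklist below asks for.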
Checklist: pre-disposal and disposal verification (use this)
Use the following checklist before completing disposal — each item maps to an MP.L1-B.1.V.II evidence requirement:
- Is the media in the asset register and labeled with owner and classification?
- Has the media been flagged as FCI? If yes, has it been assigned to elevated handling?
- Has the approved sanitization method been selected (erase, degauss, physical destruction)?
- Has a backup been confirmed and stakeholders notified where applicable?
- Was sanitization executed using approved tooling or performed by an accredited vendor?
- Is there verification evidence (tool output, serial numbers, photo, or vendor CoD)?
- Has the Disposal Log been updated with date, method, actor, witness, and evidence reference?
- Is the destruction recorded and retained per contract/audit retention requirements?
Templates: media disposal policy excerpt and disposal log
Drop these into your compliance documentation and edit for company-specific names, retention periods, and signatures.
Media Disposal Policy (excerpt)
1. Purpose
To ensure secure, auditable disposal of media containing Federal Contract Information (FCI) in accordance with FAR 52.204-21 and CMMC MP.L1-B.1.V.II.
2. Scope
Applies to all physical and electronic media owned or controlled by [Company] that may contain FCI, including HDDs, SSDs, tapes, USB drives, mobile devices, backup media, and cloud-based storage snapshots.
3. Roles & Responsibilities
- Asset Owner: Confirm data no longer required and approve disposal.
- IT Administrator: Perform or oversee sanitization.
- Compliance Officer: Review Disposal Log and maintain records for X years.
4. Approved Methods
- HDDs: ATA Secure Erase or DoD-level overwrite, or physical destruction.
- SSDs: Vendor Secure Erase / Cryptographic Erase recommended; if unavailable, physical destruction.
- Tapes: Degauss, then shred or incinerate.
- Mobile Devices: Factory reset plus physical destruction for devices that held FCI.
- Cloud: Delete snapshots and securely destroy encryption keys where applicable.
5. Documentation
All disposals must be recorded in the Disposal Log and include: asset ID, media type, serial number, classification, date, method, actor, witness (if required), and evidence reference (CoD file number or tool output).
Disposal Log (CSV columns)
Date,Asset ID,Asset Type,Serial/Identifier,Classification,Owner,Sanitization Method,Tool/Provider,Proof/File Ref,Performed By,Witness,Certificate of Destruction Ref,Retention Expiration
2026-03-15,LPT-004,Laptop,SN12345,FCI,Jane Doe,ATA Secure Erase,hdparm,/evidence/erase_sn12345.txt,ITAdmin1,SecurityMgr1,CoD-20260315-001,2029-03-15
Compliance tips, vendor selection, and best practices
1) Use accredited vendors (NAID AAA or equivalent) for bulk destruction and keep CoDs.
2) Maintain chain-of-custody for high-risk media: document handoffs until destruction.
3) Apply separation of duties: the person approving a disposal should not be the only one executing it.
4) Keep logs and evidence for the retention period defined by your contract (if not specified, use 3 years as a practical baseline).
5) Train staff on recognizing FCI and the disposal process, and include contract flow-down with subcontractors to ensure vendor compliance.
6) Periodically test your disposal process via internal audits and spot-checks (verify recorded CoDs against physical serials).
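The checklist, the Disposal Log template, and tips 3 and 4 above all describe conditions an auditor will test a log row against. The following script is an added example, not part of the original post or of any vendor product: it reads rows in the Disposal Log column layout from the template and reports, per Asset ID, which conditions fail (missing required fields, a sanitization method outside the policy's approved list for that asset type, no verification evidence, the same person performing and witnessing, and a retention expiration earlier than the 3-year baseline). The log rows are constructed samples, and the per-asset-type method list is an assumption transcribed from section 4 of the policy excerpt; adjust both to your own policy.

```python
"""Check a Disposal Log CSV against the checklist and tips above.

Added example; not part of the original post or of any vendor product. It reads
rows in the Disposal Log column layout shown earlier and reports, per Asset ID,
the checklist items that fail. Log rows are constructed samples; the
per-asset-type method list is an assumption derived from the policy excerpt.
"""
import csv
import io
from datetime import date
from typing import Dict, List

# Constructed sample log: one clean row, one with several failures, one SSD
# sanitized with an overwrite, and one non-FCI drive destroyed by a vendor.
SAMPLE_LOG = """\
Date,Asset ID,Asset Type,Serial/Identifier,Classification,Owner,Sanitization Method,Tool/Provider,Proof/File Ref,Performed By,Witness,Certificate of Destruction Ref,Retention Expiration
2026-03-15,LPT-004,Laptop,SN12345,FCI,Jane Doe,ATA Secure Erase,hdparm,/evidence/erase_sn12345.txt,ITAdmin1,SecurityMgr1,CoD-20260315-001,2029-03-15
2026-03-16,USB-017,USB,USB9981,FCI,John Roe,Quick Format,Windows,,ITAdmin1,ITAdmin1,,2027-03-16
2026-03-16,SSD-022,SSD,SSD55AA,FCI,Jane Doe,DoD-level overwrite,dban,/evidence/overwrite_ssd55aa.txt,ITAdmin2,SecurityMgr1,,2029-03-16
2026-03-17,HDD-031,HDD,HD7777,non-FCI,John Roe,Physical Destruction,ShredCo,,ShredCo,ITAdmin2,CoD-20260317-002,2029-03-17
"""

RETENTION_YEARS = 3  # baseline from the tips above; use the contract's period if it sets one
REQUIRED = ["Date", "Asset ID", "Asset Type", "Serial/Identifier", "Classification",
            "Sanitization Method", "Performed By", "Retention Expiration"]

# Approved methods per asset type, transcribed from section 4 of the policy excerpt
# (assumption: a laptop may hold either an HDD or an SSD, so both lists apply).
APPROVED = {
    "hdd": {"ata secure erase", "dod-level overwrite", "physical destruction"},
    "ssd": {"vendor secure erase", "cryptographic erase", "physical destruction"},
    "tape": {"degauss and shred", "degauss and incinerate"},
    "usb": {"secure format", "physical shredding", "physical destruction"},
    "mobile": {"factory reset and physical destruction"},
    "cloud": {"snapshot deletion and key destruction"},
}
APPROVED["laptop"] = APPROVED["hdd"] | APPROVED["ssd"]


def add_years(d: date, years: int) -> date:
    """Date arithmetic for the retention baseline, tolerating 29 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb with a non-leap target year
        return d.replace(year=d.year + years, day=28)


def check_row(row: Dict[str, str]) -> List[str]:
    """Return the list of checklist failures for one Disposal Log row."""
    findings = []
    missing = [c for c in REQUIRED if not row.get(c, "").strip()]
    if missing:
        findings.append("missing required fields: " + ", ".join(missing))
    asset_type = row.get("Asset Type", "").strip().lower()
    method = row.get("Sanitization Method", "").strip()
    if asset_type not in APPROVED:
        findings.append(f"unknown asset type: '{row.get('Asset Type', '')}'")
    elif method.lower() not in APPROVED[asset_type]:
        findings.append(f"unapproved method: '{method}' is not approved for {row['Asset Type']}")
    # Checklist: verification evidence (tool output or vendor CoD) must exist.
    if not row.get("Proof/File Ref", "").strip() and not row.get("Certificate of Destruction Ref", "").strip():
        findings.append("no evidence: Proof/File Ref or Certificate of Destruction Ref is required")
    # Tip 3: separation of duties between the executor and the witness.
    performer = row.get("Performed By", "").strip().lower()
    witness = row.get("Witness", "").strip().lower()
    if performer and performer == witness:
        findings.append("separation of duties: Performed By and Witness are the same person")
    # Tip 4: retention must reach at least the baseline from the disposal date.
    try:
        disposed = date.fromisoformat(row["Date"].strip())
        expires = date.fromisoformat(row["Retention Expiration"].strip())
        baseline = add_years(disposed, RETENTION_YEARS)
        if expires < baseline:
            findings.append(f"retention: expiration {expires} is before the {RETENTION_YEARS}-year baseline {baseline}")
    except (KeyError, ValueError):
        findings.append("retention: Date or Retention Expiration is not a valid YYYY-MM-DD date")
    return findings


def validate_log(csv_text: str) -> Dict[str, List[str]]:
    """Map each Asset ID in the log to its findings (an empty list means the row passes)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Asset ID"]: check_row(row) for row in reader}


if __name__ == "__main__":
    for asset_id, findings in validate_log(SAMPLE_LOG).items():
        print(f"{asset_id}: {'PASS' if not findings else 'FAIL'}")
        for finding in findings:
            print("   -", finding)
```

Run it over the exported spreadsheet at each quarterly review; rows that come back clean are the ones whose CoDs and serials you then spot-check physically, and the SSD row shows why the method list is keyed by asset type rather than by a single approved set.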
Conclusion
Building a media disposal policy that meets FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.V.II) is straightforward for small businesses when you inventory media, pick NIST-aligned sanitization methods, require approvals and evidence, and keep a simple Disposal Log and Certificates of Destruction — doing so reduces breach risk, demonstrates compliance during audits, and protects your contracts and reputation.