This post explains how small businesses and contractors can design and operate a practical media disposal procedure that meets FAR 52.204-21 basic safeguarding and CMMC 2.0 Level 1 practice MP.L1-B.1.VII (sanitize or destroy media containing FCI before disposal or reuse), with an actionable checklist, implementation notes, and ready-to-use templates you can adopt today.
Why media disposal matters for FAR 52.204-21 and CMMC 2.0 Level 1
FAR 52.204-21 requires basic safeguarding of contractor information systems that process, store, or transmit Federal Contract Information (FCI). One of its fifteen requirements, paragraph (b)(1)(vii), is to sanitize or destroy information system media containing FCI before disposal or release for reuse; CMMC 2.0 Level 1 practice MP.L1-B.1.VII assesses exactly that requirement. (If you also handle Controlled Unclassified Information, CMMC Level 2 and NIST SP 800-171 impose the equivalent control, 3.8.3, so one procedure can cover both.) If disposal is not handled correctly, residual data on retired laptops, USB drives, printouts, or mobile devices can lead to data breaches, contract noncompliance, loss of contracts, and reputational damage. Small businesses are particularly at risk because they often reassign hardware, rely on third-party recyclers, or lack formal logs and vendor controls.
Key objectives and high-level approach (Compliance Framework practice)
Your media disposal procedure should achieve three objectives: (1) identify and classify media that may contain FCI or CUI, (2) ensure approved sanitization or destruction methods are used, and (3) maintain auditable records (chain of custody, certificates) to demonstrate compliance. In Compliance Framework terms, this is a Practice-level activity: document the process, assign roles, implement technical controls, and verify through records and periodic review.
Practical implementation steps
Start by creating a media inventory and owner model: tag devices (laptops, desktops, external drives, SD cards, printers and copiers with internal disks) and assign an owner (IT administrator, asset manager). Implement a simple check-in/check-out and return requirement: items must be returned to IT before reassignment, resale, or disposal. For daily operations, enforce full-disk encryption on endpoints (BitLocker, FileVault) and mobile device management (MDM) so that, when media is retired, cryptographic erase (destroying the keys) is available as a sanitization method. Two caveats apply: NIST SP 800-88 accepts cryptographic erase only when encryption was enabled before any FCI was written to the media (a drive encrypted after the fact may still hold plaintext in unallocated space), and every copy of the key must be destroyed, including recovery keys escrowed in Active Directory, Entra ID, or your MDM.
Sanitization methods, technical specifics, and small-business examples
Follow NIST SP 800-88 Rev. 1 guidance: choose Clear, Purge, or Destroy based on the media type, the sensitivity of what it held, and whether the media will leave your control. Examples: (a) magnetic HDDs: Clear with a full overwrite (a single pass is acceptable under Rev. 1), Purge with ATA Secure Erase or degaussing (degaussing also renders the drive unusable), and Destroy by shredding when the drive leaves the organization; (b) SSDs and mobile devices: use the drive's built-in Sanitize/Secure Erase command or cryptographic erase (destroy the keys), and physically destroy the device if it leaves your control, because software overwrites cannot reach every flash cell; (c) removable media (USB sticks, SD cards): prefer physical destruction for anything that held CUI; (d) paper: cross-cut shredding or incineration. Real-world small-business scenario: a 12-person defense subcontractor retiring 6 laptops should have IT confirm BitLocker is enabled on each drive, remove all BitLocker key protectors and delete the escrowed recovery keys, then record the serial number and method in the disposal log before handing the devices to a NAID AAA Certified recycler for shredding. Use MDM to remotely wipe phones and keep the wipe-completion record as evidence.
Chain of custody, checklist, and vendor controls
Maintain an auditable chain of custody and require a Certificate of Destruction (CoD) from vendors. Practical checklist items to include (use this as a control worksheet during disposal):
- Inventory entry exists for the asset and owner is recorded.
- Sensitivity level of the media (FCI/CUI/None) is recorded.
- Encryption status confirmed (Full-disk encryption enabled Y/N).
- Sanitization method selected (Clear/Purge/Destroy) and justification.
- Sanitization executed by named individual or vendor; timestamp recorded.
- Chain of custody documented from organization to destruction vendor.
- Certificate of Destruction obtained and attached to record.
- Disposal record retained per retention policy and available for audit.
Compliance tips and best practices
For small teams: (1) default to encryption-first: if every endpoint is encrypted before it ever holds FCI, disposal often reduces to key destruction, which is quick and auditable; (2) standardize vendors: use NAID AAA Certified vendors and keep a vendor agreement that lists the sanitization methods they will apply; (3) automate where possible with asset management and MDM to generate logs and confirmation receipts; (4) train non-IT staff on what qualifies as media (e.g., printed rosters, backup tapes, USB drives, copier hard drives); (5) maintain an approved exceptions process for retention holds (litigation, FOIA requests, contract record-retention clauses) and ensure legal/contract staff sign off before disposal.
Templates: policy, disposal log, and certificate of destruction
Below are concise templates you can copy and modify to fit your Compliance Framework documentation.
Media Disposal Policy - [Company Name]
Scope: Applies to all media (electronic and paper) that may contain FCI/CUI owned, leased, or processed by [Company Name].
Policy:
- All endpoints must enable full-disk encryption (e.g., BitLocker, FileVault).
- Media owners must submit items to IT for sanitization prior to reassignment, resale, or disposal.
- Sanitization must follow NIST SP 800-88 Rev. 1: Clear, Purge, or Destroy as appropriate.
- Third-party vendors must be NAID-certified; obtain a Certificate of Destruction for each disposal batch.
- Records retained for [X years] to support audits and contract requirements.
Roles:
- Asset Owner: initiates disposal request.
- IT Security: validates classification, executes or oversees sanitization, updates inventory.
- Compliance Officer: performs periodic audits and retains CoD.
Exceptions: All exceptions must be approved in writing by [Title].
Media Disposal Log (CSV columns)
AssetTag,AssetType,SerialNumber,Owner,Classification(FCI/CUI/None),Encryption(Y/N),DisposalMethod(Clear/Purge/Destroy),SanitizationDate,PerformedBy,VendorName,VendorCoDNumber,CoDDate,Notes
Certificate of Destruction (vendor)
Vendor: [Vendor Name]
NAID#: [NAID number]
CoD ID: [Unique ID]
Date: [MM/DD/YYYY]
Items Destroyed: [List or batch identifier]
Destruction Method: [Shredding/Degaussing/Disintegration/Incineration]
Verification: [Statement that destruction was completed and details]
Authorized Signature: _____________________
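The chain-of-custody checklist and the sanitization rules above are only useful if someone actually applies them to every row of the disposal log before an audit. The script below is an added example, not part of the original post or any vendor tool: it reads a log in the CSV layout of the Media Disposal Log template and flags rows that violate the checklist (missing owner or method, vendor used without a Certificate of Destruction) or the NIST SP 800-88 method guidance given earlier (Clear on flash media, CUI on removable media not destroyed, crypto erase claimed on an unencrypted device). The asset-type vocabulary (Laptop, SSD, USB, SD, Mobile, Paper), the use of the Notes column to spot a crypto-erase claim, and the sample rows are assumptions made for the example; adjust them to your inventory.

```python
"""Audit a Media Disposal Log (CSV) against the control worksheet rules.

Added example for this post; column names match the log template above.
"""
import csv
import io

# Column names exactly as in the Media Disposal Log template.
COL_TAG = "AssetTag"
COL_TYPE = "AssetType"
COL_OWNER = "Owner"
COL_CLASS = "Classification(FCI/CUI/None)"
COL_ENC = "Encryption(Y/N)"
COL_METHOD = "DisposalMethod(Clear/Purge/Destroy)"
COL_DATE = "SanitizationDate"
COL_BY = "PerformedBy"
COL_VENDOR = "VendorName"
COL_COD = "VendorCoDNumber"
COL_COD_DATE = "CoDDate"
COL_NOTES = "Notes"

# Asset-type vocabulary is an assumption of this example; adjust to your inventory.
FLASH_TYPES = {"SSD", "USB", "SD", "Mobile"}   # overwriting (Clear) is unreliable on flash
REMOVABLE_TYPES = {"USB", "SD"}                # prefer Destroy when these held CUI
REQUIRED = (COL_TAG, COL_TYPE, COL_OWNER, COL_CLASS, COL_METHOD, COL_DATE, COL_BY)


def audit_row(row):
    """Return a list of findings for one log row (an empty list means the row passes)."""
    def get(col):
        return (row.get(col) or "").strip()

    findings = []
    for col in REQUIRED:  # checklist: inventory entry, owner, sensitivity, method, who/when
        if not get(col):
            findings.append(f"missing {col}")
    atype, cls, method = get(COL_TYPE), get(COL_CLASS), get(COL_METHOD)
    enc = get(COL_ENC).upper()
    if cls and cls not in {"FCI", "CUI", "None"}:
        findings.append(f"unknown classification {cls!r}")
    if method and method not in {"Clear", "Purge", "Destroy"}:
        findings.append(f"unknown disposal method {method!r}")
    if atype != "Paper" and enc not in {"Y", "N"}:  # checklist: encryption status confirmed
        findings.append("encryption status not recorded")
    if atype == "Paper" and method != "Destroy":
        findings.append("paper must be Destroyed (cross-cut shred or incinerate)")
    if atype in FLASH_TYPES and method == "Clear":
        findings.append("Clear (overwrite) is not reliable on flash media; use Purge or Destroy")
    if atype in REMOVABLE_TYPES and cls == "CUI" and method != "Destroy":
        findings.append("removable media that held CUI should be Destroyed")
    # Cryptographic erase only counts if the media was encrypted before use
    # (assumption: the Notes column says "crypto" when crypto erase was the method).
    if "crypto" in get(COL_NOTES).lower() and enc != "Y":
        findings.append("crypto erase recorded but Encryption(Y/N) is not Y")
    if get(COL_VENDOR) and not (get(COL_COD) and get(COL_COD_DATE)):  # checklist: CoD attached
        findings.append("vendor used but Certificate of Destruction number/date missing")
    return findings


def audit_log(csv_text):
    """Map each AssetTag in the CSV text to its list of findings."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {(r.get(COL_TAG) or "").strip(): audit_row(r) for r in reader}


def failing_assets(csv_text):
    """Sorted AssetTags that have at least one finding."""
    return sorted(tag for tag, found in audit_log(csv_text).items() if found)


# Constructed sample log (made-up assets and vendors, not real data).
SAMPLE_LOG = """AssetTag,AssetType,SerialNumber,Owner,Classification(FCI/CUI/None),Encryption(Y/N),DisposalMethod(Clear/Purge/Destroy),SanitizationDate,PerformedBy,VendorName,VendorCoDNumber,CoDDate,Notes
LT-0101,Laptop,SN-A1,J. Doe,FCI,Y,Purge,2024-03-01,IT Admin,ShredCo,COD-77,2024-03-02,crypto erase then shredded
USB-0007,USB,SN-U7,K. Lee,CUI,N,Clear,2024-03-01,K. Lee,,,,single-pass overwrite
LT-0102,Laptop,SN-A2,M. Ng,FCI,N,Purge,2024-03-01,IT Admin,,,,crypto erase
PR-0003,Paper,,Office Mgr,FCI,,Destroy,2024-03-01,Office Mgr,ShredCo,,,cross-cut shred
"""

if __name__ == "__main__":
    for tag, findings in audit_log(SAMPLE_LOG).items():
        print(tag, "PASS" if not findings else "FAIL: " + "; ".join(findings))
```

Run it against an exported log before each periodic review; a row that fails is either a record-keeping gap to close (attach the CoD, record encryption status) or a sanitization decision to revisit before the asset is released. Only the first sample row passes: the USB stick was overwritten rather than destroyed despite holding CUI, the second laptop claims a crypto erase without encryption having been enabled, and the paper batch went to a vendor with no certificate on file.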
Risk of non-implementation: failing to implement these procedures increases the likelihood of residual-data exposure, regulatory findings, contract penalties or loss, and expensive breach response. Even a single lost USB or a recycled laptop with recoverable files can lead to mandatory incident reporting and loss of future government work.
Summary: Build a concise media disposal procedure that inventories media, enforces encryption, selects approved sanitization methods (aligned with NIST SP 800-88), captures chain-of-custody and CoDs, and uses NAID-certified vendors when outsourcing. Use the checklist and templates above to create immediate, auditable controls that satisfy FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII while keeping the process practical for a small business.