Sanitizing media that holds Federal Contract Information (FCI), and the Covered Defense Information (CDI) or other Controlled Unclassified Information (CUI) that a defense contractor may also hold, is a non-negotiable requirement: FAR 52.204-21 paragraph (b)(1)(vii) and CMMC 2.0 Level 1 practice MP.L1-B.1.VII require that system media containing FCI be sanitized or destroyed before disposal or release for reuse. Selecting the right technique (overwriting, degaussing, cryptographic erase, or physical destruction) depends on media type, threat model, and operational constraints, and the choice must be backed by documented procedures, verification, and records.
Understand the requirement and the practical risk
FAR 52.204-21 requires basic safeguarding of covered contractor information systems that process, store, or transmit FCI, and CMMC 2.0 Level 1 assesses those same safeguards, including sanitizing or destroying media that contains FCI before it is disposed of or released for reuse. Contractors that also handle CUI or CDI carry the same obligation under DFARS 252.204-7012 and NIST SP 800-171 (requirement 3.8.3, assessed at CMMC Level 2 as MP.L2-3.8.3), and the sanitization methods are the same. In practice this means you must ensure that FCI and CUI/CDI cannot be reconstructed from a drive, tape, or flash device after it leaves service. The cost of getting it wrong includes unintended disclosure of sensitive data, contract violations, loss of contracts, reputational damage, regulatory penalties, and a reportable cybersecurity incident.
Map sanitization choices to media types
Not all media are equal. Magnetic hard disk drives (HDDs) and backup tapes can be overwritten or degaussed. Solid-state drives (SSDs), USB flash media, and embedded flash cannot be reliably overwritten, because wear-leveling, spare blocks, and over-provisioning leave copies of data in locations the host cannot address; for these, use a firmware-level sanitize command (ATA Secure Erase, NVMe Format or Sanitize, or cryptographic erase on a self-encrypting drive) or physical destruction. Optical media (CD/DVD) should be destroyed by shredding or incineration, as should any removable storage that cannot be reliably erased. Start by inventorying your media, classifying data holdings (FCI and CUI/CDI vs. non-sensitive), and tagging media types in your asset register so the sanitization method can be chosen consistently.
HDDs and tape guidance
For magnetic HDDs, a single overwrite pass with a fixed pattern such as zeros, written by a tool that addresses every user-accessible sector (not an OS format, which rewrites only filesystem metadata), satisfies NIST SP 800-88 Rev. 1 Clear and is appropriate when the drive stays within your control, for example when it is reassigned internally. When a drive leaves your control, or the data warrants higher assurance, use a Purge method: degaussing for magnetic media, or physical destruction. For backup tape cartridges, degaussing is commonly used and effective, provided the degausser is rated for the tape's coercivity and the entire cartridge is exposed to the field; note that degaussing also erases the factory-written servo tracks on LTO cartridges, so a degaussed tape cannot be reused. Always check vendor specifications and run validation tests to confirm that the degausser model you select fully erases your specific tape generation.
SSD, NVMe, and flash-specific details
SSDs and flash-based devices require special handling: overwriting does not guarantee that remapped, retired, or over-provisioned blocks are sanitized, because those blocks are not reachable through normal writes. Preferred methods are the drive's built-in sanitize commands (ATA SECURITY ERASE UNIT for SATA devices; NVMe Format with secure-erase settings, or NVMe Sanitize where the controller supports it) or cryptographic erase on self-encrypting drives (SEDs), which works by destroying the media encryption key so that every block, reachable or not, becomes ciphertext without a key. Two practical caveats: a SATA drive that the BIOS has frozen at boot will reject the erase command until it is power-cycled without the freeze being reapplied, and cryptographic erase is only as good as the drive's key management, so rely on it only where the vendor documents how the key is destroyed (NIST SP 800-88 Rev. 1 recommends validated encryption, such as FIPS 140, for that purpose). Verify by reading back a sample of sectors afterwards. If the device does not support a reliable sanitize command or you cannot validate the result, physical destruction is the appropriate option; degaussing does nothing to flash because the data is not stored magnetically. Document the model, firmware, and method used, and retain any vendor tool logs or output as evidence.
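The pre-flight checks described above, as an added example that is not part of the original article: the script parses the text that `hdparm -I` and `nvme id-ctrl` print (here against constructed sample output, shaped like the real tools' text but not captured from any particular drive) and reports whether ATA Secure Erase or an NVMe Format with secure-erase settings can proceed. Function names such as `ata_secure_erase_ready` and `nvme_format_ses` are this example's own, and `DEV` stands for the device path you would supply. Nothing here issues an erase; the commands a passing check clears you to run are only printed.

```shell
#!/bin/sh
# Added example, not code from the original article: pre-flight checks before
# issuing ATA Secure Erase or an NVMe Format with secure-erase settings.
# The checks parse text that the real tools print (`hdparm -I /dev/sdX` and
# `nvme id-ctrl /dev/nvme0`), so they run offline against the constructed
# samples below. Nothing here issues an erase.

# ATA: the security feature set must be supported, and the drive must not be
# "enabled" (a password is already set), "locked", or "frozen". Frozen is the
# usual surprise: many BIOS/UEFI implementations freeze the drive at boot and
# the controller rejects SECURITY ERASE UNIT until the drive is power-cycled
# (hot-plug or suspend/resume) without the freeze being reapplied.
# $1 = full `hdparm -I` output. Returns 0 and prints the commands when ready.
ata_secure_erase_ready() {
  sec=$(printf '%s\n' "$1" | sed -n '/^Security:/,$p')
  printf '%s\n' "$sec" | grep -qE '^[[:space:]]*supported[[:space:]]*$' ||
    { echo "ATA: security feature set not supported; use a vendor tool or destroy"; return 1; }
  for state in enabled locked frozen; do
    if printf '%s\n' "$sec" | grep -qE "^[[:space:]]*${state}[[:space:]]*$"; then
      echo "ATA: drive is ${state}; SECURITY ERASE UNIT would be rejected"
      return 1
    fi
  done
  mode=--security-erase
  printf '%s\n' "$sec" | grep -q 'supported: enhanced erase' && mode=--security-erase-enhanced
  echo "ATA: ready. Run: hdparm --user-master u --security-set-pass NULL DEV"
  echo "           then: hdparm --user-master u ${mode} NULL DEV"
  return 0
}

# NVMe: the Format NVM Attributes field (fna) in `nvme id-ctrl` output says
# what `nvme format --ses=N` can do. Bit 2 set means cryptographic erase is
# supported (--ses=2); otherwise --ses=1 requests a user-data erase.
# $1 = `nvme id-ctrl` output. Prints the --ses value; returns 1 if fna is absent.
nvme_format_ses() {
  fna=$(printf '%s\n' "$1" | awk '$1 == "fna" { print $3; exit }')
  [ -n "$fna" ] || { echo "NVMe: fna field not found in id-ctrl output" >&2; return 1; }
  if [ $(( $fna & 4 )) -ne 0 ]; then echo 2; else echo 1; fi
}

# Constructed sample outputs (shaped like the real tools' text, not captured
# from any real drive).
SAMPLE_HDPARM_READY='Security:
        Master password revision code = 65534
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.'
SAMPLE_HDPARM_FROZEN=$(printf '%s\n' "$SAMPLE_HDPARM_READY" |
  sed 's/^\([[:space:]]*\)not[[:space:]]*frozen/\1frozen/')
SAMPLE_NVME_CRYPTO='NVME Identify Controller:
mn        : CONSTRUCTED-SAMPLE-SSD
fna       : 0x4
sanicap   : 0x3'
SAMPLE_NVME_PLAIN='NVME Identify Controller:
mn        : CONSTRUCTED-SAMPLE-SSD
fna       : 0
sanicap   : 0'

# Walk the samples when run directly: the frozen drive is refused, the rest
# get their commands printed.
for sample in "$SAMPLE_HDPARM_READY" "$SAMPLE_HDPARM_FROZEN"; do
  ata_secure_erase_ready "$sample" || true
done
ses=$(nvme_format_ses "$SAMPLE_NVME_CRYPTO") && echo "NVMe: ready. Run: nvme format DEV --ses=$ses"
```

On a real system replace the sample text with `"$(hdparm -I /dev/sdX)"` or `"$(nvme id-ctrl /dev/nvme0)"`. Drives whose `sanicap` field is non-zero also support the stronger `nvme sanitize` command (crypto erase, block erase, or overwrite modes), which is the better choice where available; either way, keep the tool's output and a read-back check of sampled LBAs with the sanitization record.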
Degaussing, overwriting, and destruction: technical considerations
Degaussing is a magnetic-field purge that renders magnetic media unreadable; it is fast and useful for tapes and many HDDs, but it also wipes the servo information and typically damages the drive electronics, so a degaussed HDD cannot be reused, and it has no effect on SSDs or other flash. When selecting a degausser, choose one whose manufacturer lists compatibility with your media (specific tape formats, or enterprise HDDs by coercivity) and keep calibration and maintenance records. Overwriting should use erasure tools that produce verifiable per-device logs (e.g., Blancco, or the secure-erase utilities bundled with Parted Magic); do not rely on OS-level format commands, which rewrite only filesystem metadata. For physical destruction, make sure the method renders the media unrecoverable: industrial shredding to a particle size appropriate for the media (flash chips require a far finer particle than magnetic platters), crushing, or incineration. When a third party performs the destruction, obtain a Certificate of Destruction from a NAID- or ADISA-accredited vendor.
Implementation steps and small business scenarios
Implementation checklist: 1) Inventory and classify media; 2) Define the acceptable sanitization method for each media type in your media-protection SOP; 3) Procure the right tools (a degausser rated for your tapes and HDDs, secure-erase-capable software, or a certified destruction vendor); 4) Train staff and require chain-of-custody forms; 5) Log each sanitization event with asset ID, media type and serial number, method, operator, date, and the certificate or tool output; 6) Periodically validate the process with read-back checks or forensic recovery attempts. Example: a small defense subcontractor replacing 10 laptops should back up any FCI/CUI that must be retained, confirm that full-disk encryption was enabled while the laptops were in service (so the drives never held plaintext), run ATA Secure Erase on SATA SSDs and an NVMe Format with secure-erase settings (cryptographic erase where the controller supports it) on NVMe drives, physically shred any USB drives that cannot be reliably erased, and retain a signed certificate of destruction before recycling.
Best practices, verification, and compliance tips
Best practices include enforcing whole-disk encryption for all FCI and CUI at rest (it limits exposure if media is lost and makes cryptographic erase possible later), never relying on a quick format, keeping chain-of-custody records and Certificates of Destruction for third-party vendors, and using the NIST SP 800-88 Rev. 1 categories (Clear, Purge, Destroy) as your policy backbone. Verify sanitization rather than assuming it: read back a sample of sectors after an overwrite or erase to confirm they hold the expected fill pattern, periodically attempt recovery on a randomly selected device with forensic tools, or contract an independent test. Maintain a list of approved tools and vendors, update it annually, and include sanitization steps in regular employee training. For procurement, prefer devices that support secure erase or are self-encrypting so that future sanitization is simple and auditable.
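The read-back verification described above, as an added example that is not part of the original article: it samples evenly spaced 4 KiB blocks of a zero-filled device, always including the first and last block, and fails on the first non-zero byte it finds. It runs against a block device or, as shown, against a constructed regular file standing in for one; the function names (`verify_zero_sample`, `make_zero_device`, `plant_residue`) and the planted "residue" are this example's own. It assumes the preceding overwrite used a zero pattern (for example `dd if=/dev/zero of=DEV bs=1M`); for another fill pattern, adapt `block_is_clean`.

```shell
#!/bin/sh
# Added example, not code from the original article: read-back verification
# of a zero-filled device by representative sampling, in the spirit of the
# NIST SP 800-88 verification step. Caveat: on flash this only proves what
# the host can read; retired and over-provisioned blocks are invisible, which
# is exactly why SSDs are steered to secure/crypto erase or destruction.

BLOCK=4096

# Size in bytes of a block device or a regular file (whitespace stripped so
# the result is safe in arithmetic).
dev_size() {
  if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c <"$1"; fi | tr -d '[:space:]'
}

# Return 0 if block number $2 of $1 contains only zero bytes.
block_is_clean() {
  leftover=$(dd if="$1" bs="$BLOCK" skip="$2" count=1 2>/dev/null |
    tr -d '\000' | wc -c | tr -d '[:space:]')
  [ "$leftover" -eq 0 ]
}

# verify_zero_sample DEV [SAMPLES]: check SAMPLES evenly spaced blocks,
# always including block 0 and the final block. Prints PASS, or FAIL with the
# byte offset of the first residue found; returns 0 on PASS, 1 on FAIL.
verify_zero_sample() {
  dev=$1; samples=${2:-64}
  size=$(dev_size "$dev")
  nblocks=$(( size / BLOCK ))
  [ "$nblocks" -gt 0 ] || { echo "FAIL: $dev is smaller than one block"; return 1; }
  stride=$(( nblocks / samples ))
  [ "$stride" -gt 0 ] || stride=1
  checked=0
  i=0
  while [ "$i" -lt "$nblocks" ]; do
    block_is_clean "$dev" "$i" || { echo "FAIL: residue at byte offset $(( i * BLOCK ))"; return 1; }
    checked=$(( checked + 1 ))
    i=$(( i + stride ))
  done
  last=$(( nblocks - 1 ))
  if [ $(( last % stride )) -ne 0 ]; then   # last block not already visited
    block_is_clean "$dev" "$last" || { echo "FAIL: residue at byte offset $(( last * BLOCK ))"; return 1; }
    checked=$(( checked + 1 ))
  fi
  echo "PASS: $checked of $nblocks blocks sampled in $dev, all zero"
}

# Constructed stand-in device: a zero-filled regular file of $2 blocks.
make_zero_device() {
  dd if=/dev/zero of="$1" bs="$BLOCK" count="$2" 2>/dev/null
}

# Plant a few bytes of "leftover data" at byte offset $2 so the check has
# something to catch (constructed residue, not recovered from anything).
plant_residue() {
  printf 'CUI-RESIDUE' | dd of="$1" bs=1 seek="$2" conv=notrunc 2>/dev/null
}

# Demonstration on a 1 MiB stand-in: clean device passes, then residue planted
# in the final block is caught because the last block is always sampled.
tmp=$(mktemp)
make_zero_device "$tmp" 256
verify_zero_sample "$tmp" 16                      # PASS
plant_residue "$tmp" $(( 255 * BLOCK + 100 ))     # into block 255
verify_zero_sample "$tmp" 16 || true              # FAIL: residue at byte offset 1044480
rm -f "$tmp"
```

For a production check raise the sample count (or read the whole device when time allows), run it as the operator who will sign the sanitization record, and keep the PASS line with the asset ID and date as the verification evidence.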
Consequences of noncompliance and risk mitigation
Failure to sanitize properly can lead to data being recovered from discarded drives, exposing FCI or CUI and causing a security incident; where CDI is affected, DFARS 252.204-7012 requires the incident to be reported to DoD within 72 hours, and the exposure can also mean contract termination and financial or legal consequences. To mitigate the risk, apply defense in depth: encrypt data at rest, limit FCI and CUI on removable media, centralize backups in an encrypted repository, and tie an end-of-life sanitization workflow to your asset management system so that no device leaves the company without documented sanitization.
Summary: Choosing the right sanitization method for FAR 52.204-21 and CMMC 2.0 Level 1 requires an inventory-driven approach that maps media types to NIST SP 800-88 actions: Clear (overwriting) where the media stays in your control, Purge (degaussing for magnetic media; secure erase or cryptographic erase for flash) when higher assurance is needed, and Destroy (shredding, crushing, or incineration) when other methods are not feasible or cannot be verified. Combine that with documented procedures, verification, and retained evidence to demonstrate compliance and to protect your organization from data leakage and contractual risk.