Proper sanitization of hard drives and removable media is a must for any organization that handles Federal Acquisition Regulation (FAR) covered information and wants to satisfy CMMC 2.0 Level 1 control MP.L1-B.1.VII; picking the right tools and techniques requires matching media type, threat model, and evidence requirements to proven methods so you can both reduce risk and produce audit-ready records.
Understand the compliance and technical baseline
FAR 52.204-21 requires contractors to safeguard federal information on contractor systems, and CMMC 2.0 Level 1 MP.L1-B.1.VII addresses media protection including sanitization before disposal or reuse. NIST SP 800-88 (Guidelines for Media Sanitization) is the de facto technical baseline: it defines three outcomes—Clear (logical sanitization/overwrite), Purge (deeper sanitization such as degauss or crypto-erase), and Destroy (physical destruction). Your tool and technique selection must map to these outcomes and to the sensitivity of the data (e.g., Federal Contract Information vs. Controlled Unclassified Information).
Match method to media type and sensitivity
Not all media are created equal: spinning hard drives (HDDs), solid-state drives (SSDs), USB flash drives, SD cards, and optical media each require different approaches. For HDDs, software overwrites (Clear) or ATA Secure Erase (Purge) are effective; DBAN (Darik's Boot and Nuke) is still useful for older HDDs but is not suitable for SSDs. For SSDs and NVMe devices, use vendor secure-erase tools or the drive's built-in secure erase (e.g., hdparm --security-erase for ATA drives; nvme format with the --ses secure-erase setting from nvme-cli for NVMe), or rely on crypto-erase for self-encrypting drives (SEDs). For removable flash media, prefer cryptographic protection or physical destruction, because wear-leveling can prevent reliable overwriting.
Practical implementation steps for a small business
Implement a simple process:
1) Inventory and classify devices (maintain a CMDB that records serial numbers, owner, and data classification).
2) Apply pre-sanitization measures: if the device was used for sensitive data, place it in restricted storage.
3) Choose the method: Clear for low-sensitivity, Purge for moderate/high-sensitivity, Destroy for the highest risk or end-of-life.
4) Execute using the correct tool and record results (who did it, when, method, tool/version, device ID).
5) Verify via sampling or forensic checks and retain a certificate of destruction for disposed devices.
For example, a small defense subcontractor can require FDE on all new laptops and perform crypto-erase (delete the encryption key) at retirement, while using a certified destruction vendor for older unencrypted SSDs.
Specific technical tools and commands (examples)
Use vendor and platform-supported commands when possible. Examples: for ATA HDDs, secure-erase via hdparm (set a temporary user password, then issue the erase; the password is discarded afterwards):
hdparm --user-master u --security-set-pass password /dev/sdX
hdparm --security-erase password /dev/sdX
For NVMe (the -s value selects the erase type: 1 requests a user-data erase, 2 a cryptographic erase on drives that support it):
nvme format /dev/nvme0n1 -s 1
For SEDs use sedutil or vendor management tools to perform a cryptographic erase (crypto-erase). Avoid using overwrite-only tools on SSDs (DBAN or simple dd) because of wear-leveling; instead use vendor secure-erase or physical destruction. For verification, sample reads with forensic tools (e.g., FTK Imager, Autopsy) or use hexdump/strings to ensure no readable remnants remain; for crypto-erase verification, confirm that the device no longer returns accessible partitions or that the drive returns only random data patterns.
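The following script is an added illustration, not code from the original article: it wraps the ATA Secure Erase commands above and the record-keeping step of the process, checking hdparm -I output for the conditions that make the two commands fail (feature set unsupported, drive frozen, password already set), previewing the commands, and emitting the evidence line (who, when, method, tool/version, device ID, result). The sample identify output and the tab-separated log layout are constructed assumptions.

```shell
#!/bin/sh
# Pre-flight check, command preview and evidence record for ATA Secure Erase.
# Added example, not code from the original article. It parses `hdparm -I`
# output (constructed sample below); the log layout is an assumption.

# Constructed sample of the relevant parts of `hdparm -I /dev/sdX` output.
SAMPLE_IDENTIFY='ATA device, with non-removable media
        Model Number:       EXAMPLE-HDD-2TB
        Serial Number:      WD-EXAMPLE123456
Security:
                supported
        not     enabled
        not     locked
        not     frozen
        not     expired: security count
                supported: enhanced erase
        240min for SECURITY ERASE UNIT. 240min for ENHANCED SECURITY ERASE UNIT.'
# The same drive after firmware froze the feature set (the line reads "frozen").
SAMPLE_FROZEN=$(printf '%s\n' "$SAMPLE_IDENTIFY" | sed 's/^\([[:space:]]*\)not[[:space:]]*frozen$/\1frozen/')

# Print "ready" and return 0 only when the security feature set is supported,
# not frozen (firmware often freezes it at boot; a suspend/resume cycle usually
# clears that) and no password is already set, which would make set-pass fail.
ata_security_ready() {
    id=$1
    printf '%s\n' "$id" | grep -qE '^[[:space:]]+supported$' || { echo "security not supported"; return 1; }
    printf '%s\n' "$id" | grep -qE '^[[:space:]]*not[[:space:]]+frozen$' || { echo "drive is frozen"; return 1; }
    printf '%s\n' "$id" | grep -qE '^[[:space:]]*not[[:space:]]+enabled$' || { echo "password already set"; return 1; }
    echo "ready"
}

# Serial number from the identify output, used as the device ID in the record.
ata_serial() { printf '%s\n' "$1" | sed -nE 's/^[[:space:]]*Serial Number:[[:space:]]+//p'; }

# The article's two-step erase. Commands are previewed unless DRY_RUN=0.
# The password is throwaway (no whitespace) and only enables the ERASE UNIT command.
ata_secure_erase() {
    dev=$1; pass=$2
    for c in "hdparm --user-master u --security-set-pass $pass $dev" \
             "hdparm --security-erase $pass $dev"; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "would run: $c"; else $c || return 1; fi
    done
}

# Audit record for step 4: when, who, device ID, 800-88 outcome/method, tool, result.
evidence_line() {
    printf '%s\t%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5"
}
```

Feed the real output of hdparm -I into ata_security_ready before erasing; a "frozen" result means the erase would be rejected and the drive should be unfrozen first rather than overwritten with a generic tool.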
Use of third-party destruction and certificates
If you outsource destruction, vet vendors for chain-of-custody, on-site destruction capabilities, and written certificates of destruction (CoD) that include device serial numbers. For small businesses without in-house shredders or crushers, use a NAID AAA-certified vendor when handling high-value or regulated media. Maintain vendor contracts and CoDs as audit evidence for FAR/CMMC assessments. When contracting destruction, require witnessing options and request a detailed manifest listing each device by ID.
Risk of non-compliance and practical compliance tips
Failing to sanitize media properly risks data breach, disclosure of covered contractor information, contract penalties, loss of future government work, and reputational harm. Practical compliance tips: default to full-disk encryption on all endpoint devices so retirement can be simplified with crypto-erase; document standard operating procedures that map sanitization methods to data sensitivity; maintain logs, screenshots, or tool output as evidence; train personnel on approved tools and chain-of-custody procedures; and run periodic audits (e.g., quarterly spot checks) using forensic read tools to confirm processes are followed.
Conclusion
Selecting the right tools and techniques to sanitize hard drives and removable media for FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII compliance requires an inventory-driven policy, NIST 800-88-based method selection (Clear, Purge, Destroy), using platform-appropriate secure-erase or cryptographic methods for SSDs and NVMe, and producing verifiable records and certificates of destruction; small businesses can pragmatically reduce risk by enforcing full-disk encryption, maintaining simple SOPs, and either investing in the correct in-house tools or qualifying reputable destruction vendors.