This post gives a practical, auditable compliance checklist you can implement today to meet FAR 52.204-21 and CMMC 2.0 Level 1 practice MP.L1-B.1.VII — sanitize or destroy media before disposal or reuse — including implementation notes, technical options, small-business scenarios, and record-keeping steps tailored to a Compliance Framework approach.
What the control requires and why it matters
At a high level the control requires that all media containing Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) be sanitized (cleared or purged) or physically destroyed before the media leaves your control or is repurposed. This reduces the risk that residual data can be recovered by unauthorized parties. For compliance under a Compliance Framework, your organization must translate that requirement into documented policy, repeatable procedures, tools and evidence that an auditor or contracting officer can verify.
Step-by-step compliance checklist (high level)
1. Inventory and classification
Create and maintain an asset register that lists every storage medium type: laptops, desktops, removable USBs, external HDD/SSD, backup tapes, cloud storage snapshots, printers/copiers with hard drives, mobile devices, and IoT/logging devices. For each item record owner, last known data type (FCI/CUI/Unclassified), location, and disposition state. For small businesses, a simple spreadsheet or lightweight CMDB that records serial numbers and lifecycle stage is sufficient when combined with periodic spot checks.
2. Policy, roles, and procedures
Document a Media Sanitization Policy tied to your Compliance Framework: define acceptable sanitization methods per media type, assign responsible roles (Asset Owner, IT Ops, Facilities, Security Officer), and set approval gates. Include procedures for: pre-sanitization data discovery (confirming data presence), quarantine/segregation of media awaiting disposal, execution of sanitization, verification (sampling and checksums where applicable), chain-of-custody for external vendors, and retention of Certificates of Destruction (CoD). Make the policy part of your contract onboarding and off-boarding SOPs.
3. Sanitization methods and technical details
Follow NIST SP 800-88 (Clear, Purge, Destroy) as your technical reference: "Clear" (logical techniques like standard file erase and cryptographic erasure), "Purge" (methods such as block erase, cryptographic erase or vendor secure-erase), and "Destroy" (physical shredding, disintegration, incineration). Practical technical notes: for HDDs, one or more overwrites with secure tools (e.g., shred -n 1 /dev/sdX or dd if=/dev/zero of=/dev/sdX) can be acceptable; for SSDs and NVMe, overwrites are unreliable — use vendor secure-erase tools (hdparm --security-erase for ATA devices, vendor NVMe secure erase utilities, or blkdiscard for some devices) or cryptographic erase by deleting encryption keys (e.g., destroy LUKS keyslots or remove BitLocker keys). Avoid relying on DBAN for SSDs. For mobile devices use factory reset plus cryptographic key removal; for cloud snapshots use provider-specified deletion and encryption key destruction. Always test and document the chosen method on the model in use and keep vendor guidance in your procedure.
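As an added example (not from the original post), a Python spot check of the kind meant by "test and document the chosen method": it samples blocks from a device or image and confirms they hold the overwrite fill pattern, and the disk image it runs on is constructed, with helper names of my choosing. It applies to overwrite-based Clear on HDDs only; for SSD secure erase or cryptographic erase the evidence is the command log and proof of key destruction, not block contents.

```python
import os
import random
import tempfile

BLOCK = 4096  # sample granularity; one read per sampled block


def spot_check_wipe(path, samples=64, fill=0x00, seed=None, block=BLOCK):
    """Read `samples` randomly chosen blocks from a device or image at `path`
    and confirm every byte equals `fill`. Returns (blocks_checked, failing_offsets).
    Sampling catches gross failures (aborted overwrite, wrong target device);
    passing samples >= block count reads the whole target instead."""
    expected = bytes([fill]) * block
    failing = []
    fd = os.open(path, os.O_RDONLY)
    try:
        # lseek works for plain files and block devices alike (getsize reports 0 for devices)
        nblocks = os.lseek(fd, 0, os.SEEK_END) // block
        if nblocks == 0:
            raise ValueError("target smaller than one block")
        picked = sorted(random.Random(seed).sample(range(nblocks), min(samples, nblocks)))
        for idx in picked:
            if os.pread(fd, block, idx * block) != expected:
                failing.append(idx * block)
    finally:
        os.close(fd)
    return len(picked), failing


def make_demo_image(path, blocks=256, unwiped=(17, 200)):
    """Constructed disk image (not a real device): zero-filled except a few
    blocks still holding data, simulating an overwrite that stopped early."""
    with open(path, "wb") as f:
        for i in range(blocks):
            f.write(b"FCI leftover".ljust(BLOCK, b"\xaa") if i in unwiped else bytes(BLOCK))


def run_demo():
    """A full read of the constructed image must flag exactly the unwiped blocks;
    a fully zeroed image must pass with no failures."""
    with tempfile.TemporaryDirectory() as d:
        bad_img, good_img = os.path.join(d, "bad.img"), os.path.join(d, "good.img")
        make_demo_image(bad_img)
        make_demo_image(good_img, unwiped=())
        checked, failing = spot_check_wipe(bad_img, samples=256)
        _, clean = spot_check_wipe(good_img, samples=256)
    return checked, failing, clean


if __name__ == "__main__":
    print(run_demo())  # (256, [69632, 819200], [])
```

Against a real device the path would be the block device (run as root) and a `samples` value sized to the disk; record the seed, the failing offsets and the result in the verification log.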
4. Operational steps and a small-business example
Operationalize the checklist into an SOP with tickets and a simple workflow: 1) Ticket opened listing media to be disposed, 2) Data owner confirms presence of FCI/CUI, 3) Media moved to secure quarantine area, 4) Sanitization executed by IT or vendor, 5) Verification performed, 6) Certificate of Destruction or log entry created, 7) Asset marked disposed in inventory. Example: a 12-person small defense subcontractor decommissions five laptops and two backup drives. They verify all laptops use BitLocker/FileVault in production; they crypto-erase by destroying the keys (remove keys from key escrow and call cryptsetup luksKillSlot where used), then perform a factory OS re-install for reuse. For the backup drives (spinning HDDs), they use an on-site shredding vendor for physical destruction and collect CoDs, retaining them per contract. For one SSD in a legacy server, they use the vendor secure-erase utility in a controlled staging area and log the serial and method used.
5. Verification, evidence, and retention
Verification must be documented: record the device serial, method used, operator, date/time, and result. For physical destruction keep Certificates of Destruction from approved vendors and a photo or witness attestation if feasible. For cryptographic erasure, retain the procedure runbook and confirmation that key material was destroyed and a hash or inventory record showing state. Decide retention time consistent with contract and corporate records schedule and make it searchable (electronic folder with indexed records or dedicated records management). For audits, provide chain-of-custody logs, CoDs, and spot-test results.
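An added example, not the page's own tooling, of the evidence record the step above describes: a hash-chained sanitization log where each entry (serial, media type, method, operator, result, evidence reference, timestamp) is bound to the previous entry's hash, so a later edit to a record is detectable at audit time. The record values and the CoD reference are constructed placeholders.

```python
import hashlib
import json

def _entry_hash(record, prev_hash):
    # Canonical JSON so an identical record always hashes identically
    payload = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

class SanitizationLog:
    """Append-only evidence log: each entry's hash covers its own fields and the
    previous entry's hash, so a later edit or deletion breaks verification."""
    GENESIS = "0" * 64

    def __init__(self):
        self.entries = []

    def append(self, serial, media_type, method, operator, result, evidence_ref, timestamp):
        record = {"serial": serial, "media_type": media_type, "method": method,
                  "operator": operator, "result": result,
                  "evidence_ref": evidence_ref, "timestamp": timestamp}
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        self.entries.append({**record, "prev_hash": prev, "hash": _entry_hash(record, prev)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Index of the first entry that fails the chain check, or None if intact."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            record = {k: v for k, v in e.items() if k not in ("prev_hash", "hash")}
            if e["prev_hash"] != prev or _entry_hash(record, prev) != e["hash"]:
                return i
            prev = e["hash"]
        return None

def run_demo():
    """Constructed records mirroring the scenario above, then a back-dated edit
    of the SSD entry's method, which verify() must detect."""
    log = SanitizationLog()
    log.append("LT-0001", "laptop-ssd", "Purge: cryptographic erase (LUKS keyslot destroyed)",
               "it-ops", "pass", "runbook CE-01", "2024-01-15T10:02:00Z")
    log.append("HD-0042", "backup-hdd", "Destroy: on-site shredding",
               "vendor-xyz", "pass", "CoD #PLACEHOLDER", "2024-01-15T13:30:00Z")
    log.append("SSD-0007", "server-ssd", "Purge: vendor secure erase",
               "it-ops", "pass", "staging log SE-07", "2024-01-16T09:10:00Z")
    intact = log.verify()
    log.entries[2]["method"] = "Clear: quick format"  # simulated tampering
    return len(log.entries), intact, log.verify()

if __name__ == "__main__":
    print(run_demo())  # (3, None, 2)
```

Persist the entries as JSON lines in your records folder and store the latest hash somewhere the operators cannot edit (for example a ticket comment); an auditor can then re-run `verify()` over the exported file.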
Risks of not implementing adequate sanitization
Failure to sanitize or destroy media properly risks recovery of FCI/CUI by adversaries or insiders, leading to data breaches, loss of government contracts, financial penalties, and reputational damage. For small businesses a single lost laptop or improperly wiped backup tape can cause a breach resulting in contract suspension or recoupment. There is also increased liability if disposal vendors are not vetted — unsecured transport or lax destruction practices are a common cause of data loss.
Compliance tips and best practices
Practical tips: 1) Default to full-disk encryption in production so cryptographic erase becomes an efficient fallback, 2) Maintain an approved vendors list (shredders, ITADs) with proof-of-insurance and CoD templates, 3) Train non-IT staff on your quarantine and ticketing flow so media isn't casually discarded, 4) Use asset tags and barcodes to prevent mix-ups, 5) Periodically sample sanitized media to verify methods are effective, and 6) Bake sanitization requirements into procurement and disposal contracts. For small shops, automate as much as possible — e.g., use Mobile Device Management (MDM) to issue remote wipe and record the wipe event timestamp.
In summary, build a simple, auditable checklist that starts with inventory and classification, codifies approved sanitization methods per media type, defines roles and chain-of-custody, includes technical procedures and vendor controls, and stores verifiable evidence. Implementing these steps protects FCI/CUI, supports FAR 52.204-21 and CMMC Level 1 obligations under your Compliance Framework, and reduces the operational and contractual risks of improper media disposal.