How to Implement Chain-of-Custody and Reuse Verification for Media Containing FCI: FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII How-To Guide

Step-by-step how-to for small businesses to implement chain-of-custody and reuse verification for media containing Federal Contract Information (FCI) to meet FAR 52.204‑21 and CMMC 2.0 Level 1 requirements.

April 22, 2026
5 min read


This guide explains, in practical terms, how a small business can implement chain-of-custody and reuse verification controls for media containing Federal Contract Information (FCI) to meet FAR 52.204‑21 and CMMC 2.0 Level 1 control MP.L1‑B.1.VII, with step‑by‑step procedures, sample artifacts, technical verification tips, and real‑world examples you can adopt within a Compliance Framework program.

What this control requires (high level)

The control requires that any physical or digital media that stores FCI be tracked while in possession of the organization, have documented custody transfers, and be verified as appropriately sanitized before reuse or disposal. For Compliance Framework implementation you should treat this as three integrated capabilities: (1) inventory & labeling/classification, (2) documented chain‑of‑custody (CoC) with tamper‑evident handling, and (3) verified sanitization or destruction with audit evidence that the media no longer contains FCI. This aligns with FAR 52.204‑21 obligations (protecting FCI) and the CMMC L1 practice MP.L1‑B.1.VII.

Step‑by‑step implementation

Inventory, labeling and classification

Start by creating a media inventory within your Compliance Framework asset register (spreadsheet, CMDB, or asset management tool). Assign each item a unique Media ID and record its type (USB, external HDD, laptop SSD, CD, paper) plus serial number, owner, contract reference, and classification "FCI". Physically label items with barcode or tamper‑evident UID stickers (example: M‑FCI‑00045). For small businesses on a budget, a barcode sheet and a Google Sheet plus a smartphone barcode scanner work; larger shops should integrate with an asset management system (GLPI, Snipe‑IT). Maintain metadata: acquisition date, last use, location, and the contract it supports.

Documented chain‑of‑custody process

Define a CoC form (paper or digital) that travels with the media: Media ID, date/time, from/to, reason for transfer, condition, signatures (or digital equivalent), and return/disposition ETA. Digitize the CoC with e‑signature or mobile capture for field transfers. Require dual custody for sensitive transfers (two people sign). Log every custody event in your compliance repository and generate a timestamped audit trail. Include a cryptographic fingerprint (SHA‑256) of the device image or files, taken at receipt, so that any change to the contents while the media is in custody can be detected by recomputing the hash. Example field set: {MediaID, Serial, ReceivedBy, SentBy, Location, SHA256_before, Purpose, ExpectedReturn, SignedBy}. Retain logs per contract; common practice is 3 years unless the contract states otherwise.
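The following is an added example (not code from the guide or from any product it mentions) of a digital chain‑of‑custody log with the field set described above. Each event commits to the SHA‑256 of the previous event, so an auditor can recompute the chain and pinpoint the first altered entry. It uses only the Python standard library; the media ID, names and file contents are constructed sample values.

```python
"""Tamper-evident chain-of-custody (CoC) audit log for FCI media.

Added example, not part of the original guide. Assumptions: Python 3.8+,
standard library only; MEDIA_ID, people and file contents are constructed
sample values, not real records.
"""
import copy
import hashlib
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional

MEDIA_ID = "M-FCI-00045"          # constructed sample Media ID
GENESIS = "0" * 64                # prev_hash value for the first entry of a chain


def fingerprint(data: bytes) -> str:
    """SHA-256 of the received files or device image (the SHA256_before field)."""
    return hashlib.sha256(data).hexdigest()


def _entry_hash(entry: Dict) -> str:
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible
    # regardless of how the entry was stored or re-serialized.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    raw = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()


def append_event(log: List[Dict], timestamp: Optional[str] = None, **fields) -> Dict:
    """Append one custody event; it commits to the hash of the previous event."""
    prev = log[-1]["entry_hash"] if log else GENESIS
    entry = {
        "seq": len(log) + 1,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
        "prev_hash": prev,
        **fields,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry


def verify_chain(log: List[Dict]) -> int:
    """Recompute the chain. Returns the seq of the first bad entry, or 0 if intact."""
    prev = GENESIS
    for i, entry in enumerate(log, start=1):
        if entry.get("seq") != i or entry.get("prev_hash") != prev:
            return i                       # reordered, missing or spliced entry
        if _entry_hash(entry) != entry.get("entry_hash"):
            return i                       # a field was edited after signing
        prev = entry["entry_hash"]
    return 0


def build_sample_log() -> List[Dict]:
    """Three custody events for one USB drive (constructed scenario)."""
    log: List[Dict] = []
    received_files = b"constructed sample FCI file contents"   # stands in for the files
    append_event(log, media_id=MEDIA_ID, event="receipt", sent_by="Contractor A",
                 received_by="Front desk", location="Reception safe",
                 sha256_before=fingerprint(received_files),
                 purpose="Drawing package delivery", expected_return="2026-05-01")
    append_event(log, media_id=MEDIA_ID, event="transfer", sent_by="Front desk",
                 received_by="IT", location="IT lab", purpose="File extraction")
    append_event(log, media_id=MEDIA_ID, event="disposition", sent_by="IT",
                 received_by="IT", location="IT lab", purpose="Sanitized for reuse")
    return log


def tampered_copy(log: List[Dict]) -> List[Dict]:
    """Simulate someone editing the second entry's custodian after the fact."""
    bad = copy.deepcopy(log)
    bad[1]["received_by"] = "Unknown"
    return bad


if __name__ == "__main__":
    coc = build_sample_log()
    print("intact chain ->", verify_chain(coc))            # 0
    print("edited entry ->", verify_chain(tampered_copy(coc)))   # 2
```

One limitation worth knowing: silently deleting the most recent entries leaves a shorter but still valid chain, so record the latest entry_hash somewhere the log's custodian cannot alter alone, for example on the signed paper CoC form or the Certificate of Sanitization filed with the media record.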

Sanitization and reuse verification — technical details

Create a sanitization policy that references NIST SP 800‑88 Rev. 1 (Clear, Purge, Destroy). Map media types to methods: for SSDs use ATA Secure Erase or cryptographic erase; for HDDs use secure overwrite (single or multi‑pass per policy) or degaussing followed by destruction; for removable USB drives use a full overwrite and verification; for media with hardware encryption prefer cryptographic erase by key destruction. Practical commands/tools (examples): compute a raw device fingerprint with dd if=/dev/sdX bs=1M | sha256sum; for ATA Secure Erase use hdparm to set a security password and then --security-erase (confirm the drive supports it and is attached directly rather than through a USB bridge, which commonly blocks the command); for Windows file wiping use Sysinternals SDelete; for verified commercial solutions use Blancco (certified) or WhiteCanyon. After sanitization, validate the result: hexdump -n 4096 /dev/sdX confirms the first 4 KiB are zero, but that is only a spot check, so read the whole device back before signing off, or run a forensic carve with bulk_extractor to ensure no residual FCI. Because SSDs remap blocks, an overwrite cannot be relied on to reach every cell; on those devices the verification evidence should come from the secure‑erase or crypto‑erase command itself plus a read‑back. Record verification results on the CoC form and generate a Certificate of Sanitization/Destruction that is signed and stored with the media record.

Small‑business real‑world scenarios

Scenario 1 — A 12‑employee engineering firm receives an external contractor USB drive containing FCI. Process: quarantine the drive, log MediaID M‑FCI‑012, compute the SHA‑256 hash and record it on the CoC, transfer to IT for file extraction to a locked repository, then sanitize the USB with a full overwrite (dd if=/dev/zero of=/dev/sdY bs=1M; sync) and verify zeros: hexdump -n 4096 /dev/sdY. Attach the sanitization certificate to the CoC. Scenario 2 — A developer returns a company laptop: IT images the drive, stores the image encrypted, performs ATA Secure Erase (or crypto‑erase by rekeying BitLocker and wiping the keys), verifies the erase, and then re‑images the drive for reuse. These steps are implementable at low cost (open tools plus standard operating procedures) and documented CoC spreadsheets.
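As an added example (not code from the guide), the overwrite‑and‑verify routine from the sanitization section and Scenario 1 above, written in Python so it can be exercised on a scratch file instead of a real /dev/sdY. It fingerprints the target, writes a single pass of zeros in 1 MiB chunks (the dd bs=1M idiom), performs both the 4 KiB spot check and a full read‑back, and returns a Certificate of Sanitization record. The target path, media ID and operator are assumptions; the sample image is constructed with random bytes standing in for FCI files. This is the Clear method for HDDs and USB flash; SSDs should use the secure‑erase or crypto‑erase path the guide describes.

```python
"""Overwrite-and-verify for a media image plus a Certificate of Sanitization.

Added example, not part of the original guide. Assumes the media is reachable
as a path the process can read and write (a temp file here stands in for a
removable drive). Overwrite is the NIST SP 800-88 Clear method for magnetic
and USB flash media; it is not a substitute for secure erase on SSDs.
"""
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from typing import Dict

CHUNK = 1024 * 1024   # 1 MiB, matching dd bs=1M in the guide's commands


def make_sample_image(content: bytes) -> str:
    """Create a temp file standing in for a drive (constructed sample, not real FCI)."""
    fd, path = tempfile.mkstemp(prefix="fci-media-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def discard_image(path: str) -> None:
    os.remove(path)


def size_of(path: str) -> int:
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        return f.tell()


def fingerprint_path(path: str) -> str:
    """SHA-256 over the whole target, the equivalent of dd ... | sha256sum."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def overwrite_zeros(path: str) -> int:
    """Single pass of zeros over the whole target; returns bytes written."""
    total = size_of(path)
    written = 0
    with open(path, "r+b") as f:
        while written < total:
            n = min(CHUNK, total - written)
            f.write(b"\x00" * n)
            written += n
        f.flush()
        os.fsync(f.fileno())   # same purpose as the `sync` after dd
    return written


def first_bytes_zero(path: str, n: int = 4096) -> bool:
    """The hexdump -n 4096 spot check: only the first n bytes are inspected."""
    with open(path, "rb") as f:
        head = f.read(n)
    return head.count(0) == len(head)


def find_nonzero(path: str) -> int:
    """Full read-back. Returns the offset of the first non-zero byte, or -1 if clean."""
    offset = 0
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            if chunk.count(0) != len(chunk):
                return offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)
    return -1


def sanitize_and_certify(path: str, media_id: str, operator: str) -> Dict:
    """Run fingerprint -> overwrite -> verify and return the certificate record."""
    size = size_of(path)
    before = fingerprint_path(path)          # SHA256_before, as recorded on the CoC
    written = overwrite_zeros(path)
    first_bad = find_nonzero(path)
    return {
        "media_id": media_id,
        "size_bytes": size,
        "sha256_before": before,
        "method": "NIST SP 800-88 Rev. 1 Clear: single-pass zero overwrite",
        "bytes_written": written,
        "spot_check_first_4096_zero": first_bytes_zero(path),
        "first_nonzero_offset": first_bad,
        "sha256_after": fingerprint_path(path),
        "result": "PASS" if first_bad == -1 and written == size else "FAIL",
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


def demo() -> Dict:
    """Scenario 1 on a constructed 2 MiB + 12345-byte image (hypothetical M-FCI-012)."""
    path = make_sample_image(os.urandom(2 * CHUNK + 12345))
    try:
        return sanitize_and_certify(path, "M-FCI-012", "IT (example operator)")
    finally:
        discard_image(path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The certificate dictionary is what gets serialized (PDF or JSON) and attached to the CoC record; the sha256_after value doubles as evidence that the read‑back happened, since the hash of an all‑zero image of a given size is reproducible by the auditor.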

Risks of non‑implementation and compliance tips

Failing to implement CoC and reuse verification risks unauthorized disclosure of FCI, contract termination, debarment from government contracting, financial penalties, and reputational harm. From a technical standpoint, residual data on reused drives can be recovered by adversaries; SSDs in particular can retain remnant data if not properly crypto‑erased. Compliance tips: (1) map media flows in your organization and integrate CoC steps into procurement and return workflows; (2) train staff in CoC handling and incident reporting; (3) perform periodic audits and sample forensic checks of sanitized media; (4) prefer cryptographic solutions where feasible because crypto‑erase is fast and verifiable; (5) maintain a certificate trail (CoC forms + sanitization certificates) that an auditor can review.

Practical controls, artifacts and checklist

Implement these artifacts: Media Inventory (CSV/CMDB), Chain‑of‑Custody form (digital & printable), Sanitization SOP (by media type referencing NIST 800‑88), Verification Report template (hashes, verification steps, tool versions), and Certificate of Destruction. Operational checklist example for every media disposition: (1) Log MediaID and compute pre‑sanitization hash; (2) Transfer to IT and record CoC; (3) Perform sanitization method (tool + parameters); (4) Run verification routine and capture evidence (screenshots, hashes, logs); (5) File Certificate of Sanitization and update inventory disposition. Automate what you can—barcode scans, hash computation, and PDF certificate generation reduce human error.

Summary: Implementing MP.L1‑B.1.VII is practical for small businesses when you formalize inventory, enforce chain‑of‑custody steps, standardize sanitization methods (NIST SP 800‑88), and capture verification evidence. Use cost‑effective tools and simple asset management to maintain traceability, and build audit evidence (CoC forms + sanitization certificates) to demonstrate compliance under FAR 52.204‑21 and CMMC 2.0 Level 1. With these controls in place you reduce the risk of FCI exposure and position your organization to pass audits or contract reviews.
