This post explains how to meet FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII by providing a practical, actionable checklist and implementation guidance to sanitize or destroy media before reuse or disposal under the Compliance Framework.
Overview: what the requirement means for your organization
FAR 52.204-21 requires contractors handling Federal Contract Information (FCI) to protect that information when media are retired, repurposed, or disposed; CMMC 2.0 Level 1 practice MP.L1-B.1.VII codifies the same objective: do not allow recoverable FCI to leave your environment. For small businesses operating under the Compliance Framework, that means you must identify media that may contain FCI, choose and apply an appropriate sanitization method, document the process, and maintain evidence before you reuse or dispose of any device or storage medium.
Practical implementation details (Compliance Framework specifics)
Follow NIST SP 800-88 Rev. 1 guidance (Clear, Purge, Destroy) as the technical baseline referenced by many compliance programs. Under the Compliance Framework, map media types to acceptable methods: for magnetic HDDs, overwriting (Clear) with verified multi-pass or vendor-approved utilities may suffice; for SSDs and NVMe, prefer cryptographic erase or physical destruction because overwrites can be unreliable; for removable media and tapes, use degaussing (when supported) or physical destruction; for paper, use cross-cut shredding or pulping. Your Compliance Framework implementation notes should list exactly which method you will use for each media class and where the authoritative references (NIST 800-88, vendor sanitization guides) live in your policy library.
Practical checklist (step-by-step)
Use this checklist as an operational SOP to satisfy MP.L1-B.1.VII — adapt each line to your environment and record evidence for audits:
- Inventory & classification: Record asset tag, serial, media type, last user, and whether it could contain FCI.
- Determine sanitization method: Refer to NIST 800-88 mapping (Clear/Purge/Destroy) and the Compliance Framework policy for the media type.
- Prepare device: Remove batteries/SIMs/portable storage, disconnect network, and ensure power to allow secure erase operations.
- Execute sanitization: Run the approved tool or process (see technical examples below).
- Verification: Sample and test a subset with a recovery tool or check tool logs; if vendor-provided certificate exists, retain it.
- Documentation: Log operator, date/time, method, serials, and results in your disposal log; attach certificate of destruction (CoD) if using a vendor.
- Chain-of-custody & transport: Use sealed bags, tamper-evident packaging, and tracked courier for off-site destruction; retain tracking numbers.
- Retention & audit: Keep logs and CoDs per your Contracts/Compliance Framework retention schedule (commonly 3–7 years) and include sanitization in periodic audits.
Small business scenarios and examples
Example 1 — employee offboard: A staff laptop that stored FCI is being reassigned. Inventory the device, back up company data (not FCI unless authorized), encrypt the disk (if not already encrypted), then perform a cryptographic erase or factory reinstall following your SOP. Record the laptop serial, the cryptographic erase command output, and the person who performed it.
Example 2 — end-of-life server: For an old on-prem server with multiple HDDs, remove disks, use a vetted secure-wipe tool for each drive (or physically destroy drives if they house backups of FCI), and get a certificate from an NAID-certified destruction vendor for physical destruction.
Example 3 — backup tapes: For magnetic tape backups, either degauss with a rated degausser that meets your tape format or physically shred/pulp, and document the serial ranges processed.
Technical specifics and safe commands (with cautions)
Technical choices depend on media type. Examples (test in a non-production environment before use):
- Spinning disks on Linux: shred (e.g., shred -v -n 3 /dev/sdX); note that overwriting in this way is not reliable for SSDs.
- ATA SSDs: prefer the vendor ATA Secure Erase sequence (hdparm --user-master u --security-set-pass PASS /dev/sdX; hdparm --user-master u --security-erase PASS /dev/sdX) after reading vendor docs.
- NVMe: many controllers support crypto-erase via nvme format or vendor utilities (e.g., nvme format /dev/nvme0n1 --ses=1); verify vendor guidance.
- Windows: SDelete (Sysinternals) wipes free space (sdelete -z C:), as does cipher /w:C: by zeroing free space; both leave allocated files untouched, so for whole-disk scenarios use vendor utilities or disk-format tools that support secure erase.
Always encrypt devices in production so a cryptographic erase becomes an acceptable purge option, and always verify results: forensic tools (used offline) can confirm no recoverable FCI remains. Important: test vendor commands on identical hardware first and maintain a rollback/restore plan—incorrect commands can destroy devices unexpectedly.
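To make the checklist above and these commands repeatable, here is an added helper (my example, not code from the original post or from any standard): it selects the NIST 800-88 action for an asset's media class, plans the Linux commands quoted above as argv lists without running them, checks a post-wipe sector sample, and builds the disposal-log record the checklist requires. Asset tags, serials and device paths are constructed values.

```python
"""Added helper (not from the post): NIST SP 800-88 method selection, command planning, log record."""
from dataclasses import dataclass
from datetime import datetime, timezone
# Media class -> (NIST 800-88 action, technique), following the mapping in the post.
POLICY = {"hdd": ("Clear", "overwrite"), "ssd": ("Purge", "ata-secure-erase"),
          "nvme": ("Purge", "crypto-erase"), "tape": ("Purge", "degauss"),
          "paper": ("Destroy", "cross-cut-shred")}

@dataclass
class Asset:                 # inventory fields from the checklist
    asset_tag: str
    serial: str
    media: str               # one of the POLICY keys
    last_user: str
    may_contain_fci: bool
    encrypted: bool = False  # full-disk encryption already in place
    device: str = ""         # Linux block device path (constructed in examples)

def select_method(asset):
    """(action, technique). An encrypted disk may use crypto-erase as its Purge; an
    unknown media class falls back to physical destruction (conservative assumption)."""
    if asset.encrypted and asset.media in ("hdd", "ssd", "nvme"):
        return ("Purge", "crypto-erase")
    return POLICY.get(asset.media, ("Destroy", "physical-destruction"))

def plan_commands(asset):
    """Commands quoted in the post for the chosen technique, never executed here; [] means
    the step happens outside this script (degausser, shredder, vendor tool, FDE key destruction)."""
    technique, dev = select_method(asset)[1], asset.device
    if technique == "overwrite":
        return [["shred", "-v", "-n", "3", dev]]
    if technique == "ata-secure-erase":
        return [["hdparm", "--user-master", "u", "--security-set-pass", "PASS", dev],
                ["hdparm", "--user-master", "u", "--security-erase", "PASS", dev]]
    if technique == "crypto-erase" and asset.media == "nvme":
        return [["nvme", "format", dev, "--ses=1"]]
    return []

def verify_sample(before, after, expect_zero=False):
    """Verification: a sector sample read back must differ from the pre-wipe sample (and be all zeros after a zero-fill pass)."""
    changed, all_zero = before != after, not any(after)
    return {"changed": changed, "all_zero": all_zero,
            "passed": changed and (all_zero or not expect_zero)}

def log_record(asset, operator, result, cod_ref=None):
    """Disposal-log entry with the fields the checklist requires (CoD only when a vendor destroyed it)."""
    action, technique = select_method(asset)
    return {"asset_tag": asset.asset_tag, "serial": asset.serial, "media": asset.media,
            "last_user": asset.last_user, "fci": asset.may_contain_fci, "operator": operator,
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "method": f"{action}/{technique}", "result": result, "cod": cod_ref}
```

Feed each record to your disposal log (the checklist's documentation step) and attach the vendor CoD reference where physical destruction was outsourced.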
Compliance tips and best practices
Make sanitization part of the Compliance Framework baseline: include media sanitization in onboarding/offboarding checklists, asset lifecycle policies, and procurement (require full-disk encryption and vendor-sanitization documentation). Use contracts to require NAID AAA or equivalent certification from destruction vendors and demand Certificates of Destruction. Train staff handling media disposal and use tamper-evident packaging for off-site transport. Automate logging where possible (centralized CMDB updates, upload sanitization logs to an immutable storage bucket) and perform periodic spot checks using forensic tools to validate that your sanitization methods are effective.
Risk of not implementing MP.L1-B.1.VII
Failure to properly sanitize or destroy media exposes FCI to accidental disclosure, resulting in contract breaches, loss of federal contracting eligibility, potential monetary penalties, and reputational harm. A single lost laptop or improperly wiped backup tape can lead to sensitive procurement information leakage and downstream supply chain exposure. For small businesses, the cost of one data breach (incident response, lost contracts, legal fees) far exceeds the modest operational cost of a disciplined sanitization program integrated into the Compliance Framework.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII is a practical, procedural task: classify media, select a NIST 800-88-aligned method, execute and verify sanitization, document everything, and retain proof. Implement the checklist above in your Compliance Framework SOPs, use vendor guidance and certified destruction partners where appropriate, and make sanitization an auditable, repeatable part of your asset lifecycle to reduce risk and demonstrate compliance.