
How to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII

Practical guide for SMBs to implement FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII

January 06, 2026 · 3 min read


Requirement

FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII – Sanitize or destroy information system media containing controlled unclassified information before disposal or release for reuse.

Understanding the Requirement

This control requires that any media—digital or physical—that contains Controlled Unclassified Information (CUI) must be rendered unreadable before it is discarded or returned to circulation. Under the FAR 52.204-21 / CMMC 2.0 Level 1 framework, the goal is to prevent unauthorized recovery of sensitive data by either sanitizing media for reuse or physically destroying it prior to disposal, covering hard drives, USBs, backup tapes, paperwork, microfilm, and similar media.

Technical Implementation

  • Inventory and classify media: Maintain a simple asset register for all removable and end-of-life storage (laptops, desktops, USBs, backup tapes, removable drives, and paper storage). Tag items that may contain CUI so they follow the sanitization/destruction workflow.

  • Sanitization for reuse: Before repurposing a drive, run a verified data-wiping tool that implements the DoD 5220.22-M method (or an accepted equivalent). Use reputable tools (for example, DBAN or commercially supported alternatives) and keep a log showing the media serial/asset tag, date, tool used, operator, and verification result.

  • Physical destruction for disposal: For any media not intended for reuse, use physical destruction. For hard drives and SSDs, options include shredding, crushing, or degaussing (magnetic media only; degaussing has no effect on flash-based SSDs). Use an in-house approved crusher or a certified third-party destruction vendor and retain a certificate of destruction for your records.

  • Paper and non-digital media: Shred paper containing CUI with a cross-cut shredder producing 1 mm x 5 mm particles or smaller. For large volumes, use a bonded destruction service that provides a chain-of-custody and certificate of destruction.

  • Chain-of-custody and documentation: Create simple forms or electronic records capturing who handled the media, when it was sanitized or destroyed, the method used, and the disposal vendor or tool output. Keep the records for the retention period required by your contracts or policy.

  • Roles, training, and verification: Assign responsibilities (media sanitization owner, IT admin, facilities) and train staff on the process. Periodically verify a sample of sanitized media to ensure wipes are effective and that certificates from vendors are genuine.
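The wipe-for-reuse, verification and logging steps above, as an added example in Python (not code from the page or from any vendor tool). It operates on a constructed in-memory byte image so it runs offline; the three-pass overwrite, the digest-based read-back verification, the marker spot-check and the record fields are assumptions modelled on the list above, and the asset tag, operator and tool name are placeholders. On real hardware you would run a vetted wiping tool against the block device and record its output, and for SSDs you would take the physical-destruction path, since overwrite passes may not reach every flash cell behind wear levelling and spare blocks.

```python
import hashlib
import io
import json
import os
from dataclasses import dataclass, asdict
from datetime import datetime, timezone

BLOCK = 4096  # overwrite/read granularity; real tools work in device sectors


def make_sample_image(size: int, marker: bytes) -> io.BytesIO:
    """Constructed sample 'drive': a byte image filled with a CUI-looking marker."""
    return io.BytesIO((marker * (size // len(marker) + 1))[:size])


def _overwrite(media, size: int, fill) -> None:
    """Write fill(n) over the first `size` bytes of media, BLOCK bytes at a time."""
    media.seek(0)
    written = 0
    while written < size:
        n = min(BLOCK, size - written)
        media.write(fill(n))
        written += n
    media.flush()


def three_pass_wipe(media, size: int) -> str:
    """Three overwrite passes in the DoD 5220.22-M style: a fixed byte, its
    complement, then random data. Returns the SHA-256 of the random pass so
    verify_final_pass() can confirm that pass actually landed on the media.
    Caveat: on SSDs, wear levelling and spare blocks mean overwrites may not
    reach every cell, which is why SSDs are paired with physical destruction."""
    _overwrite(media, size, lambda n: b"\x00" * n)
    _overwrite(media, size, lambda n: b"\xff" * n)
    digest = hashlib.sha256()

    def random_fill(n: int) -> bytes:
        chunk = os.urandom(n)
        digest.update(chunk)
        return chunk

    _overwrite(media, size, random_fill)
    return digest.hexdigest()


def verify_final_pass(media, size: int, expected_digest: str) -> bool:
    """Read the media back in full and compare with the digest recorded at write time."""
    media.seek(0)
    digest = hashlib.sha256()
    remaining = size
    while remaining > 0:
        chunk = media.read(min(BLOCK, remaining))
        if not chunk:  # short read: an unreadable region counts as a failed wipe
            return False
        digest.update(chunk)
        remaining -= len(chunk)
    return digest.hexdigest() == expected_digest


def residual_scan(media, size: int, markers) -> list:
    """Spot-check: return any known CUI markers that survived the wipe."""
    media.seek(0)
    blob = media.read(size)
    return [m for m in markers if m in blob]


@dataclass
class SanitizationRecord:
    """Log fields the control's documentation step asks for (hypothetical schema)."""
    asset_tag: str
    media_type: str
    method: str
    tool: str
    operator: str
    performed_at: str
    verified: bool
    final_pass_sha256: str

    def to_json(self) -> str:
        return json.dumps(asdict(self))


def sanitize_for_reuse(asset_tag, media_type, operator, media, size, markers=()):
    """Run the wipe, verify it, and return the record for the asset register."""
    digest = three_pass_wipe(media, size)
    verified = verify_final_pass(media, size, digest) and not residual_scan(media, size, markers)
    return SanitizationRecord(
        asset_tag=asset_tag,
        media_type=media_type,
        method="3-pass overwrite (DoD 5220.22-M style)",
        tool="in-memory demo wiper (hypothetical)",
        operator=operator,
        performed_at=datetime.now(timezone.utc).isoformat(timespec="seconds"),
        verified=verified,
        final_pass_sha256=digest,
    )


def demo() -> SanitizationRecord:
    marker = b"CUI//PROP: client list, drawing rev 3\n"  # constructed content
    size = 64 * 1024
    image = make_sample_image(size, marker)
    assert residual_scan(image, size, [marker])  # CUI is present before the wipe
    record = sanitize_for_reuse("LT-0042", "laptop HDD", "j.doe", image, size, [marker])
    print(record.to_json())
    return record


if __name__ == "__main__":
    demo()
```

Running the script prints one JSON log line per sanitized asset; `verified` comes back false if any region could not be read back or a known marker is still present, which is the signal to route the media to destruction instead of reuse.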

Example in a Small or Medium Business

At a small engineering firm, the IT manager maintains an asset register of laptops, backup tapes, and USB drives. When an engineer retires a laptop, the device is tagged and moved to the IT operations area; if the company plans to reuse the drive, the IT manager runs a DoD 5220.22-M style wipe using a verified wiping tool and records the operation in the asset register along with the operator name and timestamp. If the drive is beyond reuse, the firm uses a local certified destruction vendor that crushes drives and provides a certificate of destruction; the IT manager files that certificate with the asset record. Paper containing CUI—design documents and client lists—is collected in secured bins and run through the office’s cross-cut shredder that produces sub-5 mm particles; high-volume paper is sent weekly to a bonded destruction service. The firm periodically audits the disposal log and tests a few sanitized drives to confirm no recoverable data remains. Employees with media-handling responsibilities receive quarterly reminders and a short checklist to follow before disposal, ensuring consistent application of the policy across the company.

Summary

By combining clear policy (inventory, roles, and retention of destruction evidence) with technical measures (verified DoD-style wipes for reuse and physical destruction or approved shredding for disposal), SMBs can ensure CUI on media is not recoverable after disposal or reuse. Documentation, periodic verification, and simple staff training complete an auditable process that meets the intent of the control while remaining practical and affordable for small and medium organizations.
