
How to Perform Onsite vs Offsite Media Destruction: Risk-Based Decision Guide for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII

Practical, risk-based guidance for deciding between onsite and offsite media destruction to meet FAR 52.204-21 and CMMC 2.0 Level 1 requirements, with step-by-step actions for small businesses.

April 22, 2026
4 min read


Sanitizing and disposing of electronic and paper media that holds Federal Contract Information (FCI) is a core expectation under FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII). This guide provides a practical, risk-based approach to choosing onsite versus offsite media destruction and includes step-by-step actions, technical details, and small-business scenarios to help you implement a defensible program.

Risk-based decision framework: classify, quantify, and choose

Begin by classifying media by sensitivity (FCI, which is what FAR 52.204-21 and CMMC Level 1 protect; Controlled Unclassified Information (CUI), if you also hold it under a DFARS 252.204-7012 contract; and non-sensitive operational data), volume (a single device vs. a truckload of assets), and exposure risk (are assets stored in a locked room or in shared public areas?). Map those classifications to your threat model: consider insider risk, transport risk, and vendor maturity. For most small businesses a simple decision matrix works: low sensitivity and low volume means offsite destruction with a vetted vendor is acceptable; high sensitivity or high insider risk means prefer onsite destruction, or full-disk encryption from the device's first day of service plus witnessed offsite destruction. Encryption on its own does not sanitize anything; it limits what a drive leaks if it is lost in transit before the vendor destroys it.

Technical sanitization options and when to use them

Follow NIST SP 800-88 Rev. 1 guidance for media sanitization, which defines three levels. Clear (a single validated overwrite pass with a fixed value) is acceptable for media that will be reused inside your controlled environment. Purge (ATA Secure Erase in enhanced mode or ATA Sanitize, NVMe Format with its secure-erase setting or NVMe Sanitize on drives that support it, cryptographic erase, or degaussing for magnetic media) or Destroy (shredding, crushing, disintegration, incineration) is required when media leaves your control or holds FCI/CUI that cannot be reliably cleared. Important technical notes: SSDs need their own firmware erase (ATA/NVMe Sanitize or cryptographic erase) because wear-leveling leaves blocks that a host-side overwrite never touches, and degaussing does nothing to flash memory while it permanently destroys a hard drive. Cryptographic erase counts as sanitization only when all data was encrypted before it was ever written to the drive and the key destruction is recorded as the sanitization method in your chain-of-custody record. After any Clear or Purge, verify by reading back a sample of the media (800-88 calls for full or representative-sample verification) before the device is released. For paper, use a cross-cut or micro-cut shredder: DIN 66399 P-4 (particles up to 160 mm², roughly 1/4" x 1") is a reasonable floor for FCI, P-5 or smaller for anything more sensitive; NIST SP 800-88 itself describes paper as destroyed at 1 mm x 5 mm cross-cut particles or after a disintegrator with a 3/32" screen.
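The Clear/Purge distinction and the read-back verification above, as an added example that is not the article's or any vendor's tooling: it assumes a Linux host with hdparm and nvme-cli installed, root privileges, an ATA drive that `hdparm -I` reports as "not frozen", and placeholder device paths (`/dev/sdX`, `/dev/nvme0n1`). `plan_purge` returns the firmware erase commands for an ATA or NVMe drive, `overwrite_zero` is the Clear-level fallback for magnetic media, and `fingerprint`/`verify_sanitized` implement a sampled verification that treats both all-zero and random-looking read-backs as sanitized but flags residual structured data or an unchanged random block (a cryptographic erase that never rekeyed). `demo` runs the whole cycle on a scratch file filled with constructed data.

```python
"""Purge-level drive sanitization on Linux: choose the firmware erase command, or fall
back to a single-pass Clear overwrite, then verify a read-back sample (NIST SP 800-88).
Added example, not the article's or any vendor's tooling; assumes Linux with hdparm and
nvme-cli, root, a non-frozen ATA drive, and placeholder device paths (assumptions)."""
from __future__ import annotations

import hashlib
import math
import os
import random
import tempfile
from collections import Counter

BLOCK = 4096      # bytes per verification sample
CHUNK = 1 << 20   # write size for the overwrite fallback


def plan_purge(device: str, media: str, crypto_erase: bool = False) -> list[list[str]]:
    """Commands (run each with subprocess.run(cmd, check=True)) for a Purge of this drive."""
    if media == "nvme" and crypto_erase:
        # NVMe Format with Secure Erase Settings 2 = cryptographic erase. Only valid if
        # every byte was encrypted for the drive's whole service life.
        return [["nvme", "format", device, "--ses=2"]]
    if media == "nvme":
        # NVMe Sanitize block erase (sanact=2); sanitize-log reports completion.
        return [["nvme", "sanitize", device, "--sanact=2"], ["nvme", "sanitize-log", device]]
    if media == "ata":
        # ATA SECURITY ERASE UNIT in enhanced mode; a throwaway password is set first.
        return [["hdparm", "--user-master", "u", "--security-set-pass", "NULL", device],
                ["hdparm", "--user-master", "u", "--security-erase-enhanced", "NULL", device]]
    raise ValueError(f"no firmware Purge known for media type {media!r}")


def overwrite_zero(path: str) -> int:
    """Clear level: one fixed-value pass over a file or block device. Fine for magnetic
    media staying in your control; useless on SSDs, where wear-levelling hides blocks."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        f.seek(0)
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write(bytes(n))
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def sample_offsets(size: int, n: int, seed: int = 0) -> list[int]:
    """First block, last block and n seeded-random aligned blocks in between."""
    blocks = size // BLOCK
    rng = random.Random(seed)
    return sorted({0, (blocks - 1) * BLOCK} | {rng.randrange(blocks) * BLOCK for _ in range(n)})


def fingerprint(path: str, offsets: list[int]) -> dict[int, str]:
    """SHA-256 of each sampled block, taken before sanitization."""
    out = {}
    with open(path, "rb") as f:
        for off in offsets:
            f.seek(off)
            out[off] = hashlib.sha256(f.read(BLOCK)).hexdigest()
    return out


def entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 is indistinguishable from random."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())


def looks_sanitized(block: bytes) -> bool:
    """Overwritten or block-erased media reads all 0x00 / 0xFF; a cryptographic or
    self-encrypting-drive erase reads as random. Anything else is residual data."""
    distinct = set(block)
    return distinct <= {0x00} or distinct <= {0xFF} or entropy(block) > 7.0


def verify_sanitized(path: str, before: dict[int, str]) -> list[int]:
    """Re-read each sampled block; return the offsets that fail verification."""
    failed = []
    with open(path, "rb") as f:
        for off, old in before.items():
            f.seek(off)
            block = f.read(BLOCK)
            unchanged = hashlib.sha256(block).hexdigest() == old
            # Residual structured data fails; so does a random-looking block that is
            # byte-for-byte what it was before (a crypto erase that never rekeyed).
            if not looks_sanitized(block) or (unchanged and entropy(block) > 7.0):
                failed.append(off)
    return failed


def demo(path: str | None = None) -> tuple[int, int, int]:
    """Scratch file standing in for a drive, filled with constructed data. Returns
    (failing samples before erase, failing samples after erase, bytes written)."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".img")
        os.close(fd)
    with open(path, "wb") as f:
        f.write(b"CUI drawing rev 7 - DO NOT DISTRIBUTE\n" * 30000)
    before = fingerprint(path, sample_offsets(os.path.getsize(path), 8))
    fails_before = len(verify_sanitized(path, before))   # nothing erased yet
    written = overwrite_zero(path)
    fails_after = len(verify_sanitized(path, before))
    os.remove(path)
    return fails_before, fails_after, written
```

On a real drive you would take the fingerprint, run the `plan_purge` commands (or `overwrite_zero` for a magnetic drive staying in-house), wait for `nvme sanitize-log` or `hdparm -I` to show the operation complete, and then call `verify_sanitized`; a non-empty failure list means the device does not leave the building. Note that the `hdparm` security commands will refuse to run on a drive the BIOS has frozen, which usually needs a suspend/resume cycle or a different SATA controller to clear.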

Onsite destruction: controls, equipment, and small-business scenarios

Onsite destruction removes transport risk and is practical when volumes are modest or sensitivity is high. For small businesses: purchase or rent a heavy-duty micro-cut shredder for paper, a degausser for magnetic media, and a crusher or shredder for SSDs (a bend-and-punch crusher can leave individual NAND packages intact, so for flash media prefer a shredder that reduces boards to small particles, or run a firmware Purge before crushing), and maintain a locked destruction area with CCTV and two-person verification for FCI/CUI disposal. Example: a 20-person defense subcontractor with monthly shredding needs might invest in a 20-sheet micro-cut unit (~$600–$1,200) and a manual drive crusher (~$1,200), implement a chain-of-custody log, and require two authorized staff to witness each destruction event and sign the log.

Offsite destruction: vendor selection, contracts, and transport security

Offsite vendors scale well for large volumes and periodic purges. Key vendor requirements: NAID AAA certification (or equivalent), SOC 2 Type II or ISO 27001 coverage of logistics and handling, a written Certificate of Destruction (CoD) listing serial numbers or asset tag ranges, bonded and insured transportation, GPS-tracked containers, and right-to-audit clauses in the contract. Small-business example: if your company decommissions 50 drives annually, use a NAID-certified vendor with locked, tamper-evident containers, require CoDs within 72 hours of pickup, reconcile every CoD against the serials you actually released (a drive that left the building but never appears on a certificate is chased, not assumed destroyed), and keep digital copies tied to asset inventory records for audits under FAR 52.204-21.

Implementation steps and operational controls

1) Maintain inventory: tag assets (asset tag or serial) and record media type, owner, and last known location.
2) Policy & SOP: document retention periods, sanitization methods per media type, witness requirements, and approval workflows.
3) Training: provide annual training on chain-of-custody, labeling, and destruction verification.
4) Chain-of-custody: use printed and digital forms capturing time, personnel, witness, method, and CoD reference, and keep the digital record append-only so an edited or missing entry is detectable.
5) Audit and testing: quarterly spot checks (for example, attempt data recovery with a file-carving tool on a sample of recently sanitized devices before they leave the building) and annual vendor audits.
These controls produce evidence for FAR/CMMC assessors and reduce the risk of noncompliance.
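Steps 1, 4 and 5 above, together with the CoD reconciliation the offsite section calls for, as an added example that is not the article's own tooling: a minimal asset inventory, a hash-chained chain-of-custody log that enforces the two-person rule on hand-offs and destruction events, and a `reconcile` check that compares the serials you released against the vendor's certificate and the 72-hour CoD deadline. Every asset tag, serial, person and timestamp is constructed for illustration; a real deployment would persist the log outside the reach of the people who write to it.

```python
"""Asset inventory, hash-chained chain-of-custody log and Certificate of Destruction
reconciliation. Added example, not the article's own tooling; every asset tag, serial,
name and timestamp below is constructed for illustration."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Asset:
    tag: str        # your asset tag
    serial: str     # manufacturer serial: what the vendor's CoD must list
    media: str      # "hdd", "ssd", "paper", ...
    owner: str
    status: str = "in-service"   # in-service -> sent-offsite | destroyed-onsite -> destroyed


class CustodyLog:
    """Append-only log; each entry commits to the previous entry's hash, so an edited
    or deleted record breaks verify_chain() and the assessor can see the gap."""

    GENESIS = "0" * 64
    TWO_PERSON_EVENTS = {"released-to-vendor", "destroyed"}

    def __init__(self) -> None:
        self.entries: list[dict] = []

    @staticmethod
    def _digest(body: dict) -> str:
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def record(self, serial: str, event: str, actor: str, witness: str | None,
               method: str, when: datetime) -> str:
        # Two-person rule: hand-offs and destruction need a second, distinct signer.
        if event in self.TWO_PERSON_EVENTS and witness in (None, actor):
            raise ValueError(f"{event} of {serial} needs a witness other than {actor}")
        prev = self.entries[-1]["hash"] if self.entries else self.GENESIS
        body = {"serial": serial, "event": event, "actor": actor, "witness": witness,
                "method": method, "when": when.isoformat(), "prev": prev}
        digest = self._digest(body)
        self.entries.append({**body, "hash": digest})
        return digest

    def verify_chain(self) -> bool:
        prev = self.GENESIS
        for entry in self.entries:
            body = {k: v for k, v in entry.items() if k != "hash"}
            if body["prev"] != prev or self._digest(body) != entry["hash"]:
                return False
            prev = entry["hash"]
        return True


def reconcile(assets: list[Asset], cod_serials: list[str], pickup_at: datetime,
              cod_received_at: datetime, sla_hours: int = 72) -> dict:
    """Compare what left the building with what the vendor certifies as destroyed."""
    sent = {a.serial for a in assets if a.status == "sent-offsite"}
    cod = set(cod_serials)
    return {
        "missing_from_cod": sorted(sent - cod),   # left your custody, no proof of destruction
        "unknown_on_cod": sorted(cod - sent),     # certified destroyed, but you never shipped it
        "cod_late": cod_received_at - pickup_at > timedelta(hours=sla_hours),
    }


def demo() -> tuple[dict, bool, bool, bool]:
    """Constructed walk-through: returns (reconciliation result, chain intact,
    two-person rule enforced, chain intact after someone edits a witness field)."""
    assets = [Asset("LR-0101", "WD-ZA1001", "hdd", "engineering", "sent-offsite"),
              Asset("LR-0102", "WD-ZA1002", "hdd", "engineering", "sent-offsite"),
              Asset("LR-0103", "SM-SSD9003", "ssd", "finance", "sent-offsite"),
              Asset("LR-0104", "SM-SSD9004", "ssd", "finance", "in-service")]
    pickup = datetime(2026, 4, 1, 9, 0)
    log = CustodyLog()
    for a in assets:
        if a.status == "sent-offsite":
            log.record(a.serial, "released-to-vendor", "j.doe", "r.roe",
                       "locked tamper-evident tote", pickup)
    intact = log.verify_chain()
    try:   # a single person trying to sign off a destruction is rejected
        log.record("SM-SSD9004", "destroyed", "j.doe", "j.doe", "crusher", pickup)
        two_person = False
    except ValueError:
        two_person = True
    # Constructed vendor CoD: one shipped drive is missing, one unknown serial appears.
    result = reconcile(assets, ["WD-ZA1001", "WD-ZA1002", "WD-ZZ9999"],
                       pickup, datetime(2026, 4, 3, 8, 0))
    log.entries[0]["witness"] = "j.doe"   # simulate after-the-fact editing of the record
    return result, intact, two_person, log.verify_chain()
```

The reconciliation output is what you bring to the quarterly spot check: `missing_from_cod` is a drive you must chase with the vendor before closing the ticket, `unknown_on_cod` usually means a transcription error on their side but can also mean your inventory missed a device, and `cod_late` is a contract finding. The hash chain does not stop a privileged insider from rewriting the whole log; it makes a single silent edit detectable, and periodically exporting the latest hash to a place the log writers cannot reach (a ticket, an e-mail to the compliance owner) closes that gap.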

Risks of not implementing: compliance, financial, and operational impacts

Failing to sanitize and dispose of media properly risks unauthorized disclosure of FCI or CUI, which can mean cyber incident reporting to DoD under DFARS 252.204-7012 where that clause applies (FAR 52.204-21 itself imposes safeguarding requirements, not a reporting deadline), contract termination, False Claims Act exposure, lost future contracts, and reputational damage. Operationally, inadequate destruction increases insider threat vectors and supply chain risk (stolen or resold drives turning up online). Example: a small subcontractor that sold decommissioned drives without sanitizing them could leak design documents and face breach notifications, loss of DoD work, and costly remediation.

Compliance tips and best practices

Align your policy to NIST SP 800-88 and cite FAR 52.204-21 / CMMC MP.L1-B.1.VII in procedures. Use defense-in-depth: encrypt data at rest (FIPS-validated crypto where required) from the day a device enters service, since cryptographic erase only sanitizes data that was encrypted before it was written; document key destruction events; and prefer physical destruction for high-risk or unknown-status devices. Retain CoDs and chain-of-custody records for the contractually required period (commonly three to seven years depending on contract terms). Implement background checks for employees handling media and include right-to-audit clauses and indemnity in vendor contracts.

In summary, decide onsite vs offsite destruction by mapping media sensitivity, volume, and risk tolerance into a simple matrix, then implement the appropriate technical sanitization method, documentation, and vendor controls to meet FAR 52.204-21 and CMMC 2.0 Level 1 expectations; for small businesses, a mix of low-cost onsite tools, strong inventory and SOPs, and vetted offsite partners provides a practical, compliant, and auditable approach.
