{
  "title": "How to Prepare for a CMMC Assessment: Demonstrating FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII Compliance for Media Sanitization and Destruction",
  "date": "2026-04-14",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-prepare-for-a-cmmc-assessment-demonstrating-far-52204-21-cmmc-20-level-1-control-mpl1-b1vii-compliance-for-media-sanitization-and-destruction.jpg",
  "content": {
    "full_html": "<p>Media sanitization and destruction is a deceptively simple control in the Compliance Framework: at CMMC 2.0 Level 1 (mapped to FAR 52.204-21) you must ensure that any media that previously contained Federal Contract Information (FCI) or similar sensitive information is rendered unrecoverable before reuse, transfer, or disposal — and you must be able to demonstrate that process to an assessor.</p>\n\n<h2>What this control requires and key objectives</h2>\n<p>The key objective of MP.L1-B.1.VII is to prevent unauthorized disclosure of FCI by ensuring media is sanitized or destroyed using methods that match the media type and residual risk. For assessors you will need: (1) documented policies and procedures aligned to the Compliance Framework and NIST SP 800-88 (Media Sanitization), (2) an up-to-date media inventory, (3) records of sanitization or destruction actions (logs, certificates, photos), and (4) training evidence showing staff understand and follow the process.</p>\n\n<h2>Step-by-step implementation for a small business</h2>\n<p>Start with a media inventory: list all storage types (laptops, desktops, HDDs, SSDs, USB drives, mobile phones, backup tapes, SD cards, printers/hard-drive-equipped MFPs, cloud storage). Tag items with asset IDs and track owner and location. Next, adopt a concise sanitization policy that maps each media type to an approved method (e.g., crypto-erase for encrypted SSDs, NIST-approved secure erase for ATA/NVMe devices, degauss or shredding for magnetic media, physical destruction for end-of-life SSDs where secure erase isn't feasible). 
Ensure the policy references the Compliance Framework and NIST SP 800-88 as the authoritative technique-selection guidance.</p>\n\n<h3>Media types and recommended technical methods</h3>\n<p>Use specific techniques matched to the media: 1) Magnetic HDDs: use a full-disk overwrite (e.g., diskpart clean all or \"shred\" style overwrites) or degaussing, followed by physical destruction for end-of-life drives; 2) SSDs/NVMe: prefer device-native secure erase (hdparm --security-erase for ATA, nvme sanitize or nvme format with secure-erase settings for NVMe) or cryptographic erase if whole-disk encryption (BitLocker/FileVault) was in place before any FCI was written and every copy of the key is securely destroyed; 3) Removable flash (USB/SD): treat like SSDs — device sanitize where the controller supports it, otherwise physical destruction; 4) Mobile devices: factory reset on a device that was encrypted (which modern iOS and Android implement as a crypto-erase), vendor secure-erase tooling where available, or physical destruction for devices that may hold residual data. Important technical notes: degaussers do not reliably sanitize SSDs, and a plain overwrite cannot reach remapped or over-provisioned flash blocks, so neither is a purge method for flash; manufacturer secure-erase commands must be used according to device documentation (some drives have reported success without actually erasing, so read the drive back afterwards); cryptographic erase also requires destroying escrowed recovery keys (Active Directory, Entra ID/Intune, MDM), otherwise nothing has been erased; always verify the command succeeded and capture evidence (tool output, drive serial, timestamps).</p>\n\n<h3>Practical workflow and small-business example</h3>\n<p>Example: a 15-person engineering subcontractor decommissions laptops. Workflow: (1) IT tags the device and logs the request in the ticketing system, (2) verify whether the device was used to store FCI; if yes, escalate to sanitization, (3) if BitLocker/FileVault is enabled, perform crypto-erase by deleting the key protectors and purging any escrowed recovery keys, and record the \"manage-bde -status\" output (Windows) or FileVault status (macOS) as evidence; for non-encrypted drives run the device-native secure erase, verify it, and capture the tool output and serial number, (4) if the device fails or cannot be sanitized, document chain-of-custody and send it to a NAID-certified destruction vendor and retain the certificate of destruction.
Keep photos (with timestamps), vendor invoices, and ticket references for the assessor.</p>\n\n<h2>Evidence to prepare for an assessor</h2>\n<p>Compile a single evidence package that includes: the sanitization policy (with NIST SP 800-88 reference), asset inventory export, sample tickets showing completed sanitization (with serial numbers, operator, timestamp, and tool output), certificates of destruction from vendors, photos of destroyed media, and training attendance logs for staff who perform sanitization or chain-of-custody tasks. Also include vendor contracts for cloud/managed services stating how media is sanitized at provider deprovisioning and any attestations they provide.</p>\n\n<p>Compliance tips and best practices: enforce full-disk encryption (BitLocker/FileVault) on all endpoints as a first-line control — crypto-erase plus key destruction greatly simplifies FCI sanitization, provided encryption was enabled before any FCI reached the disk; create role-based procedures so only authorized personnel perform sanitization; use automated scripts that log output to a central syslog for evidence; maintain a vendor list (e.g., NAID-certified) for physical destruction; and institute a \"decomm-first\" policy where IT must approve device disposal before any employee can remove or sell equipment.</p>\n\n<p>Risks of non-implementation are concrete: accidental exposure of FCI can lead to contract noncompliance, loss of contract eligibility, corrective action or suspension, breach notification costs, regulatory fines, and reputational harm that can be catastrophic for small businesses. Technical risk includes data recovery from improperly sanitized SSDs or remnant data on printer hard drives and MFPs — these are common breach vectors post-disposal.</p>\n\n<p>For the assessment, focus on repeatable, demonstrable processes: the assessor wants to see written procedures tied to actual artifacts.
During pre-assessment, run a mock decommission on one device and collect every piece of evidence exactly as you would for production — that mock run is often the fastest way to find gaps in your workflow and correct them before the real assessment.</p>\n\n<p>In summary, meet MP.L1-B.1.VII by documenting your sanitization policy (aligned to the Compliance Framework and NIST SP 800-88), maintaining an accurate media inventory, applying media-appropriate technical sanitization or destruction methods (with supporting tool outputs), retaining chain-of-custody and destruction records, and training staff — these practical steps give assessors clear, auditable evidence that your small business prevents unauthorized disclosure of FCI and meets FAR 52.204-21 / CMMC 2.0 Level 1 expectations.</p>",
    "plain_text": "Media sanitization and destruction is a deceptively simple control in the Compliance Framework: at CMMC 2.0 Level 1 (mapped to FAR 52.204-21) you must ensure that any media that previously contained Federal Contract Information (FCI) or similar sensitive information is rendered unrecoverable before reuse, transfer, or disposal — and you must be able to demonstrate that process to an assessor.\n\nWhat this control requires and key objectives\nThe key objective of MP.L1-B.1.VII is to prevent unauthorized disclosure of FCI by ensuring media is sanitized or destroyed using methods that match the media type and residual risk. For assessors you will need: (1) documented policies and procedures aligned to the Compliance Framework and NIST SP 800-88 (Media Sanitization), (2) an up-to-date media inventory, (3) records of sanitization or destruction actions (logs, certificates, photos), and (4) training evidence showing staff understand and follow the process.\n\nStep-by-step implementation for a small business\nStart with a media inventory: list all storage types (laptops, desktops, HDDs, SSDs, USB drives, mobile phones, backup tapes, SD cards, printers/hard-drive-equipped MFPs, cloud storage). Tag items with asset IDs and track owner and location. Next, adopt a concise sanitization policy that maps each media type to an approved method (e.g., crypto-erase for encrypted SSDs, NIST-approved secure erase for ATA/NVMe devices, degauss or shredding for magnetic media, physical destruction for end-of-life SSDs where secure erase isn't feasible). 
Ensure the policy references the Compliance Framework and NIST SP 800-88 as the authoritative technique-selection guidance.\n\nMedia types and recommended technical methods\nUse specific techniques matched to the media: 1) Magnetic HDDs: use a full-disk overwrite (e.g., diskpart clean all or \"shred\" style overwrites) or degaussing, followed by physical destruction for end-of-life drives; 2) SSDs/NVMe: prefer device-native secure erase (hdparm --security-erase for ATA, nvme sanitize or nvme format with secure-erase settings for NVMe) or cryptographic erase if whole-disk encryption (BitLocker/FileVault) was in place before any FCI was written and every copy of the key is securely destroyed; 3) Removable flash (USB/SD): treat like SSDs — device sanitize where the controller supports it, otherwise physical destruction; 4) Mobile devices: factory reset on a device that was encrypted (which modern iOS and Android implement as a crypto-erase), vendor secure-erase tooling where available, or physical destruction for devices that may hold residual data. Important technical notes: degaussers do not reliably sanitize SSDs, and a plain overwrite cannot reach remapped or over-provisioned flash blocks, so neither is a purge method for flash; manufacturer secure-erase commands must be used according to device documentation (some drives have reported success without actually erasing, so read the drive back afterwards); cryptographic erase also requires destroying escrowed recovery keys (Active Directory, Entra ID/Intune, MDM), otherwise nothing has been erased; always verify the command succeeded and capture evidence (tool output, drive serial, timestamps).\n\nPractical workflow and small-business example\nExample: a 15-person engineering subcontractor decommissions laptops. Workflow: (1) IT tags the device and logs the request in the ticketing system, (2) verify whether the device was used to store FCI; if yes, escalate to sanitization, (3) if BitLocker/FileVault is enabled, perform crypto-erase by deleting the key protectors and purging any escrowed recovery keys, and record the \"manage-bde -status\" output (Windows) or FileVault status (macOS) as evidence; for non-encrypted drives run the device-native secure erase, verify it, and capture the tool output and serial number, (4) if the device fails or cannot be sanitized, document chain-of-custody and send it to a NAID-certified destruction vendor and retain the certificate of destruction.
Keep photos (with timestamps), vendor invoices, and ticket references for the assessor.\n\nEvidence to prepare for an assessor\nCompile a single evidence package that includes: the sanitization policy (with NIST SP 800-88 reference), asset inventory export, sample tickets showing completed sanitization (with serial numbers, operator, timestamp, and tool output), certificates of destruction from vendors, photos of destroyed media, and training attendance logs for staff who perform sanitization or chain-of-custody tasks. Also include vendor contracts for cloud/managed services stating how media is sanitized at provider deprovisioning and any attestations they provide.\n\nCompliance tips and best practices: enforce full-disk encryption (BitLocker/FileVault) on all endpoints as a first-line control — crypto-erase plus key destruction greatly simplifies FCI sanitization, provided encryption was enabled before any FCI reached the disk; create role-based procedures so only authorized personnel perform sanitization; use automated scripts that log output to a central syslog for evidence; maintain a vendor list (e.g., NAID-certified) for physical destruction; and institute a \"decomm-first\" policy where IT must approve device disposal before any employee can remove or sell equipment.\n\nRisks of non-implementation are concrete: accidental exposure of FCI can lead to contract noncompliance, loss of contract eligibility, corrective action or suspension, breach notification costs, regulatory fines, and reputational harm that can be catastrophic for small businesses. Technical risk includes data recovery from improperly sanitized SSDs or remnant data on printer hard drives and MFPs — these are common breach vectors post-disposal.\n\nFor the assessment, focus on repeatable, demonstrable processes: the assessor wants to see written procedures tied to actual artifacts.
During pre-assessment, run a mock decommission on one device and collect every piece of evidence exactly as you would for production — that mock run is often the fastest way to find gaps in your workflow and correct them before the real assessment.\n\nIn summary, meet MP.L1-B.1.VII by documenting your sanitization policy (aligned to the Compliance Framework and NIST SP 800-88), maintaining an accurate media inventory, applying media-appropriate technical sanitization or destruction methods (with supporting tool outputs), retaining chain-of-custody and destruction records, and training staff — these practical steps give assessors clear, auditable evidence that your small business prevents unauthorized disclosure of FCI and meets FAR 52.204-21 / CMMC 2.0 Level 1 expectations."
  },
  "metadata": {
    "description": "Practical, step-by-step guidance to meet FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII) media sanitization and destruction requirements — policies, technical methods, evidence collection, and small-business examples.",
    "permalink": "/how-to-prepare-for-a-cmmc-assessment-demonstrating-far-52204-21-cmmc-20-level-1-control-mpl1-b1vii-compliance-for-media-sanitization-and-destruction.json",
    "categories": [],
    "tags": []
  }
}
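The device-level steps from the "Media types and recommended technical methods" and "Practical workflow" sections, as an added POSIX shell example that is not part of the original post or of Lakeridge's own tooling. It assumes a Linux technician workstation with hdparm, nvme-cli and dd installed; the device paths, asset tags, serial numbers, operator names, and the EVIDENCE_DIR and DRY_RUN variables are placeholders chosen for this example. What it adds to the prose: the erase command is selected per media class, success is judged by reading the whole device back rather than by trusting the tool's exit status, and every run yields one evidence line carrying the fields (UTC timestamp, asset, serial, method, operator, result) the assessor will ask for.

```shell
#!/bin/sh
# Added example: per-media-class erase, read-back verification and evidence
# capture for MP.L1-b.1.vii. Illustrative only; device paths, asset tags,
# serials, operator names, EVIDENCE_DIR and DRY_RUN are placeholders.
set -u

# Map a media class to the NIST SP 800-88 technique and the command that
# implements it. Prints the command; exit status 1 for an unknown class.
# Usage: erase_command <nvme|ata|hdd> <device>
erase_command() {
  class=$1 dev=$2
  case "$class" in
    # NVMe: Format NVM with Secure Erase Setting 1 (user-data erase).
    # Prefer 'nvme sanitize' where the controller advertises it.
    nvme) printf 'nvme format --ses=1 %s' "$dev" ;;
    # ATA SSD/HDD: ATA Security Erase. A user password must be set first;
    # NULL is the conventional throwaway password for this purpose.
    ata)  printf 'hdparm --user-master u --security-set-pass NULL %s && hdparm --user-master u --security-erase NULL %s' "$dev" "$dev" ;;
    # Magnetic HDD without secure-erase support: single-pass zero overwrite
    # (Clear). dd exits non-zero when it reaches the end of the device, so
    # the read-back below, not dd's status, decides PASS/FAIL. Degauss or
    # shred afterwards for end-of-life drives (Destroy).
    hdd)  printf 'dd if=/dev/zero of=%s bs=4M' "$dev" ;;
    *)    return 1 ;;
  esac
}

# Full read-back verification: succeeds only if every byte of $1 is zero.
# Correct after a zero overwrite or an erase that returns zeros. After a
# cryptographic erase the drive may return random data, so verify that
# case by confirming a marker block written before the erase is gone.
verify_zeroed() {
  [ "$(LC_ALL=C tr -d '\000' < "$1" | head -c 1 | wc -c | tr -d ' ')" -eq 0 ]
}

# One tab-separated evidence line for the ticket and syslog.
# Usage: evidence_record <asset> <serial> <method> <operator> <PASS|FAIL>
evidence_record() {
  printf '%s\tasset=%s\tserial=%s\tmethod=%s\toperator=%s\tresult=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5"
}

# Sanitize one device end to end. With DRY_RUN=1 the erase command is only
# printed, which is how the procedure can be rehearsed on a scratch file;
# never run it for real against a regular file (dd would fill the filesystem).
# Usage: sanitize_device <nvme|ata|hdd> <device> <asset> <serial> <operator>
sanitize_device() {
  class=$1 dev=$2 asset=$3 serial=$4 operator=$5
  evdir=${EVIDENCE_DIR:-/var/log/media-sanitize}   # assumed evidence location
  cmd=$(erase_command "$class" "$dev") || { echo "unknown media class: $class" >&2; return 2; }
  if [ "${DRY_RUN:-0}" = 1 ]; then
    echo "DRY RUN, would run: $cmd"
  else
    eval "$cmd"
  fi
  if verify_zeroed "$dev"; then result=PASS; else result=FAIL; fi
  rec=$(evidence_record "$asset" "$serial" "$class" "$operator" "$result")
  echo "$rec"
  # Append to the per-asset evidence file and forward to syslog when available.
  mkdir -p "$evdir" 2>/dev/null && echo "$rec" >> "$evdir/$asset.log"
  command -v logger >/dev/null 2>&1 && logger -t media-sanitize "$rec"
  [ "$result" = PASS ]
}

# Command-line entry point, e.g.:
#   DRY_RUN=1 ./sanitize.sh nvme /dev/nvme0n1 LT-0142 S4X0000000 jdoe
if [ "$#" -eq 5 ]; then
  sanitize_device "$@"
fi
```

The serial passed in should be the one the drive reports (lsblk -dno SERIAL /dev/sdX on Linux) so the evidence line matches the asset inventory and any vendor certificate. The pre-assessment rehearsal the post recommends maps directly onto DRY_RUN=1: run it against a zero-filled scratch file to exercise the ticket, evidence and syslog path, then once against a file with a few non-zero bytes to confirm the workflow actually reports FAIL instead of silently passing.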