Preparing for an assessment against FAR 52.204-21 and the CMMC 2.0 Level 1 media protection practice MP.L1-B.1.VII (Code 550) requires practical policies, concrete technical controls, and a small-business-friendly set of artifacts that prove you consistently protect Federal Contract Information (FCI) on media. This post walks through what auditors expect, how to implement the required safeguards in a Compliance Framework context, and what evidence to present.
Understanding the control and what auditors will look for
At a high level, MP.L1-B.1.VII is the Level 1 media disposal practice: system media containing FCI must be sanitized or destroyed before disposal or release for reuse. Access control, labeling, and a media inventory are not spelled out in the Level 1 practice text, but you cannot show that every FCI-bearing medium was sanitized unless you know which media those are, so treat them as supporting controls rather than optional extras. An auditor will look for policies that assign roles and responsibilities, technical controls (e.g., encryption, which also makes cryptographic erase available as a sanitization method), operational controls (e.g., inventory and chain of custody), and demonstrable evidence such as screen captures, logs, certificates of destruction, and training records. In a Compliance Framework you should map this control to a single practice entry that lists the required artifacts and the acceptance criteria for each.
Implementation checklist (practical steps for small businesses)
Small businesses can implement a straightforward, repeatable program by following these steps:
1) Create a media protection policy that defines FCI, the media types in scope, and labeling and handling rules.
2) Maintain an inventory of all media that store FCI (removable drives, USB flash drives, backup tapes, mobile devices), including serial numbers.
3) Encrypt media at rest (full-disk or file-level). The Level 1 practice does not mandate encryption, but it is the cheapest way to make sanitization reliable: once the data is encrypted, destroying the key (cryptographic erase) is an accepted NIST SP 800-88 purge method. Use FIPS-validated tools where you can, with AES-256 recommended.
4) Define and document sanitization and destruction procedures based on NIST SP 800-88 (clear, purge, or destroy, chosen per media type), including how each sanitization is verified and who signs the record.
5) Record chain of custody for media transfers (check-out, check-in, and hand-off to a destruction vendor).
6) Train staff and record completion.
Technical controls — concrete recommendations
For technical controls, choose widely supported, auditable solutions. Enable BitLocker (Windows) or FileVault (macOS) for full-disk encryption and document your key escrow procedure: store recovery keys in a secure, access-controlled location such as Microsoft Entra ID (formerly Azure AD), your MDM, or a hardware security module, and confirm that each device actually has a recovery password protector, because a volume protected only by a TPM protector has nothing to escrow. For removable media that must be encrypted at file level, container tools such as 7-Zip with AES-256 and a strong passphrase are a workable fallback for some FCI, but 7-Zip is not a FIPS-validated module and has no central key management, so prefer hardware-encrypted drives or an enterprise solution that supports centralized keys. Block or restrict removable media writes through endpoint management (Intune, Jamf, or local group policy; on Windows the setting lives under Computer Configuration > Administrative Templates > System > Removable Storage Access). Keep system configuration screenshots and a device inventory with serial numbers as evidence.
Evidence and artifacts to prepare for the audit
Auditors will want a concise package of evidence. Prepare: a version-controlled Media Protection Policy; a media inventory spreadsheet (fields: media ID, type, owner, location, encryption status, last sanitized date); exemplar sanitization or destruction certificates stating method and date; encryption status evidence (output of manage-bde -status or Get-BitLockerVolume on Windows; fdesetup status or the FileVault pane in System Settings, System Preferences on older macOS); endpoint policy configuration exports (Intune or GPO); training attendance logs and signed acknowledgments; and a control mapping matrix that links each artifact to MP.L1-B.1.VII. Put these into a labeled audit folder (digital preferred) and include a one-page executive summary for the assessor. Timestamp and hash collected command output so you can show it was not altered between collection and the assessment.
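The script below, added here as an example and not part of the original post or any Microsoft tool, turns raw manage-bde -status output into the kind of evidence record described above: it parses each volume, applies the acceptance criteria you would list in the control mapping (fully encrypted, protection on, the encryption method your policy names, and a numerical recovery password protector so escrow is possible), and emits a timestamped JSON record with its SHA-256 digest. The status text is constructed to mirror the command's layout rather than captured from a real host, and the XTS-AES 256 requirement and the MP.L1-B.1.VII tag are assumptions to align with your own policy.

```python
"""Turn `manage-bde -status` output into a hashed, timestamped evidence record.

Added example for this post, not a Microsoft tool. The sample status text is
constructed to mirror the command's layout; it was not captured from a real host.
"""
import hashlib
import json
import re
from datetime import datetime, timezone

# Constructed sample: an OS volume that meets policy and a USB data volume that does not.
SAMPLE_STATUS = """\
BitLocker Drive Encryption: Configuration Tool version 10.0.19041
Volume C: [Windows]
[OS Volume]

    Size:                 237.31 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100.0%
    Encryption Method:    XTS-AES 256
    Protection Status:    Protection On
    Key Protectors:
        TPM
        Numerical Password

Volume E: [FCI-USB-0007]
[Data Volume]

    Size:                 28.80 GB
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 63.2%
    Encryption Method:    AES 128
    Protection Status:    Protection Off
    Key Protectors:
        Password
"""

VOLUME_RE = re.compile(r"^Volume ([A-Z]):\s*\[(.*?)\]")
FIELD_RE = re.compile(r"^ {4}([A-Za-z ]+):\s*(.*)$")


def parse_manage_bde(text):
    """Return one dict per volume: drive letter, label, the indented fields, and key protectors."""
    volumes, current = [], None
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = {"drive": m.group(1), "label": m.group(2), "key_protectors": []}
            volumes.append(current)
            continue
        if current is None:
            continue  # banner lines before the first volume
        m = FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
        elif line.startswith(" " * 8) and line.strip():
            current["key_protectors"].append(line.strip())  # entries under "Key Protectors:"
    return volumes


def evaluate(volume, required_method="XTS-AES 256"):
    """Acceptance criteria for the evidence package (assumed policy); an empty list is a pass."""
    findings = []
    if volume.get("Conversion Status") != "Fully Encrypted":
        findings.append(f"conversion status is {volume.get('Conversion Status')!r}")
    if volume.get("Protection Status") != "Protection On":
        findings.append("protection is off")
    if volume.get("Encryption Method") != required_method:
        findings.append(f"method {volume.get('Encryption Method')!r} is not {required_method!r}")
    if "Numerical Password" not in volume["key_protectors"]:
        findings.append("no numerical (recovery) password protector, so nothing can be escrowed")
    return findings


def build_evidence(text, hostname, required_method="XTS-AES 256"):
    """Evaluate every volume and return (record, json_bytes, sha256_hex)."""
    results = []
    for v in parse_manage_bde(text):
        findings = evaluate(v, required_method)
        results.append({"drive": v["drive"], "label": v["label"],
                        "method": v.get("Encryption Method"),
                        "findings": findings, "pass": not findings})
    record = {
        "control": "MP.L1-B.1.VII",  # mapping tag; adjust to your control matrix
        "host": hostname,
        "collected_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "source": "manage-bde -status",
        "volumes": results,
    }
    body = json.dumps(record, indent=2, sort_keys=True).encode()
    # Keep the digest next to the file so the assessor can confirm it was not edited afterwards.
    return record, body, hashlib.sha256(body).hexdigest()


if __name__ == "__main__":
    record, body, digest = build_evidence(SAMPLE_STATUS, "LAPTOP-01")
    stem = f"bitlocker-evidence-{record['host']}-{record['collected_utc'][:10]}"
    with open(stem + ".json", "wb") as fh:
        fh.write(body)
    print(f"{digest}  {stem}.json")
    for vol in record["volumes"]:
        print(vol["drive"], vol["label"], "PASS" if vol["pass"] else "FAIL", vol["findings"])
```

On a real fleet, feed the function the saved output of manage-bde -status from each machine (collected by your MDM or a scheduled task) and keep the printed digest line in the audit folder beside the JSON file; the same record format works for FileVault if you add a parser for fdesetup status.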
Real-world small business scenarios
Example 1, a 25-person engineering contractor: they keep project files in Google Drive but occasionally issue encrypted USB drives for on-site work. They implemented a policy that prohibits unapproved removable media, switched to company-managed hardware-encrypted USB drives tracked by serial number, and created a simple check-out/check-in log. Example 2, a 10-person subcontractor working from laptops: they enabled BitLocker on all Windows laptops via Intune, automated recovery key escrow to Microsoft Entra ID, and documented decommissioning in two paths, cryptographic erase for machines being reissued internally and a vendor destruction certificate for drives leaving the company.
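The check-out/check-in log and the inventory from these scenarios only prove anything if they agree with each other and with the destruction certificates on file. The script below, added here as an example and not part of the original post, reconciles the three records and lists the gaps an assessor would ask about: media marked disposed without a certificate, certificates whose date disagrees with the inventory, FCI media whose encryption status is not confirmed, drives checked out longer than a threshold, and log entries for media the inventory does not know. Every CSV row, certificate, and the status column are constructed for the example; the five-day check-out limit is an assumption.

```python
"""Reconcile the media inventory, the check-in/check-out log and the certificates
of destruction on file, and list what an assessor would ask about.

Added example for this post; every CSV row and certificate below is constructed.
"""
import csv
import io
from datetime import date

# Fields follow the inventory spreadsheet described in the post, plus an assumed status column.
INVENTORY_CSV = """\
media_id,type,owner,location,encryption_status,last_sanitized,status
FCI-USB-0007,usb_hw_encrypted,j.doe,safe-A,encrypted,2024-01-15,active
FCI-USB-0012,usb_hw_encrypted,a.lee,safe-A,unknown,,active
LT-0003,laptop,a.lee,desk-12,encrypted,,active
BKP-TAPE-02,lto_tape,it,offsite-vault,encrypted,2023-11-02,disposed
BKP-TAPE-03,lto_tape,it,offsite-vault,encrypted,,disposed
"""

# Chronological chain-of-custody log for removable media (constructed).
CUSTODY_LOG_CSV = """\
media_id,action,person,timestamp
FCI-USB-0007,check_out,j.doe,2024-03-01T09:00
FCI-USB-0007,check_in,j.doe,2024-03-01T17:30
FCI-USB-0012,check_out,a.lee,2024-02-10T08:15
FCI-USB-0099,check_out,m.ng,2024-03-02T10:00
"""

# Certificates of destruction on file: media_id -> (method, date on certificate).
CERTIFICATES = {"BKP-TAPE-02": ("degauss and shred", "2023-11-02")}


def reconcile(inventory_csv, custody_csv, certificates, today, max_checkout_days=5):
    """Return a list of (media_id, issue) tuples; an empty list means the records agree."""
    inventory = list(csv.DictReader(io.StringIO(inventory_csv)))
    known = {row["media_id"] for row in inventory}
    last_event = {}
    for row in csv.DictReader(io.StringIO(custody_csv)):
        last_event[row["media_id"]] = row  # log is chronological, so the last row wins
    findings = []
    for item in inventory:
        mid = item["media_id"]
        if item["status"] == "disposed":
            # Disposal is the Level 1 requirement: it needs a certificate that matches the inventory.
            cert = certificates.get(mid)
            if cert is None:
                findings.append((mid, "disposed without a certificate of destruction"))
            elif cert[1] != item["last_sanitized"]:
                findings.append((mid, "certificate date does not match last_sanitized"))
            continue
        if item["encryption_status"] != "encrypted":
            findings.append((mid, f"encryption status is {item['encryption_status']!r}"))
        event = last_event.get(mid)
        if event and event["action"] == "check_out":
            days_out = (today - date.fromisoformat(event["timestamp"][:10])).days
            if days_out > max_checkout_days:
                findings.append((mid, f"checked out by {event['person']} for {days_out} days"))
    for mid in last_event:
        if mid not in known:
            findings.append((mid, "appears in the custody log but not in the inventory"))
    return findings


if __name__ == "__main__":
    for media_id, issue in reconcile(INVENTORY_CSV, CUSTODY_LOG_CSV, CERTIFICATES, date(2024, 3, 4)):
        print(f"{media_id}: {issue}")
```

Run it from the quarterly check with the real spreadsheets exported to CSV; a clean run is itself an artifact worth dating and filing, and each finding maps to a row in the issues and risks log.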
Testing, validation, and audit rehearsal
Perform internal checks quarterly: verify the media inventory against what is physically in the safe or cabinet, run encryption status reports (for example, collect manage-bde -status output from every Windows device), and perform a sample sanitization test: read a sanitized medium back in a controlled environment and confirm that no file system structures or file content remain, which is the verification step NIST SP 800-88 expects before a medium is released. Log each test with date, operator, and result. Create a short audit playbook that states who presents which artifacts, where they are stored, and the contact point for follow-up; auditors appreciate a predictable, repeatable presentation.
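The sample sanitization test above needs a concrete pass/fail rule. The script below, added here as an example and not part of the original post or of NIST SP 800-88, implements a representative-sampling read-back: it reads evenly spaced blocks, looks for file system and document signatures that would mean content survived, and then checks that a zero-overwrite really is all zeros or that a cryptographic erase left nothing but ciphertext-like data (measured as byte entropy). The images are constructed in memory; on real media you would pass a read callback that seeks into the block device. The signature list, the 64-block sample size and the 7.5 bits/byte entropy threshold are assumptions to tune for your media.

```python
"""Verify a sanitized medium by reading it back and looking for residual content.

Added example for this post. It implements a representative-sampling read-back in
the spirit of NIST SP 800-88 verification; the images are constructed in memory.
On real media, pass a `read` callback that seeks into the block device.
"""
import hashlib
import math
from collections import Counter

# Byte patterns that mean a file system or document survived sanitization (assumed list).
SIGNATURES = {
    b"NTFS    ": "NTFS boot sector OEM ID",
    b"EXFAT   ": "exFAT boot sector OEM ID",
    b"FAT32   ": "FAT32 boot sector",
    b"FILE0": "NTFS MFT record",
    b"PK\x03\x04": "ZIP / Office document",
    b"%PDF-": "PDF document",
}
BLOCK = 4096


def entropy_bits_per_byte(chunk):
    counts = Counter(chunk)
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def sample_offsets(size, samples=64, block=BLOCK):
    """Evenly spaced block offsets plus the final block; on small media this reads every block."""
    step = max(block, size // samples)
    offsets = set(range(0, size, step))
    offsets.add(max(0, size - block))
    return sorted(offsets)


def verify_sanitized(read, size, expected="zeros", samples=64, block=BLOCK):
    """read(offset, length) -> bytes.  expected='zeros' for an overwrite with zeros,
    'random' for a cryptographic erase (every block should look like ciphertext).
    Returns a list of (offset, description); an empty list is a pass."""
    findings = []
    for off in sample_offsets(size, samples, block):
        chunk = read(off, block)
        for sig, desc in SIGNATURES.items():
            if sig in chunk:
                findings.append((off, f"signature found: {desc}"))
        if off == 0 and chunk[510:512] == b"\x55\xaa":
            findings.append((0, "boot signature 0x55AA in sector 0"))
        if expected == "zeros":
            if any(chunk):
                findings.append((off, "non-zero data in zero-filled medium"))
        elif expected == "random":
            h = entropy_bits_per_byte(chunk)
            if h < 7.5:  # 4 KiB of ciphertext sits close to 8 bits/byte
                findings.append((off, f"entropy {h:.2f} bits/byte; not ciphertext"))
        else:
            raise ValueError(expected)
    return findings


def make_image(kind, size=256 * 1024):
    """Constructed images standing in for a device read-back."""
    if kind == "zeros":
        return bytes(size)
    if kind == "crypto_erased":
        # Deterministic pseudo-random bytes: what ciphertext looks like once the key is gone.
        out, counter = bytearray(), 0
        while len(out) < size:
            out += hashlib.sha256(b"example-seed" + counter.to_bytes(8, "big")).digest()
            counter += 1
        return bytes(out[:size])
    if kind == "residual":
        img = bytearray(size)
        img[0:11] = b"\xeb\x52\x90NTFS    "        # leftover NTFS boot sector
        img[510:512] = b"\x55\xaa"
        img[size // 2:size // 2 + 9] = b"%PDF-1.7\n"  # leftover document half-way in
        return bytes(img)
    raise ValueError(kind)


def check_image(image, expected):
    """Verify an in-memory image using slice-based reads."""
    return verify_sanitized(lambda off, n: image[off:off + n], len(image), expected)


if __name__ == "__main__":
    for kind, expected in [("zeros", "zeros"), ("residual", "zeros"), ("crypto_erased", "random")]:
        result = check_image(make_image(kind), expected)
        print(kind, "PASS" if not result else f"FAIL {result[:3]}")
```

Sampling is a trade-off: reading every block of a large drive is a full verification and takes hours, while a fixed number of evenly spaced blocks plus the first and last sectors catches the common failure (a quick format or a partial overwrite that left the partition table and old files intact). Record which mode you used and the offsets sampled in the test log.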
Risks of non-implementation
Failing to implement MP.L1-B.1.VII leaves FCI exposed to loss, theft, or unauthorized disclosure. Consequences include contract termination, being removed from the vendor pool, financial penalties, and reputational harm. From a technical perspective, unencrypted removable media or improper sanitization are frequent root causes of data breaches — these are easy for an auditor to detect and very difficult to explain away if not already mitigated.
Compliance tips and best practices
Keep these practical tips in your Compliance Framework playbook: automate evidence collection where possible (scripts to pull encryption reports and MDM exports), enforce least privilege for access to media inventories and key management systems, use standardized labeling (physical labels and metadata tags), and retain destruction and sanitization certificates for at least the contractually required period (FAR 4.703 generally requires records to be kept for three years after final payment; some contracts require longer). Train staff on "what is FCI" with short, role-specific modules and keep a running issues and risks log with remediation dates for auditor review.
In summary, demonstrating compliance with FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII is achievable for small businesses by combining a clear policy, simple inventories, reputable encryption tools, documented sanitization/destruction, and a curated evidence package for auditors — build these artifacts into your Compliance Framework, test them regularly, and maintain a concise audit playbook so you can demonstrate readiness quickly and confidently.