Sanitizing and destroying storage media before reuse is a concrete, often overlooked control that directly affects whether a small contractor meets FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII) obligations; this post gives step-by-step, practical procedures, tools, and recordkeeping guidance so you can implement defensible sanitization and destruction for HDDs and SSDs.
Why this matters — risk and the core compliance requirement
Failure to properly sanitize or destroy media risks disclosure of Federal Contract Information (FCI) and Controlled Unclassified Information (CUI), leading to contract penalties, remediation costs, reputational damage, and failed CMMC assessments. FAR 52.204-21 requires basic safeguarding of contractor information systems and associated media; CMMC 2.0 Level 1 practice MP.L1-B.1.VII specifically requires that media be sanitized or destroyed prior to reuse. The business risk is straightforward: residual data left on retired disks can be trivially recovered by an attacker or a careless buyer.
Key objectives and implementation notes
Your implementation should satisfy three objectives: (1) render data irretrievable by technical or forensic means (Clear, Purge, Destroy per NIST SP 800-88 Rev.1), (2) document the action for audit (chain-of-custody and certificate of destruction), and (3) use cost-effective methods suitable for the device class (HDD vs SSD). For small businesses this means: maintain an asset inventory, choose standardized procedures (software secure erase, cryptographic erase, or physical destruction), record operator, method, serial number, and retain proof for your CMMC assessment and FAR compliance documentation.
Sanitization procedure — hard disk drives (HDDs)
For magnetic HDDs, NIST SP 800-88 Rev.1 classifies a single-pass overwrite with random data as an acceptable "Clear" for most modern drives; older guidance recommending multiple passes (DoD 3-pass) is generally unnecessary for today's high-density disks. Practical steps: (1) Take the drive offline and verify the device serial/asset tag against your inventory. (2) Use an overwrite tool that writes a random or zero pattern across the entire device (examples: Linux dd, or a purpose-built erasure product). Example command for a Linux HDD overwrite (confirm /dev/sdX with lsblk first; dd will silently destroy whichever device you name): dd if=/dev/urandom of=/dev/sdX bs=1M status=progress && sync. (3) For ATA devices prefer ATA Secure Erase via hdparm, which NIST SP 800-88 Rev.1 counts as a Purge: the drive firmware erases all user-addressable sectors faster and more reliably than a host-side overwrite (the enhanced variant also covers reallocated sectors). Check the Security section of hdparm -I /dev/sdX first: the drive must report "supported" and "not frozen" (many BIOSes freeze drives at boot; a suspend/resume cycle usually clears it, and many USB-to-SATA bridges block the command entirely). Then, as root, set a temporary password and erase: hdparm --user-master u --security-set-pass PASSWORD /dev/sdX followed by hdparm --user-master u --security-erase PASSWORD /dev/sdX. (4) Verify success by reading sample sectors: hexdump -C -n 512 /dev/sdX shows LBA 0 and should contain no partition table or filesystem headers; because that inspects only the first sector, also sample sectors from the middle and end of the device (hexdump -C -s <offset> -n 512 /dev/sdX). (5) Log the serial, method, operator, date/time, and verification result. If you're retiring many drives, use a certified erasure product (e.g., Blancco, Active@ KillDisk) that produces an auditable report for each device.
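To make the freeze-state check in step (3) repeatable rather than eyeballed, here is an added Python example (mine, not a vendor tool and not code from this post) that parses the Security section of hdparm -I output and says whether an ATA Secure Erase can proceed and what has to happen first if it cannot. The embedded sample output is constructed to match hdparm's layout, and the check_device helper is an assumption that must run as root against a real device.

```python
"""Readiness check for ATA Secure Erase, parsed from `hdparm -I` output.
Added example: not a vendor tool. SAMPLE_HDPARM_I is constructed to match
hdparm's Security section layout (tab-separated 'not' prefixes)."""
import subprocess

# Constructed excerpt of `hdparm -I /dev/sdX` output (not a real device).
SAMPLE_HDPARM_I = """\
ATA device, with non-removable media
Security: 
\tMaster password revision code = 65534
\t\tsupported
\tnot\tenabled
\tnot\tlocked
\tnot\tfrozen
\tnot\texpired: security count
\t\tsupported: enhanced erase
\t2min for SECURITY ERASE UNIT. 2min for ENHANCED SECURITY ERASE UNIT.
Checksum: correct
"""


def parse_security(text):
    """Return the ATA security flags from the Security section as booleans.
    A missing section or flag is treated as not supported / false."""
    flags = {"supported": False, "enabled": False, "locked": False,
             "frozen": False, "enhanced_erase": False}
    in_section = False
    for line in text.splitlines():
        if line.startswith("Security:"):
            in_section = True
            continue
        if in_section and line and not line[0].isspace():
            break  # reached the next top-level section
        if not in_section:
            continue
        tokens = line.split()  # "\tnot\tfrozen" -> ["not", "frozen"]
        if not tokens:
            continue
        if tokens[:3] == ["supported:", "enhanced", "erase"]:
            flags["enhanced_erase"] = True
            continue
        negated = tokens[0] == "not"
        word = tokens[1] if negated and len(tokens) > 1 else tokens[0]
        if word in ("supported", "enabled", "locked", "frozen"):
            flags[word] = not negated
    return flags


def erase_readiness(flags):
    """Return (ready, reason): whether hdparm --security-erase will be
    accepted, and what the operator must do first if not."""
    if not flags["supported"]:
        return False, "security feature set not supported; use overwrite or destruction"
    if flags["frozen"]:
        return False, "drive is frozen (typically by the BIOS); suspend/resume or re-plug, then re-check"
    if flags["locked"]:
        return False, "drive is locked; unlock with its existing password first"
    if flags["enabled"]:
        return True, "security already enabled; erase with the existing password instead of setting a new one"
    kind = "enhanced" if flags["enhanced_erase"] else "normal"
    return True, f"ready: set a temporary password, then run the {kind} security erase"


def check_device(device):
    """Assumed helper: run hdparm -I on a real device (requires root)."""
    out = subprocess.run(["hdparm", "-I", device], capture_output=True,
                         text=True, check=True).stdout
    return erase_readiness(parse_security(out))


if __name__ == "__main__":
    flags = parse_security(SAMPLE_HDPARM_I)
    print(flags)
    print(erase_readiness(flags))
```

Run check_device("/dev/sdX") before issuing the erase and record its reason string alongside the wipe log; a "frozen" or "not supported" result is exactly the case where the procedure should fall back to the overwrite or destruction path instead of a failed or silently skipped Secure Erase.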
Sanitization procedure — solid-state drives (SSDs) and NVMe
SSDs require different handling because firmware-level wear-leveling and over-provisioned areas can hide data from overwrites. Recommended approaches: (A) Cryptographic erase — if full-disk encryption was used (e.g., BitLocker, LUKS, OPAL self-encrypting drives), securely destroy the encryption key (crypto-erase) and then optionally overwrite the device header. For LUKS, remove the keyslots or destroy the header (cryptsetup luksErase /dev/sdX wipes every keyslot in place); for Windows BitLocker, use manage-bde -protectors -delete -id
Physical destruction and verification
When sanitization is impractical or you need absolute assurance (decommissioned devices, highly sensitive data, or devices where firmware tools are unavailable), physical destruction is appropriate. HDDs: degaussing (only with an appropriate-strength degausser rated for modern drive coercivity) followed by shredding or platter destruction will render the device unreadable. SSDs: degaussing is ineffective — physical shredding to particle sizes specified by your buyer/contract (commonly <2 mm) or crushing is required. Use a certified electronics recycler with certificates of destruction; ensure the recycler provides device-serial-level CODs and allows oversight or witnessed destruction if required by contract. Keep photos, serial numbers, and the COD in your records to satisfy auditors.
Operational controls for a small business
Practical, low-cost operations reduce risk: (1) Enforce whole-disk encryption on all endpoints to make cryptographic erase an option as soon as key material can be destroyed; strong defaults simplify retire/transfer. (2) Maintain an asset register with serial numbers, responsible user, and retirement status. (3) Create a retirement workflow: quarantine device, sanitize (software/firmware), verify, record certificate of sanitization including hash of wipe report or tool output, then mark asset disposed or reused. (4) If outsourcing sanitization/destruction, require SOC 2/ISO-certified vendors and get per-device reports. Example: a 20-seat small contractor uses BitLocker+MBAM (or modern MDM) to enforce encryption, then when a laptop retires they revoke BitLocker keys in Intune and record the device serial and key revocation as evidence — followed by physical destruction if required by the contract.
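Step (4) of the HDD procedure and step (3) of the workflow above come down to the same two tasks: prove the device reads as wiped, and keep a record whose tool output is hashed. The following added Python example (mine, not code from this post or from any erasure product) samples sectors across a drive or image file, flags any that still carry partition or filesystem signatures or that do not match the expected wipe pattern, and builds a JSON sanitization record with a SHA-256 of the wipe tool's report. The 64 KiB image it checks is constructed in memory; the serial number, operator and method strings are placeholders.

```python
"""Post-wipe verification plus a sanitization record for a retired drive.
Added example: not a certified erasure product. The drive image is
constructed in memory; serial and operator values are placeholders."""
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

SECTOR = 512
# (offset within sector, bytes) markers that must not survive a wipe:
# NTFS OEM id, GPT header, MBR/VBR boot signature, LUKS header, FAT32 label.
SIGNATURES = [
    (3, b"NTFS    "),
    (0, b"EFI PART"),
    (510, b"\x55\xaa"),
    (0, b"LUKS\xba\xbe"),
    (82, b"FAT32   "),
]


def looks_wiped(sector, pattern):
    """pattern 'zero': every byte must be 0x00.
    pattern 'random': no known signature and enough byte diversity
    (512 random bytes hit roughly 220 distinct values; structured data
    or zeros fall far below 128)."""
    for off, magic in SIGNATURES:
        if sector[off:off + len(magic)] == magic:
            return False
    if pattern == "zero":
        return not any(sector)
    return len(set(sector)) >= 128


def sample_offsets(size, count):
    """Deterministic sample: LBA 0, the last sector, and evenly spaced
    sectors in between, so the check can be reproduced for an auditor."""
    nsec = size // SECTOR
    step = max(1, nsec // count)
    offs = {0, (nsec - 1) * SECTOR}
    offs.update(i * SECTOR for i in range(0, nsec, step))
    return sorted(offs)


def verify_device(path, pattern="zero", samples=64):
    """Return (passed, bad_offsets, sectors_checked) for a block device
    or an image file; seeking to the end gives the size for both."""
    bad = []
    with open(path, "rb") as fh:
        fh.seek(0, os.SEEK_END)
        size = fh.tell()
        offs = sample_offsets(size, samples)
        for off in offs:
            fh.seek(off)
            sec = fh.read(SECTOR)
            if len(sec) == SECTOR and not looks_wiped(sec, pattern):
                bad.append(off)
    return not bad, bad, len(offs)


def sanitization_record(serial, method, operator, result, report_text):
    """Evidence record for the asset register; report_text is the raw
    output of the wipe tool (dd, hdparm, vendor report) being hashed."""
    passed, bad, checked = result
    return {
        "serial": serial, "method": method, "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "verification": {"sectors_checked": checked, "passed": passed,
                         "bad_offsets": bad},
        "report_sha256": hashlib.sha256(report_text.encode()).hexdigest(),
    }


def build_image(planted_boot_sector=False, size=64 * 1024):
    """Constructed 64 KiB drive image: all zeros, optionally with an NTFS
    boot sector left at LBA 0 to simulate a wipe that was interrupted."""
    img = bytearray(size)
    if planted_boot_sector:
        img[3:11] = b"NTFS    "
        img[510:512] = b"\x55\xaa"
    return bytes(img)


def check_image(planted):
    """Write the constructed image to a temp file and verify it as 'zero'."""
    with tempfile.NamedTemporaryFile(delete=False) as tf:
        tf.write(build_image(planted))
        path = tf.name
    try:
        return verify_device(path, "zero")
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for planted in (False, True):
        rec = sanitization_record("SN-PLACEHOLDER-0001", "Clear: dd zero overwrite",
                                  "operator-placeholder", check_image(planted),
                                  "dd: 65536 bytes copied")
        print(json.dumps(rec, indent=2))
```

Against a real drive, call verify_device("/dev/sdX", "random") after a urandom overwrite or "zero" after a zero fill, and store the returned record next to the certificate of sanitization; a non-empty bad_offsets list means the wipe did not complete and the device must not leave quarantine.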
Compliance tips, best practices and audit readiness
Keep these best practices in your toolkit: prefer documented, repeatable procedures and an approved tool list; validate procedures on sample media annually and log the validation results; require auditable output (signed reports or hashes) for every sanitization; maintain chain-of-custody and certificates of destruction for at least the retention period your customer or regulator requires; avoid informal "format-and-sell" disposal. For CMMC readiness, map each device retirement to MP.L1-B.1.VII: record the method (Clear/Purge/Destroy), responsible party, and evidence; during an assessment you must show consistent execution, not just a written policy.
Summary
Meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII for media sanitization is achievable for small businesses with a combination of policy, technical procedures, and recordkeeping: use firmware secure-erase or single-pass overwrite for HDDs, rely on cryptographic erase or vendor secure-erase for SSDs where possible, and use certified physical destruction when necessary; instrument every step with inventorying, verification, and a certificate of destruction so you can demonstrate compliance during audits and protect your company from costly data exposure.