Sanitizing hard drives and removable media before reuse is a concrete, auditable control that helps small businesses meet FAR 52.204-21 and CMMC 2.0 Level 1 (control MP.L1-B.1.VII) requirements — protecting Federal Contract Information (FCI) and reducing the risk of data exposure during disposition or reuse.
Why this matters for Compliance Frameworks
Under FAR 52.204-21 and the CMMC Level 1 media-protection practice MP.L1-B.1.VII, organizations must safeguard information on media prior to reuse or transfer. That means you must implement technically defensible sanitization procedures, document what you did, and be able to show verification evidence during audits or contract reviews. For small businesses this is often a mix of in-house sanitization for non-sensitive devices and certified destruction for devices carrying sensitive or uncertain data.
Sanitization methods and when to use them
Use the NIST SP 800-88 Rev. 1 categories as your decision matrix: Clear (basic logical removal), Purge (stronger: crypto-erase, secure-erase, block erase), and Destroy (physical destruction). For magnetic HDDs a multi-pass overwrite or drive erase utility that writes zeros/ones is sufficient for Clear/Purge; for SSDs and flash media use vendor Secure Erase, NVMe/ATA secure erase, or crypto-erase because overwriting tools (e.g., shred) are unreliable on flash. If you cannot confidently purge a device (e.g., unknown manufacturer, damaged controller), destroy it with a certified electronics recycler and obtain a certificate of destruction.
Practical tools and command examples
Actionable toolset examples: for SATA HDDs you can use hdparm to issue ATA Secure Erase: hdparm --user-master u --security-set-pass p /dev/sdX && hdparm --security-erase p /dev/sdX. For NVMe SSDs use nvme-cli: nvme format /dev/nvme0n1 --ses=1 (or vendor-recommended option) to invoke secure erase; for SEDs use vendor PSID revert or sedutil. Avoid DBAN for SSDs — use blkdiscard for supported devices: blkdiscard /dev/sdX (instant block discard). Commercial certified erasure tools (Blancco, WhiteCanyon, Kroll Ontrack) produce audit-ready reports and are preferred when contracts require verifiable certificates.
Step-by-step sanitization procedure for a small business
1) Update asset inventory and tag media (asset ID, serial).
2) Classify the data type (FCI, CUI, public).
3) Select sanitization method (Clear/Purge/Destroy) per classification and device type.
4) Execute using the appropriate tool/command and capture logs (CLI output, tool report, operator initials).
5) Verify by sampling readback (e.g., read first and last 1 MB and confirm zeros or expected crypto-metadata removal) or by using the erasure tool's verification feature.
6) Record results in the sanitization ledger and update asset disposition.
7) If destroyed, obtain and retain a certificate of destruction from your recycler.
Records, evidence, and what to keep
Maintain a sanitization record for each device with at minimum: asset tag, serial number, device type, owner, reason for disposal/reuse, method used (e.g., ATA Secure Erase, crypto-erase, physical destruction), tool name and version, operator name, date/time, verification method and result, and storage location or vendor certificate. Store electronic copies of erasure logs and vendor certificates in a secure location tied to the contract file. Best practice: retain these records for the life of the contract plus 3 years, or follow your contract/agency retention rules.
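The tool commands from the previous section, steps 4 to 6 of the procedure, and the ledger fields listed above, combined in one added example that is not from the original article: a POSIX shell script that prints the recommended purge command for a device class, performs the spot-check readback of the first and last 1 MiB, and appends a CSV ledger line. The device class names (hdd, nvme, flash), the function names, the CSV layout and the constructed test image are my assumptions; the purge commands themselves are the ones quoted in the tools section.

```shell
#!/bin/sh
# Added example, not code from the original article. Assumptions: the device
# class names (hdd/nvme/flash), the CSV ledger layout and the function names
# are mine. Run the printed purge command first (as root), then verify and log.
# The zero-readback check only proves anything on devices that return zeros
# after a purge (ATA Secure Erase, NVMe --ses=1, discard on RZAT-capable
# drives); for crypto-erase keep the tool's own verification report instead.

SAMPLE_BYTES=1048576   # 1 MiB at each end, as in step 5 of the procedure

# Print the purge command the article recommends for a device class.
# hdd = SATA magnetic, nvme = NVMe SSD, flash = SATA SSD/USB that supports discard.
# Note: hdparm refuses to erase a drive that reports "frozen"; a suspend/resume
# cycle of the host usually clears that state.
purge_command() {
    dev="$2"
    case "$1" in
        hdd)   echo "hdparm --user-master u --security-set-pass p $dev && hdparm --security-erase p $dev" ;;
        nvme)  echo "nvme format $dev --ses=1" ;;
        flash) echo "blkdiscard $dev" ;;
        *)     echo "no purge command for class '$1': route to certified destruction" >&2; return 1 ;;
    esac
}

# Count the non-zero bytes in the first (head) or last (tail) SAMPLE_BYTES of $1.
# Deleting every NUL byte from the sample should leave nothing behind.
nonzero_bytes() {
    if [ "$2" = head ]; then
        head -c "$SAMPLE_BYTES" "$1" | tr -d '\000' | wc -c | tr -d ' '
    else
        tail -c "$SAMPLE_BYTES" "$1" | tr -d '\000' | wc -c | tr -d ' '
    fi
}

# Spot-check both ends of the device; prints PASS or FAIL and returns 0 or 1.
verify_zeroed() {
    h=$(nonzero_bytes "$1" head)
    t=$(nonzero_bytes "$1" tail)
    if [ "$h" -eq 0 ] && [ "$t" -eq 0 ]; then
        echo PASS
    else
        echo "FAIL (head: $h; tail: $t non-zero bytes)"
        return 1
    fi
}

# Append one ledger record with the fields the records section calls for.
# Args: asset_tag serial device method tool operator result ledger_file
record_sanitization() {
    ledger="$8"
    if [ ! -f "$ledger" ]; then
        printf 'timestamp_utc,asset_tag,serial,device,method,tool,operator,verification,result\n' > "$ledger"
    fi
    printf '%s,%s,%s,%s,%s,%s,%s,%s,%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$3" "$4" "$5" "$6" \
        "readback-first-last-${SAMPLE_BYTES}B" "$7" >> "$ledger"
}

# Number of data rows (excluding the header) in a ledger file.
ledger_rows() {
    n=$(wc -l < "$1" | tr -d ' ')
    echo $((n - 1))
}

# Operator entry point: sanitize_check.sh CLASS DEVICE ASSET SERIAL OPERATOR LEDGER
if [ $# -eq 6 ]; then
    cmd=$(purge_command "$1" "$2") || exit 1
    echo "Purge command (run as root before verifying): $cmd"
    result=$(verify_zeroed "$2") || true
    record_sanitization "$3" "$4" "$2" "$1 purge" "$(echo "$cmd" | cut -d' ' -f1)" "$5" "$result" "$6"
    echo "Verification: $result (logged to $6)"
fi
```

Run it as root once the printed purge command has completed, for example sh sanitize_check.sh nvme /dev/nvme0n1 A-001 SN123 jdoe /srv/sanitization-ledger.csv (all placeholder values). The resulting CSV row plus the saved CLI output of the purge command is the evidence pair an auditor will ask for; for a crypto-erase, or a drive that does not return zeros after discard, the tool's own report replaces the readback field.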
Risk of non-implementation and compliance tips
Failure to sanitize media exposes your organization to data breaches, contract termination, monetary penalties, reputational damage, and mandatory incident reporting under FAR/CMMC-related terms. Practical tips: incorporate sanitization into your on-boarding/off-boarding and asset lifecycle policies; automate where possible (scripts that log output to a central server); train staff and require supervisor sign-off; and use third-party certified destruction for high-risk devices. For low-budget shops, combine free secure-erase commands with spot verification and retain screenshots/logs for audits.
Real-world small business scenarios
Example 1: A 10-person subcontractor rotates laptops annually. Procedure: IT tags devices, backs up user data, issues ATA secure erase for older SATA drives, and uses nvme-cli for NVMe drives. They log CLI output and save files to the contract folder. Example 2: A field team hands in several USB drives of unknown origin; the business uses a certified e-waste vendor to shred the drives and receives a certificate of destruction with serial counts and date — this satisfies auditors and avoids the risk of unreliable overwrite on flash sticks.
Summary
To meet FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII, adopt a documented, device-aware sanitization process using NIST SP 800-88 principles: choose Clear/Purge/Destroy based on device/media type and data classification, execute with appropriate tools (hdparm, nvme-cli, vendor utilities, or certified commercial erasers), verify results, and retain detailed records and certificates of destruction. Doing so reduces breach risk, creates audit evidence, and keeps your small business contract-ready.