
How to Sanitize or Destroy Hard Drives and SSDs to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII: Practical Methods (Degauss, Overwrite, Crypto-Erase, Shredding)

Practical, step-by-step methods for sanitizing and destroying HDDs and SSDs to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 media protection requirements, including degaussing, overwrite, crypto-erase, and physical destruction.

April 05, 2026

This post explains how to sanitize or destroy hard disk drives (HDDs) and solid-state drives (SSDs) to meet the media protection intent of FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII, with practical, implementable steps (degauss, overwrite, crypto-erase, shredding), verification advice, and small-business examples.

Understanding the requirement and initial steps

FAR 52.204-21 requires basic safeguarding of contractor information systems, and the closely related CMMC 2.0 Level 1 control MP.L1-B.1.VII expects that media containing Controlled Unclassified Information (CUI) or contractor-sensitive data be sanitized or destroyed before reuse or disposal. Start by creating an accurate inventory: tag each device with owner, device type (HDD/SSD), capacity, whether full-disk encryption (FDE) was enabled, and the data classification. Classification determines the required sanitization strength: CUI and contractor-confidential data demand stronger methods and documented proof of destruction.

Choose the correct method by media type

Not all methods work equally for HDDs and SSDs. Key mappings:

- HDDs (magnetic): Overwrite (multiple passes), degauss, or physical destruction are effective.
- SSDs (flash): Overwrite can be unreliable due to wear-leveling; prefer hardware/firmware Secure Erase, NVMe/ATA sanitize commands, crypto-erase of FDE keys, or physical destruction.

Document your decision matrix in your compliance policy (e.g., "All media holding CUI: SSDs — crypto-erase or physical destruction; HDDs — degauss or physical destruction; non-CUI — overwrite acceptable").

Degaussing (HDDs only)

Degaussing demagnetizes platters and is effective only for magnetic media. Use a degausser rated for the coercivity of modern high-density drives (spec sheet often lists required Oersted or Gauss). Practical tip: test the degausser with a sample drive from the same batch, verify that the device is rendered unreadable, and note that degaussed drives are permanently unusable (no verification via SMART). Maintain a degauss log with date, operator, device tag, and witness signature. For compliance, combine degaussing with a certificate of destruction or inventory disposal record.

Overwriting (HDDs and limited SSD cases)

Overwriting with zeros/ones or pseudorandom data (single pass or multiple passes) is a standard for HDDs, but modern guidance (NIST SP 800-88 Rev. 1) accepts a single-pass overwrite for many media types if verified. For SSDs, do not rely solely on overwrite due to wear-leveling and overprovisioned sectors. If you do overwrite HDDs:

1) use a trusted tool (e.g., commercial sanitization software or certified utilities),
2) log checksum verification pre- and post-wipe where possible, and
3) keep a sampling verification process.

For small businesses, a standard practice is to overwrite HDDs three times and perform an independent read-check on a sample set before reuse or disposal.

Crypto-erase and firmware secure erase (best for SSDs)

Crypto-erase (crypto-shredding) is the fastest practical approach when the device uses strong full-disk encryption (FDE) or is a self-encrypting drive (SED). Properly implemented, destroying the encryption key renders data unreadable. For internal SSDs, use vendor-supplied ATA Secure Erase (hdparm), NVMe sanitize commands (nvme-cli), or SED PSID revert tools (sedutil or vendor utilities) — always follow vendor documentation and test in a lab. Example workflow: confirm FDE enabled and key escrowed per policy; to sanitize, issue secure-erase or PSID revert; verify by attempting to mount or read device; record the command output and device serial in the disposal log. If you cannot confirm FDE or the secure-erase result, escalate to physical destruction.
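The crypto-erase workflow above, encoded as a script with the policy gate (FDE confirmed, key escrowed) in front of the erase command and a dry-run mode that renders what would be run. This is an added example, not code from the original post or from any vendor: it assumes Linux with nvme-cli and hdparm installed, uses placeholder device paths and serials, and leaves the sedutil PSID revert path to the vendor documentation.

```python
# Added example, not the post's own code. Assumes Linux with nvme-cli and hdparm;
# device paths and serials below are placeholders, and the policy gate is this example's.
import re
import subprocess
from dataclasses import dataclass

@dataclass
class Device:
    path: str            # block device, e.g. /dev/nvme0n1 or /dev/sdb
    serial: str
    bus: str             # "nvme" or "ata"
    fde_confirmed: bool  # FDE/SED confirmed active in the inventory record
    key_escrowed: bool   # recovery key escrowed per policy before the key is destroyed

def plan_erase(dev: Device, ata_password: str = "erase") -> list[list[str]]:
    """Policy gate, then the argv lists to run in order.
    NVMe: 'nvme sanitize -a 4' starts a Crypto Erase (sanitize action 100b) on the
    controller; 'nvme sanitize-log' is read afterwards to confirm it completed.
    ATA: SECURITY ERASE UNIT needs a temporary user password set first; if 'hdparm -I'
    reports the drive as frozen, suspend/resume the host before retrying."""
    if not (dev.fde_confirmed and dev.key_escrowed):
        raise RuntimeError(f"{dev.serial}: FDE or key escrow unconfirmed; escalate to physical destruction")
    if dev.bus == "nvme":
        ctrl = re.sub(r"n\d+$", "", dev.path)  # /dev/nvme0n1 -> /dev/nvme0
        return [["nvme", "sanitize", ctrl, "-a", "4"], ["nvme", "sanitize-log", ctrl]]
    if dev.bus == "ata":
        return [["hdparm", "--user-master", "u", "--security-set-pass", ata_password, dev.path],
                ["hdparm", "--user-master", "u", "--security-erase-enhanced", ata_password, dev.path]]
    raise ValueError(f"{dev.serial}: unsupported bus {dev.bus!r}")

def run_plan(plan: list[list[str]], dry_run: bool = True) -> list[str]:
    """Run each command (or just render it in dry-run mode) and return the transcript
    that goes into the disposal log next to the device serial. Stops at the first
    failing step: a device is never marked sanitized after a failed command."""
    transcript = []
    for argv in plan:
        if dry_run:
            transcript.append("DRY-RUN: " + " ".join(argv))
            continue
        r = subprocess.run(argv, capture_output=True, text=True)
        transcript.append(f"$ {' '.join(argv)}\nrc={r.returncode}\n{r.stdout}{r.stderr}")
        if r.returncode != 0:
            break
    return transcript

if __name__ == "__main__":
    ssd = Device("/dev/nvme0n1", "SN-PLACEHOLDER-001", "nvme", fde_confirmed=True, key_escrowed=True)
    print("\n".join(run_plan(plan_erase(ssd))))
```

Run with `dry_run=False` only on the device you intend to erase; the returned transcript is the command output the post says to record beside the serial.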

Physical destruction (shredding, crushing, pulverizing)

When you need absolute assurance (CUI or highly sensitive data) or when media cannot be sanitized electronically, use physical destruction. For HDDs, shredders or disintegrators are common; aim for particle sizes that prevent reconstruction (industry guidance often recommends particle size <5 mm for platters); for SSDs, fragmentation and crushing are required because SSD internals disperse chips across the PCB. Use NAID AAA-certified destruction vendors when outsourcing and obtain a certificate of destruction (CoD). For a small business disposing a few devices, consider a mobile shredding service that provides on-site destruction and CoD.

Verification, documentation, and practical small-business scenarios

Verification is the compliance linchpin. For electronic sanitization, capture command output, serial numbers, operator ID, date/time, and a short statement that the device passed verification (or failed and was destroyed). For physical destruction, get a CoD with device IDs and destruction method. Practical scenarios:

- Example 1: A small engineering shop retires 10 laptops with SSDs. Policy: verify FDE active, crypto-erase via manufacturer utility, record PSID or secure-erase output, and retain CoD for devices that fail crypto-erase (sent to shredder).
- Example 2: A subcontractor upgrades a file server with HDDs: perform triple-overwrite for non-CUI drives with a documented sampling plan; degauss or shred drives that held CUI; log every serial and final disposition.

Train staff at least annually and make media return part of employee offboarding. Centralize media collection in a locked bin and restrict who can request sanitization or destruction.
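The read-back verification and disposal record described above, together with the sampling check the overwrite section calls for, as an added example that is not part of the original post. It assumes the sanitized drive, or a raw image taken from it, is readable at `path`; the sample size, the entropy threshold used for crypto-erased media, and the log fields are this example's own choices, and the demo images are constructed stand-ins for a real device.

```python
# Added example, not the post's own code; assumes the drive or a raw image of it is readable at `path`.
import hashlib, json, math, os, random, tempfile
from collections import Counter
from datetime import datetime, timezone

BLOCK = 4096  # sampling granularity in bytes
# Per-method block check: overwrite leaves the fill pattern (zeros here); crypto-erase
# leaves only ciphertext, so a block that is not close to random is residual data.
CHECKS = {"overwrite": lambda b: b == bytes(len(b)), "crypto-erase": lambda b: _entropy(b) > 7.5}

def _entropy(data: bytes) -> float:
    """Shannon entropy, bits per byte; random fill or ciphertext is close to 8.0."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def verify_sanitized(path: str, method: str, samples: int = 64, seed: int = 0) -> dict:
    """Sample blocks spread across the whole device and apply CHECKS[method] to each.
    A fixed seed keeps the sampled offsets reproducible for the audit record."""
    check = CHECKS[method]  # KeyError for an unsupported method
    size, rng = os.path.getsize(path), random.Random(seed)
    offsets = sorted({rng.randrange(size // BLOCK) * BLOCK for _ in range(samples)})
    bad = []
    with open(path, "rb") as f:
        for off in offsets:
            f.seek(off)
            if not check(f.read(BLOCK)):
                bad.append(off)
    return {"passed": not bad, "sampled": len(offsets), "bad_offsets": bad}

def disposal_record(serial: str, operator: str, method: str, result: dict, cmd_output: str) -> str:
    """One JSON line for the disposal log: device, operator, time, method, verdict."""
    return json.dumps({"serial": serial, "operator": operator, "method": method,
        "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "sampled_blocks": result["sampled"], "bad_offsets": result["bad_offsets"],
        "verification": "PASS" if result["passed"] else "FAIL - escalate to physical destruction",
        "cmd_output_sha256": hashlib.sha256(cmd_output.encode()).hexdigest()})

def make_demo_image(kind: str, size: int = 1 << 20) -> str:
    """Constructed 1 MiB stand-ins for a drive: 'zeros' (clean overwrite), 'partial'
    (overwrite stopped halfway, plaintext left behind), 'random' (crypto-erased SED)."""
    data = bytearray(size)
    if kind == "partial":
        text = b"CUI: engineering drawing rev 7 "
        data[size // 2:] = (text * (size // 2 // len(text) + 1))[: size // 2]
    elif kind == "random":
        data = bytearray(os.urandom(size))
    path = os.path.join(tempfile.mkdtemp(), f"{kind}.img")
    with open(path, "wb") as f:
        f.write(data)
    return path
```

Against a real device, raise `samples` (or walk every block) for CUI media; the `partial` image shows why sampling must span the whole device rather than just its start.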

Risk of non-compliance and best practices

Failing to sanitize or destroy media properly risks data breaches, CUI exposure, contractual penalties under FAR, suspension of contract work, reputational harm, and regulatory fines. Best practices: maintain a written media sanitization policy aligned to NIST SP 800-88, perform periodic audit sampling, use FDE on all devices in the first place (so crypto-erase is available), keep chain-of-custody and CoDs, and work with certified vendors for large-volume disposals. Implement a simple compliance checklist: Inventory → Classify → Sanitize/Destroy → Verify → Document → Retain records per contract requirements.

In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requires a practical mix of policy, technical controls, and documented verification: use degaussing or overwrite for HDDs, prefer firmware secure-erase or crypto-erase for SSDs, and rely on shredding/pulverizing when electronic methods cannot be verified — always record the process, keep proof, and train staff to reduce risk.
