
How to Sanitize or Destroy Media Before Reuse: Practical Implementation Guide for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII

Step-by-step practical guidance for sanitizing or destroying media to meet FAR 52.204-21 and CMMC 2.0 Level 1 (MP.L1-B.1.VII) requirements, including methods, verification, and small-business examples.

April 16, 2026


Sanitizing or destroying media before reuse is a concrete, auditable action that ensures Controlled Unclassified Information (CUI) and other sensitive data are not accidentally disclosed when devices leave service or are reintroduced into production. This guide gives small businesses practical, step-by-step ways to meet FAR 52.204-21 and CMMC 2.0 Level 1 Control MP.L1-B.1.VII.

Understand the requirement and map to your environment

FAR 52.204-21 requires appropriate safeguards for contractor information systems, and CMMC 2.0 Level 1 MP.L1-B.1.VII expects media to be sanitized or destroyed before reuse. Implementation starts by classifying assets: identify the media types in use (HDD, SSD, USB drives, removable flash, backup tapes, optical discs, mobile devices, paper) and determine whether each has ever stored CUI or other sensitive information. Create an asset register that includes media type, storage location, sensitivity history, and lifecycle state (active, retired, pending sanitization).

Choose the right sanitization method by media type

Not all media are equal. Follow NIST SP 800-88 Rev. 1 guidance: for magnetic drives (HDDs), logical or physical overwriting (multiple passes are acceptable) or cryptographic erasure can be used; for SSDs, overwriting is unreliable, so use ATA Secure Erase, NVMe sanitize, vendor-provided secure-erase tools, or cryptographic erasure by destroying encryption keys. Tapes and some magnetic media can be degaussed or overwritten; optical media can be physically destroyed or incinerated; paper requires shredding to a government-grade particle size (cross-cut) or pulping. For mobile devices, perform a factory reset and verify encryption-based key destruction, then physically destroy if necessary.

Practical step-by-step implementation for a small business

1) Policy and SOP: Write a short SOP that mandates sanitization methods by media type, assigns responsibility (e.g., IT asset custodian), and requires documentation.

2) Pre-sanitization inventory: Log serial numbers, asset tags, and the last known data classification.

3) Method selection: Apply the media-specific method from your SOP (e.g., ATA Secure Erase for laptops, degauss or overwrite for tapes, shredding for paper).

4) Execute and verify: Record the tool used (e.g., a vendor utility, hdparm --security-erase for ATA devices, nvme sanitize or nvme format with a secure-erase setting for NVMe), the operator, and the verification result (screenshots, checksum changes, or hardware LEDs).

5) Certificate of Destruction: Keep a signed CoD for physically destroyed media and retain it for the contract/audit retention period (commonly 3–7 years depending on contract clauses).

Real-world examples and scenarios

Example 1: Retiring a consultant laptop. The small business uses full-disk encryption (BitLocker) on all endpoints. When the consultant leaves, the IT custodian disables the user account, performs an ATA Secure Erase where supported (or a secure wipe with vendor tools), verifies that the drive reads back as zeros or that the secure-erase reports successful completion, then reimages the device for reuse. If the SSD doesn't support secure-erase, they reimage and then cryptographically erase the drive by destroying the encryption key, or physically destroy the drive if the device held CUI.

Example 2: Reusing backup tapes. After all data is migrated, the team degausses the magnetic tapes using an approved degausser, then records the serial numbers and keeps a CoD from the vendor if the work is outsourced.

Verification, documentation, and chain of custody

Verification is critical for auditors. Use verifiable outputs: utility logs, console output, SAN/NVMe tool return codes, or photographic evidence of physical destruction. Maintain a media sanitization log that records asset ID, owner, method, operator, date/time, verification artefacts, and destination (reuse, recycle, destruction). If using an external vendor for destruction, require a signed Certificate of Destruction, proof of business licenses, and a chain-of-custody form. Integrate these steps into your asset management and procurement records so auditors can trace any device's lifecycle.
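The read-back verification in step 4 and the sanitization-log fields listed above can be produced by a small script rather than by hand. This is an added example, not code from the original article or from any vendor tool; it runs its drill on a constructed image file (never a real block device), and the asset ID, owner and operator values are invented placeholders.

```python
import hashlib
import json
import os
from datetime import datetime, timezone

CHUNK = 1024 * 1024  # read 1 MiB at a time so large devices do not exhaust RAM


def sha256_of(path):
    """Digest of the whole medium; a changed digest after the wipe is one artefact."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def verify_zero_fill(path):
    """Read back every byte: (True, None) if all zero, else (False, first nonzero offset)."""
    zero, offset = bytes(CHUNK), 0
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            if block != zero[:len(block)]:
                bad = next(i for i, b in enumerate(block) if b)  # exact byte, for the log
                return False, offset + bad
            offset += len(block)
    return True, None


def log_entry(asset_id, owner, method, operator, destination, ok, before, after):
    """One media-sanitization-log record: who, what, how, when, and the evidence."""
    return {"asset_id": asset_id, "owner": owner, "method": method, "operator": operator,
            "destination": destination,
            "timestamp_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "verification": {"read_back_all_zero": ok, "sha256_before": before,
                             "sha256_after": after}}


def wipe_and_log(img, asset_id="LT-0042", operator="it.custodian"):
    """Constructed drill on an image file, never a real device: fill it with random
    data, zero-overwrite it, verify by read-back, and return the log record."""
    with open(img, "wb") as f:
        f.write(os.urandom(4 * CHUNK))
    before = sha256_of(img)
    with open(img, "r+b") as f:  # simulated single-pass zero overwrite
        f.write(bytes(os.path.getsize(img)))
    ok, _first_bad = verify_zero_fill(img)
    return log_entry(asset_id, "Consulting", "single-pass zero-fill overwrite", operator,
                     "reuse", ok, before, sha256_of(img))

if __name__ == "__main__":
    print(json.dumps(wipe_and_log("retired-drive.img")))
```

Append each record as one JSON line to the media sanitization log; on a real HDD, point verify_zero_fill at the device node after the overwrite tool has finished.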

Technical tips and caveats

• SSDs: Avoid multiple-pass overwrites; use ATA Secure Erase or NVMe sanitize, or rely on cryptographic erasure by destroying the key for hardware-encrypted drives.
• HDDs: Overwrite with a verified single-pass zero-fill or use DoD-style patterns if organizationally required; verify by reading sectors post-wipe.
• USB flash: Overwrite and verify, or physically destroy if required.
• Tapes: Degaussing and/or overwriting are acceptable; verify with read-back when possible.
• Paper: Use cross-cut shredders rated for P-4 or better for moderate sensitivity; for CUI, consider P-5 or higher or off-site pulping.
• Tools: Keep an approved tools list (e.g., manufacturer tools, hdparm, nvme-cli) and test them in a lab before production use.

Note: DBAN is effective for HDDs but not for many SSDs; do not use DBAN for SSD sanitization unless the vendor certifies it.

Risks of non-compliance and best practices

Failing to sanitize or destroy media can result in exposed CUI or PII, contract violations under FAR 52.204-21, loss of DoD contracts, reputational damage, and potentially reportable breaches. Best practices: enforce full-disk encryption on all endpoints (reduces risk and makes cryptographic erase feasible), maintain an up-to-date media inventory, document every sanitization action, train staff on approved tools and SOPs, and perform periodic internal audits and spot checks. For small businesses with limited staff, outsource destruction to vetted vendors but retain evidence and contractual assurances.

In summary, meeting FAR 52.204-21 / CMMC 2.0 Level 1 MP.L1-B.1.VII is practical for small businesses: classify media, adopt media-specific sanitization methods (use secure-erase and cryptographic erase for SSDs), verify and document each action, and maintain chain-of-custody records and Certificates of Destruction. These concrete steps reduce data exposure risk, create an auditable trail for assessors, and help preserve contract eligibility.
