{
  "title": "How to Sanitize or Destroy Media Containing FCI: Step-by-Step Guide to Meeting FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII",
  "date": "2026-04-14",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-sanitize-or-destroy-media-containing-fci-step-by-step-guide-to-meeting-far-52204-21-cmmc-20-level-1-control-mpl1-b1vii.jpg",
  "content": {
    "full_html": "<p>This post gives a practical, auditable process for sanitizing or destroying media that contains Federal Contract Information (FCI) so your small business can meet the basic safeguarding requirements in FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII.</p>\n\n<h2>Regulatory context and the risk of non-compliance</h2>\n<p>FAR 52.204-21 requires contractors to apply basic safeguarding to FCI handled on nonfederal systems, and CMMC 2.0 Level 1 explicitly mandates sanitization or destruction of media containing sensitive contract information. Failure to properly sanitize or destroy media risks unauthorized disclosure, contract termination, financial penalties, reputational damage, and downstream compromise of government systems through reused or resold hardware.</p>\n\n<h2>Step-by-step implementation: policy and preparatory work</h2>\n<h3>Step 1 — Inventory, classification, and labeling</h3>\n<p>Begin with an inventory: record all media types in scope (laptops, desktops, SSDs/HDDs, USB drives, SD cards, external drives, backup tapes, multifunction device hard drives, removable cartridges). Classify which items contain FCI and label them in your asset register. Maintain a simple spreadsheet or asset management entry (asset ID, media type, contained data classification, location, owner, retention requirement). This inventory is the starting artifact auditors will expect to see.</p>\n\n<h3>Step 2 — Select an appropriate sanitization method (Clear, Purge, Destroy)</h3>\n<p>Use NIST SP 800-88 Rev. 1 categories: Clear (logical techniques to make data inaccessible — e.g., secure erase), Purge (use more robust methods like cryptographic erase, degaussing, or vendor-specific secure purge), or Destroy (physical destruction/shredding). Select based on media type: HDDs can often be purged via ATA Secure Erase; SSDs require vendor sanitize commands, NVMe SANITIZE, or cryptographic erase when full-disk encryption (FDE) is used; backup tapes typically require degaussing or shredding; optical media is best physically destroyed. For cloud storage, remove copies, rotate and securely delete keys (cryptographic erase), and verify deletion through provider logs and snapshot removal.</p>\n\n<h3>Step 3 — Use appropriate tools and document commands or vendor certificates</h3>\n<p>For on-prem drives, prefer manufacturer tools or certified wipe solutions (Blancco, WhiteCanyon) over ad-hoc dd/format, because dd is unreliable on SSDs due to wear-leveling. Examples: use hdparm --security-erase for ATA drives (after verifying that the drive is not in a security-frozen or locked state), nvme format/secure-erase or nvme sanitize for NVMe devices, and blkdiscard for whole-device trim on some Linux-supported SSDs (check vendor guidance). If using full disk encryption, cryptographic erase (destroying the encryption key) is acceptable if key management and proof are logged. For physical destruction, obtain a certificate of destruction from the vendor that includes method, date, chain-of-custody, and media identifiers (serial numbers). Capture screenshots, tool logs, and hash outputs where practical for verification.</p>\n\n<h2>Performing sanitization and verification</h2>\n<h3>Step 4 — Execute the process with verification</h3>\n<p>Have a simple SOP: (1) verify media ID and owner; (2) confirm the chosen method; (3) perform the action; (4) capture verification evidence; (5) mark the asset as sanitized/destroyed. Verification can be tool logs showing secure-erase completion, hashes before/after (where allowed), screenshots of vendor tool results, or a vendor-issued Certificate of Destruction (CoD). Maintain a signed chain-of-custody form when transferring media to a third-party vendor. For example: if you ran hdparm --security-erase, keep the terminal transcript; if you cryptographically erased an encrypted disk, export the key destruction event from your key manager and include that in the record.</p>\n\n<h2>Practical small-business scenarios</h2>\n<p>Example 1: A 12-person government contractor replaces laptops. Process: IT collects the laptops, checks the asset register, verifies which contain FCI, runs vendor secure-erase or uses a certified wipe service for SSDs, records the tool output, and obtains CoDs from the vendor for any drives sent for shredding. Example 2: A small firm with network-attached backup tapes: identify the tapes holding FCI, perform degaussing with an in-house degausser (if available and validated for the tape type) or contract a media destruction vendor, and log the CoD and tape IDs. Example 3: A subcontractor uses cloud backups: ensure snapshots are deleted and encryption keys are rotated and destroyed; document provider console logs and change-control tickets.</p>\n\n<h2>Compliance tips and best practices</h2>\n<p>Create a short media sanitization policy that maps to FAR and CMMC requirements: include scope, acceptable methods per media type, required evidence artifacts (asset record, operator name, tool log/CoD), retention of proof (e.g., 3–6 years as your procurement/legal team advises), and vendor selection criteria (ISO 27001, NAID AAA certification where available). Train staff on identification and handling of FCI, run quarterly spot-audits of sanitized assets, and automate inventory updates in your asset management or helpdesk system to reduce human-error gaps. Vet destruction vendors for insurance and contractual protection, and require a certificate of insurance (COI) and a CoD listing serial numbers.</p>\n\n<h2>Summary</h2>\n<p>Sanitizing or destroying media that contains FCI is a straightforward, auditable process when you combine a clear inventory, media-appropriate methods (clear/purge/destroy), reliable tools or vetted vendors, and retained evidence of action. For small businesses, focus on policy, documented SOPs, and simple proofs (tool logs, CoDs, chain-of-custody forms) to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII; failing to do so risks data exposure, contract loss, and legal consequences. Implement the steps above, align your artifacts to the control, and schedule periodic reviews to keep the process working as your environment changes.</p>",
    "plain_text": "This post gives a practical, auditable process for sanitizing or destroying media that contains Federal Contract Information (FCI) so your small business can meet the basic safeguarding requirements in FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII.\n\nRegulatory context and the risk of non-compliance\nFAR 52.204-21 requires contractors to apply basic safeguarding to FCI handled on nonfederal systems, and CMMC 2.0 Level 1 explicitly mandates sanitization or destruction of media containing sensitive contract information. Failure to properly sanitize or destroy media risks unauthorized disclosure, contract termination, financial penalties, reputational damage, and downstream compromise of government systems through reused or resold hardware.\n\nStep-by-step implementation: policy and preparatory work\nStep 1 — Inventory, classification, and labeling\nBegin with an inventory: record all media types in scope (laptops, desktops, SSDs/HDDs, USB drives, SD cards, external drives, backup tapes, multifunction device hard drives, removable cartridges). Classify which items contain FCI and label them in your asset register. Maintain a simple spreadsheet or asset management entry (asset ID, media type, contained data classification, location, owner, retention requirement). This inventory is the starting artifact auditors will expect to see.\n\nStep 2 — Select an appropriate sanitization method (Clear, Purge, Destroy)\nUse NIST SP 800-88 Rev. 1 categories: Clear (logical techniques to make data inaccessible — e.g., secure erase), Purge (use more robust methods like cryptographic erase, degaussing, or vendor-specific secure purge), or Destroy (physical destruction/shredding). Select based on media type: HDDs can often be purged via ATA Secure Erase; SSDs require vendor sanitize commands, NVMe SANITIZE, or cryptographic erase when full-disk encryption (FDE) is used; backup tapes typically require degaussing or shredding; optical media is best physically destroyed. For cloud storage, remove copies, rotate and securely delete keys (cryptographic erase), and verify deletion through provider logs and snapshot removal.\n\nStep 3 — Use appropriate tools and document commands or vendor certificates\nFor on-prem drives, prefer manufacturer tools or certified wipe solutions (Blancco, WhiteCanyon) over ad-hoc dd/format, because dd is unreliable on SSDs due to wear-leveling. Examples: use hdparm --security-erase for ATA drives (after verifying that the drive is not in a security-frozen or locked state), nvme format/secure-erase or nvme sanitize for NVMe devices, and blkdiscard for whole-device trim on some Linux-supported SSDs (check vendor guidance). If using full disk encryption, cryptographic erase (destroying the encryption key) is acceptable if key management and proof are logged. For physical destruction, obtain a certificate of destruction from the vendor that includes method, date, chain-of-custody, and media identifiers (serial numbers). Capture screenshots, tool logs, and hash outputs where practical for verification.\n\nPerforming sanitization and verification\nStep 4 — Execute the process with verification\nHave a simple SOP: (1) verify media ID and owner; (2) confirm the chosen method; (3) perform the action; (4) capture verification evidence; (5) mark the asset as sanitized/destroyed. Verification can be tool logs showing secure-erase completion, hashes before/after (where allowed), screenshots of vendor tool results, or a vendor-issued Certificate of Destruction (CoD). Maintain a signed chain-of-custody form when transferring media to a third-party vendor. For example: if you ran hdparm --security-erase, keep the terminal transcript; if you cryptographically erased an encrypted disk, export the key destruction event from your key manager and include that in the record.\n\nPractical small-business scenarios\nExample 1: A 12-person government contractor replaces laptops. Process: IT collects the laptops, checks the asset register, verifies which contain FCI, runs vendor secure-erase or uses a certified wipe service for SSDs, records the tool output, and obtains CoDs from the vendor for any drives sent for shredding. Example 2: A small firm with network-attached backup tapes: identify the tapes holding FCI, perform degaussing with an in-house degausser (if available and validated for the tape type) or contract a media destruction vendor, and log the CoD and tape IDs. Example 3: A subcontractor uses cloud backups: ensure snapshots are deleted and encryption keys are rotated and destroyed; document provider console logs and change-control tickets.\n\nCompliance tips and best practices\nCreate a short media sanitization policy that maps to FAR and CMMC requirements: include scope, acceptable methods per media type, required evidence artifacts (asset record, operator name, tool log/CoD), retention of proof (e.g., 3–6 years as your procurement/legal team advises), and vendor selection criteria (ISO 27001, NAID AAA certification where available). Train staff on identification and handling of FCI, run quarterly spot-audits of sanitized assets, and automate inventory updates in your asset management or helpdesk system to reduce human-error gaps. Vet destruction vendors for insurance and contractual protection, and require a certificate of insurance (COI) and a CoD listing serial numbers.\n\nSummary\nSanitizing or destroying media that contains FCI is a straightforward, auditable process when you combine a clear inventory, media-appropriate methods (clear/purge/destroy), reliable tools or vetted vendors, and retained evidence of action. For small businesses, focus on policy, documented SOPs, and simple proofs (tool logs, CoDs, chain-of-custody forms) to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII; failing to do so risks data exposure, contract loss, and legal consequences. Implement the steps above, align your artifacts to the control, and schedule periodic reviews to keep the process working as your environment changes."
  },
  "metadata": {
    "description": "Practical, step-by-step guidance to sanitize or destroy media containing Federal Contract Information (FCI) to meet FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII.",
    "permalink": "/how-to-sanitize-or-destroy-media-containing-fci-step-by-step-guide-to-meeting-far-52204-21-cmmc-20-level-1-control-mpl1-b1vii.json",
    "categories": [],
    "tags": []
  }
}