
How to Verify and Document Media Destruction to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII Compliance: Templates & Evidence for Auditors

Practical, auditor-ready guidance and templates for verifying and documenting media destruction to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII requirements.

April 02, 2026


Meeting FAR 52.204-21 and CMMC 2.0 Level 1 (Control MP.L1-B.1.VII) for media protection requires more than throwing old drives in a box. Whoever reviews your self-assessment expects a repeatable process, a sanitization method matched to the media type, chain of custody from the moment a device leaves service, and retained evidence that shows the data is no longer recoverable.

What this Control Requires (Compliance Framework perspective)

Within the Compliance Framework, MP.L1-B.1.VII maps to FAR 52.204-21(b)(1)(vii): sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse. Note the scope: Level 1 covers FCI; Covered Defense Information, a category of CUI, is the subject of NIST SP 800-171 control 3.8.3 and CMMC Level 2, where the same procedures apply under a formal assessment. Practical implementation aligns with NIST SP 800-88 Rev.1 guidance (Clear, Purge, Destroy) and the basic safeguarding provisions of FAR 52.204-21. CMMC Level 1 is an annual self-assessment affirmed in SPRS rather than a third-party audit, but that affirmation is only defensible if the evidence described below actually exists. Your Compliance Framework documentation should define acceptable methods for each media type, the verification required, the evidence to retain, retention periods, and roles/responsibilities.

Step‑by‑Step Implementation (Actionable)

Start by inventorying every data-bearing asset in your asset register and tagging each piece of media with a unique ID. For each asset record the media type (HDD, SSD, USB, optical, backup tape), manufacturer and serial number, owner, last known location, and data sensitivity. Define an approved sanitization matrix in your Compliance Framework, for example: magnetic HDDs = NIST Clear (a single-pass full overwrite) if the drive stays inside the organization, NIST Purge (ATA Secure Erase or degaussing) if it leaves your control; the multi-pass DoD 5220.22-M pattern is obsolete under NIST SP 800-88 and adds time, not assurance, and a degaussed drive is unusable afterwards. SSDs = cryptographic erase or ATA/NVMe secure erase plus verification; degaussing has no effect on flash, and overwriting is unreliable because wear-leveling and over-provisioned areas keep copies the host cannot address. Tapes = degauss or incinerate; optical media = shred or incinerate; paper = cross-cut shredding. For reuse of devices, require a verified Purge (a verified Clear is acceptable only when the device stays inside the organization); for disposal, require physical destruction and a Certificate of Destruction. Whatever the method, the verification step (the tool's own verify pass, or a read-back of sampled sectors) is what turns an erase into evidence, so make it mandatory in the matrix.

Technical Details and Example Commands

Include precise, repeatable technical procedures in your SOPs. Example commands and checks a small IT team can use for ATA/SATA drives: confirm with hdparm -I /dev/sdX that the Security section shows "supported", "not enabled" and "not frozen". Many BIOSes freeze the security state at boot; a suspend/resume cycle or booting from a live USB usually clears it. Then set a throwaway password and erase: hdparm --user-master u --security-set-pass PASS /dev/sdX && hdparm --user-master u --security-erase PASS /dev/sdX (use --security-erase-enhanced when hdparm -I lists "supported: enhanced erase", which also covers reallocated sectors). Capture the output to a file, and re-run hdparm -I afterwards: a completed erase clears the password, so a drive still showing "enabled" was locked, not sanitized.

For NVMe drives, nvme format /dev/nvme0n1 -s 1 is a user-data erase; cryptographic erase is -s 2 and is only available when nvme id-ctrl reports bit 2 of the fna field set. Where nvme id-ctrl's sanicap field shows crypto-erase support, nvme sanitize /dev/nvme0 -a 4 performs the crypto erase through the Sanitize command, which covers the whole drive rather than a single namespace. Retain the nvme-cli output either way.

Verification should be part of the procedure, not an afterthought: write a recognizable marker to the drive before erasing and confirm it cannot be found afterwards, and for non-cryptographic erases sample regions across the whole drive and confirm they read as zeros. Hashing "pre/post data" only proves something if you hashed fixed offsets before the erase and compare the same offsets after. For encrypted devices and self-encrypting drives, document the key-destruction procedure (key deletion on the HSM or key manager, or the drive's own crypto-erase) and include key IDs and deletion logs as evidence. If using tools like Blancco or Parted Magic, export the tool-generated reports and their hashes to your evidence store rather than relying on screenshots.
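The script below is an added example written for this article; it is not code from the original page, from hdparm, or from nvme-cli. It wraps the commands above with the pre-flight checks and the read-back verification a reviewer will ask about, and the check functions read captured hdparm -I / nvme id-ctrl text from stdin so they can be exercised without a drive. The device paths, log paths and function names are assumptions; blockdev is Linux-only. Nothing in it touches a disk unless you call ata_secure_erase or nvme_crypto_erase on a real device path.

```shell
#!/usr/bin/env bash
# Added example, not code from the article or from hdparm/nvme-cli.
# Assumptions: hdparm, nvme-cli and util-linux (blockdev) installed; run as
# root from a live USB with the target drive unmounted; device paths, log
# paths and function names are hypothetical. Nothing here touches a disk
# unless you call ata_secure_erase or nvme_crypto_erase on a real device.
set -u

# ata_erase_ready: read `hdparm -I` text on stdin; succeed only when the
# Security feature set is supported, no password is set, and the drive is
# not frozen (a BIOS-frozen drive rejects SECURITY ERASE UNIT; suspend and
# resume the host or hot-plug the drive, then re-check).
ata_erase_ready() {
  local out; out=$(cat)
  printf '%s\n' "$out" | grep -qE '^[[:space:]]+supported[[:space:]]*$' || return 1
  printf '%s\n' "$out" | grep -qE '^[[:space:]]+not[[:space:]]+enabled' || return 1
  printf '%s\n' "$out" | grep -qE '^[[:space:]]+not[[:space:]]+frozen'  || return 1
}

ata_secure_erase() {   # ata_secure_erase /dev/sdX evidence.log
  local dev=$1 log=$2 pass=erase-once mode=--security-erase
  hdparm -I "$dev" | tee -a "$log" | ata_erase_ready \
    || { echo "$dev: not ready (unsupported, frozen, or password set)" >&2; return 1; }
  # Enhanced erase also covers reallocated sectors; use it when offered.
  if hdparm -I "$dev" | grep -q 'supported: enhanced erase'; then mode=--security-erase-enhanced; fi
  hdparm --user-master u --security-set-pass "$pass" "$dev" 2>&1 | tee -a "$log"
  hdparm --user-master u "$mode" "$pass" "$dev" 2>&1 | tee -a "$log"
  # A completed erase clears the password. "enabled" here means the erase
  # failed and the drive is now locked with our throwaway password.
  hdparm -I "$dev" | tee -a "$log" | grep -qE '^[[:space:]]+not[[:space:]]+enabled'
}

# nvme_crypto_supported: read `nvme id-ctrl` text on stdin; bit 2 of the
# FNA field means Format NVM can perform a cryptographic erase.
nvme_crypto_supported() {
  local fna; fna=$(awk '$1 == "fna" {print $3}')
  [ -n "$fna" ] && [ $(( $fna & 4 )) -ne 0 ]
}

nvme_crypto_erase() {  # nvme_crypto_erase /dev/nvme0n1 evidence.log
  local dev=$1 log=$2
  nvme id-ctrl "$dev" | tee -a "$log" | nvme_crypto_supported \
    || { echo "$dev: no crypto erase; fall back to 'nvme format $dev -s 1' plus verify_zeroed" >&2; return 1; }
  nvme format "$dev" -s 2 2>&1 | tee -a "$log"   # -s 2 = cryptographic erase; -s 1 = user-data erase
}

# verify_zeroed DEV [SAMPLES] [CHUNK]: read SAMPLES evenly spaced CHUNK-byte
# regions and fail on the first non-zero byte. This is the expectation after
# an ATA erase or an NVMe user-data erase. After a cryptographic erase the
# drive may return random data instead, so pair it with marker_absent.
verify_zeroed() {
  local dev=$1 samples=${2:-16} chunk=${3:-1048576} size step i n
  if [ -b "$dev" ]; then size=$(blockdev --getsize64 "$dev"); else size=$(( $(wc -c < "$dev") )); fi
  step=$(( size / (chunk * samples) )); [ "$step" -gt 0 ] || step=1
  i=0
  while [ "$i" -lt "$samples" ]; do
    n=$(( $(dd if="$dev" bs="$chunk" skip=$(( i * step )) count=1 2>/dev/null | tr -d '\000' | wc -c) ))
    [ "$n" -eq 0 ] || { echo "$dev: $n non-zero bytes in chunk $(( i * step ))" >&2; return 1; }
    i=$(( i + 1 ))
  done
}

# Before erasing, plant a marker you can search for afterwards, e.g.
#   printf 'MD-2026-001-PRE-ERASE' | dd of=/dev/sdX conv=notrunc
# marker_absent DEV MARKER scans the first 64 MiB for it.
marker_absent() {
  ! dd if="$1" bs=1048576 count=64 2>/dev/null | grep -aq "$2"
}

if [ "$#" -eq 2 ]; then   # usage: ./sanitize.sh /dev/sdX evidence/MD-2026-001.log
  case "$1" in /dev/nvme*) nvme_crypto_erase "$1" "$2" ;; *) ata_secure_erase "$1" "$2" ;; esac
fi
```

The evidence value here is the log file: every hdparm -I / nvme id-ctrl snapshot and the erase command's own output land in it in order, so the "not frozen" state before the erase and the "not enabled" state after it are both on record. Run verify_zeroed and marker_absent against the same device afterwards and paste their exit status into the VerificationOutput field of the log entry.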

Sample Media Destruction Log Template (use in your Compliance Framework)

MediaDestructionID: MD-2026-001
AssetID: ASSET-12345
MediaType: SSD
Manufacturer/Model/Serial: Samsung EVO / S1ABCDEF
Owner: Finance
SanitizationMethod: NVMe cryptographic erase (nvme format -s 2; fna bit 2 confirmed via nvme id-ctrl)
Tool/Device: nvme-cli v1.15
Operator: J. Smith
Witness: L. Perez
DateTime: 2026-03-15T14:32Z
VerificationOutput: nvme format returned success; serial from nvme id-ctrl matches asset register; pre-erase marker not found in post-erase read-back; photo of serial label: IMG_20260315_1435.jpg
CertificateID: COD-2026-0315-SSD
RetentionLocation: ComplianceVault/MediaLogs/2026/Q1
SignedBy: J. Smith / L. Perez

Evidence Portfolio for Auditors

Auditors expect a collection of corroborating artifacts. Provide an evidence bundle containing: the Media Destruction Log entries, exportable tool reports (Blancco/drive secure-erase logs), command-line outputs/screenshots, asset register entries showing status changes, chain-of-custody forms signed by operator and witness, photos or short video of destruction (with timestamps and serial numbers visible), Certificate of Destruction (signed by vendor if using a third-party), and a policy excerpt from your Compliance Framework referencing MP.L1-B.1.VII. Keep evidence immutable where possible (PDF signed reports, WORM storage, or hashed archives) and index items for quick retrieval.
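One way to make the "hashed archives" and chain-of-custody items above checkable rather than just stored, as an added example written for this article (not the page's own tooling or any vendor's report format): a per-bundle manifest whose single hash is recorded in the destruction log, and an append-only custody log in which each entry hashes the previous one. It assumes sha256sum (coreutils) or shasum is installed; the manifest name, the "|" field separator and the all-zero genesis value are choices made here, not a standard.

```shell
#!/usr/bin/env bash
# Added example, not the article's own tooling or any vendor's format.
# Assumptions: sha256sum (coreutils) or shasum (Perl) is installed; the
# manifest name, the '|' field separator and the all-zero genesis hash are
# choices made here, not a standard. Event text must not contain '|'.
set -u
SUM=$(command -v sha256sum || echo "shasum -a 256")

hash_str() { printf '%s' "$1" | $SUM | cut -d' ' -f1; }

# bundle_manifest DIR: hash every evidence file under DIR into
# DIR/MANIFEST.sha256 and print the manifest's own hash. Record that one
# value in the destruction log entry and somewhere outside the bundle (the
# signed PDF report, a ticket); it pins every file in the bundle.
bundle_manifest() {
  local dir=$1
  ( cd "$dir" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort |
      while IFS= read -r f; do $SUM "$f"; done > MANIFEST.sha256 )
  $SUM < "$dir/MANIFEST.sha256" | cut -d' ' -f1
}

# bundle_verify DIR EXPECTED: fail if the manifest hash differs from the
# recorded value or if any listed file no longer matches its hash.
bundle_verify() {
  local dir=$1 expected=$2
  [ "$($SUM < "$dir/MANIFEST.sha256" | cut -d' ' -f1)" = "$expected" ] || return 1
  ( cd "$dir" && $SUM -c --status MANIFEST.sha256 )
}

GENESIS=$(printf '%064d' 0)

# custody_append LOG "event": append a line  ts|prev_hash|event|entry_hash
# where entry_hash covers the previous entry's hash, so an edited, removed
# or reordered line breaks every hash after it.
custody_append() {
  local log=$1 event=$2 ts prev h
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  if [ -s "$log" ]; then prev=$(tail -n 1 "$log" | awk -F'|' '{print $NF}'); else prev=$GENESIS; fi
  h=$(hash_str "$prev|$ts|$event")
  printf '%s|%s|%s|%s\n' "$ts" "$prev" "$event" "$h" >> "$log"
}

# custody_verify LOG: recompute the chain from the genesis value.
custody_verify() {
  local log=$1 prev=$GENESIS ts p event h
  while IFS='|' read -r ts p event h; do
    [ "$p" = "$prev" ] || { echo "$log: chain broken before '$event'" >&2; return 1; }
    [ "$(hash_str "$p|$ts|$event")" = "$h" ] || { echo "$log: entry altered: '$event'" >&2; return 1; }
    prev=$h
  done < "$log"
  return 0
}
```

A hash chain stored next to the evidence only proves that nobody edited the log without re-hashing it; pairing it with the manifest hash written into the signed destruction record (or a WORM bucket) is what makes a silent rewrite detectable. Run custody_verify and bundle_verify as the first step of every self-assessment and keep their output with the bundle.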

Real‑World Small Business Scenario

Example: A 12-person engineering shop must retire five laptops and two backup tapes. Process: IT creates a batch MediaDestructionID, confirms no legal hold applies (imaging any drive that must be preserved before anything is erased), performs ATA Secure Erase on the SATA-drive laptops and a cryptographic erase on the NVMe ones while capturing the command output and a screen recording, runs the read-back verification on each drive, hands the tapes to a NAID AAA-certified vendor for degaussing and shredding under a signed chain-of-custody form, collects the vendor's Certificates of Destruction, captures photos of serial numbers and shredded remnants, and updates the asset register to "Disposed" with links to all evidence. This workflow fits small-team capacity and gives a reviewer the verifiability and chain of custody they expect.

Compliance Tips and Best Practices

1) Automate where possible: use MDM or asset management tools to flag devices due for sanitization and to record the status change. 2) Standardize evidence formats: prefer tool-generated, signed reports and command output captured to a file; avoid relying on ad-hoc screenshots. 3) Use third-party vendors with NAID AAA or ADISA certification for physical destruction, hand media over under a signed chain-of-custody form, and retain their certificates. 4) Retain destruction records for the period required by your Compliance Framework and contract (FAR 4.703 sets 3 years after final payment for most contract records, and your records should cover at least the current self-assessment cycle). 5) Train operators and require a witness for each destruction event; rotate witnesses periodically to reduce collusion risk.

Risks of Not Implementing

Failing to properly sanitize or document media destruction risks leakage of FCI (or PII), contractual noncompliance with FAR 52.204-21, loss of DoD contracting opportunities, False Claims Act exposure for an inaccurate SPRS affirmation, and reputational damage. Technically, a recoverable drive or tape lets anyone with a forensic toolkit retrieve the data; procedurally, missing evidence turns an otherwise sound process into a finding and can force costly retroactive measures such as tracking down and destroying devices already released, and notifying affected parties.

In summary, satisfying FAR 52.204-21 and CMMC 2.0 Level 1 MP.L1-B.1.VII is a matter of combining technical sanitization aligned to NIST SP 800-88, clear Compliance Framework policies, consistent evidence collection (logs, tool reports, chain-of-custody, photos, Certificates of Destruction), and retention practices—documented in templates and rehearsed with your team or trusted vendors so auditors can verify that media is irretrievably sanitized before disposal or reuse.

 
