Media sanitization is a practical, auditable control you can implement quickly to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 control MP.L1-B.1.VII; this post gives a ready-to-use policy template plus clear implementation steps, real-world small-business scenarios, technical options (clear/purge/destroy), verification methods, and compliance tips so you can reduce risk and demonstrate adherence to the Compliance Framework.
Regulatory context and risk
FAR 52.204-21 requires contractors to apply basic safeguarding to covered contractor information systems, and CMMC 2.0 Level 1 MP.L1-B.1.VII maps to media protection and sanitization practices that prevent unauthorized disclosure of controlled unclassified information (CUI) or other sensitive data. Not having a documented and executed media sanitization policy exposes your firm to data leakage (lost intellectual property or CUI), contract noncompliance, penalties or lost contract opportunities, and reputational harm—risks that are especially acute for small businesses that may not have the resources to remediate an incident quickly.
Policy template (ready-to-use)
Policy Title: Media Sanitization and Disposal Policy
Scope: This policy applies to all storage media owned, leased or controlled by [Company Name], including desktops, laptops, servers, removable media (USB, external HDD), SSDs, mobile devices, optical media, backup tapes, and cloud storage artifacts where local copies are retained.
Policy Statement: All media containing CUI, contractor-sensitive information, or regulated data must be sanitized or destroyed prior to reuse, transfer, repair, or disposal in accordance with approved methods and documented verification.
Roles and Responsibilities: The Information Security Officer (ISO) approves procedures and signs off on exceptions; the IT Asset Manager maintains the media inventory and sanitization logs; employees must follow offboarding and device-return procedures.
Approved Methods: Use the NIST-recommended categories of Clear, Purge, or Destroy; examples follow in the procedures below.
Verification and Documentation: Sanitization events must be recorded with asset tag, method used, operator, date/time, and verification evidence. Vendors must provide a Certificate of Destruction (CoD) for outsourced destruction.
Training: Annual training for personnel handling media, and immediate training for staff responsible for disposals.
Exceptions: Any deviation requires documented approval from the ISO and a compensating control.
Review: Policy reviewed annually and after any incident.
Implementation steps (practical)
1) Inventory and classify media: Start by listing all assets in a simple spreadsheet with asset tag, owner, media type, storage location, and whether it may contain CUI.
2) Categorize sanitization needs: Mark items as CUI/sensitive or non-sensitive to determine the sanitization level.
3) Select approved methods per media type (see below).
4) Create SOP checklists: For each media type, create a short SOP that an IT technician can follow and sign off, including pre-sanitization backups if required, access control during handling, and verification steps.
5) Integrate with HR and procurement: Make device return and sanitization mandatory in the employee offboarding checklist and require vendor CoDs in procurement contracts.
6) Pilot and record: Run a pilot with a small set of assets, record results, refine SOPs, then roll out company-wide.
7) Audit and retain records: Keep sanitization logs and CoDs for the contractually required retention period (or at least 3 years where practical) and be ready to present them during assessments.
Technical sanitization methods (specifics)
Follow the NIST media sanitization model: Clear (logical sanitize), Purge (physical/cryptographic purge), or Destroy (physical destruction). For magnetic HDDs, acceptable options include multiple overwrites or degaussing; ATA Secure Erase is an industry-supported purge. For SSDs and flash, prefer cryptographic erase (full-disk encryption plus secure key destruction) or a vendor-supplied secure erase, PSID revert, or NVMe sanitize; overwriting SSDs is unreliable because wear leveling leaves blocks the overwrite never reaches. For mobile devices, require MDM-enforced encryption plus remote wipe and factory reset; for hardware where removal of residual data cannot be guaranteed, perform the MDM erase and then physically wipe and inspect the device. For removable media and optical media, physical shredding or incineration is acceptable. For backup tapes, use degaussing (magnetic) or certified physical destruction at end of life. Where cloud-based VM images or object storage contain copies, remove them, verify the deletion, and revoke associated keys or snapshots. Always capture verification: tool output, vendor CoD, or photos and operator signature.
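The method selection above and steps 3 and 7 of the implementation list (select approved methods per media type; audit and retain records) can be encoded so a technician or assessor gets the same answer every time. The Python script below is an added example written for this post, not code from the original article or from any vendor tool: it holds the Clear/Purge/Destroy mapping per media type as given in this section, refuses the combinations the text calls out (overwriting an SSD, outsourced destruction without a CoD), builds a log record carrying the fields the policy template requires, and audits an existing log. The media-type labels, method names, the rule that CUI-bearing media must be Purged or Destroyed rather than merely Cleared, and the sample log rows are assumptions constructed for the example.

```python
"""Approved-method check and auditable sanitization log for a media sanitization SOP.

Added example for this post; media-type labels, method names, the CUI minimum
category and the sample log are assumptions, not values from the original article.
"""
import csv
import io
from datetime import datetime, timezone

# Approved methods per media type, grouped by NIST category, following the page's list.
# Media-type labels are assumed inventory values.
APPROVED = {
    "hdd":       {"clear": {"overwrite"}, "purge": {"ata_secure_erase", "degauss"}, "destroy": {"shred"}},
    "ssd":       {"purge": {"crypto_erase", "vendor_secure_erase", "psid_revert", "nvme_sanitize"},
                  "destroy": {"shred"}},
    "mobile":    {"purge": {"mdm_erase_factory_reset"}, "destroy": {"shred"}},
    "removable": {"destroy": {"shred", "incinerate"}},
    "optical":   {"destroy": {"shred", "incinerate"}},
    "tape":      {"purge": {"degauss"}, "destroy": {"certified_destruction"}},
}
# Methods performed by an outside vendor; these need a Certificate of Destruction on file.
OUTSOURCED = {"shred", "incinerate", "certified_destruction"}
# Fields the policy template requires for every sanitization event.
REQUIRED_FIELDS = ("asset_tag", "media_type", "method", "operator", "timestamp", "evidence")
# Assumed policy decision (not stated on the page): CUI media must be Purged or Destroyed.
CUI_MIN_CATEGORIES = {"purge", "destroy"}


def category_of(media_type, method):
    """Return the NIST category an approved method falls under, or None if not approved."""
    for category, methods in APPROVED.get(media_type, {}).items():
        if method in methods:
            return category
    return None


def check_method(media_type, method, contains_cui):
    """Return a list of policy violations; an empty list means the method is acceptable."""
    if media_type not in APPROVED:
        return [f"unknown media type '{media_type}'"]
    problems = []
    category = category_of(media_type, method)
    if category is None:
        problems.append(f"'{method}' is not an approved method for {media_type}")
        if media_type == "ssd" and method == "overwrite":
            problems.append("overwriting SSDs is unreliable due to wear leveling; use crypto erase or vendor sanitize")
    elif contains_cui and category not in CUI_MIN_CATEGORIES:
        problems.append(f"'{method}' is only a Clear; CUI media requires Purge or Destroy")
    return problems


def build_log_entry(asset_tag, media_type, method, operator, evidence, contains_cui,
                    cod_ref=None, when=None):
    """Build one auditable log record, or raise ValueError if the event would violate policy."""
    problems = check_method(media_type, method, contains_cui)
    if not evidence:
        problems.append("verification evidence (tool output, photo, signature) is missing")
    if method in OUTSOURCED and not cod_ref:
        problems.append("outsourced destruction requires a vendor Certificate of Destruction reference")
    if problems:
        raise ValueError("; ".join(problems))
    when = when or datetime.now(timezone.utc)
    return {
        "asset_tag": asset_tag, "media_type": media_type, "method": method,
        "category": category_of(media_type, method), "contains_cui": contains_cui,
        "operator": operator, "timestamp": when.isoformat(), "evidence": evidence,
        "cod_ref": cod_ref or "",
    }


def audit_log(csv_text):
    """Review an existing sanitization log (CSV text) and return findings keyed by asset tag."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = [f"missing {field}" for field in REQUIRED_FIELDS if not row.get(field)]
        cui = (row.get("contains_cui") or "").lower() == "yes"
        issues += check_method(row.get("media_type") or "", row.get("method") or "", cui)
        if row.get("method") in OUTSOURCED and not row.get("cod_ref"):
            issues.append("no CoD on file for outsourced destruction")
        if issues:
            findings[row.get("asset_tag") or "?"] = issues
    return findings


# Constructed sample log for the example; these are not real asset records.
SAMPLE_LOG = """asset_tag,media_type,method,contains_cui,operator,timestamp,evidence,cod_ref
LT-0012,ssd,crypto_erase,yes,jdoe,2024-05-02T14:10:00+00:00,key KID-7731 destroyed in vault,
HD-0040,hdd,shred,yes,vendor,2024-05-03T09:00:00+00:00,photo of shredded platters,
LT-0019,ssd,overwrite,no,jdoe,2024-05-04T11:30:00+00:00,dd output,
HD-0041,hdd,overwrite,yes,asmith,2024-05-05T16:00:00+00:00,tool log,
"""

if __name__ == "__main__":
    for tag, issues in audit_log(SAMPLE_LOG).items():
        print(tag, "->", "; ".join(issues))
```

Run against the constructed log, the audit passes the SSD crypto-erase and flags the other three rows: the shredded HDD has no CoD reference, the SSD overwrite is not an approved method, and the overwritten CUI-bearing HDD was only Cleared. Keeping the mapping in one table means a change in approved methods is a one-line edit that the audit immediately enforces on old records as well.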
Small-business real-world examples
Example A (two-person subcontractor): Use full-disk encryption (BitLocker or FileVault) on all laptops and document that cryptographic keys are centrally managed; at disposition, the company performs a crypto-erase by deleting keys and records the key ID; for physical destruction of an old external HDD, contract a local certified shredding vendor and obtain a CoD. Example B (growing small business with some cloud dev): Add an asset column indicating whether removable copies of CUI exist in local builds; require devs to store secrets only in the company vault and on encrypted volumes; when replacing a developer laptop, use the vendor secure erase tool (ATA Secure Erase) for the drive and a checklist signed by the IT Asset Manager before redeployment. These approaches minimize tooling cost while meeting compliance expectations.
Compliance tips and best practices
Keep the policy simple and procedural: assessors want to see repeatable steps and records, not lengthy theory. Use encryption at rest companywide; it simplifies sanitization because cryptographic erase is faster and auditable. Centralize the asset inventory and integrate sanitization actions into offboarding workflows (automate with your PSA or ITSM tool if possible). Maintain a shortlist of pre-approved destruction vendors and include CoD and data handling clauses in their contracts. Train staff annually and run a tabletop incident/sanitization drill. Finally, retain logs, timestamps, and CoDs in a searchable archive so you can produce evidence quickly during FAR or CMMC assessments.
Conclusion
Implementing a media sanitization policy aligned to the Compliance Framework, FAR 52.204-21, and CMMC 2.0 Level 1 MP.L1-B.1.VII is a high-impact, low-to-moderate-effort control for small businesses: inventory media, choose appropriate clear/purge/destroy methods (use cryptographic erase for modern SSDs), document every sanitization event, and integrate the process into HR and procurement. Doing so reduces the risk of data exposure, provides auditable proof for assessors, and keeps your company eligible for sensitive contracts—start with the template above, run a small pilot, and iterate toward company-wide adoption.