
Step-by-Step Checklist to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - MP.L1-B.1.VII: Tools, Verification, and Records

A practical, step-by-step checklist for small businesses to implement tools, verification, and recordkeeping that satisfy FAR 52.204-21 and CMMC 2.0 Level 1 Media Protection requirements.

April 06, 2026 • 5 min read


This post gives a hands-on checklist for implementing control MP.L1-B.1.VII, the CMMC 2.0 Level 1 Media Disposal practice that maps to FAR 52.204-21(b)(1)(vii): sanitize or destroy information system media containing Federal Contract Information (FCI) before disposal or release for reuse. Tools, verification, and records are the three things an assessor will ask to see for that one sentence. The checklist focuses on steps a small business can take today to inventory, sanitize, verify, and document media handling and disposal for FCI, and for any CUI/CDI it also holds under a DFARS clause.

Understanding the control and practical scope

At Level 1 the objective is basic safeguarding: media that has held FCI (or other controlled information) is sanitized or destroyed before it leaves your control or is reused, the sanitization tools are appropriate to the media type and their results are verified, and records exist to demonstrate that this happened. For a small business this means: (1) identifying all media types in scope (HDD/SSD, mobile devices, removable media, backup tapes, paper), (2) choosing sanitization methods consistent with NIST SP 800-88 (Clear, Purge, or Destroy; crypto-erase of a self-encrypting drive can count as Purge under the SP 800-88 conditions, namely that the data was encrypted before it was written and the key is actually destroyed), (3) using known, tested tools or a vetted vendor service, and (4) keeping evidence (logs, Certificates of Destruction, chain-of-custody forms) so an assessor can verify compliance.

Step-by-step checklist (actionable steps)

1) Inventory and classify media

Action: Create a media inventory register (CSV or GRC tool) that records asset tag, device type, the serial number of the storage medium itself (the drive, not only the laptop it sits in, because the drive is what gets sanitized), last known holder, purpose, and whether it has ever stored FCI or CUI. Practical tip: add a "sanitization required" flag and a unique Media ID that follows the medium through the rest of these steps. Example: a small IT services firm lists 24 decommissioned laptops and marks 7 as previously used for subcontractor CUI. Classification lets you prioritize sanitization and apply stricter verification to media that held controlled information.

2) Approve and document tools and methods

Action: Build an "Approved Tools and Methods" list in your policy: free tools (hdparm for ATA Secure Erase on Linux, nvme-cli for NVMe drives, SDelete on Windows), commercial options (Blancco, KillDisk), physical destruction vendors, and instructions for SED (self-encrypting drive) crypto-erase. Include the exact command syntax you will use, the preflight checks, and the expected output to capture as evidence.

Linux, SATA drive: run hdparm -I /dev/sdX first and confirm the Security section shows "not frozen" and "not enabled" (a frozen drive ignores the erase command; suspend/resume or hot-plugging the drive usually clears the frozen state). Then run hdparm --user-master u --security-set-pass PASS /dev/sdX followed by hdparm --user-master u --security-erase PASS /dev/sdX (or --security-erase-enhanced PASS /dev/sdX if -I lists "supported: enhanced erase"). Write PASS down: if the erase is interrupted the drive stays locked with that password. Do not run this through a USB-to-SATA bridge, which typically does not pass the ATA security commands through.

Linux, NVMe drive: nvme format /dev/nvme0n1 --ses=1 (user data erase) or --ses=2 (crypto erase, only where the drive supports it; the fna field in nvme id-ctrl output tells you).

Windows: SDelete's -c and -z options overwrite free space on a mounted volume and are not a whole-drive wipe. SDelete 2.x can also wipe a whole physical disk by number (for example sdelete -p 1 0 for disk 0); confirm against the usage output of the version you deploy.

Test every command in a lab on a scratch drive before using it on production media, and record which method maps to Clear, Purge, or Destroy per SP 800-88. Overwriting is only Clear, and on SSDs it is not reliable at all because wear levelling and over-provisioning leave blocks the host cannot address; for flash media use the drive's own sanitize or secure-erase command, crypto-erase, or physical destruction.

3) Execute sanitization and record verification artifacts

Action: When sanitizing, capture verification artifacts: console output, tool logs, screenshots, serial numbers, operator name, timestamp, and a unique job ID. Verification means reading the medium back after the tool reports success, not just trusting the exit code: at minimum read a sample of sectors spread across the drive (first, last, and random) and confirm they contain the expected pattern (zeros after a normal ATA Secure Erase or an overwrite), or run a forensic carving tool and confirm nothing is recoverable. Hash the evidence files themselves (for example SHA-256 of the log and screenshots) and store the hash in the register so the evidence cannot be quietly replaced later. For SEDs, capture the crypto-erase tool output or controller log showing the key was destroyed; a read-back on a crypto-erased drive should show random data, not zeros. For physical destruction, obtain a Certificate of Destruction (CoD) from the vendor that lists device serials and the method (shredding, crusher batch number). Example: for a wiped drive, save a screenshot that shows the secure-erase completion status and the drive serial together; for outsourced shredding, request a CoD PDF and a signed chain-of-custody form.

4) Maintain chain-of-custody and retention records

Action: Use a simple chain-of-custody form for transferred media (who handed it over, to whom, when, why, and in what condition). Store all artifacts in a centralized, access-controlled records store (e.g., Azure Blob with RBAC, or an encrypted repository) and restrict write access so evidence cannot be altered after the fact. Minimum record fields: Media ID, Device Type, Serial, Owner, Sanitization Method, Tool Name & Version, Verification Evidence (file links or hashes), Operator, Date/Time, Contracting Officer or Customer Reference (if required), and CoD. Practical retention: follow contract requirements; if none are specified, retain sanitization records for the length of the contract plus a conservative period (e.g., 3–5 years) so you can still answer an audit after the contract closes.

5) Sampling, audit readiness, and continuous improvement

Action: Establish a sampling verification program: randomly select a percentage (for small shops, 10–20%) of sanitized devices each month and re-verify them, either with the sector read-back check from step 3 or with a forensic scan for recoverable data. Log findings; if a tool fails, pull it from the approved list until the cause is understood, and record the failure and the fix in your SSP or SOP change log. (CMMC Level 1 self-assessments do not allow a POA&M, so a practice that is not met has to be fixed before you affirm compliance.) Example: an MSP sanitizes 50 external drives a year; it samples 10 for forensic imaging and confirms zero residual data; if any residual data is found, it recalls and re-sanitizes the whole batch and records the incident for the next assessment.
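The script below, added here as an example and not code from the original post, ties steps 2 through 5 together for a directly attached SATA drive on Linux: it runs the hdparm preflight and ATA Secure Erase from step 2, does a sampled sector read-back for the step 3 verification, writes a hashed evidence log and a register row for step 4, and its verify function is the check the step 5 sampling program re-runs. It assumes bash, GNU coreutils, hdparm and root; the function names, CSV columns, throwaway password PASS and sample counts are this example's own choices, not anything the control prescribes.

```shell
#!/usr/bin/env bash
# Added example for this checklist, not code from the original post.
# Assumptions: Linux, bash, GNU coreutils, hdparm (for the erase step) and
# root for real devices. Function names, the CSV layout, the throwaway ATA
# password and the sample counts are this example's own choices.
set -u

# Read-back verification after a zero-writing sanitization. Reads the first
# block, the last block and N random blocks and requires every byte to be 0x00.
# Returns 0 when all samples are zero, 1 on the first non-zero block or if the
# target is empty. Works on a block device or a plain file, so it can be
# exercised on a scratch image before you trust it on a drive.
verify_zeroed() {
  local target=$1 samples=${2:-64} bs=512 size blocks i blk rnd
  if [ -b "$target" ]; then size=$(blockdev --getsize64 "$target"); else size=$(wc -c < "$target"); fi
  blocks=$(( size / bs ))
  [ "$blocks" -gt 0 ] || { echo "verify: $target has no full $bs-byte block" >&2; return 1; }
  for i in $(seq 0 $(( samples + 1 ))); do
    case $i in
      0) blk=0 ;;
      1) blk=$(( blocks - 1 )) ;;
      *) rnd=$(od -An -N4 -tu4 /dev/urandom | tr -d ' '); blk=$(( rnd % blocks )) ;;
    esac
    # od prints the block as hex bytes; any digit other than 0 is residual data.
    if dd if="$target" bs="$bs" skip="$blk" count=1 2>/dev/null \
         | od -An -v -tx1 | tr -d ' \n' | grep -q '[^0]'; then
      echo "verify: non-zero data at block $blk of $target" >&2
      return 1
    fi
  done
  return 0
}

sha256_of() { if command -v sha256sum >/dev/null; then sha256sum "$1"; else shasum -a 256 "$1"; fi | cut -d' ' -f1; }

# Append one evidence row to the sanitization register (CSV; header written
# once). The evidence hash pins the log/screenshot file so it cannot be swapped
# after the fact. Prints the generated job ID.
record_entry() {
  local register=$1 media_id=$2 serial=$3 method=$4 tool_ver=$5 operator=$6 result=$7 evidence=$8
  local job_id ts sum
  job_id="JOB-$(date -u +%Y%m%d%H%M%S)-$$"
  ts=$(date -u +%Y-%m-%dT%H:%M:%SZ)
  sum=$(sha256_of "$evidence") || return 1
  [ -s "$register" ] || echo "job_id,timestamp_utc,media_id,serial,method,tool_version,operator,result,evidence_sha256" > "$register"
  printf '%s,%s,%s,%s,%s,%s,%s,%s,%s\n' "$job_id" "$ts" "$media_id" "$serial" "$method" \
    "$tool_ver" "$operator" "$result" "$sum" >> "$register"
  echo "$job_id"
}

# One complete job for a directly attached SATA drive: preflight with hdparm -I,
# ATA Secure Erase in normal mode (writes zeros, so verify_zeroed applies),
# read-back sample, evidence log, register row. DESTROYS ALL DATA on $dev.
# Do not run through a USB-to-SATA bridge; most do not pass security commands.
ata_secure_erase_job() {
  local dev=$1 media_id=$2 operator=$3 register=$4 log=${5:-./sanitize-$media_id.log}
  local pass=PASS info sec serial tool_ver result
  info=$(hdparm -I "$dev") || return 1
  sec=$(printf '%s\n' "$info" | sed -n '/^Security:/,/^[A-Z]/p')
  serial=$(printf '%s\n' "$info" | sed -n 's/.*Serial Number:[[:space:]]*//p' | head -n1)
  tool_ver=$(hdparm -V 2>&1 | head -n1)
  # A frozen drive ignores the erase (suspend/resume or hot-plug first); a drive
  # with security already enabled needs its existing password, not a new one.
  printf '%s\n' "$sec" | grep -q 'not[[:space:]]*frozen'  || { echo "$dev: security frozen" >&2; return 1; }
  printf '%s\n' "$sec" | grep -q 'not[[:space:]]*enabled' || { echo "$dev: security already enabled" >&2; return 1; }
  {
    echo "== $(date -u +%Y-%m-%dT%H:%M:%SZ) $dev serial=$serial operator=$operator tool=$tool_ver"
    printf '%s\n' "$sec"
    # The password is logged on purpose: an interrupted erase leaves the drive locked with it.
    echo "== set password '$pass' and erase"
    hdparm --user-master u --security-set-pass "$pass" "$dev" &&
    hdparm --user-master u --security-erase "$pass" "$dev"
    echo "== erase exit status $?"
    hdparm -I "$dev" | sed -n '/^Security:/,/^[A-Z]/p'
  } >"$log" 2>&1
  if verify_zeroed "$dev" 256; then result=PASS; else result=FAIL; fi
  echo "== read-back verification: $result" >> "$log"
  record_entry "$register" "$media_id" "$serial" ATA-SECURE-ERASE "$tool_ver" "$operator" "$result" "$log"
  [ "$result" = PASS ]
}

# Usage (as root):  ./sanitize.sh --job /dev/sdX MEDIA-0007 j.doe ./register.csv
if [ "${1:-}" = "--job" ]; then ata_secure_erase_job "$2" "$3" "$4" "$5"; fi
```

Exercise verify_zeroed and record_entry against a scratch image first; they work on plain files, and only the erase job needs a real drive and root. The zero check is tied to a normal ATA Secure Erase, which writes zeros. Enhanced erase and crypto-erase leave vendor patterns or random data, so for those methods verify by confirming that known content from a pre-erase sample is gone rather than by expecting zeros.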

Real-world examples and small business scenarios

Scenario A — Decommissioning laptops: A small defense subcontractor replaces six laptops. They record the drive serials, run ATA Secure Erase via hdparm for the SATA HDDs, issue crypto-erase commands for the SED laptops, collect the console output and read-back results, and upload the evidence to their records store. If a drive cannot be securely erased (frozen, failed, or not directly attachable), they send it to an approved destruction vendor and attach the CoD. Scenario B — Outsourced backup tapes: A small company uses a tape rotation managed by a third party; when retiring tapes, they require the vendor's CoD listing each tape barcode and include the vendor's SOC 2 or similar attestation in procurement records.

Risks of non‑implementation and best practices

Failing to implement MP.L1-B.1.VII exposes a business to unauthorized disclosure of FCI or CUI, contract non-compliance, financial penalties, lost contracts, and reputational damage; in DoD contracting this can mean corrective actions or exclusion from procurement opportunities. Best practices: (1) formalize an SOP that references NIST SP 800-88, (2) maintain an approved-tools inventory and re-test tools after upgrades and on new drive models, (3) train staff on chain-of-custody and sanitization steps, (4) use full-disk encryption on in-service devices from day one so crypto-erase is an option at end of life, and (5) require Certificates of Destruction for any outsourced media destruction, with vendor proof of capability and insurance.

Summary: For organizations meeting FAR 52.204-21 and CMMC 2.0 Level 1, the key is a repeatable lifecycle: inventory and classify media, use approved sanitization tools and methods (documented and tested), capture verification artifacts and chain-of-custody, retain records in a secure, searchable store, and run sampling audits to prove effectiveness. Together these steps produce defensible evidence that the tools, verification, and records expected for MP.L1-B.1.VII are in place.
