Practice 7 of 15 · FAR 52.204-21(b)(1)(vii) · MP: Media Protection

MP.L1-b.1.vii

Sanitize or destroy media containing FCI

Before a hard drive, USB stick, phone, printer, copier, or paper folder containing FCI leaves your control, wipe it or destroy it. Don't drop the old shop PC in the dumpster or sell the leased copier without scrubbing it.

Official text

Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

FAR 52.204-21(b)(1)(vii), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • A short media-disposal log: device → method (DBAN, factory reset, shredding) → date → who.
  • Receipts from a certified shredding vendor (Iron Mountain, Shred-it) for paper FCI.
  • Factory-reset checklist for departing laptops / phones before redeployment or sale.
  • Drives pulled from leased copiers / printers before return, with a photo or signed acknowledgement.
  • A locked bin for paper FCI awaiting shred.

Common ways small shops fail this

  • Old shop / office PCs going to the dumpster with drives intact.
  • Leased copier / printer returned to the vendor without wiping the internal drive (which has thousands of cached scans).
  • USB drives lost or thrown away without erasure.
  • Used laptops sold on Craigslist / eBay after a quick "format" that leaves files recoverable.
  • Paper POs and drawings going into open recycling.

How to fix it in a weekend

  1. Buy a $30 USB-stick wipe tool or use the built-in OS "erase and reinstall" with encryption on every device before disposal.
  2. Switch every device's drive to encrypted-by-default (BitLocker on Windows, FileVault on macOS) — then a wipe just throws away the key.
  3. Sign a shredding-service contract for paper FCI; put a locked bin in the office.
  4. Add a return-of-copier checklist that includes "pull drive" or "factory reset disk."
  5. Log every disposal: device, method, date, signed by whoever did it.
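
One way to check the disposal log from step 5 against the list of devices that have left the shop. This is an added example, not Custodia's code; the CSV column names, the method labels and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from datetime import date

# Method labels are assumptions; they mirror the methods named on this page.
ACCEPTED = {"dban", "full overwrite", "factory reset", "shredding",
            "drive pulled", "key destroyed"}
REQUIRED = ("device", "method", "date", "who")

# Constructed sample log: device -> method -> date -> who.
SAMPLE_LOG = """device,method,date,who
SHOP-PC-01,full overwrite,2024-03-04,J. Rivera
COPIER-02,drive pulled,2024-03-11,J. Rivera
LAPTOP-07,quick format,2024-04-02,M. Chen
USB-0013,shredding,2024-13-40,M. Chen
PHONE-04,factory reset,2024-05-20,
"""

# Constructed inventory of devices that have left the shop's control.
SAMPLE_RETIRED = ["SHOP-PC-01", "COPIER-02", "LAPTOP-07",
                  "USB-0013", "PHONE-04", "LAPTOP-09"]


def audit_disposal_log(log_text, retired_devices):
    """Return a sorted list of (device, problem) findings for the log."""
    findings = []
    logged = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        device = (row.get("device") or "").strip() or "<unnamed>"
        logged.add(device)
        for field in REQUIRED:  # every entry needs all four columns filled in
            if not (row.get(field) or "").strip():
                findings.append((device, f"missing {field}"))
        method = (row.get("method") or "").strip().lower()
        if method and method not in ACCEPTED:  # e.g. a quick format
            findings.append((device, f"method not accepted: {method}"))
        when = (row.get("date") or "").strip()
        if when:
            try:
                date.fromisoformat(when)
            except ValueError:
                findings.append((device, f"invalid date: {when}"))
    for device in retired_devices:  # retired hardware with no log entry at all
        if device not in logged:
            findings.append((device, "no disposal record"))
    return sorted(findings)


if __name__ == "__main__":
    for device, problem in audit_disposal_log(SAMPLE_LOG, SAMPLE_RETIRED):
        print(f"{device}: {problem}")
```

An empty result means every retired device has a complete entry with an accepted method.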

FAQ

Is a Windows "Quick Format" enough?

No. Quick Format leaves data recoverable with free tools. Use a full overwrite (e.g. cipher /w on Windows, diskutil secureErase on macOS) or — better — keep the drive encrypted from day one and throw away the key by reinstalling.
