CMMC Media Protection: Handling Contract Information the Right Way
In CMMC terminology, "media" means anything that stores information. Hard drives, USB sticks, CDs, backup tapes—and yes, paper. If it holds data, it's media.
For CMMC Level 1, the Media Protection domain has just one requirement. But it's an important one that many small businesses overlook: when you're done with media containing contract information, you need to destroy it properly. Not toss it in the trash. Not drop it off at the recycling center. Properly sanitize or destroy it so the information can't be recovered.
This guide explains what that means and how to do it right.
MP.L1-3.8.3: Sanitize Media Before Disposal or Reuse
Plain English: When you're done with contract information, destroy it so no one can recover it.
Deleting a file doesn't actually remove it from a hard drive—it just marks the space as available. Anyone with basic recovery software can get "deleted" files back. The same goes for formatting a drive. And paper in a trash can? That's not destroyed at all.
This requirement says that before you dispose of, recycle, or repurpose any media that contained Federal Contract Information (FCI), you need to make sure that information is truly gone.
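As an added illustration (not code from the original article), the following Python script uses a small file-backed mock "drive" to show why a delete or quick format leaves contract information recoverable by raw scanning, and adds the read-back check a disposal checklist can require before a drive leaves the building; the image file, the sample contract text and all helper names are assumptions.

```python
"""Added example: file-backed mock drive showing delete/format vs. sanitize."""
import os
import re
import tempfile

# Constructed sample content standing in for a file holding FCI (not real data).
SAMPLE_FCI = b"CONTRACT FCI-SAMPLE-0001: delivery schedule attached\n"
# Constructed "file table" entry at block 0 pointing at the file's data block.
FILE_TABLE = b"FILETABLE: contract.txt@8192\n"
DATA_OFFSET = 8192

def make_disk(size=64 * 1024):
    """Create a zero-filled image file that plays the role of a hard drive."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\0" * size)
    return path

def write_at(path, offset, data):
    with open(path, "r+b") as f:
        f.seek(offset)
        f.write(data)

def quick_format(path, table_bytes=4096):
    """Mimic 'delete' or 'quick format': only the file table block is cleared."""
    write_at(path, 0, b"\0" * table_bytes)

def carve(path, pattern=rb"CONTRACT [A-Z0-9-]+"):
    """What recovery software does: scan raw bytes, ignoring the file table."""
    with open(path, "rb") as f:
        return re.findall(pattern, f.read())

def sanitize(path):
    """Overwrite every byte of the image. A real drive needs the DoD-approved
    wipe tools or physical destruction the article describes, not this toy pass."""
    write_at(path, 0, b"\0" * os.path.getsize(path))

def verify_sanitized(path):
    """Checklist step: read the whole device back; no non-zero byte may remain."""
    with open(path, "rb") as f:
        return not f.read().strip(b"\0")

def demo():
    disk = make_disk()
    try:
        write_at(disk, 0, FILE_TABLE)            # "save" the file
        write_at(disk, DATA_OFFSET, SAMPLE_FCI)
        quick_format(disk)
        recovered_after_format = carve(disk)     # still readable
        sanitize(disk)
        recovered_after_wipe = carve(disk)       # nothing left
        return recovered_after_format, recovered_after_wipe, verify_sanitized(disk)
    finally:
        os.remove(disk)

if __name__ == "__main__":
    print(demo())
```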
What This Applies To
Paper documents. Contract specs, printed emails, notes from meetings—any paper with FCI needs to be shredded, not just thrown away. A determined attacker will go through trash. It's called dumpster diving, and it works.
Hard drives being disposed of or recycled. When old computers leave your building, the drives need to be wiped using proper tools or physically destroyed. A quick format isn't enough.
USB drives. Those thumb drives accumulate in desk drawers. Before you throw one away or give it to someone, the data needs to be properly wiped—or the drive destroyed.
Old computers and laptops. Even if you're donating equipment to charity or recycling it responsibly, the drives need to be sanitized first. Your good intentions don't protect FCI from whoever ends up with that machine.
Copier and printer hard drives. This is the one everyone forgets. Modern copiers and multifunction printers have hard drives that store copies of everything scanned, printed, or copied. When you return a leased copier or dispose of an old one, that drive contains a treasure trove of your documents. Make sure it's wiped or removed.
What This Looks Like in Practice
A shredder in the office. Not a ribbon-cut shredder that produces strips someone could reassemble—a cross-cut shredder that turns paper into confetti. Place it somewhere convenient so employees actually use it.
Hard drive destruction or professional wiping. For electronics, you have two choices: wipe the drives using DoD-approved methods, or physically destroy them. Many small businesses find it easier to destroy—a drill through a hard drive platter is cheap and definitive. For larger volumes, e-waste companies offer certified destruction.
A policy for disposing of old equipment. Before any device leaves your building, someone should verify the data has been handled. This doesn't need to be complicated—a checklist and a signature work fine.
Copier and printer procedures. When leases end or equipment is replaced, the hard drives need attention. Ask your copier vendor about their data security procedures. Many offer drive wiping or removal as part of their service—but you have to ask.
Evidence You'll Need
To demonstrate compliance:
- A documented media sanitization and disposal policy
- Destruction certificates from e-waste vendors or IT disposal companies
- Logs showing what was destroyed and when
- Records of copier/printer hard drive handling
Don't Forget These
Some media types slip through the cracks because they're easy to overlook. Make sure your disposal procedures account for:
Old backup tapes. If you've been in business for a while, you might have boxes of old backup tapes sitting in a closet. Those tapes contain everything that was on your systems when they were made—potentially years of FCI. They need proper destruction.
Copiers and multifunction printers. Worth repeating because it's so commonly missed. That copier in the corner has scanned every document your office has handled. When it leaves, the data should leave too—wiped or removed.
Mobile devices. Phones and tablets that accessed work email or files contain FCI. Before they're traded in, sold, recycled, or handed down to a family member, they need a factory reset at minimum. For higher sensitivity, use the device's secure erase function.
Cloud storage. Can you truly delete files from your cloud services? Most providers don't immediately destroy data—it may persist in backups or disaster recovery systems. Understand your cloud provider's data retention and deletion policies. You may not be able to "sanitize" cloud storage the way you can a physical drive, but you should know what happens when you delete.
Paper in recycling bins. That open recycling bin by the printer is convenient, but it's also unsecured. Anyone walking by can grab documents out of it. Either shred before recycling or use secure bins that lock.
Practical Tips for Small Businesses
You don't need an elaborate program to handle media disposal properly. Here's a practical approach:
Buy a cross-cut shredder. A decent one costs $50-100 and will last years. Put it near the printer where paper accumulates. Make it easy for employees to shred instead of trash.
Use a certified e-waste company for electronics. Look for companies that provide certificates of destruction. Many will come to your location, pick up old equipment, and provide documentation of proper disposal. The cost is usually modest, and you get peace of mind plus evidence for compliance.
Get destruction certificates. Whenever a vendor destroys media for you, get it in writing. A certificate of destruction should list what was destroyed, the method used, and the date. Keep these records—they're your evidence.
Document everything. Keep a simple log of media disposal. Date, description of what was disposed, method, and who handled it. A spreadsheet works fine. The goal is being able to answer the question: "What happened to that old server?" months or years later.
Assess Your Media Protection Compliance
Media disposal seems simple, but the details matter. Do you have procedures for every type of media in your environment? Are employees actually following them? Can you prove it?
CMMCheck helps you think through these scenarios with targeted questions about your disposal practices. You'll quickly identify whether you have gaps—and what to do about them.
Ready to verify your CMMC Level 1 compliance? Try CMMCheck and walk through each requirement in plain English.
This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.