Data Destruction and CMMC: How to Retire Old Drives the Right Way
When you replace an old computer, clear out a storage closet, or hand a used laptop down to a new hire, CMMC has something to say about it — and most contractors are surprised to learn it's a Level 1 requirement, not Level 2.
You'll see "media sanitization" filed under Level 2 in a lot of guides. That's wrong for the core of it. Destroying or wiping anything that held your Federal Contract Information before you get rid of it is one of the 15 Level 1 practices, full stop. It's also one of the easier ones to meet — once you know what actually counts.
What the requirement actually says
In plain English: before any device or material that held FCI leaves your control — thrown out, recycled, sold, donated, or reused by someone else — the FCI on it has to be sanitized or destroyed so it can't be recovered.
That's the whole idea. The government doesn't want your old contract data walking out the door on a drive in a recycling bin. The fuller media-handling rules — sanitizing gear before off-site repair, encrypting media, wiping after staff changes — are Level 2 additions for protecting CUI. The basic "don't let FCI leave on dead hardware" rule is Level 1.
The mistake almost everyone makes
Here's the part that trips people up: deleting files or reformatting a drive is not enough.
When you delete a file or even reformat a disk, the data usually isn't gone — it's just hidden from normal view, and it can be pulled back with freely available recovery tools. "Empty the trash" does not mean "unrecoverable." A drive is only sanitized when the data can't be retrieved even by someone trying hard with forensic tools.
So the bar isn't "I deleted it." The bar is "no one can get it back."
"Media" is more than hard drives
The other surprise is how much counts as media. It's not just the computer's hard drive. Anything that stored FCI is in scope, including:
- Desktop and laptop drives (both traditional hard drives and SSDs)
- USB flash drives and external drives
- Phones and tablets
- CDs, DVDs, and backup tapes
- Printers, copiers, and scanners — many have built-in storage that quietly keeps copies of what they processed
- Paper. Printed FCI counts too.
That printer-and-copier point catches a lot of shops. The machine you're leasing may have a hard drive inside it that's been saving every document it scanned for years. When the lease ends, that drive leaves with it.
How to do it right
The government's reference for this is NIST Special Publication 800-88, and it lays out three approaches you can match to your situation:
- Wipe it (for reuse). If you're keeping the device but handing it to someone else, use proper secure-erase software that overwrites the data — not just a delete or quick format. Build in a little caution here: SSDs, phones, and flash drives don't wipe the same way old magnetic hard drives do, so use a method made for the device you actually have.
- Purge it. A stronger erase for more sensitive cases, designed to defeat even lab-grade recovery.
- Destroy it (for disposal). If the device is going away for good, physical destruction is the simplest, surest route — shredding or crushing a drive, and cross-cut shredding paper rather than tossing it whole.
For most small shops, the easy rule of thumb is: if you're getting rid of it, destroy it; if you're reusing it, wipe it properly. Either way, don't just hit delete.
Using a disposal vendor
Plenty of contractors hand old equipment to an IT asset disposal or recycling company, and that's perfectly fine. But two things stay true: the responsibility is still yours, and you need proof.
Use a vendor that will sanitize or destroy media to a recognized standard, get that commitment in writing, and ask for a certificate of destruction. Keep a record of what equipment you handed over and when. If a drive full of FCI later turns up somewhere it shouldn't, "the recycler handled it" is not a defense — your paperwork is.
Don't skip the paperwork
This is the piece people forget. Meeting the requirement isn't only about destroying the drive — it's about being able to show you did. Keep a simple log: what was sanitized or destroyed, when, by what method, and by whom (or which vendor). That record is your evidence when you complete your self-assessment, and it's the difference between "we handle this" and "we can prove we handle this."
For how this fits within the broader Media Protection domain at Level 1, see CMMC Media Protection: Handling Contract Information the Right Way.
The bottom line
Retiring old drives the right way is a Level 1 requirement, and it isn't technically hard. The traps are believing that "delete" makes data gone, forgetting that phones, copiers, and paper count too, and skipping the records.
Destroy or properly wipe anything that held FCI before it leaves your hands, lean on a reputable vendor if that's easier, and keep a short log of what you did. That's the whole requirement.
Sorting out which of the 15 Level 1 practices you already meet — and which need a quick fix like this one — is far simpler when they're laid out plainly, one question at a time.
See exactly where you stand on CMMC Level 1.
CMMCheck walks you through every Level 1 requirement as plain-English yes / no / not-sure questions — no consultant, no jargon — and hands you a clear report showing what's done and what's left.
→ Start your Level 1 self-assessment at cmmcheck.com