Department of Defense Hard Drive Destruction

Controlled Unclassified Information – CUI Destruction.

Computer Hard Drive Destruction

The Department of Defense (DoD) approved methods for the physical destruction of computer hard drives are pulverizing, mangling, crushing, or shredding.

The destruction of DoD Controlled Unclassified Information (CUI) requires strict adherence to regulations and standards to protect sensitive data. The DoD requirements for destroying sensitive information typically involve compliance with various directives and guidelines, including Access Controls, Audit & Accountability, Media Protection, Personnel Security, and Physical Protections.


Procedures for Compliance


Follow Approved Destruction Methods

Employ recognized techniques for data destruction, such as shredding, degaussing, or cryptographic erasure, depending on the type of media and classification level of the information.


Maintain Classification Levels

Implement procedures appropriate to the sensitivity level of the information being destroyed, whether it’s classified or unclassified but sensitive.


Inventory and Documentation

Keep detailed records of the destruction process, including dates, methods used, and verification steps, to demonstrate compliance with regulations and contractual requirements.


Verification of Destruction

Perform verification procedures to confirm that data has been effectively destroyed and cannot be recovered through forensic or other means. Access and destruction of hard drives must be by authorized and qualified personnel only. SECRET and CONFIDENTIAL material requires only one person. TOP SECRET material needs two people to be present. 5-706 Witnessed Destruction.


Certified Vendors

Engage certified data destruction vendors who adhere to relevant standards and possess necessary certifications, such as NAID AAA Certification, to ensure the secure handling and disposal of sensitive information.

The DoD requirements for destroying sensitive information typically involve compliance with various directives and guidelines, including:

  1. DoD 5220.22-M (“National Industrial Security Program Operating Manual” or NISPOM): This manual provides guidance for the protection of classified information in the hands of industry. It outlines specific procedures for the destruction of classified material, including data sanitization techniques.
  2. National Institute of Standards and Technology (NIST) Special Publication 800-88: NIST SP 800-88 provides guidelines for media sanitization, including the secure destruction of digital media. It offers recommendations on methods such as physical destruction, degaussing, and overwriting to ensure data cannot be recovered.
  3. Defense Security Service (DSS) Requirements: DSS, now known as the Defense Counterintelligence and Security Agency (DCSA), imposes specific requirements for the destruction of classified information held by contractors. These requirements may include the use of approved destruction facilities and methods.
  4. Compliance with DoD Contracts: Organizations handling DoD information must comply with contractual obligations related to data destruction. These contracts often specify the standards and procedures for destroying sensitive data, including verification and documentation of destruction activities.

The goal of destroying Controlled Unclassified Information (CUI) is to render the information unreadable, indecipherable, and irrecoverable.


Defense Counterintelligence and Security Agency

The DCSA requires digital media and computer hard drives to be rendered unreadable, indecipherable, and irrecoverable.

To accomplish this goal, the DCSA directs organizations holding CUI and Covered Defense Information (CDI) to consult the following government guidance for more detail: NIST 800-88 Guidelines for Media Sanitization or the National Security Agency's “NSA Media Destruction Guidelines.”

DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Security Reporting.”

This document addresses the security for Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) stored on digital media. The manual details acceptable equipment and methodology for hard drive destruction.

In addition, this document directs Defense Contractors to NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” This document focuses on compliance regarding disposing of digital media, including hard drives, SSDs, magnetic backup tapes, and CDs in their possession.