Examining DoD-level secure erasure guidelines
We hear a lot about DoD-level secure erasure guidelines. Are there multiple levels? Does it simply mean overwrite existing data three times with random data? Where is the standard documented, and where can I get more information on the standard? Is secure erasure a doable procedure?
When addressing DoD-level secure erasure, some products claim to remove data according to the DoD 5220.22-M standard, referring to the U.S. Department of Defense’s National Industrial Security Program Operating Manual, DoD 5220.22-M.
The manual addresses how to prevent unauthorized disclosure of classified information, covering data clearing and sanitization in two short paragraphs. The guide, however, doesn’t actually specify any particular method for achieving secure erasure, so in no way is the manual a standard.
The guide does say that “instructions on clearing, sanitization and release of IS media shall be issued by the accrediting CSA.” Standards for sanitization are therefore left up to the Cognizant Security Agency, which can be the Department of Defense (DoD), the Department of Energy (DOE), the Natural Resources Commission (NRC) or the Central Intelligence Agency (CIA).
The DOE, for one, has issued Media Clearing, Purging and Destruction Guidance as part of its Cyber Security Program. A more practical document is the DoD’s Clearing and Sanitization Matrix from the Defense Security Service. This guide, in particular, does specify methods and procedures for destroying classified media and equipment. I would also recommend NIST Special Publication 800-88, Guidelines for Media Sanitization. Its recommendations can be applied to all types of organizations and will help you devise an appropriate erasure policy based on the confidentiality level of your information.
So what level of erasure should you set for your confidential data? When vendors state that their products meet the “DoD 5220.22-M standard,” it generally means that the tool writes to all addressable hard drive locations with a character, then its complement, then a random character, followed by verification. The procedure is completed three times and prevents data from being recovered by commercially available processes.
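As an added illustration (not code from the original article or from any vendor’s product), the following Python sketch performs the pass sequence just described, a character, its complement, then a randomly chosen character, with a read-back verification of the last pass, over an ordinary file. The sample file contents and the helper names are constructed for the example.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # write/verify in 1 MiB chunks so large files never sit in memory

def _fill(fh, size, value):
    """One overwrite pass: repeat the byte `value` across the first `size` bytes."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        fh.write(bytes([value]) * min(CHUNK, size - off))
    fh.flush()
    os.fsync(fh.fileno())  # flush the OS cache; the drive's own cache is beyond our control

def _verify(fh, size, value):
    """Read the region back and confirm every byte equals `value`."""
    fh.seek(0)
    for off in range(0, size, CHUNK):
        n = min(CHUNK, size - off)
        if fh.read(n) != bytes([value]) * n:
            return False
    return True

def wipe_three_pass(path, first_byte=0x00):
    """Character, its complement, then a random character, then verify the last pass.

    Only the file's currently allocated bytes are touched: slack space, journal copies,
    remapped sectors and SSD wear-levelled blocks are not reached, which is why whole-
    device tools or physical destruction are used for real media (assumption: plain file)."""
    size = os.path.getsize(path)
    passes = [first_byte & 0xFF, (~first_byte) & 0xFF, secrets.randbelow(256)]
    with open(path, "r+b") as fh:
        for value in passes:
            _fill(fh, size, value)
        verified = _verify(fh, size, passes[-1])
    return verified, passes

def demo(first_byte=0x00):
    """Run the wipe over a constructed sample file and report what is left behind."""
    original = b"ACCOUNT=1234-5678-9012 NAME=J.DOE " * 64  # constructed, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(original)
    verified, passes = wipe_three_pass(path, first_byte)
    with open(path, "rb") as fh:
        leftover = fh.read()
    os.remove(path)
    return verified, passes, leftover == bytes([passes[-1]]) * len(original), original[:8] in leftover
```

`demo()` returns whether the final pass verified, the three pass bytes used, whether the whole file now reads as the last pattern, and whether any of the original record is still readable.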
Interestingly, in the fall of 2004 the U.S. National Security Agency (NSA Advisory LAA-006-2004) found that a single overwrite using the above process is sufficient to render electronic files unrecoverable. One problem with software disk wiping is that it cannot sanitize disconnected or forgotten internal hard drives, or hard drives that have actually physically failed.
Therefore, if your drives are not required again, you could look at destroying them by degaussing, melting, incineration, crushing or shredding. Physical destruction offers the highest level of erasure, but even this tactic is not necessarily absolute, especially if any remaining disk pieces are larger than a single 512-byte record block.
Whichever method you choose, whether software wiping or physical destruction, you must put policies in place that govern hard drive disposal. Employee training should also ensure that you have taken “reasonable measures” to safeguard your data.
The FTC’s Fair and Accurate Credit Transactions Act (FACTA) rule governs the proper storage and disposal of certain consumer information and requires that such information be properly disposed of. Although physically destroying disks is more costly than wiping them, the potential costs associated with compromised data may make it the best option.