Department of Defense Compliant Hard Drive Destruction
Controlled Unclassified Information Guidelines
Compliance with the Department of Defense Hard Drive Destruction Requirements
Complying with the Department of Defense hard drive destruction regulations requires specific timing, personnel, methods and documentation. Agencies and organizations holding Controlled Unclassified Information (CUI) must follow these rules during the digital media disposition process.
DoD approved methods for the destruction of computer hard drives and other digital media are to disintegrate, pulverize, mangle or shred. The key component for compliance is to damage the hard drive enough that there is reasonable assurance the data cannot be reconstructed.
Defense Counterintelligence and Security Agency
The DCSA requires that digital media and computer hard drives be rendered unreadable, indecipherable and irrecoverable.
To accomplish this goal, the DCSA directs organizations holding CUI and Covered Defense Information (CDI) to consult with the following governmental organizations for more detailed guidance: NIST 800-88 Guidelines for Media Sanitization or the National Security Agency – “NSA Media Destruction Guidance”.
Department of Defense 5220.22 – Classified Data Destruction
Timing of Destruction
Destroy digital media containing classified information as soon as possible after the decision is made. Digital media should remain in a locked and secure location until it is destroyed. 5-704 Destruction.
Witness the Destruction
Access and destruction of hard drives must be by authorized and qualified personnel only.
SECRET and CONFIDENTIAL material requires only one person. TOP SECRET material requires two people be present. 5-706 Witnessed Destruction.
Method of Destruction
Digital media may be destroyed by shredding, melting or pulverizing. 5-705 Methods of Destruction.
Personnel and Documentation
Documentation shall indicate date, materials and list of authorized personnel present during the hard drive destruction process. Data destruction personnel must have personal knowledge that the material has been destroyed – Witnessed Destruction. 5-707 Destruction Records
DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Security Reporting”
This document addresses the security for Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) stored on digital media. The manual details acceptable equipment and methodology for hard drive destruction.
In addition, this document directs Defense Contractors to NIST 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. This document focuses on compliance when it comes time to dispose of digital media including hard drives, SSDs, magnetic backup tapes and CDs in their possession.