Department of Defense Hard Drive Destruction
Controlled Unclassified Information – CUI Destruction.
Department of Defense Hard Drive Destruction Requirements
The DoD approved method for the destruction of computer hard drives and other digital media is to disintegrate, pulverize, mangle, or shred. The critical component for information destruction is to damage the hard drive enough that there is reasonable assurance that the data cannot be reconstructed.
In addition to the method of data destruction, handlers of CUI must also have Risk Assessments and Security Assessments in place. A written plan must include Access Controls, Audit & Accountability, Media Protection, Personnel Security, and Physical Protections.
Timing of Destruction
The Department of Defense requires organizations to destroy digital media containing classified information as soon as possible after making a decision. Digital media should remain locked and secure until the digital media is destroyed. 5-704 Destruction.
Method of Destruction
Digital media may be destroyed by shredding, melting, and pulverizing. 5-705 Methods of Destruction. See the shredding video.
Witness the Destruction
Access and destruction of hard drives must be by authorized and qualified personnel only. SECRET and CONFIDENTIAL material requires only one person. TOP SECRET material needs two people to be present. 5-706 Witnessed Destruction.
Personnel and Documentation
The documentation should include the date, materials, and list of authorized personnel present during the hard drive destruction process. Data destruction personnel must have personal knowledge that the material has been destroyed – Witnessed Destruction. 5-707 Destruction Records
The goal of destroying Controlled Unclassified Information (CUI) is to render the information unreadable, indecipherable, and irrecoverable.
What is NIST?
The National Institute of Standards and Technology (NIST) falls under the U.S. Department of Commerce. This organization is the authority on Information Technology subjects such as cybersecurity, communications, electronics, and artificial intelligence (AI).
What is NIST 800.88?
NIST 800.88 Guidelines for Media Sanitization. In practice, this is a guide to help organizations comply with data privacy laws by securely destroying data.
The guide details how, when, and where to destroy digital media when it is no longer needed. The processes are based on the confidentiality of the information as well as the final destination of the media.
Digital media consists of computer hard drives, solid-state drives (SSDs), USB drives, cell phones, LTO tapes, credit cards, and access cards.
Compliant hard drive and digital media destruction require specific methods, timing, personnel, and documentation. It is essential for organizations holding Controlled Unclassified Information (CUI) to follow these policies, standards, and methods during the digital media disposition process. Acceptable destruction methods to destroy digital media and Certificate of Destruction reporting.
Defense Counterintelligence and Security Agency
The DCSA requires digital media and computer hard drives to be rendered unreadable, indecipherable, and irrecoverable.
To accomplish this goal, the DCSA directs organizations holding CUI and Covered Defense Information (CDI) to consult with the following governmental organizations for more detailed guidance. NIST 800-88 Guidelines for Media Sanitization or the National Security Agency – “NSA Media Destruction Guidelines”
DEFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Security Reporting.”
This document addresses the security for Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) stored on digital media. The manual details acceptable equipment and methodology for hard drive destruction.
In addition, this document directs Defense Contractors to NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.” This document focuses on compliance regarding disposing of digital media, including hard drives, SSDs, magnetic backup tapes, and CDs in their possession.