DoD Compliant Hard Drive Destruction
To comply with Department of Defense (DoD) requirements for hard drive and digital media destruction, contractors should follow the guidance in DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting". This clause covers the protection of Controlled Unclassified Information (CUI) and Covered Defense Information (CDI), including CDI stored on digital media, and is the starting point for determining which sanitization and destruction equipment and methods are acceptable.
DFARS 252.204-7012 directs defense contractors to implement NIST SP 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations". Among its requirements (Media Protection family, control 3.8.3) is that system media containing CUI, including hard drives, SSDs, magnetic backup tapes and CDs in the contractor's possession, be sanitized or destroyed before disposal or release for reuse.
Sanitization and Destruction Methods
NSA/CSS Policy Manual 9-12, the Storage Device Sanitization and Destruction Manual, lists the hard drive destruction techniques that are acceptable for DoD and NSA compliance. Devices used for destruction must appear on the NSA/CSS Evaluated Products List (EPL). There are basically two options for NSA/CSS hard drive destruction in California: degauss and destroy, or disintegrate. Since California has banned incineration of electronics, incineration is not an option.
Degauss & Destroy
Most NSA contractors prefer to degauss and destroy magnetic hard drives. The advantages of degaussing and destroying over disintegration are that it is faster and more environmentally friendly. Disintegration is required only for flash memory such as SSDs and cell phones, which cannot be degaussed.
Degaussing and destroying a single 3.5" server hard drive takes less than 7 seconds. Disintegrating an SSD to the 2mm requirement should take about 10 minutes.
Solid state drives (SSDs) cannot be degaussed because they do not store data on magnetic media: a degausser erases by applying a strong magnetic field, and the charge stored in a flash memory cell is unaffected by it. NSA/CSS therefore requires that SSDs and other flash media be disintegrated into 2mm particles, a size small enough that no memory chip survives intact and the data is not recoverable.
[Image caption: CDs disintegrated with a shredder listed on the NSA Evaluated Products List.]
Most organizations whose data destruction falls under NIST 800-88, HIPAA or PCI DSS accept SSDs and other flash media shredded to .375" (9.5mm), on the basis that this shred size breaks up all of the chips. Note that 9.5mm is an industry norm rather than a particle size mandated by those standards, and it does not meet the NSA/CSS 2mm requirement: media covered by NSA/CSS Policy Manual 9-12 must still be disintegrated.