Department of Defense Compliant Hard Drive Destruction

Controlled Unclassified Information Guidelines

Compliance with the Department of Defense Hard Drive Destruction Requirements

Complying with the Department of Defense hard drive destruction regulations requires specific timing, personnel, methods and documentation. Agencies and organizations holding Controlled Unclassified Information (CUI) must follow these rules during the digital media disposition process.

DoD-approved methods for the destruction of computer hard drives and other digital media are to disintegrate, pulverize, mangle or shred. The key component for compliance is to damage the hard drive enough that there is reasonable assurance the data cannot be reconstructed.

NSA Requirements for data destruction
NIST 800-88 data destruction

Defense Counterintelligence and Security Agency

The DCSA requires that digital media and computer hard drives be rendered unreadable, indecipherable and irrecoverable.

To accomplish this goal, the DCSA directs organizations holding CUI and Covered Defense Information (CDI) to consult the following governmental guidance for more detail: NIST 800-88, "Guidelines for Media Sanitization", or the National Security Agency's "NSA Media Destruction Guidance".

Department of Defense 5220.22 – Classified Data Destruction

Timing of Destruction

Destroy digital media containing classified information as soon as possible after the decision is made. Digital media should remain in a locked and secure location until it is destroyed. 5-704 Destruction.

Witness the Destruction

Access and destruction of hard drives must be by authorized and qualified personnel only.

SECRET and CONFIDENTIAL material requires only one person. TOP SECRET material requires two people be present. 5-706 Witnessed Destruction.

Method of Destruction

Digital media may be destroyed by shredding, melting or pulverizing. 5-705 Methods of Destruction.

Personnel and Documentation

Documentation shall indicate the date, the materials and a list of authorized personnel present during the hard drive destruction process. Data destruction personnel must have personal knowledge that the material has been destroyed (Witnessed Destruction). 5-707 Destruction Records.

DFARS 252.204-7012 "Safeguarding Covered Defense Information and Cyber Security Reporting"

This document addresses security for Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) stored on digital media. The manual details acceptable equipment and methodology for hard drive destruction.

In addition, this document directs Defense Contractors to NIST 800-171, "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations". That document focuses on compliance when it comes time for contractors to dispose of digital media in their possession, including hard drives, SSDs, magnetic backup tapes and CDs.