Department of Defense Hard Drive Destruction

Controlled Unclassified Information – CUI Destruction.

The Department of Defense: Compliant Data Destruction

The Department of Defense (DoD) 5220.22 standard for data destruction was replaced in 2014 by NIST 800-88. In practice, when the Department of Defense destroys digital media, it follows the NIST 800-88 Guidelines for Media Sanitization.

Complying with DoD data destruction guidelines means complying with NIST 800-88.

What is NIST?

The National Institute of Standards and Technology (NIST) falls under the U.S. Department of Commerce. This organization is the authority on Information Technology subjects such as cybersecurity, communications, electronics, and artificial intelligence (AI).

What is NIST 800-88?

NIST 800-88 is the Guidelines for Media Sanitization. In practice, this is a guide to help organizations comply with data privacy laws by securely destroying data.

The guide details how, when, and where to destroy digital media when it is no longer needed.  The processes are based on the confidentiality of the information as well as the final destination of the media.

Digital media consists of computer hard drives, solid-state drives (SSDs), USB drives, cell phones, LTO tapes, credit cards, and access cards.

Compliant hard drive and digital media destruction requires specific methods, timing, personnel, and documentation. It is essential for organizations holding Controlled Unclassified Information (CUI) to follow these policies, standards, and methods during the digital media disposition process. These include acceptable destruction methods for digital media and Certificate of Destruction reporting.

The goal of destroying Controlled Unclassified Information (CUI) is to render the information unreadable, indecipherable, and irrecoverable.

Defense Counterintelligence and Security Agency

CUI Destruction Requirements

DoD-approved methods for the destruction of computer hard drives and other digital media are to disintegrate, pulverize, mangle, or shred.  The critical component for compliance is to damage the hard drive enough that there is reasonable assurance that the data cannot be reconstructed.


Timing of Destruction

The Department of Defense requires organizations to destroy digital media containing classified information as soon as possible after making a decision.  Digital media should remain locked and secure until the digital media is destroyed. 5-704 Destruction.


Method of Destruction

Digital media may be destroyed by shredding, melting, and pulverizing.  5-705 Methods of Destruction.


Witness the Destruction

Access and destruction of hard drives must be by authorized and qualified personnel only.  SECRET and CONFIDENTIAL material requires only one person.  TOP SECRET material needs two people to be present.  5-706 Witnessed Destruction.


Personnel and Documentation

The documentation should include the date, materials, and list of authorized personnel present during the hard drive destruction process. Data destruction personnel must have personal knowledge that the material has been destroyed (Witnessed Destruction). 5-707 Destruction Records.


Defense Counterintelligence and Security Agency

The DCSA requires digital media and computer hard drives to be rendered unreadable, indecipherable, and irrecoverable.

To accomplish this goal, the DCSA directs organizations holding CUI and Covered Defense Information (CDI) to consult the following governmental guidance for more detail: the NIST 800-88 Guidelines for Media Sanitization or the National Security Agency's “NSA Media Destruction Guidelines.”

DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Security Reporting.”

This document addresses the security for Controlled Unclassified Information (CUI) and  Covered Defense Information (CDI) stored on digital media.  The manual details acceptable equipment and methodology for hard drive destruction.

In addition, this document directs Defense Contractors to NIST 800-171, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.”  This document focuses on compliance regarding disposing of digital media, including hard drives, SSDs, magnetic backup tapes, and CDs in their possession.