Department of Defense Hard Drive Destruction Compliance
Complying with the Department of Defense hard drive destruction regulations require specific methods, timing, personnel and documentation. It is important for organizations holding Controlled Unclassified Information (CUI) must follow these policies, standards and methods during the digital media disposition process.
The goal of destroying Controlled Unclassified Information (CUI) is to render the information unreadable, indecipherable, and irrecoverable.
CUI Destruction Requirements
DoD approved methods for the destruction of computer hard drives and other digital media are to disintegrate, pulverize, mangle or shred. The key component for compliance is to damage the hard drive enough where there is reasonable assurance that the data cannot be reconstructed.
Timing of Destruction
The Department of Defense requires organizations destroy digital media containing classified information as soon as possible after the decision is made. Digital media should remain in locked and secure location until the digital media is destroyed. 5-704 Destruction
Method of Destruction
Digital media may be destroyed by shredding, melting, pulverizing. 5-705 Methods of Destruction. see shredding video.
Witness the Destruction
Access and destruction of hard drives must be by authorized and qualified personnel only. SECRET and CONFIDENTIAL material requires only one person. TOP SECRET material requires two people be present. 5-706 Witnessed Destruction.
Personnel and Documentation
Documentation shall indicate date, materials and list of authorized personnel present during the hard drive destruction process. Data destruction personnel must have personal knowledge that the material has been destroyed – Witnessed Destruction. 5-707 Destruction Records
Defense Counterintelligence and Security Agency
The DCSA requires digital media and computer hard drives be rendered unreadable, indecipherable and irrecoverable.
To accomplish this goal, the DCSA directs organizations holding CUI and Covered Defense Information (CDI) to consult with the following governmental organizations for more detailed guidence. NIST 800-88 Guidelines for Media Sanitization or the National Security Agency – “NSA Media Destruction Guidence”
DEFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Security Reporting”.
This document addresses the security for Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) stored on digital media. The manual details acceptable equipment and methodology for hard drive destruction.
In addition, this document directs Defense Contractors to NIST 800-171 “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”. This document focuses on compliance when it comes time to dispose of digital media including hard drives, SSDs, magnetic backup tapes and CDs in their possession.