NSA Compliant Hard Drive Destruction
The National Security Agency (NSA) and Central Security Service (CSS) have put together a manual entitled NSA/CSS Storage Device Sanitization Manual 9-12 detailing the proper methodology and equipment required for NSA compliant hard drive destruction. In addition, NSA/CSS Policy 6-22 “Handling of NSA/CSS Information Storage Media” assigns responsibilities for the secure handling of all NSA/CSS information storage media. Together, these policies and manuals detail the acceptable equipment and methodology for hard drive destruction.
The 3 Steps to Comply with NSA Hard Drive Destruction Requirements
Compliance begins prior to erasing, degaussing and/or shredding!
1. Record the serial number of each hard drive to be destroyed. Best practices, as well as NIST 800-88, require linking the hard drive to the originating machine and user. A Certificate of Destruction with a list of serial numbers does not tell the whole story. Where the drive came from and what information was stored on the drive is the true objective.
2. Once removed from machines, hard drives must be protected from access by unauthorized employees and visitors. Storing hundreds of drives in the company’s warehouse, an unused office or a hired electronic recycling facility leads to pilfering and unauthorized access. By definition, this is a data breach.
3. Degauss and destroy. More specifically, degauss with a machine on the NSA Degausser Evaluated List. Cheaper and less powerful degaussing machines do not have enough magnetic force to penetrate heavily shielded server drives.
The destruction of the hard drive consists of “physically damaging by deforming the internal platters…” The NSA/CSS Policy Manual 9-12 “Storage Device Sanitization and Destruction Manual” does not require shredding the drive to a certain size.
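The three steps above amount to a record-keeping discipline: every drive has a serial number tied to its source machine and user, an unbroken custody chain held only by authorized people, and a sanitization entry showing an evaluated-list degausser followed by physical destruction. The following is an added example, not code from the original page or from any vendor or NSA tool, of how that tracking and the compliance checks a Certificate of Destruction should be built from can be implemented. The degausser models, custodian names, hosts and serial numbers are constructed sample values; a real deployment would load the current NSA evaluated list and its own staff list instead of hard-coding them. The example also covers the one case the page does not spell out: degaussing does nothing for flash media, so an SSD record is only accepted on the strength of its physical destruction.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample data standing in for the NSA Degausser Evaluated List and
# for the organisation's list of staff cleared to handle retired media.
# Neither is a real list; load the current ones from the authoritative sources.
EVALUATED_DEGAUSSERS = {"EXAMPLE-DG-100", "EXAMPLE-DG-200"}
AUTHORIZED_CUSTODIANS = {"alice.ops", "bob.security", "vendor.destruction"}

# Degaussing only sanitizes magnetic media; flash media (SSD, USB, SIM) must be
# physically destroyed regardless of whether they were put through a degausser.
MAGNETIC_MEDIA = {"HDD", "TAPE"}


@dataclass
class DriveRecord:
    serial: str
    media_type: str                       # "HDD", "SSD", "TAPE"
    source_host: str                      # machine the drive was pulled from
    source_user: str                      # last assigned user / data owner
    custody: List[Tuple[str, str]] = field(default_factory=list)  # (ISO time, holder)
    degausser_model: Optional[str] = None  # model used, if degaussed
    destroyed: bool = False               # platters deformed / chips shredded
    witness: Optional[str] = None         # person who observed destruction

    def hand_off(self, when: str, holder: str) -> None:
        """Step 2: append a custody event; the chain must never have a gap."""
        self.custody.append((when, holder))


def validate(rec: DriveRecord) -> List[str]:
    """Return every compliance problem found; an empty list means the
    record supports a Certificate of Destruction entry."""
    problems = []
    # Step 1: serial number linked to its origin.
    if not rec.serial:
        problems.append("missing serial number")
    if not (rec.source_host and rec.source_user):
        problems.append("not linked to originating machine and user")
    # Step 2: continuous custody by authorized people only.
    if not rec.custody:
        problems.append("no custody chain")
    else:
        times = [t for t, _ in rec.custody]
        if times != sorted(times):
            problems.append("custody events out of order")
        for _, holder in rec.custody:
            if holder not in AUTHORIZED_CUSTODIANS:
                problems.append(f"unauthorized custodian: {holder}")
    # Step 3: evaluated-list degausser (magnetic media only) plus destruction.
    if rec.media_type in MAGNETIC_MEDIA:
        if rec.degausser_model is None:
            problems.append("magnetic media not degaussed")
        elif rec.degausser_model not in EVALUATED_DEGAUSSERS:
            problems.append(f"degausser not on evaluated list: {rec.degausser_model}")
    if not rec.destroyed:
        problems.append("not physically destroyed")
    if rec.witness is None:
        problems.append("destruction not witnessed")
    return problems


def certificate(records: List[DriveRecord]) -> Tuple[List[str], dict]:
    """Build Certificate of Destruction lines for compliant records and a
    map of serial -> problems for every record that must not be certified."""
    lines, rejected = [], {}
    for rec in records:
        problems = validate(rec)
        if problems:
            rejected[rec.serial] = problems
            continue
        method = "degauss+destroy" if rec.degausser_model else "destroy"
        lines.append(f"{rec.serial}\t{rec.media_type}\t{rec.source_host}\t"
                     f"{rec.source_user}\t{method}\twitness={rec.witness}")
    return lines, rejected


def sample_records() -> List[DriveRecord]:
    """Constructed inventory: one compliant server drive, one flawed SSD."""
    hdd = DriveRecord("WD-000111", "HDD", "fileserver-01", "alice.ops")
    hdd.hand_off("2024-03-01T09:00", "alice.ops")
    hdd.hand_off("2024-03-02T14:30", "bob.security")
    hdd.hand_off("2024-03-05T08:00", "vendor.destruction")
    hdd.degausser_model = "EXAMPLE-DG-100"
    hdd.destroyed = True
    hdd.witness = "bob.security"

    # SSD with no recorded owner that was only degaussed (which does nothing
    # for flash) and sat with an uncleared warehouse temp before pickup.
    ssd = DriveRecord("SSD-999000", "SSD", "laptop-42", "")
    ssd.hand_off("2024-03-01T09:00", "alice.ops")
    ssd.hand_off("2024-03-03T10:00", "warehouse.temp")
    ssd.degausser_model = "EXAMPLE-DG-100"
    return [hdd, ssd]


if __name__ == "__main__":
    lines, rejected = certificate(sample_records())
    print("\n".join(lines))
    for serial, problems in rejected.items():
        print(f"REJECTED {serial}: {'; '.join(problems)}")
```

Running the module prints one certificate line for the server drive and a rejection for the SSD listing the missing owner, the unauthorized custodian, the missing destruction and the missing witness; the degausser entry on the SSD is neither credited nor flagged, because degaussing is simply irrelevant to flash media.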
An NSA-listed disintegrator shreds SIM cards, Department of Defense Common Access Cards (“CAC ID”), EMV credit cards, magnetic stripe cards, CDs, DVDs and Blu-ray discs down to 2 mm, the particle size required by the NSA.