SPE1.1.0.2

MEDIA SANITIZATION TECHNIQUES NIST SP 800-88. Standards.




SUMMARY
(NIST SP 800-88)


Information systems capture, process, and store information using a wide variety of media. This information is not only located on the intended storage media but also on devices used to create, process, or transmit this information. These media may require special disposition in order to mitigate the risk of unauthorized disclosure of information and to ensure its confidentiality. Efficient and effective management of information that is created, processed, and stored by an information technology (IT) system throughout its life, from inception through disposition, is a primary concern of an information system owner and the custodian of the data.

With the use of increasingly sophisticated encryption, an attacker wishing to gain access to an organization’s sensitive information is forced to look outside the system itself for that information. One avenue of attack is the recovery of supposedly deleted data from media. These residual data may allow unauthorized individuals to reconstruct data and thereby gain access to sensitive information. Sanitization can be used to thwart this attack by ensuring that deleted data cannot be easily recovered.

When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical, electrical, or other representation of data that has been deleted is not easily recoverable.

Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.

Note: Wherever possible, excess equipment and media should be made available to schools and non-profit organizations to the extent permitted by law.



PURPOSES AND SCOPE OF DIGITAL DATA SANITIZATION


The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media.

With the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information.

Categorization of an information technology (IT) system in accordance with Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, is the critical first step in understanding and managing system information and media.

The system owner should refer to NIST Special Publication (SP) 800-53, which specifies that:



DIFFERENT LEVELS OF SECURITY


CLEAR

One method to sanitize media is to use software or hardware products to overwrite storage space on the media with non-sensitive data. This process may include overwriting not only the logical storage location of a file(s) (e.g., file allocation table) but also may include all addressable locations. The security goal of the overwriting process is to replace written data with random data. Overwriting cannot be used for media that are damaged or not rewriteable. The media type and size may also influence whether overwriting is a suitable sanitization method [SP 800-36].

PURGE

Degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable methods for purging. Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media. Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge. Degaussers operate using either a strong permanent magnet or an electromagnetic coil. Degaussing can be an effective method for purging damaged or inoperative media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes [SP 800-36].

DESTROY

There are many different types, techniques, and procedures for media destruction. If destruction is decided on because of the high security categorization of the information, then after the destruction, the media should be able to withstand a laboratory attack.

Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), and MO disks, must be destroyed by pulverizing, crosscut shredding or burning. When material is disintegrated or shredded all residues must be reduced to nominal edge dimensions of five millimeters and surface area of twenty-five square millimeters.


The DoD 5220.22-M method for data erasure first appeared in the early days of the data sanitization industry. When it was published by the U.S. Department of Defense (DoD) in the National Industrial Security Program Operating Manual (also known as “NISPOM,” “NISP Operating Manual,” or Department of Defense document #5220.22-M), it specified a process of overwriting hard disk drives (HDDs) with patterns of ones and zeros. The process required three secure overwriting passes and verification at the end of the final pass. This was in 1995, before the debut of smartphones and the widespread use of flash-based storage technologies.
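The overwrite described under CLEAR and the three-pass process with verification at the end of the final pass can be sketched as follows. This is an added example, not code from NIST, the DoD or any erasure product; it runs against a regular file standing in for the medium, and the pass patterns (zeros, ones, random) and all function names are assumptions.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write
# Assumed patterns: the page only says "patterns of ones and zeros".
# None means a pass of random bytes.
PASSES = (b"\x00", b"\xff", None)


def write_pass(f, size, pattern):
    """Overwrite every addressable byte once; return SHA-256 of the data written."""
    digest = hashlib.sha256()
    f.seek(0)
    for offset in range(0, size, CHUNK):
        n = min(CHUNK, size - offset)
        block = os.urandom(n) if pattern is None else pattern * n
        f.write(block)
        digest.update(block)
    f.flush()
    os.fsync(f.fileno())  # push this pass to the device before the next one
    return digest.hexdigest()


def read_digest(f, size):
    """Read the target back and hash it. A real tool must bypass the OS cache."""
    digest = hashlib.sha256()
    f.seek(0)
    for offset in range(0, size, CHUNK):
        digest.update(f.read(min(CHUNK, size - offset)))
    return digest.hexdigest()


def overwrite_and_verify(path, passes=PASSES):
    """Run every pass over the whole target, then verify the final pass."""
    size = os.path.getsize(path)  # regular file; a block device needs another size query
    with open(path, "r+b") as f:
        for pattern in passes:
            written = write_pass(f, size, pattern)
        return read_digest(f, size) == written


def make_sample_image(size=2 * CHUNK + 123):
    """Constructed stand-in for a medium: filler bytes plus one 'sensitive' record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CONSTRUCTED-SECRET-RECORD" + b"A" * 999) * (size // 1024 + 1))
        f.truncate(size)
    return path
```

Calling `overwrite_and_verify(make_sample_image())` returns `True` when the read-back matches the final pass. On flash-based media an overwrite through the logical interface may not reach remapped or spare blocks, so a passing verification here only covers the addressable space.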

In 2001, a DoD memo specified additional overwriting and verification methods that became accepted as part of the “standard.” The DoD 5220.22-M ECE method is an extended (7-pass) version of the DoD 5220.22-M. It runs the DoD 5220.22-M twice, with an extra pass (DoD 5220.22-M (C) Standard) sandwiched in between.

However, the latest version of the DoD 5220.22-M “standard” hasn’t specified an overwriting pattern for erasing hard drives since at least 2006, though the 3-pass method is still standard practice when implemented.

In the most recent update, which occurred in 2021, the NISP Operating Manual became effective as a federal rule. Referred to as the “NISPOM rule,” it replaces the NISPOM previously issued as a DOD policy and, again, never specifies a method of data sanitization. Instead, it refers contractors to other government organizations (Cognizant Security Agencies, or CSAs).

Despite the absence of a current data erasure specification, the older 3-pass DoD 5220.22-M sanitization method is still one of the most common sanitization methods used in data destruction software, and in general, is often perceived as an industry standard in the U.S.

Today, DoD 5220.22-M is readily available as a data wiping option, but has been superseded by other data sanitization standards such as those from the National Institute of Standards and Technology: NIST 800-88 Clear and NIST 800-88 Purge.

The DoD method is no longer recommended best practice but can be effective in some instances. It can sometimes also be required by your organization’s policies or other regulations. Increasingly, however, organizations are using NIST 800-88 sanitization methods to prevent unauthorized access of data and sanitize their data storage devices.

If your drives are no longer required, another method to achieve data sanitization is physical destruction through melting, crushing, incineration or shredding.

Physical destruction is not ideal if you want to reuse your drives, as they’ll be completely destroyed, but even this method isn’t necessarily absolute. If any disk pieces remain large enough after destruction (especially on SSDs), they can still contain recoverable information. Data erasure software, however, doesn’t leave information behind, and the disks can be reused after they’re erased, which saves costs.

Whichever method you choose, whether it be physical destruction or data erasure software or both, your organization must first have policies in place to govern hard drive disposal and data sanitization for other IT assets, including servers, laptops and removable media. These policies should include training for employees so that they can take proven steps to keep data out of harm’s way. The U.S. Federal Trade Commission’s Fair and Accurate Credit Transactions Act (FACTA) rule is one of the many regulations that govern the proper storage and disposal of specific consumer information and require that such information is disposed of properly.

The best way to ensure data removal for the highest security environments is to combine software-based data erasure with physical destruction. That way, there’s absolutely no chance the data can be recovered from any fragments because it has been removed completely.

In the IT asset disposition (ITAD) space, operators and customers often cite a “DoD certification,” but the reality is that no such certification exists. Instead, the U.S. Department of Defense adheres to NIST 800-88 Guidelines for Media Sanitization. However, even this is a guideline, not a certification. And, as previously mentioned, most government and other regulations and certification programs now cite NIST SP 800-88 media erasure guidelines, not DoD 5220.22-M.


Guidelines For Media Sanitization



Relationship To Government Publishing



USA Standards



Rules For The Protection Of Personal Data


Relationship To Other NIST Documents
(Standards for Security Categorization of Federal Information and Information Systems, FIPS 199)


  • NIST SP 800-60 (Guide for Mapping Types of Information and Information Systems to Security Categories) provides guidance for establishing the security categorization for a system’s confidentiality. This categorization will impact the level of assurance an organization should require in making sanitization decisions.

  • FIPS 200 (Minimum Security Requirements for Federal Information and Information Systems) sets a base of security requirements that requires organizations to have a media sanitization program.

  • NIST SP 800-53 (Recommended Security Controls for Federal Information Systems) provides minimum recommended security controls, including sanitization, for Federal systems based on their overall system security categorization.

  • NIST SP 800-53A (Guide for Assessing the Security Controls in Federal Information Systems) provides guidance for assessing security controls, including sanitization, for federal systems based on their overall system security categorization.




