APPENDIX E
CLEARING, SANITIZING, AND RELEASING COMPUTER COMPONENTS
1. PURPOSE. The purpose of this annex is to provide guidance and procedures to clear and sanitize magnetic storage media that is no longer useable, requires transfer, or should be released from control. Personnel needing to destroy, degauss, overwrite, desclassify, downgrade, release or ship media from from AISs for all classification levels (to include COMSEC keying material, must follow the rules aand table E-1 of this Appendix. If an item is not contained in Table E-1, the headquarters level ISSPM must be contacted for directions.
2. SCOPE. These procedures are effective in the following life cycle phases: CONCEPTS DEVELOPMENT PHASE NO DESIGN PHASE NO DEVELOPMENT PHASE YES DEPLOYMENT PHASE YES OPERATIONS PHASE YES RECERTIFICATION PHASE YES DISPOSAL PHASE YES
3. RESPONSIBILITIES. The Information Systems Security Manager (ISSM) is responsible for the security of all ISs and media assigned to the organization and under his/her purview. To protect these assets, he/she must ensure the security measures and policies contained within this annex are followed. Additionally, the ISSM will publish supplemental organizational procedures (Standard Operating Procedures [SOPs], etc.), if needed, to implement the requirements herein.
4. PROCEDURES. The procedures contained below meet the minimum security requirements for the clearing, sanitizing, releasing, and disposal of magnetic media. These procedures will be followed when it becomes necessary to release magnetic media, regardless of classification, from Sensitive Compartmented Information (SCI) channels. Media that has ever contained SCI, other intelligence information, or Restricted Data can not be sanitized by overwriting; such media must be degaussed before release. Media that has ever contained Cryptographic (CRYPTO) material cannot be sanitized at all; it must be destroyed.
4.1 Review of Terms. To better understand the procedures contained herein, it should be understood that overwriting, clearing, purging, degaussing, and sanitizing are not synonymous with declassification. Additionally, the following definitions should be reviewed:
4.1.1 Clearing. Clearing is the process of eradicating the data on the media before the media is reused in an environment that provides an acceptable level of protection for the data that was previously on the media before clearing. In general, laboratory techniques allow the retrieval of information that has been cleared, but normal operations do not allow such retrieval. Clearing can be accomplished by overwriting or degaussing.
4.1.2 Sanitizing (Also Purging). Sanitizing is the process of removing the data on the media before the media is reused in an environment that does not provide an acceptable level of protection for the data that was on the media before sanitizing. In general, laboratory techniques cannot retrieve data that has been sanitized/purged. Sanitizing may be accomplished by degaussing.
4.1.3 Destroying. Destroying is the process of physically damaging the media to the level that the media is not usable as media, and so that there is no known method of retrieving the data.
4.1.4 Declassification. Declassification is a separate administrative process whose result is a determination that given media no longer requires protection as classified information. The procedures for declassifying media require Designated Approving Authority (DAA) or Service Certifying Organization (SCO) approval.
4.2 Overwriting Media. Overwriting is a software process that replaces the data previously stored on magnetic storage media with a predetermined set of meaningless data. Overwriting is an acceptable method for clearing; however, The effectiveness of the overwrite procedure may be reduced by several factors, including: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.
4.2.1 Overwriting Procedure. The preferred method to clear magnetic disks is to overwrite all locations three (3) times (the first time with a random character, the second time with a specified character, the third time with the complement of that specified character).
4.2.2 Overwrite Verification. The overwrite procedure must be verified by the ISSM or designee.
4.3 Degaussing Media. Degaussing (i.e., demagnetizing) is a procedure that reduces the magnetic flux on media virtually to zero by applying a reverse magnetizing field. Properly applied, degaussing renders any previously-stored data on magnetic media unreadable and may be used in the sanitization process. Degaussing is more effective than overwriting magnetic media.
4.3.1 Magnetic media is divided into three types (I, II, III) based on their coercivity. Coercivity of magnetic media defines the magnetic field necessary to reduce a magnetically-saturated material's magnetization to zero. The level of magnetic media coercivity must be ascertained prior to executing any degaussing procedure.
4.3.2 The individual performing the physical degaussing of a component must ensure that the capability of the degausser meets or exceeds the coercivity factor of the media, and that the proper type of degausser is used for the material being degaussed. The three types of degausser_s are: ¿"_¿ Type I. Used to degauss Type I media (i.e., media whose coercivity is no greater than 350 Oersteds [Oe]). ¿"_¿ Type II. Used to degauss Type II media (i.e., media whose coercivity is no greater than 750 Oe). ¿"_¿ Type III. Used to degauss Type III media (i.e. media whose coercivity is in excess of 750 Oe). Currently, there are no degaussers that can effectively degauss all Type III media. Some degaussers are rated above 750 Oe, and their specific approved rating will be determined prior to use.
4.3.3 Refer to the current issue of the National Security Agency (NSA) Information Systems Security Products and Services Catalogue (Degausser Products List Section), for the identification of degaussers acceptable for the procedures specified herein. These products will be periodically tested to assure continued compliance with the appropriate specification. National specifications provide a test procedure to verify continued compliance with the specification.
4.3.4 Once a degausser has been purchased and has become operational, the gaining organization must establish a SOP explaining how it will be used.
4.4 Sanitizing Media. Tables E-1 and E-2 provide instructions for sanitizing data storage media and system components.
4.5 Destroying Media. Data storage media will be destroyed in accordance with DAA/SCO approved methods.
4.5.1 Expendable Item Destruction. Expendable items (e.g., floppy diskettes) are not authorized to be released for reuse outside of the SCI community. If these items are damaged or no longer deemed usable, they will be destroyed. When destroying, remove the media (magnetic mylar, film, ribbons, etc.) from any outside container (reels, casings, hard cases or soft cases, envelopes, etc.) and dispose of the outside container in a regular trash receptacle.
TABLE E-1 SANITIZING DATA STORAGE MEDIA MEDIA TYPE PROCEDURE(S)
Magnetic Tape Type I a or b Type II b Type III Destroy
Magnetic Disk Packs Type I a or b Type II b Type III Destroy
Magnetic Disks Floppies Destroy
Bernoullis Destroy
Removable Hard Disks a or b or c
Non-Removable Hard Disks a or b or c
Optical Disks Read Only (including CD-ROMs) Destroy
Write Once, Read Many (WORM) Destroy Read Many, Write Many Destroy
PROCEDURES These procedures will be performed or supervised by the ISSO.
a. Degauss with a Type I degausser.
b. Degauss with a Type II degausser.
c. Overwrite all locations three times (first time with a random character, second time with a specified character, third time with the complement of the specified character).
TABLE E-2 SANITIZING SYSTEM COMPONENTS
TYPE OF COMPONENT PROCEDURE
Magnetic Bubble Memory a or b or c
Magnetic Core Memory a or b or d
Magnetic Plated Wire d or e
Magnetic-Resistive Memory Destroy
SOLID STATE MEMORY COMPONENTS:
Dynamic Random Access Memory (DRAM) (Volatile) Destroy if RAM is functioning d, then e and i if RAM is defective f, then e and i
Static Random Access Memory (SRAM) j
Programmable ROM (PROM) Destroy (see h)
Erasable Programmable ROM (EPROM/UVPROM) g, then c and i
Electronically Erasable PROM (EEPROM) d, then i
Flash EPROM (FEPROM) d, then i PROCEDURES T
hese procedures will be performed or supervised by the ISSO.
a. a. Degauss with a Type I degausser.
b. b. Degauss with a Type II degausser.
c. c. Overwrite all locations with any random character.
d. d. Overwrite all locations with a random character, a specified character, then its complement.
e. e. Remove all power, including batteries and capacitor power supplies from RAM circuit board.
f. f. Perform three power on/off cycles (60 seconds on, 60 seconds off each cycle, at a minimum).
g. g. Perform an ultraviolet erase according to manufacturer's recommendation, but increase time requirements by a factor of 3.
h. h. Destruction required only if ROM contained a classified algorithm or classified data.
i. I. Check with the DAA/SCO to see if additional procedures are required.
j. j. Store a random unclassified test pattern for a time period comparable to the normal usage cycle.
Cut the media into pieces (a crosscut chipper/shredder may be used to cut the media into pieces) and then burn all pieces in a secure burn facility. If the Environmental Protection Agency (EPA) does not permit burning of a particular magnetic recording item, it will be degaussed, cut into pieces (a chipper/shredder preferred) and disposed of in a regular trash receptacle.
4.5.2 Destruction of Removable Hard Disks and Disk Packs.
4.5.2.1 Removable Hard Disks. Removable hard disks are expendable items and are not authorized to be released for reuse outside of the SCI community unless they have been degaussed and declassified. Each item is considered classified to the highest level of data stored or processed on the IS in which it was used. If removable hard disks are damaged, or no longer deemed usable, they will be destroyed. If the platter(s) of the defective unit can be removed and the removal is cost effective, then destruction of a removable hard disk consists of dismantling the exterior case and removing the platter from the case. Local destruction of the platter consists of removing the magnetic surface by sanding.
4.5.2.2 Disk Packs. Each item is considered classified to the highest level of data stored or processed on the IS in which it was used. If disk packs are damaged, or no longer deemed usable, they will be destroyed. Local destruction of the platter consists of removing the magnetic surface by sanding.
4.6 Malfunctioning Media. Magnetic storage media that malfunctions or contains features that inhibit overwriting or degaussing will be reported to the Information System Security Officer (ISSO). The ISSO will coordinate the repair or destruction of the media with the ISSM and responsible DAA/SCO.
4.7 Release of Memory Components and Boards. Prior to the release of any malfunctioning components the following requirements will be met in respect to coordination, documentation, and written approval. This section applies only to components identified by the vendor or other technically-knowledgeable individual as having the capability of retaining user-addressable data; It does not apply to other items (e.g., cabinets, covers, electrical components not associated with data), which may be released without reservation. For the purposes of this annex, a memory component is considered to be the Lowest Replaceable Unit (LRU) in a hardware device. Memory components reside on boards, modules, and sub-assemblies. A board can be a module, or may consist of several modules and sub-assemblies. Unlike magnetic media sanitization, clearing may be an acceptable method of sanitizing components for release (see Table S-2). Memory components are specifically handled as either volatile or nonvolatile, as described below.
4.7.1 Volatile Memory Components. Memory components that do not retain data after removal of all electrical power sources, and when re-inserted into a similarly configured system do not contain residual data, are considered volatile memory components. Volatile components that have contained extremely sensitive or classified information may be released only in accordance with procedures developed by the ISSM or designee and stated in the Accreditation Support documentation. A record must be maintained of the equipment release indicating that, per a best engineering assessment, all component memory is volatile and that no data remains in or on the component when power is removed.
4.7.2 Nonvolatile Memory Components. Components that do retain data when all power sources are discontinued are nonvolatile memory components - including Read Only Memory (ROM), Programmable ROM (PROM), or Erasable PROM (EPROM), and their variants - that have been programmed at the vendor's commercial manufacturing facility, and are considered to be unalterable in the field, may be released. All other nonvolatile components (e.g., removable/non-removable hard disks) may be released after successful completion of the procedures outlined in Table S-2. Failure to accomplish these procedures will require the ISSM, or designee, to coordinate with the DAA/SCO to determine releasability.
4.7.3 Other Nonvolatile Media.
4.7.3.1 Visual Displays. A Visual Display may be considered to be sanitized if no sensitive information is etched into the Visual Display phosphor. The ISSO should inspect the face of the Visual Display without power applied. If sensitive information is visible, destroy the Visual Display before releasing it from control. If nothing is visible, the ISSO shall apply power to the Visual Display; then vary the intensity from low to high. If sensitive information is visible on any part of the Visual Display face, the Visual Display shall be destroyed before it is released from control.
4.7.3.2 Printer Platens and Ribbons. Printer platens and ribbons shall be removed from all printers before the equipment is released. One-time ribbons and inked ribbons shall be destroyed as sensitive material. The rubber surface of platens shall be sanitized by wiping the surface with alcohol.
4.7.3.3 Laser Printer Drums, Belts, and Cartridges. Laser printer components containing light-sensitive elements (e.g., drums, belts, complete cartridges) shall be sanitized before release from control.
4.7.3.3.1 Elements containing information that is classified, but is not intelligence information, can be considered sanitized after printing three printer font test pages.
4.7.3.3.2 Elements containing intelligence information shall be sanitized in accordance with the policy contained in the Director of Central Intelligence Directive (DCID) 1/21.
4.8 Release of Systems and Components. The ISSM, or designee, shall develop equipment removal procedures for systems and components and these procedures shall be stated in the Accreditation Support documentation. When such equipment is no longer needed, it can be released if: ¿"_¿ It is inspected by the ISSM, or designee. This inspection will assure that all media, including internal disks, have been removed or sanitized. ¿"_¿ A record is created of the equipment release indicating the procedure used for sanitization and to whom the equipment was released. The record of release shall be retained for a period prescribed by the DAA/SCO. ¿"_¿ Procedures specified by the DAA/SCO are used. Following release, administratively notify the DAA/SCO.
4.8.1 The National Security Agency/Central Security Service (NSA/CSS) Form G6522, shown in Figure S-1, or similar form/documentation, will be used to document the local release or disposal of any IS or component.
THIS PAGE INTENTIONALLY LEFT BLANK