SV-42428r3_rule
V-32111
Classified Material Destruction - Improper Disposal of AIS Hard Drives and Storage Media
IS-11.01.02
CAT I
10
For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media:
CLASSIFIED automated information system (AIS) data processing/storage devices such as system hard drives and media must be properly sanitized using approved NSA guidelines (purged of all classified data so that recovery using known laboratory attack is not possible) before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.
NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.
NOTE 2: NSA guidance for classified equipment can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Sanitization and disposal must also be IAW Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01, which provides additional clarifying guidance for the DoD. Some important excerpts from this guidance pertaining to classified equipment and storage media follow:
Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.
Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.
NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on sensitivity of data, type of hard drive or storage media (magnetic, solid state, etc.) and ownership of the hard drive or storage media. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.
For CLASSIFIED automated information system (AIS) data processing and/or storage equipment such as hard drives and media:
Check to ensure data processing or storage devices are properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) in accordance with current NSA guidance before such equipment or media is disposed of or placed in use (and/or stored) in a lower classification environment or an unclassified environment.
NOTE 1: Clearing procedures using overwrite software are not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.
NOTE 2: NSA guidance can be found in the NSA/CSS Policy Manual 9-12, NSA/CSS Storage Device Declassification Manual. Be certain to also read and apply specific guidance for the DoD from Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts from this guidance pertaining to disposal of classified equipment and storage media follow:
Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.
Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.
NOTE 3: The specific methods and procedures for sanitization of classified hard drives or storage media differ depending on sensitivity of data, type of hard drive or storage media (magnetic, solid state, etc.) and ownership of the hard drive or storage media. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local Authorizing Official (AO) and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal.
TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.
False
M
This rule and associated checks apply to Classified (SIPRNet) hard drives and storage media that contain either volatile or non-volatile memory or both. Data in volatile memory is generally completely purged/sanitized from a storage device upon removal of power (over a period of time depending on the storage device). The primary concern is with non-volatile memory, whose contents remain on a storage device permanently unless they are properly removed by NSA-approved methods and/or the device is physically destroyed.
2506