STIGQter: STIG Summary: Traditional Security Checklist Version: 1 Release: 3 Benchmark Date: 15 Jun 2020:

Controlled Unclassified Information - Document, Hard Drive and Media Disposal

DISA Rule

SV-42497r3_rule

Vulnerability Number

V-32180

Group Title

Controlled Unclassified Information - Document, Hard Drive and Media Disposal

Rule Version

IS-16.02.02

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Ensure compliance with appropriate methods for disposal of the following:

1. Unclassified Hard Drives:

a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense. In some circumstances, the equipment may be provided to non-government entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DoD custody, the drives must be sanitized by overwriting.

b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., an inoperable disk), the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal.

c. The specific methods and procedures differ depending on the sensitivity of the data and the ownership of the hard drive. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local DAA and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. (See Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, Disposition of Unclassified DoD Computer Hard Drives, June 4, 2001, for detailed guidance.) Generally, the use of hard drive degaussers with an appropriate strength (coercivity of the magnetic field, expressed as an Oersted rating) for the drive being erased is recommended as part of the requirement for physical destruction. After degaussing the hard drive, the individual platters should be physically destroyed to make attempted data retrieval impractical.

2. Unclassified Automated Information System (AIS) Media:

a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in the NIST Special Publication 800-88, Guidelines for Media Sanitization.

b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying or disposing of various types of media containing sensitive or classified information. The lists are available at http://www.nsa.gov/ia/guidance/media_destruction_guidance/index.shtml or by calling (410)854-6358.

3. Unclassified documents:

a. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives.

b. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.

c. NOTE: The guidance provided here is for FOUO paper documents and this is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DoD Manual 5200.01 for specific destruction requirements for each type of CUI document.

4. Additional considerations:

a. Periodically inspect recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure it is known who gets the recycling (especially if it contains CUI) and that it is disposed of properly. NOTE: If you find (e.g., in the trash) and can easily reconstruct any document marked FOUO (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc.), this should be investigated and corrective actions taken immediately.

b. While not required, using at least a cross-cut shredder for destruction of CUI documents is highly recommended. Further, while a shred-all policy is also not required, this is another strong recommendation.

Check Contents

Check to ensure compliance with appropriate methods for disposal of the following:

1. Unclassified Hard Drives:

a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense. In some circumstances, the equipment may be provided to non-government entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DoD custody, the drives must be sanitized by overwriting.

b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., an inoperable disk), the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal.

c. The specific methods and procedures differ depending on the sensitivity of the data and the ownership of the hard drive. To ensure DoD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local DAA and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. (See Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, Disposition of Unclassified DoD Computer Hard Drives, June 4, 2001, for detailed guidance.) Generally, the use of hard drive degaussers with an appropriate strength (coercivity of the magnetic field, expressed as an Oersted rating) for the drive being erased is recommended as part of the requirement for physical destruction. After degaussing the hard drive, the individual platters should be physically destroyed to make attempted data retrieval impractical.

2. Unclassified Automated Information System (AIS) Media:

a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in the NIST Special Publication 800-88, Guidelines for Media Sanitization.

b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying or disposing of various types of media containing sensitive or classified information. The lists are available at http://www.nsa.gov/ia/guidance/media_destruction_guidance/index.shtml or by calling (410)854-6358.

3. Unclassified documents:

a. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33) and Component records management directives.

b. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers.

c. NOTE: The guidance provided here is for FOUO paper documents and this is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DoD Manual 5200.01 for specific destruction requirements for each type of CUI document.

4. Additional reviewer checks and considerations:

a. Check recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure the organization knows who gets the recycling (especially if it contains CUI) and that it is disposed of properly (for instance by shredding). NOTE: If you find (e.g., in the trash) and can easily reconstruct any document marked FOUO (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc.), this should be made a finding.

b. In all cases the reviewer should recommend using at least a cross-cut shredder for destruction of CUI documents. Further, while a shred-all policy is not required, this is another recommendation that should be made.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where training and associated documentation should be in place. Not applicable to a field/mobile environment.

Vulnerability Number

V-32180

Documentable

False

Rule Version

IS-16.02.02

Severity Override Guidance


Check Content Reference

M

Target Key

2506

Comments