What's required to overwrite classified data

NISP sets the standards

Getting rid of data on a drive or disk can be difficult, because the hardware is designed to protect and maintain data for as long as possible.

You can erase or reformat a drive, but the data remains accessible to someone with a little forensics know-how and software. Destroying and degaussing a disk are effective, but they also render the hardware unusable. Erasure, which overwrites bits with new bits, can allow people to reuse a drive, although the Defense Department looks on it primarily as an added layer of protection in preparing a drive for destruction when the hardware carries classified data.


ALSO IN THIS REPORT:

Reusing hardware: Erase data but leave an audit trail


The National Industrial Security Program manages the requirements for private-sector contractors that have access to classified information. The NISP Operating Manual, DOD 5220.22-M, outlines requirements for getting rid of classified digital data. The manual recognizes two levels: clearing and sanitizing.

Blancco, which produces a tool that Santa Barbara County, Calif., and other federal and local agencies use, has begun the National Information Assurance Partnership's Common Criteria evaluation process. However, no overwriting product or process so far has completed evaluation for sanitizing. NISP uses National Security Agency guidance on overwriting in preparation for disposal or recycling, but it does not authorize use of overwriting for sanitization or downgrading — that is, release of hardware that processed classified information for use at a lower classification level.

Blancco said a German lab has certified its equipment as meeting DOD 5220.22-M requirements for overwriting data three or seven times with a predefined bit pattern.

About the Author

William Jackson is freelance writer and the author of the CyberEye blog.

Reader Comments

Fri, Dec 3, 2010

I believe the writer needs to review his comment that the NISPOM "does not authorize use of overwriting for sanitization or downgrading — that is, release of hardware that processed classified information for use at a lower classification level." in review of the DSS ISFO Process Manual dated 10 August 2010, identified amongst the changes to the manual, was the removal of paragraph 2.4.2 that reflected this mode of operation. So therethere are products listed on the NIAP CCEVS that can be used to sanitize classfied information systems or electronic media, coupled with trusted download procedures to arrive at IS and media being reused at a lower level classification.

Fri, Dec 3, 2010 Eric

A little expansion on the German product might have been nice.

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above