Classified Destruction - Improper Disposal of Automated Information System (AIS) Hard Drives and Storage Media

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32111	IS-11.01.02	SV-42428r2_rule	PECS-1 PECS-2 PEDD-1	High

Description
Failure to properly destroy classified or sensitive material can lead to the loss or compromise of classified or sensitive information.

STIG	Date
Traditional Security	2013-07-11

Details

Check Text ( C-40661r9_chk )
Check to ensure classified systems equipment such as hard drives and media are properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) before such equipment or media is disposed of or placed in use in a lower classification environment or an unclassified environment. Note 1: Clearing procedures using overwrite software is not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment. NOTE 2: Be certain to read and apply specific guidance from Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts of this guidance follows: Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting. Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal. TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Check Text ( C-40661r9_chk )

Check to ensure classified systems equipment such as hard drives and media are properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) before such equipment or media is disposed of or placed in use in a lower classification environment or an unclassified environment.

Note 1: Clearing procedures using overwrite software is not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: Be certain to read and apply specific guidance from Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts of this guidance follows:

Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.

Sanitization (which may destroy the usefulness of the media) or physical destruction is required
for disposal.
TACTICAL ENVIRONMENT: Applies in all environments whenever classified documents or materials are to be destroyed.

Fix Text (F-36067r4_fix)
Classified information system equipment such as hard drives and media must be properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) before such equipment or media is disposed of or placed in use in a lower classification environment or an unclassified environment. Note 1: Clearing procedures using overwrite software is not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment. NOTE 2: Sanitization and disposal must be IAW Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts of this guidance follows: Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting. Sanitization (which may destroy the usefulness of the media) or physical destruction is required for disposal.

Fix Text (F-36067r4_fix)

Classified information system equipment such as hard drives and media must be properly sanitized (purged of all classified data so that recovery using known laboratory attack is not possible) before such equipment or media is disposed of or placed in use in a lower classification environment or an unclassified environment.

Note 1: Clearing procedures using overwrite software is not sufficient to dispose of classified equipment or media (for instance by release to property disposal, vendors, or placement in trash) or to re-use it in an unclassified or lesser classification environment other than its original classification level. Clearing will only enable the equipment or media to be re-used within the original classified environment.

NOTE 2: Sanitization and disposal must be IAW Enclosure 3 and Enclosure 7 of Volume 3 of DoD Manual 5200.01. Important excerpts of this guidance follows:

Classified IT storage media (e.g., hard drives) cannot be declassified by overwriting.

Sanitization (which may destroy the usefulness of the media) or physical destruction is required
for disposal.