Controlled Unclassified Information - Document, Hard Drive and Media Disposal

An XCCDF Rule

Description

<VulnDiscussion>Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum: "Disposition of Unclassified DOD Hard Drives, 4 June 2001." 44 USC Chapter 33 - Disposal of Records, dated 01/03/2012 CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND), Enclosure C, paragraphs 21.h.(9); 28.a.&c. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-6 and SI-12. DODI 8500.01, SUBJECT: Cybersecurity, March 14, 2014, paragraph 3.h. DOD Manual 5200.01, Volume 3, SUBJECT: DOD Information Security Program: Protection of Classified Information: Enclosure 3 paragraphs 17, 18, & 19; Enclosure 7, paragraph 6. DODI 5200.48 Controlled Unclassified Information (CUI) DOD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, 4-103.c., 5-203.b., and Chapter 5, Section 7 Disposition and Retention NIST SP 800-88, Guidelines for Media Sanitization NSA/CSS product lists for sanitization, destroying or disposing of various types of media containing sensitive or classified information: https://www.nsa.gov/Resources/Media-Destruction-Guidance The Information Security Oversight Office (ISOO): https://www.archives.gov/cui Satisfies: Controlled Unclassified Information - Document, Hard Drive and Media Disposal</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-245844r917354_rule
Severity: Medium
Updated: 9 months ago

Ensure compliance with appropriate methods for disposal of the following: 

1. Unclassified Hard Drives: 

a. When no longer needed, unclassified computer systems and hard drives may be disposed of outside the Department of Defense. In some circumstances, the equipment may be provided to non-government entities for reutilization. To ensure that no data or information remains on operable unclassified hard drives that are transferred or permanently removed from DOD custody, the drives must be sanitized by overwriting. 
b. Where overwriting is inappropriate or cannot be completely accomplished (e.g., inoperable disk) the drives are to be totally removed from service (i.e., thrown away). In this case the drives must be physically destroyed before disposal. 

c. The specific methods and procedures differ depending on sensitivity of data and ownership of the hard drive. To ensure DOD information is not inadvertently disclosed to unauthorized individuals, the activity security manager should coordinate with the local DAA and/or IT staff to ensure local procedures for disposal of computer hard drives appropriately address removal of U.S. Government data prior to disposal. (See Assistant Secretary of Defense for Command, Control, Communications and Intelligence Memorandum, Disposition of Unclassified DOD Computer Hard Drives, June 4, 2001 for detailed guidance.) Generally the use of Hard Drive degaussers with an appropriate strength (Coercivity of magnetic field) for the drive being erased (Oestrid rating) is recommended as part of the requirement for physical destruction. After degaussing the hard drive the physical destruction of individual platters should be accomplished to make attempted data retrieval impractical.

2. Unclassified Automated Information System (AIS) Media:

a. Various types of AIS media may contain CUI and must be disposed of in accordance with guidance in the NIST Special Publication 800-88, Guidelines for Media Sanitization. 

b. NSA/CSS publishes lists of products that meet specific performance criteria for sanitizing, destroying or disposing of various types of media containing sensitive or classified information. The lists are available at https://www.nsa.gov/Resources/Media-Destruction-Guidance.

3. Unclassified documents:

a. Record copies of FOUO documents shall be disposed of in accordance with the Federal Records Act (44 U.S.C. 33 and Component records management directives. 

b. Non-record FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in regular trash containers. 

c. NOTE: The guidance provided here is for FOUO paper documents and this is the least stringent standard found for any CUI document destruction. There are other types of CUI, such as DEA Sensitive material, which must be destroyed by a means approved for destruction of Confidential material. Be certain to check DOD Manual 5200.01 for specific destruction requirements for each type of CUI document. 

4. Additional considerations:

a. Periodically inspect recycle bins, regular trash, and the availability of shredders or collection containers for sensitive material. Ensure it is known who gets the recycling (especially if it contains CUI) and that it is disposed of properly. NOTE: If you find (e.g., in the trash) and can easily reconstruct any document marked FOUO (or other CUI document) and it contains extremely sensitive information such as PII (with SSN, etc.), this should be investigated and corrective actions taken immediately. 

b. While not required it is highly recommended using at least a cross cut shredder for destruction of CUI documents. Further, while a shred-all policy is also not required, this is another strong recommendation.

Controlled Unclassified Information - Document, Hard Drive and Media Disposal

Description

Remediation - Manual Procedure