8 September 2000. Thanks to RT.
[27 pages; all pages marked "FOR OFFICIAL USE ONLY."]
| BY ORDER OF THE SECRETARY OF THE AIR FORCE |
AIR FORCE SYSTEM SECURITY INSTRUCTION 5020 Communications and Information REMANENCE SECURITY |
This instruction provides guidelines and procedures for clearing and sanitizing various automated information systems (AIS) media for release outside of and for reuse within controlled environments. Contained herein is a compilation of the latest information available on sanitizing, destroying, and releasing of information storage media. Individual sections, when discussed outside of the context of this Instruction, are "Unclassified." The accumulated body of knowledge represented in this Instruction, along with the discussions of known vulnerabilities and assessment of risks, is "For Official Use Only." The term "Major Command" (MAJCOM), as used in this instruction, also includes the Headquarters, United States Air Force, Field Operating Agencies (FOA) and Direct Reporting Units (DRU). Refer questions and comments on technical contents of this instruction, or recommended changes through appropriate command channels to Headquarters, Air Force Command, Control, Communications and Computer Agency, Information Protection Division (HQ AFC4A/SYS), 203 W. Losey St., Room 2040, Scott AFB IL 62225-5234.
SUMMARY OF REVISIONS
This instruction now includes procedures for handling laser printer toner cartridges, flash memory, and limited sanitizing options for networks.
| Supercedes AFSSI 5020, 15 April 1991 OPR: HQ AFCA/SYSS (MSgt Michael E. Bishop) |
Certified by: HQ AFCA/SYS (Ronald G. Goessman) |
(Paragraph number follows title)
Chapter 1--General Information
Purpose 1
Glossary of References, Abbreviations, Acronyms, and Terms 1.1
Introduction 1.2
Objective 1.3
Applicability 1.4
Responsibilities 1.5
General 2
Handling Sensitive AIS Storage Media 2.1
Clearing Storage Media 2.2
Sanitizing Storage Media 2.3
Overwrite Programs/Routines 2.4
Destruction 2.5
Chapter 3--Magnetic Storage Media
General 3
Magnetic Tapes 3.1
Floppy Disks, Diskettes, and Magnetic Cards 3.2
Sealed Disk Drives, Hard Disks, Hard Disk Assemblies (HDA), Bernoulli Cartridges, and PC (Memory) Cards 3.3
Removable Disk Packs 3.4
Magnetic Drums 3.5
Chapter 4--Magnetic Memory Devices
General 4
Core Memory 4.1
Plated Wire Memory 4.2
Thin Magnetic Films 4.3
Magnetic Bubble Memory 4.4
Chapter 5--Semiconductor Devices
General 5 Electrically Erasable Programmable Read Only Memory (EEPROM) and Electronically Alterable Read Only Memory (EAROM) 5.1
Erasable Programmable Read Only Memory (EPROM) and Ultraviolet Programmable Read Only Memory (UVPROM) 5.2
Flash Memory 5.3
Programmable Read Only Memory (PROM) 5.4
Read Only Memory (ROM) 5.5
Random Access Memory (RAM), Battery-Backed RAM, Dynamic RAM, and Static RAM 5.6
Chapter 6--Optical Storage Media
General 6
Read Only Optical Disks (CD-ROM) 6.1
Write Once, Read Many (WORM) Optical Disks 6.2
Erasable Optical Disks 6.3
Chapter 7--System Components, Printers, and Output Media
General 7
Display Devices Cathode Ray Tube (CRT) 7.1
Ferro-Electric Memory and Ferro-Optical Storage 7.2
Laser Printers/Printing Systems 7.3
Impact Printer Ribbons 7.4
Equipment 7.5
Destruction ProceduresPaper Materials 7.6
Wafers and Chips 7.7
Packaged Circuits 7.8
Glass Masks 7.9
1. Glossary of References, Abbreviations, Acronyms, and Terms
2. Risk Determination
3. Nominal Coercivity of Various Storage Media
4. Degaussers
5. DAA Guide to SanitizingPurging Contaminated Systems/Networks
Tables
2.1. Media Destruction Methods
A3.1. Nominal Coercivity for Various Storage Media
A5.1. Sanitization Option and Inputs
A5.2. Determination of Sanitization Types
GENERAL INFORMATION
1. Purpose. This instruction implements the Air Force Computer Security (COMPUSEC) Program by addressing requirements in the area of remanence security. Magnetic remanence is the magnetic representation of residual information that remains on automated information systems’ (AIS) storage media after it is erased by overwriting, degaussing, and so on. Remanence security is the use of prescribed safeguards and controls to prevent reconstruction or disclosure of sensitive information to persons who do not have the proper clearance or need-to-know for this information. (NOTE: "sensitive information," as used in this document, refers to both classified and sensitive but unclassified [SBU] information.) Specifically, this instruction provides:
- A discussion of the known threats and vulnerabilities (risk) associated with clearing, sanitizing, and destroying storage media.- Procedures for clearing storage media, and the restrictions on the cleared media’s reuse thereafter.
- Procedures for sanitizing storage media and other AIS components (ei.ge., Cathode Ray Tubes [CRT], laser printers, etc.). The end result of the sanitization process is media and AISs that are no longer classified.
- Approved destruction techniques for storage media, printer ribbons, etc.
1.1. Glossary of References, Abbreviations, Acronyms, and Terms. See attachment 1 and AFMAN 33-270, Command, Control, Communications, and Computer (C4) Systems Security Glossary.
1.2. Introduction. During the life cycle of an AIS, its primary and secondary storage media isare sometimes reused, released, or destroyed. In addition, the sensitive information stored on the media may be downgraded or declassified. Thus, computer systems security officers (CSSO), operators, and users must develop procedures for clearing, sanitizing, and destroying media. These procedures must strike a balance between the risk of inadvertent disclosure of sensitive information and operational necessity.
1.3. Objective. All Air Force personnel must prevent accidental disclosure of processed or stored sensitive information, especially during system hardware, firmware, or software upgrade or replacement. To do this, they must be knowledgeable of clearing, sanitizing, and destroying procedures and have the tools available to assist them. To meet these two objectives, this instruction provides the necessary remanence security procedures for most all types of storage media used in current AISs. These procedures should provide designated approving authorities (DAA) with an acceptable level of protection; if not, DAAs may supplement them to meet their operational needs.
1.4. Applicability.
1.4.1. This instruction applies to all Air Force military and civilian personnel and to Air Force contractors who develop, acquire, deliver, use, operate, or manage Air Force AISs (including embedded).
1.4.2. U.S. SIGINT System users must comply with NSA/CSS Manual 130-2, Media Declassification and Destruction Manual.
1.4.3. Storage media that contain classified COMSEC keying material marked "CRYPTO" may not be declassified, but must retain the highest classification of any information previously recorded until destruction. COMSEC managers should consult the appropriate controlling authority for disposition instructions and review NSA/CSS Manual 130-2 for additional information.
1.4.4. Some storage media may contain information so sensitive that procedures in this document may not meet the requirements of the cognizant security authority. Examples of sensitive information categories where declassification is controlled by other agency rules are: sensitive compartmented information (SCI), single integrated operational plan (SIOP), special access required (SAR), and North Atlantic Treaty Organization (NATO) information. In these cases, follow the guidance provided for that category of information.
1.5. Responsibilities. The following responsibilities pertain to remanence security:
15.1. Designated Approving Authority (DAA): approves the use of hardware, firmware, and software (e.g., programs, routines, equipment, etc.), and the procedures for clearing, sanitizing, and destroying storage media.
1.5.2. Wing Information Protection (IP) Office: maintains information on the nearest incinerators, metal destruction facilities, and personnel who are trained in the use of chemical disk surface removers.
1.5.3. Computer Systems Security Officer (CSSO):
1.5.3.1. Develops and maintains DAA approved procedures for clearing, sanitizing, and destroying, storage media.
1.5.3.2. Provides information on remanence security to users, operations personnel, and DAAs, so that they can make informed remanence security decisions based on known risks, regulatory requirements, and established procedures.
1.5.3.3. Provides written approval (based on DAA approved procedures) to sanitize or release unsanitized storage media from Air Force control.
1.5.3.4. Maintains records of sanitization of media, and downgrade or declassification of stored information, according to AFI 31-401.
1.5.3.5. Consults with the Wing IP Office, MAJCOM Information Protection Office, Wing Information Protection Office, or HQ AFC4A/SYS whenever operational necessity requires the use of procedures other than those listed in this instruction.
1.5.4. Systems Programmers/Analysts: tests and evaluates overwrite routines for compliance with this instruction. These individuals may either develop these routines or obtain them from other sources. (NOTE: development of new routines should be the last choice--after a search of the Evaluated products List and Assessed Products List have failed to turn up a suitable program.) They should also develop user/operator procedures and submit them to the DAA for approval.
BASIC PROCEDURES
2. General. The proliferation of various types of AIS storage media (e.g.,
magnetic tapes and disks, optical media, solid state semiconductor memory,
etc.) has resulted in the development of separate procedures for clearing,
sanitizing, and destruction. The procedures in this chapter apply to all
types of storage media and must be applied along with the procedures for
the specific storage media in chapters 3-7.
2.1. Handling Sensitive AIS Storage Media:
2.1.1. Before using storage media for the first time, you should overwrite
the media with an unclassified data pattern. This precaution will help prevent
recovery of data stored later.
2.1.2. WritableWritable storage media that retains data after power is removed
(nonvolatile) must be protected for the highest classification of information
processed or stored on the AIS. Retain classification controls until the
media is sanitized or destroyed in an approved manner.
2.1.3. Cleared storage media retains its previous classification unless reused
at a higher classification. Use a Standard Form (SF) 711, ADP Media Data
Descriptor Label, annotate it "cleared" and include the date and agency/office
clearing the media. Mark and control (per AFI 31-401) the media at the highest
classification level recorded on it.
2.1.4. After the data owner (functional office of primary responsibility
[OPR]) provides evidence that stored information is no longer classified,
declassify media by removing the classification markings. If the information
is no longer needed, sanitize or destroy the media as SBU. Maintain a record
of declassification as required by AFI 31-401, Information Security Program
Management, or other applicable directives.
2.1.5. After the data owner (functional OPR) provides evidence that stored
information has been reclassified at a lower level (downgraded), change the
classification labels and control the media at the new classification level.
2.1.6. Unless prohibited by other policies, sanitized storage media is
unclassified. Sanitize storage media whenever there is a need to make it
unclassified. In particular, sanitize storage media prior to deletion from
the Air Force inventory or transfer to a hardware/ software reuse repository.
2.1.7. During sanitization of storage media, audit the sanitizing process
to ensure data is no longer retrievable. This means a person knowledgeable
of the process should witness the sanitizing action, then verify (if possible)
that the media was in fact sanitized.
2.1.8. If features or malfunctions of the storage mediuma inhibits its clearing
or sanitizing, develop customized procedures on a case-by-case basis. Consult
your CSSO, your wing or MAJCOM Information Protection Office, or HQ AFCA/SYS,
when there is any question concerning specific clearing or sanitizing procedures.
2.1.9. Evaluate the risk factors (attachment 2) prior to clearing, sanitizing,
or releasing any storage media.
2.2. Clearing Storage Media. Clearing removes sensitive information from
AIS storage media in a manner that renders it unrecoverable by normal system
utilities or nontechnical means. Routines that only remove pointers and leave
data intact (i.e., delete or format) are not acceptable methods of clearing
storage media. Clearing can be used when the secured physical environment
(where the media is used) is maintained. In other words, the media is reused
within the same AIS and environment. Procedures for clearing are:
2.2.1. Clear storage media when changing modes of operation or prior
to reuse at a higher classification level.
2.2.2. Clear storage media that contained SBU information before reuse or
release from Air Force control.
2.2.3. Ensure the classification markings, for the highest classification
processed, remain on the media. Use a Standard Form (SF) 711 to annotate
in the comment block that the media is "cleared." Also, include the date
and the agency/office clearing the storage mediaum.
2.2.4. Protect the cleared media appropriately.
2.2.5. Follow additional clearing procedures in chapters 3 through 7.
2.3. Sanitizing Storage Media. Sanitizing removes sensitive information from
storage media in a manner that gives assurance that the information is
unrecoverable by technical means. To prevent unauthorized disclosure, all
storage media must be sanitized prior to release to individuals that do not
have a security clearance and need-to-know for the information stored on
the media. Examples of where sanitization is appropriate are: when the secured
physical environment (where the media was used) will not be maintained; when
the media is scheduled to be released from a secure facility to a non-cleared
maintenance facility; and when the media is inadvertently contaminated with
data of a higher classification level than authorized. Storage media
inadvertently exposed to a higher classification or category of data than
allowed, must be sanitized prior to resuming normal operations at the intended
classification level. The DAA should refer to attachment 6 to determine the
best course of action. DAAs should strive to maintain a balance between mission
requirements and the risk of unauthorized disclosure of information. Basic
sanitization steps are:
2.3.1. Disconnect the AIS from any external network.
2.3.2. Storage media containing SBU information do not require sanitizing;
clear them according to procedures for the specific storage media (see chapters
3-7). Then remove the any labels or markings indicating SBU category or use.
2.3.3. Except for magnetic computer disks, ensure the storage media’s
coercivity of the storage media does not exceed the rating of the degausser
when degaussing. In other words, the media degausser must have a nominal
coercivity rating less than or equal to or higher thanthe degausser. the
media.
2.3.4. Sanitize classified storage media according to procedures for the
specific storage media (chapters 3-7). Ensure all types of storage media
(i.e., disks, RAM, buffers, etc.) contained in the AIS are sanitized. NOTE:
routines that only remove pointers and leave data intact (i.e., delete or
format) are not acceptable methods of sanitizing storage media.
2.3.5. After sanitizing, verify the success of the sanitize by reviewing
the media for data retention. For example, if an overwrite routine is used
to sanitize an AIS’s hard disk, dump random short sectors, blocks, or
memory contents and verify that only the last character written is all that
can be read. Where possible, review at least 10 percent of the media. NOTE:
the DAA must accept the risk regardless of the percentage reviewed.
2.3.6. Prepare and submit a memorandum that includes a description of the
sanitized mediaum (e.g., type, manufacturer, serial number, etc.), the
classification level, a short description of the sanitizing procedures, and
the purpose of the sanitization (e.g., declassification, downgrade, release
or disposal of media, etc.). Also, as noted in paragraphs 2.1.4 and 2.1.5,
document the authority for the downgrade or declassification. Submit the
memorandum to the CSSO for approval.
2.3.7. After carefully reviewing the memorandum (from above) and weighing
the risks, the CSSO approves or disapproves the sanitization. If the CSSO
approves, remove all classification labels and markings indicating previous
classification or use. If the CSSO disapproves, the media must continue to
be marked and controlled at the same classification level as before.
2.3.8. Follow additional sanitizing procedures in chapters 3 through 7.
2.4. Overwrite Programs/Routines. Overwriting is an authorized method of
clearing and sanitizing many types of magnetic media. The overwriting is
implemented by a commercial, service, or locally developed computer program
or routine. These programs must comply with the following:
2.4.1. Ensure the read and write device hardware is functioning properly
before beginning this procedure (see paragraph A2.4).
2.4.2. Overwrite programs (software routines) must write to every addressable
location on the media. In other words, the program must write to active and
inactive file space, bad sectors and tracks, the space between the end of
a file and the end of a block or sector, file allocation tables, directories,
block maps, etc.
2.4.3. The overwrite program must perform the clear or sanitize as described
for the storage medium (see chapters 3-76).
2.4.4. Use overwrite programs evaluated by the National Computer Security
Center (NCSC) or assessed by the Air Force. When no evaluated or assessed
product is available, the DAA may approve the use of a commercial program
designed to overwrite data. The using organization must assess the performance
of the program. Systems programmers and analysts must carefully test and
validate the performance of this software against the requirements of this
instruction. The program documentation must fully explain all functions
performed; the program should perform no undocumented functions. Submit the
test report to HQ AFCA/SYS for review.
2.4.5. Where no commercial overwriting software is available, systems programmers
must develop computer programs or routines to perform the overwrite. Ensure
configuration control is maintained for the software,; that is, the version
that is tested and approved, must be the only one that is used. The programmer
must test and certify the program against the requirements in this instruction
and develop procedures for proper use. Include the procedures in the Security
Features Users Guide or a local operating instruction.
2.4.6. The DAA must approve, in writing, the use of programs or routines
for sanitizing computer storage. The easiest way to comply with this requirement
is to include remanence security procedures in the systems security policy.
2.4.7. Follow additional procedures in chapters 3 through 7.
2.5. Destruction. It is a good practice to sanitize media before submitting
it for destruction. Media may generally be destroyed by one of the following
methods (see Table 2.1). (NOTE: Although approved methods, options
d and e use acid, which is dangerous and excessive, to remove recording surfaces.
Options a, b, and c are recommended over d and e.)
Table 2.1. Media Destruction Methods
Option
a
b
c
d
e
MAGNETIC STORAGE MEDIA
3. General. This chapter outlines remanence security procedures for magnetic
tapes, floppy disks, diskettes, magnetic cards, removable disk packs (e.g.,
single and multiple platter), sealed disk drives (Winchester drives), hard
disks, hard disk assemblies (HDAs), Bernoulli cartridges, and magnetic drums.
In addition, memory PC Cards (i.e., Type III and ATA PC Cards) may be formatted,
written to, and read from, just like hard disks. Apply the hard disk procedures
in paragraph 3.3 to those media. Attachment 3 lists the coercivity of many
types and brands of magnetic disks and tapes. This information is necessary
to determine the appropriate type of degausser that can be used to clear
or sanitize media. Refer to attachment 4 for a summary of clearing, sanitizing,
and destroying procedures. See the following warnings:
WARNING: In addition to having hard disks, PC Cards and PCMCIA Cards may
contain multiple, non-contiguous, similar or dissimilar, storage media. This
may include Static RAM, Flash, DRAM, ROM, PROM, EPROM, and EEPROM, along
with the hard disk. This presents CSSOs and DAAs with a formidable task when
clearing or sanitizing the storage media. Each type of memory has procedures
that must be followed to render the information it contains irretrievable.
When in doubt, check with the product vendor, or your Wing Information Protection
Office, your MAJCOM Information Protection Office, or contact HQ AFCA/SYS
for guidance.
WARNING: MS-DOS, PC-DOS, and other similar operating systems have peculiarities
that affect clearing and sanitizing files by overwriting. Retrieving and
editing a stored file, then saving it, may result in writing the file to
a different location on the media. Clearing or sanitizing this file by
overwriting could leave older versions on the media.
3.1. Magnetic Tapes.
3.1.1. Clearing.
3.1.1.1. Although you can overwrite magnetic tapes (reel and cassette formats),
this method of clearing is generally never used. This is because inter-record
gaps may preclude proper clearing and the process is time consuming. A better
method for clearing tapes is degaussing them with a Type I or Type II degausser.
3.1.1.2. If a degaussing capability does not exist, overwrite tapes to clear
them. Select the highest density available for the tape transport and the
largest blocking factor supported by the equipment. Verify overwrites by
randomly reading media to ensure nothing other than the overwrite character
is present.
3.1.2. Sanitizing.
3.1.2.1. Degaussing Type I, II, and III magnetic tapes is the only method
approved for sanitizing this media. Use a Type I degausser to sanitize Type
I tapes or a Type II degausser for Types I & II tapes. Refer to NSA’s
Degausser Products List (DPL) for availability of Type III (extended range--above
750 Oersteds (Oe).) degaussers that are capable of sanitizing Type III tapes.
NOTE. It isn’t possible to distinguish Type I (coercivity between 0
and 350 Oe), Type II (coercivity between 350 to 750 Oe) and Type III (coercivity
above 750 Oe) magnetic tapes from each other by physical appearance. Mark
or label each tape with its type at the time of receipt so it can be properly
sanitized in the future. Do not remove or cover the label until destruction
of the tape.
3.1.2.2. Remove all classified labels or markings from the reel or cassette.
Declassify the media after observing the organization’s respective
validation and review procedures. Remove all classified labels or markings
from the reel or cassette.
3.1.3. Destroying.
3.1.3.1. Dispose of classified magnetic tapes by burning the tape in an approved
incinerator according to procedures established for the controlled destruction
of classified materials. Preparatory steps such as segregation of components
(tape and reels) may be necessary to comply with the requirements of the
destruction facility.
3.1.3.2. Dispose of unclassified magnetic tapes as described in paragraph
3.1.3.1 above. However, procedures established for the economic disposal
of unclassified materials shall be observed (i.e., use of an approved commercial
facility).
3.2. Floppy Disks, Diskettes, and Magnetic Cards.
3.2.1. Clearing. Clear flexible magnetic media and cards by overwriting or
degaussing. Overwrite all addressable locations at least one time with a
single character. Degauss flexible media using either a Type I or hand-held
degaussing wand.
3.2.2. Sanitizing. Degauss flexible magnetic media with a Type I or Type
II degausser. Remove all classification labels and markings which indicate
previous use or classification. Declassify the media after observing the
organization’s respective validation and review procedures. Remove all
classification labels and markings which indicate previous use or classification.
3.2.3. Destroying. The relative low unit cost and small physical size of
classified floppy disks and magnetic cards makes incineration the most effective
disposal mechanism. It is prudent security practice to degauss floppy disks
and magnetic cards before submitting them for disposal.
3.3. Sealed Disk Drives, Hard Disks, Hard Drive Assemblies (HDA), Bernoulli
Cartridges, and PC (Memory) Cards. These devices are widely used for the
storage of digital information. Unlike magnetic magnetic tape and floppy
disks, where the read/write heads come in direct contact with the recording
media, sealed disk drives contain rigid magnetic media and implement a "flying
head" arrangement where the read/write head is designed to float above the
surface of the recording media. A "head crash" means that the heads have
contacted the media, resulting in catastrophic system failure and permanent
damage to both the heads and the recording media. Functioning sealed drives
may be cleared by employing an overwrite procedure. Sanitization of
non-functioning classified drives can be accomplished by bulk degaussing
the entire disk pack assembly or by opening and disassembling the disk drive
and erasing the enclosed platters with an approved degausser.
3.3.1. Clearing. Functioning sealed drives and Bernoulli cartridges may be
cleared by overwriting all addressable locations with binary zeros (i.e.,
0000 0000) then binary ones (i.e., 1111 1111). Then, overwrite all addressable
locations with any character (i.e., "a"). Verify the overwrite procedure
by randomly re-reading (recommend 10%) the overwritten information to confirm
that only the overwrite character can be recovered. This media may also be
cleared using a Type I1 degausser.
3.3.2. Sanitizing. Sealed disk drives willshall be sanitized by either
overwriting or degaussing. Bernoulli cartridges will be sanitized by degaussing
only. Use the following as guidance:
3.3.2.1. Functioning sealed drives may be sanitized by performing three overwrite
cycles of all addressable locations. Afterwards, overwrite all addressable
locations with any character (i.e., "a"). Verify the overwrite procedure
by randomly re-reading (recommend 10%) from the drive to confirm that only
the overwrite character can be recovered.
3.3.2.2. Degauss by either bulk erasing the disk in an approved degausser
or by disassembling the hard disk and erasing the enclosed platters with
a hand-held degaussing wand. NOTE: Magnetic media made of barium ferrite
may not be degaussed. Declassify the media after observing the
organization’s respective validation and review procedures. This media
must be destroyed.
3.3.2.2.11. Sanitization by BBulk Erasure. 1) remove the hard drive from
the chassis or cabinet; 2) remove any steel shielding materials or mounting
brackets which may interfere with magnetic fields; 3) place the hard disk
drive in an approved large cavity degausser and erase at the required field
setting. NOTE. The bulk erasure of sealed hard drives may cause damage (i.e.,
loss of timing tracks) that may prohibit its continued use. The decision
to bulk erase should be considered on a case-by-case basis.
3.3.2.2.2. Sanitization with Degaussing Wand. Sanitization of sealed disk
drives may be accomplished by disassembling the disk pack and erasing all
surfaces of the enclosed platters with an approved hand-held degaussing wand.
Cover the hand-held magnet with a lintless tissue, wiping cloth, or layer
of thin plastic as a means of preventing damage to the recording surface.
Wipe each active surface (top and bottom) at least three times with the magnet.
NOTE. The disassembly of the sealed drive and the degaussing of the platters
will cause damage (loss of timing tracks, bent head armatures or damaged
recording surfaces) that may prohibit its continued use. The decision to
disassemble disk drives should be considered on a case-by-case basis.
3.3.2.3. Declassify the media after observing the organization’s respective
validation and review procedures.
3.3.3. Destroying. Sealed disk drives may be released for disposal or repair
after sanitization procedures have been completed. Unclassified platters
removed from nonfunctional drives will not exhibit information regarding
their previous use or classification; therefore they may be disposed of by
using approved procedures for destruction or disposal of unclassified metal
waste. Techniques which remove recording surface (e.g., grinding or chemically
etching the oxide surface) prior to disposal do not enhance security and
are unnecessary. The chassis and electronic hardware from the unclassified
disassembled disk drive may be disposed of using the appropriate procedures
established for unclassified equipment.
3.4. Removable Disk Packs.
3.4.1. Clearing. Removable disk packs may be cleared by means of an overwrite
cycle, in accordance with procedures described for sealed disk drives (see
paragraph 3.3). An alternative method to clear disk packs is to degauss the
recording surfaces of all platters with an approved large cavity degausser
or a hand-held degaussing wand (see paragraph 3.3.2.2).
Deguassing will remove all information from the platters, including timing
(servo) tracks, and may require the disk pack to be initialized prior to
re-use. Care should be taken to prevent disturbing the platter alignment
or recording surfaces. Note. The decision to re-use multi-platter disk packs
cleared by means of erasing with an approved degausser should be considered
on a case-by-case basis.
3.4.2. Sanitizing. Removable disk packs shall be sanitized in accordance
with the procedures described for sealed disk drives (see paragraph 3.3.2).
Declassify the media after observing the organization’s respective
validation and review procedures.
3.4.3. Destroying. Removable disk packs may be released for disposal or repair
after sanitization procedures have been completed. Due to the design of removable
disk packs and the potential for limitations in disposal facilities, separate
processing procedures have been established for assembled and disassembled
disk packs.
3.4.3.1. Disassembled Disk Packs. Unclassified platters from disassembled
disk packs will not exhibit information regarding their previous classification;
therefore, they may be destroyed at an approved metal destruction facility.
3.4.3.2. Assembled Disk Packs. Disposal of disk packs that have been sanitized,
but not disassembled, shall be accomplished by following the procedures
established for the economic disposal of unclassified materials. Preparatory
steps such as removing the recording media from the platter surfaces, mutilating
the platters or disassembly prior to destruction do not enhance security
and are unnecessary. Segregation of components (i.e., separate metal from
plastics) may be necessary to comply with the requirements of the destruction
facility. See warning:
Warning. The information associated with the release or disposal of a large
volume of disk packs by a particular organization or facility may be considered
sensitive. Disposal procedures should protect this sensitivity.
3.5. Magnetic Drums. Clear, sanitize, and destroy this media according to
established procedures for sealed disk drives (see paragraph 3.3).
MAGNETIC MEMORY DEVICES
4. General. This chapter contains remanence security procedures for core,
plated wire, thin magnetic film, and magnetic bubble memory. Refer to attachment
4 for a summary of clearing, purging, and destroying procedures.
4.1. Core Memory.
4.1.1. Clearing. Clear core memory by overwriting or degaussing. Overwrite
all addressable locations with binary zeros (i.e., 0000 0000) then binary
ones (i.e., 1111 1111), then with any character (i.e., "a"). Degauss with
a large cavity degausser, as described in paragraph 3.3 for sealed disk drives
using a Type I degausser or hand-held magnetic degaussing wand. NOTE. Attenuation
of the magnetic field due to chassis shielding and separation distance are
factors which affect erasure performance and should be considered. All steel
shielding materials (e.g., chassis, case or mounting brackets) should be
removed before degaussing.
4.1.2. Sanitizing. Sanitize core memory according to procedures described
for sealed disk drives (paragraph 3.3.2).
4.1.3. Destroying. Recommended destruction techniques for core memory units
include pulverizing, smelting, or disintegrating the core arrays. When practical,
the outer chassis and electronic circuit boards should be removed from the
core memory unit to optimize the performance of the destruction device.
4.2. Plated Wire Memory.
4.2.1. Clearing. This memory cannot be cleared if the stored information
was undisturbed for more than 72 hours. Clear this memory, which stored sensitive
information less than 72 hours, by using the overwrite procedure described
for magnetic core memory (paragraph 4.1.1). It should remain undisturbed
with the random unclassified data stored for at least 72 hours. Temperatures
during this period should match or exceed those present when it stored classified
information.
4.2.2. Sanitizing. Plated wire memory cannot be sanitized if the information
was undisturbed for more than 72 hours. This media retains the highest
classification previously recorded, until destruction. Sanitize plated wire
memory, which stored sensitive information less than 72 hours, by using the
overwrite procedure described for magnetic core memory (paragraph 4.2.1).
It should remain undisturbed with the random unclassified data stored for
at least 72 hours. Temperatures during this period should match or exceed
those present when it stored classified information. Declassify the media
after observing the organization’s respective validation and review
procedures.
4.2.3. Destroying. Pulverize, smelt, incinerate, , etc. or use other means
to ensure the media is physically destroyed.
4.3. Thin Magnetic Films. This memory shall be cleared, sanitized, and destroyed
according to procedures for sealed disk drives (paragraph 3.3).
4.4. Magnetic Bubble Memory.
4.4.1. Clearing. Clear magnetic bubble memory by overwriting according to
procedures for sealed disk droives (paragraph 3.3.1).
4.4.2. Sanitizing. Sanitize magnetic bubble memory according to procedures
described for sealed disk drives (paragraph 3.3.2). An alternative
sanitizingpurge technique is to cause the collapse of the magnetic bubbles
by either degaussing the bubble array (use a Type I degausser) or raising
the magnetic bias field. Bubble memory units with built-in magnetic bias
field controls may be sanitized by raising the bias voltage to levels sufficient
to collapse the magnetic bubbles.
Note. Magnetic bubble memory units may be sanitized by degaussing the bubble
memory device with an approved degausser; however, care must be taken to
ensure that the field (at least 1500 gauss) of the degausser is applied to
the actual bubble array. All shielding must be removed from the circuit card
and/or bubble memory device before degaussing.
4.4.3. Destruction. Disposeal of magnetic bubble memory units shall be
accomplished using procedures for sealed disk drives (paragraph 3.3.3).
SEMICONDUCTOR DEVICES
5. General. This chapter contains remanence security procedures for ROM,
PROM, EPROM, UVPROM, EEPROM, EAROM, flash memory, volatile and nonvolatile
semiconductor memory, RAM, battery-backed RAM, and SRAM. Refer to attachment
4 for a summary of clearing, sanitizing, and destroying procedures. See warning:
WARNING: PC Cards and PCMCIA Cards may contain multiple, non-contiguous,
similar or dissimilar, storage media. This may include Static RAM, Flash,
DRAM, ROM, PROM, EPROM, EEPROM, and magnetic hard disks. This presents CSSOs
and DAAs with a formidable task when clearing, sanitizing, removing
classification, or declassification of the storage media. Each type of memory
has procedures that must be followed to render the information it contains
irretrievable.
WARNING. Do not sanitize nonvolatile semiconductor memory that you cannot
purge. Destroy them.
5.1. Electrically Erasable Programmable Read Only Memory (EEPROM) and
Electrically Alterable Read Only Memory (EAROM).
5.1.1. Clearing. Erase EEPROM and EAROM on- or off-circuit. Software that
controls the EEPROM (i.e., PC Card) must not be active (running) during the
erasure. Each manufacturer provides mechanisms for writing commands to place
these units into Erase, Program, and Verify modes. In addition, the manufacturer
may have its own programming algorithms, protocols, and erase unit sizes.
Use the erase procedures provided by the manufacturer. Normally, this procedure
would include pulsing the erase control gate, and verifying the erasure.,
Tthen, overwriting all bit locations with arbitrary unclassified data.
5.1.2. Sanitizing. Sanitize the media using the same procedures as in paragraph
5.1.1. Declassify the media after observing the respective organizations
verification and review procedures.
5.1.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to insure the media is physically destroyed.
5.2. Erasable Programmable Read Only Memory (EPROM) and Ultraviolet Programmable
Read Only Memory (UVPROM).
5.2.1. Clearing. Whenever possible, erase EPROM and UVPROM off-circuitline.
Perform an ultraviolet light erase according to manufacturer’s
recommendations, but increase the time requirement by a factor of three.
Next, overwrite all bit locations with arbitrary unclassified data.
5.2.2. Sanitizing. Sanitize EPROMs or UVPROMs by exposing them to an ultraviolet
light eraser for a minimum time equal to three times the manufacturer’s
recommendations. Then load all positions with zeros. Verify by randomly reading
the information loaded in the EPROM or UVPROM. Declassify the media after
observing the organization’s respective validation and review procedures.
5.2.3. Destroying. Smelt, incinerate, disintegrate, or use other appropriate
mechanism to insure the media is physically destroyed.
5.3. Flash Memory. Flash memory is a specific family of EEPROM. They require
special algorithms and protocols for writing to the storage media.
5.3.1. Clearing. Clear them as described in paragraph 5.1.1.
5.3.2. Sanitizing. Sanitize them as described in paragraph 5.2.11.2.
5.3.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to make sure the media is physically destroyed.
5.4. Programmable Read Only Memory (PROM).
5.4.1. Clearing. No procedures exist for clearing PROM.
5.4.2. Sanitizing. No procedures exist for sanitizing PROM.
5.4.3. Destroying. Smelt these devices in an approved furnace at 1600 ºC.
5.5. Read Only Memory (ROM).
5.5.1. Clearing. No procedures exist for clearing ROM.
5.5.2. Sanitizing. No procedures exist for sanitizing ROM.
5.5.3. Destroying. Smelt, incinerate, disintegrate, or use other appropriate
mechanism to insure the media is physically destroyed.
5.6. Random Access Memory (RAM), Battery-Backed RAM, Dynamic RAM (DRAM),
and Static RAM (SRAM).
Caution: If a source of power is a battery, consult the manufacturer’s
technical guidance to determine what affect removing the battery will have
on other system functions (i.e., BIOS).
5.6.1. Clearing. Remove all power, including batteries and capacitor power
supplies for the RAM circuit board for a minimum of 60 seconds.
5.6.2. Sanitizing. If RAM is functioning, clearpurge these storage media
as follows: 1) overwrite all locations with binary zeros (i.e., 0000 0000),
then with binary ones (i.e., 1111 1111), then with a random character; 2)
remove power, (including batteries and capacitor power supplies from RAM
circuit board. If RAM is not functioning, sanitize as follows: 1) perform
three power on/off cycles (60 seconds on, 60 seconds off each cycle at a
minimum); 2) remove all power, including batteries and capacitor power supplies
from the RAM circuit board.
5.6.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to insure the media is physically destroyed.
OPTICAL STORAGE MEDIA
6. General. This chapter contains remanence security procedures for readable,
writable, and erasable optical disks. Refer to attachment 4 for a summary
of clearing, sanitizing, and destroying procedures.
6.1. Read Only Optical Disks (CD-ROM).
6.1.1. Clearing. Read only optical media retains information written to it
by the originator and can not be cleared. These media retain their original
sensitivity until destroyed.
6.1.2. Sanitizing. Read only optical media retain information written to
it by the originator and can not be sanitized. These media retain its original
classification until destroyed.
6.1.3. Destroying.
6.1.3.1. Burn classified CD-ROMs except those made by SONY. SONY CD-ROMs
are toxic and not recommended for burning.
6.1.3.2. Use installed incinerators for the destruction of classified CD-ROMs.
Classified CD-ROMs are considered as plastic and are destroyed in accordance
with local air quality regulations and the manufacturer’s and
maintainer’s recommendations for the specific incinerator installed
at your unit. Follow all safety precautions.
6.1.3.3. If a burn facility is not available and the volume of classified
CDs becomes a storage or security concern, mail them to: NSA L322, Ft G Meade,
MD 20755, for destruction. Mail SONY CD-ROMs to the same address. Make sure
classified mailing is done according to the procedures detailed in DoD Regulation
5200.1, Information Security Program Regulation, and AFI 33-401.
6.2. Write Once, Read Many (WORM) Optical Disks. WORM optical memory may
have a remanence problem depending on the recording method. Users can write
data to WORM disks once, then cannot alter or remove the data.
6.2.1. Clearing. Sensitive information written to WORM disks can not be cleared.
WORM disks retain their highest sensitivity until destroyed.
6.2.2. Sanitizing. Sensitive information written to WORM disks cannot be
sanitized;. WORM disks retain their highest classification until destroyed.
6.2.3. Destroying. Destroy this media according to the procedures for read-only
optical disks (paragraph 6.1.3).
6.3. Erasable Optical Disks. This is media that you can read from and write
to any number of times.
6.3.1. Clearing. Clear this media by overwriting all addressable locations
with binary zeros (i.e., 0000 0000) then binary ones (i.e., 1111 1111), then
with any random character (i.e., "a"). overwriting all addressable locations
with binary 1’s. Verify the clearing process by randomly reading the
information. The disk was successfully cleared if you can only read the random
character (i.e., "a").
6.3.2. Sanitizing. Sanitizing by overwrite is not considered adequate. Therefore,
erasable media cannot be sanitized.
6.3.3. Destroying. Destroy this media according to the procedures for read-only
optical disks (paragraph 6.1.3).
SYSTEM COMPONENTS, PRINTERS, AND OUTPUT MEDIA, AND REMOVABLE MEDIA
7. General. This chapter contains remanence security procedures for numerous
AIS components, equipments, and by products including laser printers, printing
systems, printer components and by-products (paper, ribbons, platens, etc.),
ferro-electric and ferro-optical storage, wafers, chips, packaged circuits,
and glass masks.
7.1. Display Devices. Included in this category are CRTs, picture tubes,
fluorescent screen devices, and image tubes/displays (e.g., photo-electric,
optical, plasma). Consider display devices declassified if, after visual
inspection, it is determined that no classified information has been etched
into the display. If there is any doubt after inspection of the screen, the
display should be highlighted by filling the screen with vectors to create
a raster effect to light up the entire screen. Any burns or uneven illuminations
of the phosphor coatings that could be considered compromising should be
easily detectable. Defective display devices that cannot be sanitized of
classified information shall be destroyed as classified waste.
7.2. Ferro-Electric Memory and Ferro-Optical Storage. Clear them by overwriting
all addressable locations with any alpha-numeric character. Do not
sanitize ferro-electric memory and ferro-optical storage. Downgrade or declassify
the information according to AFI 31-401 or the applicable governing security
directive. Destruction procedures for ferro-electric memory are in paragraph
5.4.3 and for ferro-optical storage in paragraph 6.17.3.
7.3. Laser Printers/Printing Systems. Laser printers and printing systems
present some unique remanence problems because they combine several forms
of technology. They may contain a laser printer engine, a central processing
unit (CPU), CPU RAM, RAM buffers, PROM, EPROM, EEPROM, hard and floppy disks,
optical disks, drum transfer technology, video monitors, etc. Consequently,
users must know the components of their laser printer or printing systems
and apply appropriate remanence security procedures. Contact your Wing IP
Office, MAJCOM IP Office, or HQ AFCA/SYS when you encounter any situation
not covered by this instruction. The following guidelines apply specifically
to laser printers and printing systems:
NOTES:
1. Clear and sanitize semiconductor memory (RAM, PROM, EPROM, etc.) according
to procedures in chapter 5.
2. Unless there is an NSA evaluated or Air Force assessed hardware/software
mechanism that prevents writing to the floppy or hard disk, classify and
protect the hard disk at the highest classification processed. If the hard
disk is not removable, protect the laser printer as required in AFI 31-401
for open storage of classified information. If the hard disk is removable,
secure it appropriately when it is not under the control or surveillance
of an authorized person. Clearing and sanitizing procedures for floppies
and hard disks are in chapter 3.
7.3.1. Clearing. Printers and printing systems that process classified must
be located in an area where it is under constant control or surveillance
by authorized persons. At the end of each duty day, clear the system. Clear
the drum by running three blank copies. If any images are printed, protect
the output at the highest classification processed. Repeat the process. If
unable to get a clean output, print an unclassified test pattern or black
copy; then run three blank copies. If the output is anything other than a
blank copy, an image of the unclassified test pattern, or a black copy, protect
the printer/system at the highest classification processedwas not successfully
cleared. Destroy the clearing copies as classified waste.
7.3.2. Sanitizing. Laser printers use a replaceable toner cartridge with
a platen (drum) that may retain classified images. Therefore, all laser printer
toner cartridges used to process classified information are considered classified
until sanitized and/o or destroyed. Used cartridges must be removed prior
to the removal of a laser printer from its controlled environment (e.g.,
shipment, maintenance). Additionally, used cartridges must be sanitized prior
to turn-in for reutilization by refurbishing/remanufacturing. Sanitization
procedures are:
7.3.2.1. In the continental United States (including Alaska and Hawaii),
used toner cartridges may be treated, handled, stored, and disposed of as
unclassified, if, at a minimum, at least five full pages of unclassified,
randomly generated text are run through the machine before the cartridge
is removed. These pages should not include any blank spaces or solid black
areas. Destroy the clearing copies as classified waste.
7.3.2.21. In overseas locations, apply the sanitization measure described
in paragraph 7.3.2.1 and score the cartridge platen with an abrasive substance
(e.g., sandpaper, etc.), to further reduce the opportunity for image recovery.
On the underside of the cartridge there is a slide cover that protects the
platen/drum. Slide the cover open to expose the platen, a long cylindrical
shaped object covered with a rubbery plastic coating. Lightly sand back and
forth across the platen just enough to destroy the surface. Turn the platen
using the exposed gear on the end. Continue to sand and turn the platen until
the entire surface is destroyed.
7.3.5. Procedures for clearing and sanitizing PROM, EPROM, and EEPROM are
in chapter 5.
7.4. Impact Printer Ribbons. Application of the following guidelines will
provide protection without incurring undue expense, unnecessarily disrupting
operations, or damaging the equipment.
7.4.1. Treat printer ribbons used to print classified information as classified
until overwritten at least five consecutive times with unclassified data.
Treat a ribbon as unclassified when the printer strikes the ribbon at least
five times in the same place before moving to the next position.
7.4.2. Unless the area is approved for open storage of classified information,
remove and secure classified printer ribbons during unattended periods (e.g.,
after duty hours, when positive control cannot be maintained).
7.4.3. Re-ink printer ribbons for additional use if it is economical. Overwrite
the ribbon as described in paragraph 7.4.1 prior to releasing it for re-inking.
7.4.4. Remove ribbons before releasing printers to a vendor or DoD property
disposal channels.
7.4.5. Destroy ribbons by burning, pulverizing, or chemical means.
7.5. Equipment. If the equipment contains buffer memory, registers, or other
storage media, clear them according to the appropriate procedures prior to
reuse, transfer, or disposal.
7.6. Paper Materials. Destroy by pulverizing, crosscut shredding, or burning.
Pulverized products residue size must not exceed pieces 5 mm. Shredded products
residue size must not exceed pieces 3/64 x 1/2 inches. Reduce residue of
burned products to white ash.
7.7. Wafers and Chips (unmounted). Destroy by using one of the following:
7.7.1. Brinkman Instruments Model ZM-1 Centrifugal Grinding Mill with 0.12mm
pore-size sieve (75 microns or less),
7.7.2. Molten sodium hydroxide (600 ºC), or
7.7.3. Hydrofluoric and nitric acid (HF and HNO3) in 1:1 ratio.
CAUTION: Do this procedure in a well-ventilated area; personnel must wear
eye protection.
7.8. Packaged Circuits:
7.8.1. Molten sodium hydroxide (600 ºC) or
7.8.2. Hydrochloric and nitric acid (HCL and HNO3) in 1.5:1 ratio, then HF
and HNO3 in 1:1 ratio.
CAUTION: Do this procedure in a well-ventilated area; personnel must wear
eye protection.
7.9. Glass Masks:
7.9.1. (Emulsion Glass Masks). Destroy in 5 percent sodium hypochlorite (common
household bleach) by total immersion.
7.9.2. Chrome Glass Masks (Chrome). Destroy by smelting at 1040 ºC.
RONALD G. GOESSMAN
Chief, Information Protection Division
References
DoD Regulation 5200.1, Information Security Program Regulation
AFI 31-401, Information Security Program Management
NCSC-TG-025, Version 2, A Guide to Understanding Data Remanence in Automated
Information Systems
NCSC-TG-026, Version 1, A Guide to Writing the Security Features User’s
Guide
NSA MANUAL 130-2, Media Declassification and Destruction Manual
Abbreviations and Acronyms
AFSSI Air Force System Security Instruction
AIS Automated Information System
C4 Command, Control, Communications and Computer
CDROM or CD-ROM Read Only Optical Disks
COMPUSEC Computer Security
COMSEC Communications Security
CPU Central Processing Unit
CRT Cathode Ray Tube
CRYPTO Cryptographic
CSSO Computer Systems Security Officer
DAA Designated Approving Authority
DPL Degausser Products List
EAROM Electronically Alterable ROM
EEPROM Electrically Erasable PROM
EPROM Erasable Programmable Read Only Memory
IP Information Protection
NATO North Atlantic Treaty Organization
NCSC National Computer Security Center
NSA National Security Agency
Oe Oersted
OPR Office of Primary Responsibility
PROM Programmable Read Only Memory
RAM Random Access Memory
ROM Read Only Memory
SAR Special Access Required
SBU Sensitive but Unclassified
SCI Sensitive Compartmented Information
SF Standard Form
SIOP Single Integrated Operational Plan
SRAM Static Random Access Memory
TCB Trusted Computing Base
UVPROM Ultraviolet Programmable Read Only Memory
WORM Write Once, Read Many Optical Disks
Terms
Automated Information System--Any equipment or interconnected system or
subsystems orf equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data and includes software, firmware, and hardware.
NOTE: The term "AIS" includes stand-alone systems, communications systems,
and computer network systems of all sizes, whether digital, analog, or hybrid;
associated peripheral devices and software; process control computers; security
components; embedded computer systems; communications switching computers;
Personal Computers; workstations; microcomputers; intelligent terminals,
word processors; automated data processing (ADP) system; office automation
systems; application and operating system software; firmware; and other AIS
technologies, as developed.
Clearing--Removal of data from an AIS and its storage media in such a way
that the data may not be reconstructed using normal system capabilities (i.e.,
through the keyboard). Note: An AIS need not be disconnected from any external
network before clearing takes place. Clearing enables a product to be reused
within, but not outside of, a secure facility. It does not produce a declassified
product.
Coercive Force--Negative or reverse magnetic force applied to reduce magnetic
flux density. For example, the force applied to magnetic media by a degausser.
Coercivity--Amount of applied magnetic field (of opposite polarity) required
to reduce magnetic induction to zero. Coercivity is measured in oersteds
(Oe). It is often used to represent the relative difficulty of degaussing
various magnetic media.
Declassification--Administrative decision or procedure to remove or reduce
the security classification of the subject media.
Dedicated Security Mode--AIS security mode of operation wherein each user,
with direct or indirect access to the system, its peripherals, remote terminals,
or remote hosts, has all the following: 1) valid security clearance for all
the information within the system, 2) formal access approval and signed
non-disclosure agreements for all the information stored and/or processed
(including all compartments, subcompartments, and/or special access programs),
3) valid need-to-know for all information contained within the AIS.
Degauss--Destroy information contained in magnetic media by subjecting that
media to high-intensity alternating magnetic fields, following which the
magnetic fields slowly decrease.
Degausser--Electrical device or hand-held permanent magnet that can generate
a high intensive magnetic field to sanitize magnetic storage media.
Designated Approving Authority (DAA)--Official with the authority to formally
assume responsibility for operating an AIS or network within a specified
environment.
Dynamic Random Access Memory (DRAM)--A random access data storage method
in which the memory cells require periodic electrical refreshing to avoid
loss of data held. DRAM that is erasable and reprogrammable. DRAM will lose
its contents when the power is removed (volatile memory).
Electrically Erasable Programmable Read-Only Memory (EEPROM)--A special kind
of ROM that can be electrically erased and reprogrammed. It can be erased
by an electrical signal rather than by exposure to ultraviolet light.
Erasable Programmable Read-Only Memory (EPROM)--ROM that is erasable and
reprogrammable. This type of ROM is usually erased off-circuit, usually by
exposure to an ultra-violet light source.
Flash--A specific family of EEPROM devices that hold their content without
power. It can be erased in fixed blocks rather than single bytes. Block sizes
range from 512 bytes up to 256 kB.
Information--Data derived from observing phenomena and the instructions required
to convert that data into meaningful information. NOTE: Includes operating
system information such as system parameter settings, password files, audit
data, etc.
Level-of-Protection--Established safeguards with controls to counter threats
and vulnerabilities based on the security requirements. Assures availability,
integrity, and confidentiality of the C4 system.
Magnetic Media--Media used to store computer data using magnetic force. There
are currently three types of magnetic media. They are defined based on their
coercivity as: (1) Type I: Media whose coercivity is no greater that 350
Oe. (2) Type II: Media whose coercivity lies in the range of 351 to 750 Oe.
(3) Type III: Media whose coercivity is 751 Oe or higher.
Magnetic Oxide--Surface coating (iron oxide) employed on magnetic media.
It is sensitive to magnetic forces and allows the media to retain data in
the form of discreet magnetizations.
Magnetic Remanence--Magnetic representation of residual information that
remains on a magnetic medium after the magnetizing force is removed.
Object Reuse--Reassignment of a storage medium (e.g., page from, disk sector,
magnetic tape) that contained one or more objects, after making sure no residual
data remained on the storage medium.
Oersted--The unit of measure of the magnetizing force necessary to produce
a desired magnetic flux across a surface.
Overwriting Cycle--An overwrite program writes to every addressable location
(including bad sectors, file allocation tables, the space between the end
of file and the end of a sector or block, etc.) on the media for the number
of consecutive cycles necessary for that storage medium. Note: An example
of an overwrite cycle is writing a binary zero (i.e., 0000 0000) to each
location (byte), then writing its complement binary one ( i.e., 1111 1111).
At the end of the required number of cycles, an alphabetic character (such
as "a") should be written to each location.
PC Card--A memory or Input/output card claiming compatibility with the PCMCIA
card standards. These devices carry out PCMCIA functions requiring Memory,
I/O, and/or IRQ resources.
Personal Computer Memory Card International Association (PCMCIA)--The
organization of marketing and engineering professionals that defines the
architecture of PCMCIA. Also used to refer to the technology.
Periods Processing--Processing of various levels of classified and unclassified
information at distinctly different times. NOTE: Under periods processing,
the AIS (operating in dedicated security mode) is cleared or sanitized (as
appropriate) afterof all information from one processing period before
transitioning to the next when there are different users with different
authorizations.
Programmable Read-Only Memory--ROM that can be programmed (written to) once,
but not reprogrammed.
Purging--The removal of data from an AIS and its storage media in such a
way as to provide assurance that the data is unrecoverable by
technical means. Purging is the first step in removing classification
from media. The other two steps are review of the media, and administrative
removal of security classification markings and controls. (See clearing)
Residue--Data left in storage after automated information processing
operations are complete, but before degaussing or overwriting has taken place.
Retention Properties--Data left in storage after degaussing or overwriting
has taken place.
Random Access Memory (RAM)--The general category of all storage media whose
power must remain constant in order to maintain its contents.
Read-Only Memory (ROM)--Memory unit in which instructions or data isare
permanently stored for use by the machine or for reference by the user. The
stored information is read out non-destructivelynondestructively, and no
information can subsequently be written into the memory.
Sensitive Information (SI)--Information, the loss, misuse, or unauthorized
access to or modification of which could adversely affect the national interest
or the conduct of Federal programs, or the privacy to which individuals are
entitled under Title 5, United States Code, Section 552a (the Privacy Act),
but not specifically authorized under the criteria established by an executive
order or an act of Congress keeping it secret in the interest of national
defense or foreign policy. NOTE: Protect systems that are not national security
systems, but contain sensitive information according to the requirements
of the Computer Security Act of 1987 (P.L. 100-235).
Sanitizing--the removal of information from AIS storage media such that data
recovery using known techniques or analysis is prevented. Sanitizing includes
the removal of data from the media (purging), verification of the purging
action, and removal of all classification labels and markings. Properly sanitized
media may be subsequently declassified upon observing the organization’s
respective verification and review procedures.
Static Random Access Memory (SRAM)--A type of RAM that can be sustained with
a battery.
Storage Media--Material used to store data, such as tape reels and floppy
diskettes.
Type I Degausser--Equipment rated to degauss magnetic media having a nominal
coercivity of 350 oersteds or less.
Type II Degausser--Equipment rated to degauss magnetic media having a nominal
coercivity of 750 oersteds or less.
Type II Extended Range Degausser--Equipment rated to degauss magnetic media
having a nominal coercivity of 900 oersteds or less.
Type III Degausser--Equipment rated to degauss magnetic media having a nominal
coercivity of 1700 oersteds or less.
A2.1. Risk Awareness. Air Force policy is to safeguard sensitive data, no
matter what the storage or transmittal mediaum. Safeguarding sensitive
information in computer memory and storage media is particularly important
during routine maintenance, product end of life, and reuse. Computer security
personnel, operations personnel, and other responsible persons must be aware
of the risk factors before sanitizing purging AIS storage media and releasing
them from the controlled environment. Computer system security officers (CSSOs)
must allow only authorized and properly cleared persons access to computer
storage containing sensitive information to ensure that sensitive information
is not compromised. The CSSO should anticipate and plan for temporary or
outright release of storage media or entire systems containing storage media.
A history of the use and maintenance of the system and its components can
provide evidence on which to base security determinations.
A2.2. Risk Considerations. When determining risk, consider the following
two basic threats to computer stored data:
A2.2.1. Keyboard Attack. Keyboard attacks use system resources and utilities
to extract information. You can defeat keyboard attacks by clearing
the system or storage media to make information unusable to a subject using
normal system capabilities.
A2.2.2. Laboratory Attack. Laboratory attacks use sophisticated signal recovery
equipment on specific system components in a laboratory environment
to recover stored information. Defeat laboratory attacks by purging
the information from the system or storage media, leaving it unrecoverable
to a level commensurate with its sensitivity. Purging is especially important
during maintenance (whether routine or otherwise). Purge information and
remove the classification from the device before allowing maintenance by
uncleared personnel. If this is not possible and destroying the device is
prohibitively expensive, an individual knowledgeable of possible improper
actions must observe the maintenance. For example, when a sensitive disk
drive is serviced, the observer should ensure that the maintenance person
does not walk off with a system board or an unpurged disk.
A2.3. Risk Assessment. When assessing the risk of releasing AIS storage media
from the secure environment, the CSSO must develop procedures that would
result in an acceptable level of risk. At a minimum, consider the following
threats:
A2.3.1. Compromise while moving from one site to another.
A2.3.2. Releasing classified (unsanitized) storage media for replacement
or repair unless the repair agency has personnel and facilities with proper
clearances.
A2.3.3. Returning classified storage media to a vendor. A storage unit returned
to a vendor’s inventory could wind up with any computer system user,
foreign or domestic government, commercial, or civilian.
A2.3.4. Allowing temporary use of classified systems by uncleared personnel.
A2.3.5. Contracts requiring the return of leased equipment containing AIS
storage media to the vendor. Before leasing, determine if the vendor will
allow purging or removing AIS storage media before returning the equipment.
If the lease requires the vendor to remove magnetic storage media, closely
supervise any uncleared vendor personnel. The CSSO should brief escorts on
their responsibilities while escorting uncleared maintenance personnel. Document
specific escort responsibilities in a local directive.
A2.4. Risk Assessment Factors. The CSSO must assess the risks before deciding
whether to purge, remove classification and release storage media; clear,
retain and reuse them; or destroy them. They should consider the following
and any other pertinent information before deciding:
A2.4.1. What percentage of the total data stored is sensitive?
A2.4.2. Is the sensitive data scattered or predictably located and concentrated
in the storage device?
A2.4.3. How frequently is the data changed or relocated in the storage device?
A2.4.4. Are some combinations of the application program, data, or system
software more sensitive than others? If the system software, application
programs, and data are not equally sensitive, concern about the relocation
and term of residence would vary accordingly.
A2.4.5. How much compromise results if a segment on a storage device is not
receptive to purging? (Distribution or fragmentation of the data may make
it meaningless.)
A2.4.6. A storage device with a history of mechanical faults (such as
misalignment of read and write heads) may reduce the effectiveness of thean
overwrite procedure.
A2.4.7. Tracks or sectors that become bad during the operation of a drum
or disk may lose their overwrite capability. To what extent might those tracks
or sectors retain sensitive information?
A2.4.8. To what extent do maintenance and diagnostic programs or other utility
programs provide the capability to dump, review, or overwrite memory and
other storage media?
A2.4.9. To what extent do multiple user system memory allocation procedures
prevent a new user from acquiring a previous user’s data? This is important
to prevent accidental access during normal use or if a system malfunction
requires full memory reload.
A2.4.10. What is the destination of the released storage media? The risk
of compromise increases when releasing storage media outside the controlled
environment. Sophisticated signal recovery methods may recover data from
the media.
A2.4.11. The area between the end of file and the end of a block or sector
on a disk may contain classified information from previous files that were
larger. This information is recoverable and difficult to overwrite.
A2.4.12. The failure of degaussing equipment could result in all or most
of the data remaining on the magnetic media.
A2.5. Minimizing Risk. The risk of compromise to electronically stored
information is impossible to eliminate. Therefore, the DAA must ensure that
the risk is at an acceptable level. Laboratory attacks against storage media
are expensive and time consuming. By developing and using good security
procedures, staying aware of the threats to computer storage, and not allowing
the identification and targeting of sensitive storage media, we can substantially
reduce the risk of information recovery through laboratory attack. The risk
is significantly increased if the storage device is targetable by a hostile
intelligence activity, for example:
A2.5.1. Is the storage device unique or is it commonly used by many users
at different classification and sensitivity levels?
A2.5.2. Is it easily identifiable as a device that contains or once contained
sensitive information (that is, sensitivity labels)?
A2.5.3. Is it easy to determine the office, unit, or location where it was
used?
A2.5.4. Can you determine the sensitivity of the information it contains
or contained?
A2.6. Determining Acceptable Risk. The DAA and CSSO must determine what is
an acceptable risk in each case. They should consider the full range of
vulnerabilities and security implications to include: the actual loss if
an unauthorized entity extracts the residual information; the threat directed
against this information; and is the threat of recovery and the potential
for damage, if the information is compromised, great enough to justify the
cost of the protection? The actual loss may be considerably less than the
classification level would imply due to conditions, such as:
A2.6.1. Initial overclassification or perishability.
A2.6.2. Fragmentation or distribution of the data that leaves it unintelligible
or partially so
A2.6.3. Procedures that may allow downgrading, such as deleting, disassociating,
or modifying the information.
Table A3.1 contains the nominal coercivity for the kinds and brands of magnetic
media listed. It is a compilation of the information available to HQ AFCA/SYSS,
Systems Security Protection Branch, at the time of publication and is not
all inclusive. It is intended to aid you in determining your degaussing
requirements. The guidance given in the notes column is valid for that storage
medium.
Table A3.1. NOMINAL COERCIVITY FOR VARIOUS STORAGE MEDIA.
NOTES:
1. Type I Media
2. Type II Media
3. Above Type II Media
4. Degauss with Type I degausser
5. Degauss with Type II degausser
6. Degauss with Type II extended degausser
7. Degauss with Type III degausser
8. May also be cleared or purged by overwriting
X. May not be degaussed
A4.1. Use of Approved Degaussers.
A4.1.1. Use only National Security Agency (NSA) evaluated degaussers to degauss
all magnetic media containing classified information. Place special emphasis
on degaussers used for media containing more sensitive information, such
as Top Secret, SIOP, intelligence, or compartmented information. Except for
magnetic computer disks, which are Type-independent, be sure to use the
appropriate Type degausser for the media to be degaussed. When degaussing,
observe the following rules:
A4.1.1.1. Type I degaussers can only degauss Type I media. Type I degaussers
cannot degauss Type II or Type III media; this includes any media with a
nominal coercivity of greater than 350 oersteds. not degauss Type II media
and media that is above Type II is not purgeable by degaussing.
A4.1.1.2. Type II degaussers can only degauss Type I or Type II media. Type
II degaussers cannot degauss Type III; this includes any media with a nominal
coercivity of greater than 750 oersteds.
A4.1.1.3. Type II extended degaussers can only degauss Type I and Type II
media, or Type III media with a nominal coercivity of 900 oersteds or less.
Type II extended degaussers cannot degauss Type III media with a nominal
coercivity of greater than 900 oersteds.
A4.1.1.4. Type III degaussers can degauss Type I, Type II, or Type III media
with a nominal coercivity of 1700 oersteds or less.
A4.1.2. The Information Systems Security Products and Services Catalog, Degausser
Products List (DPL), contains degaussers evaluated against either the National
Security Agency (NSA) Specification L14-4-75, or the later version, L14-4-A.
Both magnetic tape degausser specifications include the applicable federal
specifications and military standards. The Information Systems Security Products
and Services Catalog is available from the Government Printing Office.
A4.1.3. The DPL requires that degausser products be tested to ensure continued
compliance with the specification. Correct testing of degaussers is performed
through a degausser certification process which tests the degausser’s
erasure level per the specifications set forth in NSA/CSS L14-4-A. NSA requires
that certifications be performed every 6 months for the first year of operation
after which they should be performed on a regular basis not to exceed 18
months. These certifications must be performed to ensure the degaussing equipment
is functioning properly.
A4.2. Non-evaluated In-Use Degaussers. Continue to use non-evaluated in-use
degaussers to clear Type I media. Use of these degaussers to purge Type I
media requires written approval from the cognizant DAA. Advise the DAA of
the kind of degausser (for example, fixed, paddle, bar permanent magnet,
electromagnet), brand, model, serial number, field strength(include the method
used to determine the field strength), and the highest classification being
degaussed. The DAA will not approve a non-evaluated degausser for use on
Type II magnetic computer or video tape, but may approve it to purge Type
I media and any magnetic computer disks if it meets the following minimum
criterions:
A4.2.1. The degausser must have a minimum field strength of 1500 oersteds
at the degaussing platform. Measure the field strength with a gauss meter.
A4.2.2. If measurement of field strength is not possible, manufacturer’s
specifications must state that the minimum field strength is at least 1500
oersteds..
NOTE: The DAA must exercise caution when approving degaussers that are not
formally evaluated for purging media. This is especially true for media
containing more sensitive information, such as Top Secret or SAR, or information
controlled by other agency rules, such as SIOP, compartmented, intelligence,
and NATO. There is a risk that degaussers not formally evaluated may not
completely purge data from the media.
A4.3. Replacement of Non-evaluated Degaussers. Users should initiate action
to replace or augment non-evaluated degaussers with degaussers listed on
the DPL.
A4.4. Procurement and Use of Degaussers. Procure only degaussers listed on
the DPL. If you cannot get an evaluated degausser and must buy a non-evaluated
degausser, your DAA must approve its purchase. Test the proposed degausser
under NSA/CSS Specification L14-4-A, Magnetic Tape Degausser, dated 31 October
1985 (or superseding specifications). Data supporting the request must include
all of the information listed in paragraph A94.2., the testing agency, test
results, and a statement telling why an evaluated degausser is not adequate
or available. Degaussers not listed on the DPL, or not yet formally evaluated
under NSA/CSS Specification L14-4-A are not approved for use with Type II
magnetic computer or video tape.
A4.5. Malfunctioning Degaussers. The degausser owner should immediately
contact the degausser vendor or a degausser repair service any time the degausser
is suspected of not performing properly. After repair, certify that the degausser
operates within the limits established by NSA/CSS Specification L14-4-A before
using it to degauss classified media. If unable to locate a source for this
certification, contact HQ AFCA/SYS.
DAA GUIDE TO SANITIZING CONTAMINATED SYSTEMS/NETWORKS
A5. General. The information provided in this attachment is not policy. It
is intended to assist DAAs in making sound decisions quickly after information
of a higher classification inadvertently contaminates their system or network.
The DAA should also consult attachment 52 before making the decision on how
to proceed with sanitizing the affected system(s).
A5.1. Determining What and How to Purge. Network AISs may not (in the DAA’s
eyes) always require total purging after contamination. The DAA should evaluate
each case individually and take appropriate corrective action commensurate
with the sensitivity of the data, system vulnerabilities and risk (see attachment
52), and any possible adverse impact. Then, the DAA, in conjunction with
the data owner, may elect to accept the risk associated with a partial or
limited sanitization. In the following charts, we provide the DAA with three
sanitization options: complete, partial, and limited. A limited sanitize
involves purgsanitizing only those systems or memory locations where the
contaminating information was written or suspected to have been written.
In addition, sanitize the "clear" or temporary work space on the system(s).
When additional assurance is required, perform a partial sanitization
by purging the affected system(s). See warnings:
WARNING: The DAA must understand that they are personally responsible for
the acceptance of risk of compromise due to performing a limited purgesanitize
versus a complete purgesanitize.
WARNING: On networked systems, make sure hard drives on connected systems
are checked. Many times, especially with electronic mail, users will place
a copy of documents on their system’s disk for future reference.
Table A5.1. Sanitization Options and Impacts.
A5.2. Decision Table. Table A5.1 shows some of the impacts and issues that
a DAA must consider before selecting a course of action. In addition, Table
A5.2 provides a DAA with a methodology for determining what sanitization
option is best. As indicated, a limited sanitization should rarely, if ever,
be used. The partial sanitization option, however, provides a more acceptable
balance between risk of compromise and the cost, effort, and adverse impact
on the mission. Using table A5.2, a partial sanitization is indicated if
conditions 1-4 and 8-10 are met. A limited sanitization requires all conditions
to be met.
Table A5.2. Determination of Sanitization Types.
Conversion to HTML by Cryptome.
Destruction Method
Destruction at an approved metal destruction
facility (i.e., smelting, disintegration, or pulverization.
Incineration
Application of an abrasive substance (emery
wheel or disk sander) to a magnetic disk or drum recording surface. Make
certain that the entire recording surface is completely removed before disposal.
Also, ensure proper protection from inhaling the abraded dust.
Application of concentrated hydriodic acid (55%
to 58% solution) to a gamma ferric oxide disk surface. Acid solutions should
be used in a well-ventilated area only by qualified personnel.
Application of acid activator Dubias Race A
(8010 181 7171) and stripper Dubias Race B (8010 181 7170) to a magnetic
drum recording surface. Technical acetone (6810 184 4796) should then be
applied to remove residue from the drum surface. The above should be done
in a well-ventilated area, and personnel must wear eye protection. Extreme
caution must be observed when handling acid solutions. This procedure should
be done only by qualified and approved personnel.
AFC4A Air Force Communications Agency
3 1/2 in rigid disk
5 1/4 in floppy disk (360
K)
5 1/4 in floppy disk (high
density)
8 in floppy disk (high
density)
8MM
8MM
196 AMPEX
721 AMPEX
777 3M
795 AMPEX
797 AMPEX
799 AMPEX
895 Memorex
897 Memorex
5198 3M
6250 CPI (7, 8, 9 Track)
A-10 BERNOULLI CARTRIDGE
A-20 BERNOULLI CARTRIDGE
ANALOG VIDEO ADAPTATIONS
B-5 BERNOULLI CARTRIDGE
B-20 BERNOULLI CARTRIDGE
B-44 BERNOULLI CARTRIDGE
BETA SONY
BETACAM SONY
BETACAM SP SONY
BLACK WATCH 1/2 in CART
3M
C-FORMAT
D1
D2
DC 100 3M
DC 300 3M
DC 600 3M
DC 615 3M
DC 1000 3M
DC 2000 3M
ED-BETA
IBM 3480
ID1
ID2
M II (METAL PARTICLE) PANASONIC
MDC 750 MEGATAPE
PHILLIPS-TYPE, HIGH BIAS
PHILLIPS-TYPE, STANDARD
QUADRAPLEX
SVHS
SYQUEST SQ 100 CARTRIDGE
SYQUEST SQ 200 CARTRIDGE
SYQUEST SQ 400 CARTRIDGE
TK 50
TK 70
UMATIC SP 3/4
UMATIC
VHS
SANITIZATION OPTIONS
IMPACTS and ISSUES
Complete: Purge every system on the LAN and
contaminated backups. Declassify the system(s) after
observing the organization's respective validation and
review procedures. Then, reload software and data files
from uncontaminated backup.High Assurance
Total system(s) overwrite
Data Loss
Unbalanced solution (security drives operations)
Entire network/all systems down for extended period
All users affected
Workload (man-hours) intensive
Relies totally on good (clean/recent) backups
Partial: Find where written, purge affected systems and
contaminated backups. Declassify the system(s) after
observing the organization's respective validation and
review procedures. Then, reload from clean backup.Lower Assurance
Partial system(s) overwrite
Some data loss
A balanced (operations and security) solution
Minimizes system downtime
Adversely affects fewer users, systems, & missions
Many "overtime" hours
Relies in part on good backups
Limited: Find where contaminating information is
written. Purge file, "wipe" unallocated disk space and
swap (temp) file space on affected systems. Declassify
the system(s) after observing the organization's
respective validation and review procedures. If
necessary, reload from clean backup.Unknown degree of Assurance
Overwrites contaminating file, free space, temp space
Possibly no data loss
Unbalanced solution (operations drives security)
Very little downtime
Minimizes impact to majority of users
May or may not require use of good backups
1. The system is government owned and operated.
2. The system is accredited to at least C2 (or
C2 functionality).
3. The system is accredited for unclassified
processing only.
4. The material needing purging is classified
secret or below.
5. The data is time sensitive (i.e., automatically
downgraded to unclassified after a short duration, such as tactical information).
6. The system frequently writes to the drive
location(s) where the data was inadvertently written or suspected to be written.
(Note: generally, an e-mail server is overwritten more frequently than an
application or file server.)
7. The amount of information needing to be purged
is less than 0.01% of total drive size.
8. The residual risk associated with the limited
purge outweighs the effort/cost/adverse impact incurred if a complete purge
was performed.
9. The system DAA approves of using the limited
purge in this particular instance.
10. The data owner concurs with the limited
purge procedures.