Short answer? Because there are no official paths to certification for data erasure products – the door has effectively been shut.
Let’s define certifications vs. regulations before giving the longer version of the answer.
Certifications are official documents attesting to a status or level of achievement.
Regulations are rules or directives made and maintained by an authority. Examples of regulations include: HIPAA, NIST, DoD, ISO 27001, PCI DSS, NERC CIP and SOX, among others.
The main vehicle for certification in the US is the Common Criteria, a globally recognized scheme for security products. Each country that participates in the Common Criteria has its own scheme, and in the US certification is managed by the National Information Assurance Partnership (NIAP).
Traditionally, there have been two options to undertake certification within the Common Criteria framework:
- Security Target – which allows companies to declare what security functions their products offer
- Protection Profile – where products are certified against a uniform set of functional requirements
Around 2013, NIAP changed its approach to Common Criteria evaluations and declared that it would no longer accept evaluations based on Security Targets. It also required every evaluation to have a Protection Profile associated with it. Since there is no Protection Profile for data erasure in the U.S., there is no longer a means to attain an official certification for data erasure. Any company that was able to get certified using a Security Target did so before this change occurred. Certified products are now on the archived list because they date from 2010/11 and lack modern features, such as support for SSDs.
The official guidance from NIAP states that “Products that were previously evaluated and approved by NIAP, but have now been moved to the archived products list, no longer satisfy CNSSP-11 for NSS procurement. However, archived products may continue to be used if already deployed within an organization’s IT infrastructure.”
For those technologies where a PP does not yet exist or is not in development, NIAP offers official guidance that states they will “work with the vendor and/or customer to offer a path to evaluation”. It is not known how this works in practice. Further investigation is required to better understand this option.
The lack of data erasure certification options contrasts with the guidance published by the National Institute of Standards and Technology (NIST) in the US. Its Guidelines for Media Sanitization outline the need for proper media sanitization and information disposition and offer suggestions for how to put such a program in place. They do not, however, call for one particular method of data destruction over another. And they are a standard, not a mandate.
Many other countries, particularly the UK and Germany, have strong data protection regulations. The UK's National Cyber Security Centre (NCSC) recently replaced GCHQ (Government Communications Headquarters) as the UK government's National Technical Authority for Information Assurance. Blancco Drive Erasure meets the highest security specifications detailed in this organization's HMG InfoSec Standard No. 5 guidelines, which outline data erasure for hard disk drives.
Meanwhile, Germany has the BSI certification for data erasure. In 2013, Blancco became Germany’s first nationwide provider of data erasure for public agencies when the German Federal Office for Information Security certified its data erasure products.
Though the U.S. doesn’t offer any official certifications, we hold certifications in almost every other country we do business in. Additionally, there are many industry-specific regulations in the U.S. that Blancco data erasure solutions do help satisfy.