New DoD Instruction on Controlled Unclassified Information Now Available

Jun 30, 2020 Blog Article

On March 6, 2020, the U.S. Department of Defense implemented new rules for how unclassified information is handled. Let’s look at how federal agencies and others can successfully satisfy these DoD CUI requirements for data destruction—all while minimizing manual work and honoring data retention requirements.

Author: Katie Moss Jefcoat

Katie has launched and supported marketing campaigns for B2B technology companies since 2011. From 2016 to 2021, Katie served Blancco in the roles of content manager and senior product marketing manager, communicating the features and benefits of Blancco products, evaluating market and competitive trends, supporting sales enablement, and representing the voice of the customer.

The U.S. Department of Defense is an executive branch department of the federal government that’s responsible for coordinating and supervising all agencies and functions of the American government directly related to national security and the U.S. Armed Forces. As part of these responsibilities, the department puts out important security guidelines with which U.S. federal agencies must comply. And while these requirements only legally apply to U.S. government agencies, many countries across the world also adhere to these standards when working with U.S. federal agencies or simply as a matter of best practice.

As of March 6, 2020, the U.S. Department of Defense implemented new rules for how unclassified information is handled, outlined in DoD Instruction 5200.48 Controlled Unclassified Information (CUI). This new Instruction replaces “DoD Manual 5200.01, Volume 4, ‘DoD Information Security Program: Controlled Unclassified Information,’ February 24, 2012” and is designed to establish policy, assign responsibilities and propose procedures for CUI throughout the DoD in accordance with sections of Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR) and the Defense Federal Acquisition Regulation Supplement (DFARS).

Defense contractor? Read our article on data sanitization and CMMC requirements: CMMC Media Protection & Maintenance Requirements—and How DoD Contractors Can Prepare

Section 4.5 of the Instruction covers destruction of CUI. It states:

  1. Record and non-record copies of CUI documents will be disposed of in accordance with Chapter 33 of Title 44, U.S.C. and the DoD Components’ records management directives. When destroying CUI, including in electronic form, agencies must do so in a manner making it unreadable, indecipherable, and irrecoverable. If the law, regulation, or government-wide policy specifies a method of destruction, agencies must use the method prescribed.
  2. Record and non-record CUI documents may be destroyed by means approved for destroying classified information or by any other means making it unreadable, indecipherable, and unrecoverable the original information such as those identified in NIST SP 800-88 and in accordance with Section 2002.14 of Title 32, CFR. [Emphasis mine]

To make sensitive files unrecoverable at end-of-life, steps must be taken beyond just placing them in the Recycle Bin, where, even once deleted, they can be recovered by anyone with the right tools. In-house solutions based on built-in OS deletion functionality may also leave data behind. Neither approach provides an audit trail, such as a clear Certificate of Erasure, to prove compliance.

To successfully satisfy DoD CUI requirements without adding a large amount of manual work for IT staff, organizations need an automated solution to permanently erase targeted files, folders and free disk space, including temporary files, artifacts, etc. This will allow them both to meet retention requirements and to achieve compliance with this and other key government (or industry) regulations.

Blancco File Eraser is the only certified file erasure software solution on the market. The software seamlessly fits into an organization’s overarching data sanitization strategy, with simple automated and scheduled deployment to address time-sensitive or personally identifiable information (PII). This helps the organization achieve compliance with internal and external retention policies and regulations like DoD Instruction 5200.48.

Blancco File Eraser offers erasure to 17+ established standards, as well as centralized and customized reporting in a wide array of formats. The solution is also flexible: it offers UI- or command-line-based setup and erases files, folders, free disk space, temporary files and more.

In addition, sometimes full IT assets (servers, laptops, etc.) must be securely erased—not only individual files and folders. The solution: completely sanitizing the drives in end-of-life assets using Blancco Drive Eraser software, which erases to NIST SP 800-88 (Clear and Purge) methods mentioned above, as well as over 20 other erasure standards. This should occur prior to physical destruction and before devices leave the secure business environment.

To learn more about how Blancco File Eraser can help your organization achieve compliance and enhance its security posture, request your free trial today.