What Does NIST 800-53 Say About Media Sanitization?

Oct 27, 2020 Blog Article

U.S. federal NIST publication 800-53 was written to decrease data vulnerabilities in information systems and organizations. So what does it have to say about data sanitization in general, and data erasure specifically?

Farah Mithani

A tech-focused writer and editor, Farah covered topics related to cloud security, software, and hardware while working at a Fortune 500 company. She then joined Blancco as content marketing specialist. In that role, she authored data management, data erasure, and IT asset lifecycle content while supporting Blancco’s social media and email channels.

Media Sanitization Recommendations for US Federal Information Systems

The U.S. National Institute of Standards and Technology (NIST) develops information security standards and guidelines, including minimum requirements for federal information systems.

The guidelines in NIST 800-53, “Security and Privacy Controls for Information Systems and Organizations,” were developed in collaboration with industry, government, and academic organizations to decrease vulnerabilities to data threats and risks, “including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”

To help reduce these risks, NIST 800-53 embeds this standard definition of data sanitization:

Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form.

NIST SP 800-53, Rev. 5, Security & Privacy Controls for Information Systems & Organizations (via NIST 800-88)

Both private and public sector organizations will often use certified data erasure software to achieve data sanitization, removing data and protecting it from unauthorized access after the data is no longer needed.

The use of media storage in organizations has grown exponentially, and it will continue to be a component of federal information systems. Media storage has many vulnerabilities, which has made it necessary to recommend which sanitization methods to employ and when sanitization should be performed.

NIST 800-53 recommends media sanitization prior to:

  • Disposal
  • Release from organizational control
  • Release for reuse

What NIST Says About Media Sanitization

NIST Clear and Purge, outlined in another NIST publication (NIST 800-88), are categories of data sanitization (sometimes referred to as data “wiping”) that have become commercial standards used to sanitize many different types of media. Digital media can include hard disk drives (HDDs), solid-state drives (SSDs), mobile devices, USBs, optical media, and more.

The recommendation to wipe data prior to disposal is not new: NIST 800-88 has included data erasure as a sanitization option since 2006. Today, increased concern for security has extended the sanitization recommendation to devices that are released from organizational control or released for reuse.

HIPAA and other regulations have made all parties liable when there is a data breach. This has created the need for in-house erasure before IT assets are transferred to an ITAD, third-party service provider, leasing agency, or other entity.

Even when reusing media within an organization, there is a chance of a data spill or breach. When a computer is reassigned to another employee in the same organization, there is a possibility that data on the device remains and is at risk. NIST 800-53 recommends these devices are wiped prior to reassignment.

The number of stages in the IT asset lifecycle at which a NIST data erasure is recommended is increasing, and erasure will continue to be required at different points in an asset’s lifespan.

Types of Media that NIST 800-53 Says Need Sanitization

The media sanitization recommendation applies to all digital media, including but not limited to

  • scanners,
  • copiers,
  • printers,
  • notebook computers,
  • workstations,
  • network components,
  • mobile devices,
  • drives,
  • and more, even if the media is not removable.

These devices all store data in some capacity and should be sanitized following the recommendations above.

In addition, portable storage devices (commonly known as USBs) have been the culprit in many data breaches, ransomware attacks, and other hacks. Compromised USBs can contain malicious code that can be accidentally or purposely introduced into an organization’s internal network. For that reason, NIST 800-53 recommends scanning these storage devices and wiping them prior to use. This will decrease an organization’s vulnerability to a USB-based attack.

Recommended NIST Methods for Sanitization

Media sanitization techniques include clearing, purging, cryptographic erase, de-identification of personally identifiable information, and physical destruction. Organizations should determine their level of sanitization based on the data’s significance and the consequences of a data breach.

Federal agencies should still follow National Security Agency (NSA) standards and policies to control the sanitization of classified information and the National Archives and Records Administration (NARA) policies to control unclassified information.

Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

NIST SP 800-53, Rev. 5, Security & Privacy Controls for Information Systems & Organizations

Implementation

Each organization should follow its data security and record retention policies when sanitizing media storage. All sanitization efforts should be tracked and documented, including:

  • List of personnel who reviewed and approved sanitization and disposal actions 
  • Types of media sanitized 
  • Files stored on the media 
  • Sanitization methods used 
  • Date and time of the sanitization actions 
  • Personnel who performed the sanitization 
  • Verification actions taken and personnel who performed the verification 
  • Disposal actions taken 

Personnel performing media sanitization should be technically qualified individuals with sufficient skills and expertise to determine whether the proposed sanitization reflects applicable federal and organizational standards, policies, and procedures. Erasure records are vital in the case of litigation or when discovering the source of a data breach. It is the organization’s responsibility to ensure that data is not sanitized before the record retention policies allow, and that it is securely wiped before leaving the facility for disposal.
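As an added example (not from NIST or Blancco), the record-keeping list above can be turned into an automated audit of erasure records. The field names, sample records, and retention date are constructed for illustration; the checks are the documented fields, the sanitization techniques named in this article, and the rule that data is not sanitized before retention policy allows.

```python
from datetime import datetime, timezone

# Fields this article says each sanitization record should document.
# Key names are hypothetical: the article lists concepts, not a schema.
REQUIRED = ("approved_by", "media_type", "files_stored", "method",
            "sanitized_at", "performed_by", "verification",
            "verified_by", "disposal_action")
# Sanitization techniques named in this article.
METHODS = {"clear", "purge", "cryptographic erase",
           "de-identification", "physical destruction"}

def audit_record(rec, retention_until=None):
    """Return findings for one record; an empty list means it passes.

    retention_until must be timezone-aware when given.
    """
    findings = [f"missing: {k}" for k in REQUIRED if not rec.get(k)]
    method = str(rec.get("method") or "").lower()
    if method and method not in METHODS:
        findings.append(f"unrecognized method: {method}")
    ts = rec.get("sanitized_at")
    if ts:
        try:
            when = datetime.fromisoformat(ts)
        except (ValueError, TypeError):
            findings.append("sanitized_at is not ISO 8601")
        else:
            if when.tzinfo is None:
                findings.append("sanitized_at has no timezone")
            elif retention_until and when < retention_until:
                findings.append("sanitized before retention period ended")
    return findings

# Constructed sample data (not real records).
RETENTION_END = datetime(2024, 1, 1, tzinfo=timezone.utc)
GOOD = {"approved_by": ["j.doe"], "media_type": "SSD",
        "files_stored": "HR share export", "method": "Purge",
        "sanitized_at": "2024-03-05T14:02:00+00:00",
        "performed_by": "a.tech", "verification": "read-back sample",
        "verified_by": "b.lead", "disposal_action": "released for reuse"}
BAD = dict(GOOD, method="quick format", verified_by="",
           sanitized_at="2023-11-30T09:15:00+00:00")

if __name__ == "__main__":
    for name, rec in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit_record(rec, RETENTION_END) or "ok")
```

Running the audit before an asset leaves the facility surfaces incomplete records while the device and the responsible personnel are still available.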

Blancco offers secure, permanent, and complete data sanitization services that meet the most stringent data erasure algorithm standards on both magnetic and flash-based media.

For every erasure, your organization receives a certified and tamper-proof report that confirms complete data sanitization.
