8 September 2000. Thanks to RT.
[27 pages; all pages marked "FOR OFFICIAL USE ONLY."]
BY ORDER OF THE SECRETARY OF THE AIR FORCE
AIR FORCE SYSTEM SECURITY INSTRUCTION 5020
Communications and Information
REMANENCE SECURITY
This instruction provides guidelines and procedures for clearing and sanitizing various automated information systems (AIS) media for release outside of and for reuse within controlled environments. Contained herein is a compilation of the latest information available on sanitizing, destroying, and releasing of information storage media. Individual sections, when discussed outside of the context of this Instruction, are "Unclassified." The accumulated body of knowledge represented in this Instruction, along with the discussions of known vulnerabilities and assessment of risks, is "For Official Use Only." The term "Major Command" (MAJCOM), as used in this instruction, also includes the Headquarters, United States Air Force, Field Operating Agencies (FOA) and Direct Reporting Units (DRU). Refer questions and comments on technical contents of this instruction, or recommended changes through appropriate command channels to Headquarters, Air Force Command, Control, Communications and Computer Agency, Information Protection Division (HQ AFC4A/SYS), 203 W. Losey St., Room 2040, Scott AFB IL 62225-5234.
SUMMARY OF REVISIONS
This instruction now includes procedures for handling laser printer toner cartridges, flash memory, and limited sanitizing options for networks.
Supersedes AFSSI 5020, 15 April 1991
OPR: HQ AFCA/SYSS (MSgt Michael E. Bishop)
Certified by: HQ AFCA/SYS (Ronald G. Goessman)
(Paragraph number follows title)
Chapter 1--General Information
Purpose 1
Glossary of References, Abbreviations, Acronyms, and Terms 1.1
Introduction 1.2
Objective 1.3
Applicability 1.4
Responsibilities 1.5
General 2
Handling Sensitive AIS Storage Media 2.1
Clearing Storage Media 2.2
Sanitizing Storage Media 2.3
Overwrite Programs/Routines 2.4
Destruction 2.5
Chapter 3--Magnetic Storage Media
General 3
Magnetic Tapes 3.1
Floppy Disks, Diskettes, and Magnetic Cards 3.2
Sealed Disk Drives, Hard Disks, Hard Disk Assemblies (HDA), Bernoulli Cartridges, and PC (Memory) Cards 3.3
Removable Disk Packs 3.4
Magnetic Drums 3.5
Chapter 4--Magnetic Memory Devices
General 4
Core Memory 4.1
Plated Wire Memory 4.2
Thin Magnetic Films 4.3
Magnetic Bubble Memory 4.4
Chapter 5--Semiconductor Devices
General 5
Electrically Erasable Programmable Read Only Memory (EEPROM) and Electronically Alterable Read Only Memory (EAROM) 5.1
Erasable Programmable Read Only Memory (EPROM) and Ultraviolet Programmable Read Only Memory (UVPROM) 5.2
Flash Memory 5.3
Programmable Read Only Memory (PROM) 5.4
Read Only Memory (ROM) 5.5
Random Access Memory (RAM), Battery-Backed RAM, Dynamic RAM, and Static RAM 5.6
Chapter 6--Optical Storage Media
General 6
Read Only Optical Disks (CD-ROM) 6.1
Write Once, Read Many (WORM) Optical Disks 6.2
Erasable Optical Disks 6.3
Chapter 7--System Components, Printers, and Output Media
General 7
Display Devices Cathode Ray Tube (CRT) 7.1
Ferro-Electric Memory and Ferro-Optical Storage 7.2
Laser Printers/Printing Systems 7.3
Impact Printer Ribbons 7.4
Equipment 7.5
Destruction ProceduresPaper Materials 7.6
Wafers and Chips 7.7
Packaged Circuits 7.8
Glass Masks 7.9
1. Glossary of References, Abbreviations, Acronyms, and Terms
2. Risk Determination
3. Nominal Coercivity of Various Storage Media
4. Degaussers
5. DAA Guide to Sanitizing Contaminated Systems/Networks
Tables
2.1. Media Destruction Methods
A3.1. Nominal Coercivity for Various Storage Media
A5.1. Sanitization Option and Inputs
A5.2. Determination of Sanitization Types
GENERAL INFORMATION
1. Purpose. This instruction implements the Air Force Computer Security (COMPUSEC) Program by addressing requirements in the area of remanence security. Magnetic remanence is the magnetic representation of residual information that remains on automated information systems (AIS) storage media after it is erased by overwriting, degaussing, and so on. Remanence security is the use of prescribed safeguards and controls to prevent reconstruction or disclosure of sensitive information to persons who do not have the proper clearance or need-to-know for this information. (NOTE: "sensitive information," as used in this document, refers to both classified and sensitive but unclassified [SBU] information.) Specifically, this instruction provides:
- A discussion of the known threats and vulnerabilities (risk) associated with clearing, sanitizing, and destroying storage media.
- Procedures for clearing storage media, and the restrictions on the cleared media's reuse thereafter.
- Procedures for sanitizing storage media and other AIS components (e.g., Cathode Ray Tubes [CRT], laser printers, etc.). The end result of the sanitization process is media and AISs that are no longer classified.
- Approved destruction techniques for storage media, printer ribbons, etc.
1.1. Glossary of References, Abbreviations, Acronyms, and Terms. See attachment 1 and AFMAN 33-270, Command, Control, Communications, and Computer (C4) Systems Security Glossary.
1.2. Introduction. During the life cycle of an AIS, its primary and secondary storage media are sometimes reused, released, or destroyed. In addition, the sensitive information stored on the media may be downgraded or declassified. Thus, computer systems security officers (CSSO), operators, and users must develop procedures for clearing, sanitizing, and destroying media. These procedures must strike a balance between the risk of inadvertent disclosure of sensitive information and operational necessity.
1.3. Objective. All Air Force personnel must prevent accidental disclosure of processed or stored sensitive information, especially during system hardware, firmware, or software upgrade or replacement. To do this, they must be knowledgeable of clearing, sanitizing, and destroying procedures and have the tools available to assist them. To meet these two objectives, this instruction provides the necessary remanence security procedures for most all types of storage media used in current AISs. These procedures should provide designated approving authorities (DAA) with an acceptable level of protection; if not, DAAs may supplement them to meet their operational needs.
1.4. Applicability.
1.4.1. This instruction applies to all Air Force military and civilian personnel and to Air Force contractors who develop, acquire, deliver, use, operate, or manage Air Force AISs (including embedded).
1.4.2. U.S. SIGINT System users must comply with NSA/CSS Manual 130-2, Media Declassification and Destruction Manual.
1.4.3. Storage media that contain classified COMSEC keying material marked "CRYPTO" may not be declassified, but must retain the highest classification of any information previously recorded until destruction. COMSEC managers should consult the appropriate controlling authority for disposition instructions and review NSA/CSS Manual 130-2 for additional information.
1.4.4. Some storage media may contain information so sensitive that procedures in this document may not meet the requirements of the cognizant security authority. Examples of sensitive information categories where declassification is controlled by other agency rules are: sensitive compartmented information (SCI), single integrated operational plan (SIOP), special access required (SAR), and North Atlantic Treaty Organization (NATO) information. In these cases, follow the guidance provided for that category of information.
1.5. Responsibilities. The following responsibilities pertain to remanence security:
1.5.1. Designated Approving Authority (DAA): approves the use of hardware, firmware, and software (e.g., programs, routines, equipment, etc.), and the procedures for clearing, sanitizing, and destroying storage media.
1.5.2. Wing Information Protection (IP) Office: maintains information on the nearest incinerators, metal destruction facilities, and personnel who are trained in the use of chemical disk surface removers.
1.5.3. Computer Systems Security Officer (CSSO):
1.5.3.1. Develops and maintains DAA approved procedures for clearing, sanitizing, and destroying storage media.
1.5.3.2. Provides information on remanence security to users, operations personnel, and DAAs, so that they can make informed remanence security decisions based on known risks, regulatory requirements, and established procedures.
1.5.3.3. Provides written approval (based on DAA approved procedures) to sanitize or release unsanitized storage media from Air Force control.
1.5.3.4. Maintains records of sanitization of media, and downgrade or declassification of stored information, according to AFI 31-401.
1.5.3.5. Consults with the Wing Information Protection Office, MAJCOM Information Protection Office, or HQ AFC4A/SYS whenever operational necessity requires the use of procedures other than those listed in this instruction.
1.5.4. Systems Programmers/Analysts: tests and evaluates overwrite routines for compliance with this instruction. These individuals may either develop these routines or obtain them from other sources. (NOTE: development of new routines should be the last choice--after a search of the Evaluated Products List and Assessed Products List has failed to turn up a suitable program.) They should also develop user/operator procedures and submit them to the DAA for approval.
BASIC PROCEDURES
2. General. The proliferation of various types of AIS storage media (e.g.,
magnetic tapes and disks, optical media, solid state semiconductor memory,
etc.) has resulted in the development of separate procedures for clearing,
sanitizing, and destruction. The procedures in this chapter apply to all
types of storage media and must be applied along with the procedures for
the specific storage media in chapters 3-7.
2.1. Handling Sensitive AIS Storage Media:
2.1.1. Before using storage media for the first time, you should overwrite
the media with an unclassified data pattern. This precaution will help prevent
recovery of data stored later.
2.1.2. Writable storage media that retains data after power is removed
(nonvolatile) must be protected for the highest classification of information
processed or stored on the AIS. Retain classification controls until the
media is sanitized or destroyed in an approved manner.
2.1.3. Cleared storage media retains its previous classification unless reused
at a higher classification. Use a Standard Form (SF) 711, ADP Media Data
Descriptor Label, annotate it "cleared" and include the date and agency/office
clearing the media. Mark and control (per AFI 31-401) the media at the highest
classification level recorded on it.
2.1.4. After the data owner (functional office of primary responsibility
[OPR]) provides evidence that stored information is no longer classified,
declassify media by removing the classification markings. If the information
is no longer needed, sanitize or destroy the media as SBU. Maintain a record
of declassification as required by AFI 31-401, Information Security Program
Management, or other applicable directives.
2.1.5. After the data owner (functional OPR) provides evidence that stored
information has been reclassified at a lower level (downgraded), change the
classification labels and control the media at the new classification level.
2.1.6. Unless prohibited by other policies, sanitized storage media is
unclassified. Sanitize storage media whenever there is a need to make it
unclassified. In particular, sanitize storage media prior to deletion from
the Air Force inventory or transfer to a hardware/ software reuse repository.
2.1.7. During sanitization of storage media, audit the sanitizing process
to ensure data is no longer retrievable. This means a person knowledgeable
of the process should witness the sanitizing action, then verify (if possible)
that the media was in fact sanitized.
2.1.8. If features or malfunctions of the storage media inhibit its clearing
or sanitizing, develop customized procedures on a case-by-case basis. Consult
your CSSO, your wing or MAJCOM Information Protection Office, or HQ AFCA/SYS,
when there is any question concerning specific clearing or sanitizing procedures.
2.1.9. Evaluate the risk factors (attachment 2) prior to clearing, sanitizing,
or releasing any storage media.
2.2. Clearing Storage Media. Clearing removes sensitive information from
AIS storage media in a manner that renders it unrecoverable by normal system
utilities or nontechnical means. Routines that only remove pointers and leave
data intact (i.e., delete or format) are not acceptable methods of clearing
storage media. Clearing can be used when the secured physical environment
(where the media is used) is maintained. In other words, the media is reused
within the same AIS and environment. Procedures for clearing are:
2.2.1. Clear storage media when changing modes of operation or prior
to reuse at a higher classification level.
2.2.2. Clear storage media that contained SBU information before reuse or
release from Air Force control.
2.2.3. Ensure the classification markings, for the highest classification
processed, remain on the media. Use a Standard Form (SF) 711 to annotate
in the comment block that the media is "cleared." Also, include the date
and the agency/office clearing the storage media.
2.2.4. Protect the cleared media appropriately.
2.2.5. Follow additional clearing procedures in chapters 3 through 7.
2.3. Sanitizing Storage Media. Sanitizing removes sensitive information from
storage media in a manner that gives assurance that the information is
unrecoverable by technical means. To prevent unauthorized disclosure, all
storage media must be sanitized prior to release to individuals that do not
have a security clearance and need-to-know for the information stored on
the media. Examples of where sanitization is appropriate are: when the secured
physical environment (where the media was used) will not be maintained; when
the media is scheduled to be released from a secure facility to a non-cleared
maintenance facility; and when the media is inadvertently contaminated with
data of a higher classification level than authorized. Storage media
inadvertently exposed to a higher classification or category of data than
allowed, must be sanitized prior to resuming normal operations at the intended
classification level. The DAA should refer to attachment 6 to determine the
best course of action. DAAs should strive to maintain a balance between mission
requirements and the risk of unauthorized disclosure of information. Basic
sanitization steps are:
2.3.1. Disconnect the AIS from any external network.
2.3.2. Storage media containing SBU information do not require sanitizing;
clear them according to procedures for the specific storage media (see chapters
3-7). Then remove any labels or markings indicating SBU category or use.
2.3.3. Except for magnetic computer disks, ensure the coercivity of the
storage media does not exceed the rating of the degausser when degaussing.
In other words, the degausser must have a nominal coercivity rating equal
to or higher than the media.
2.3.4. Sanitize classified storage media according to procedures for the
specific storage media (chapters 3-7). Ensure all types of storage media
(i.e., disks, RAM, buffers, etc.) contained in the AIS are sanitized. NOTE:
routines that only remove pointers and leave data intact (i.e., delete or
format) are not acceptable methods of sanitizing storage media.
2.3.5. After sanitizing, verify the success of the sanitize by reviewing
the media for data retention. For example, if an overwrite routine is used
to sanitize an AIS's hard disk, dump random short sectors, blocks, or
memory contents and verify that only the last character written is all that
can be read. Where possible, review at least 10 percent of the media. NOTE:
the DAA must accept the risk regardless of the percentage reviewed.
2.3.6. Prepare and submit a memorandum that includes a description of the
sanitized media (e.g., type, manufacturer, serial number, etc.), the
classification level, a short description of the sanitizing procedures, and
the purpose of the sanitization (e.g., declassification, downgrade, release
or disposal of media, etc.). Also, as noted in paragraphs 2.1.4 and 2.1.5,
document the authority for the downgrade or declassification. Submit the
memorandum to the CSSO for approval.
2.3.7. After carefully reviewing the memorandum (from above) and weighing
the risks, the CSSO approves or disapproves the sanitization. If the CSSO
approves, remove all classification labels and markings indicating previous
classification or use. If the CSSO disapproves, the media must continue to
be marked and controlled at the same classification level as before.
2.3.8. Follow additional sanitizing procedures in chapters 3 through 7.
2.4. Overwrite Programs/Routines. Overwriting is an authorized method of
clearing and sanitizing many types of magnetic media. The overwriting is
implemented by a commercial, service, or locally developed computer program
or routine. These programs must comply with the following:
2.4.1. Ensure the read and write device hardware is functioning properly
before beginning this procedure (see paragraph A2.4).
2.4.2. Overwrite programs (software routines) must write to every addressable
location on the media. In other words, the program must write to active and
inactive file space, bad sectors and tracks, the space between the end of
a file and the end of a block or sector, file allocation tables, directories,
block maps, etc.
2.4.3. The overwrite program must perform the clear or sanitize as described
for the storage medium (see chapters 3-7).
2.4.4. Use overwrite programs evaluated by the National Computer Security
Center (NCSC) or assessed by the Air Force. When no evaluated or assessed
product is available, the DAA may approve the use of a commercial program
designed to overwrite data. The using organization must assess the performance
of the program. Systems programmers and analysts must carefully test and
validate the performance of this software against the requirements of this
instruction. The program documentation must fully explain all functions
performed; the program should perform no undocumented functions. Submit the
test report to HQ AFCA/SYS for review.
2.4.5. Where no commercial overwriting software is available, systems programmers
must develop computer programs or routines to perform the overwrite. Ensure
configuration control is maintained for the software; that is, the version
that is tested and approved must be the only one that is used. The programmer
must test and certify the program against the requirements in this instruction
and develop procedures for proper use. Include the procedures in the Security
Features User's Guide or a local operating instruction.
2.4.6. The DAA must approve, in writing, the use of programs or routines
for sanitizing computer storage. The easiest way to comply with this requirement
is to include remanence security procedures in the systems security policy.
2.4.7. Follow additional procedures in chapters 3 through 7.
2.5. Destruction. It is a good practice to sanitize media before submitting
it for destruction. Media may generally be destroyed by one of the following
methods (see Table 2.1). (NOTE: Although approved methods, options
d and e use acid, which is dangerous and excessive, to remove recording surfaces.
Options a, b, and c are recommended over d and e.)
Table 2.1. Media Destruction Methods
Option
a
b
c
d
e
MAGNETIC STORAGE MEDIA
3. General. This chapter outlines remanence security procedures for magnetic
tapes, floppy disks, diskettes, magnetic cards, removable disk packs (e.g.,
single and multiple platter), sealed disk drives (Winchester drives), hard
disks, hard disk assemblies (HDAs), Bernoulli cartridges, and magnetic drums.
In addition, memory PC Cards (i.e., Type III and ATA PC Cards) may be formatted,
written to, and read from, just like hard disks. Apply the hard disk procedures
in paragraph 3.3 to those media. Attachment 3 lists the coercivity of many
types and brands of magnetic disks and tapes. This information is necessary
to determine the appropriate type of degausser that can be used to clear
or sanitize media. Refer to attachment 4 for a summary of clearing, sanitizing,
and destroying procedures. See the following warnings:
WARNING: In addition to having hard disks, PC Cards and PCMCIA Cards may
contain multiple, non-contiguous, similar or dissimilar, storage media. This
may include Static RAM, Flash, DRAM, ROM, PROM, EPROM, and EEPROM, along
with the hard disk. This presents CSSOs and DAAs with a formidable task when
clearing or sanitizing the storage media. Each type of memory has procedures
that must be followed to render the information it contains irretrievable.
When in doubt, check with the product vendor, or your Wing Information Protection
Office, your MAJCOM Information Protection Office, or contact HQ AFCA/SYS
for guidance.
WARNING: MS-DOS, PC-DOS, and other similar operating systems have peculiarities
that affect clearing and sanitizing files by overwriting. Retrieving and
editing a stored file, then saving it, may result in writing the file to
a different location on the media. Clearing or sanitizing this file by
overwriting could leave older versions on the media.
3.1. Magnetic Tapes.
3.1.1. Clearing.
3.1.1.1. Although you can overwrite magnetic tapes (reel and cassette formats),
this method of clearing is generally never used. This is because inter-record
gaps may preclude proper clearing and the process is time consuming. A better
method for clearing tapes is degaussing them with a Type I or Type II degausser.
3.1.1.2. If a degaussing capability does not exist, overwrite tapes to clear
them. Select the highest density available for the tape transport and the
largest blocking factor supported by the equipment. Verify overwrites by
randomly reading media to ensure nothing other than the overwrite character
is present.
3.1.2. Sanitizing.
3.1.2.1. Degaussing Type I, II, and III magnetic tapes is the only method
approved for sanitizing this media. Use a Type I degausser to sanitize Type
I tapes or a Type II degausser for Types I & II tapes. Refer to NSA's
Degausser Products List (DPL) for availability of Type III (extended range--above
750 Oersteds [Oe]) degaussers that are capable of sanitizing Type III tapes.
NOTE. It isn't possible to distinguish Type I (coercivity between 0
and 350 Oe), Type II (coercivity between 350 and 750 Oe) and Type III (coercivity
above 750 Oe) magnetic tapes from each other by physical appearance. Mark
or label each tape with its type at the time of receipt so it can be properly
sanitized in the future. Do not remove or cover the label until destruction
of the tape.
3.1.2.2. Remove all classified labels or markings from the reel or cassette.
Declassify the media after observing the organization's respective
validation and review procedures.
3.1.3. Destroying.
3.1.3.1. Dispose of classified magnetic tapes by burning the tape in an approved
incinerator according to procedures established for the controlled destruction
of classified materials. Preparatory steps such as segregation of components
(tape and reels) may be necessary to comply with the requirements of the
destruction facility.
3.1.3.2. Dispose of unclassified magnetic tapes as described in paragraph
3.1.3.1 above. However, procedures established for the economic disposal
of unclassified materials shall be observed (i.e., use of an approved commercial
facility).
3.2. Floppy Disks, Diskettes, and Magnetic Cards.
3.2.1. Clearing. Clear flexible magnetic media and cards by overwriting or
degaussing. Overwrite all addressable locations at least one time with a
single character. Degauss flexible media using either a Type I or hand-held
degaussing wand.
3.2.2. Sanitizing. Degauss flexible magnetic media with a Type I or Type
II degausser. Remove all classification labels and markings which indicate
previous use or classification. Declassify the media after observing the
organization's respective validation and review procedures.
3.2.3. Destroying. The relatively low unit cost and small physical size of
classified floppy disks and magnetic cards make incineration the most effective
disposal mechanism. It is prudent security practice to degauss floppy disks
and magnetic cards before submitting them for disposal.
3.3. Sealed Disk Drives, Hard Disks, Hard Drive Assemblies (HDA), Bernoulli
Cartridges, and PC (Memory) Cards. These devices are widely used for the
storage of digital information. Unlike magnetic tape and floppy
disks, where the read/write heads come in direct contact with the recording
media, sealed disk drives contain rigid magnetic media and implement a "flying
head" arrangement where the read/write head is designed to float above the
surface of the recording media. A "head crash" means that the heads have
contacted the media, resulting in catastrophic system failure and permanent
damage to both the heads and the recording media. Functioning sealed drives
may be cleared by employing an overwrite procedure. Sanitization of
non-functioning classified drives can be accomplished by bulk degaussing
the entire disk pack assembly or by opening and disassembling the disk drive
and erasing the enclosed platters with an approved degausser.
3.3.1. Clearing. Functioning sealed drives and Bernoulli cartridges may be
cleared by overwriting all addressable locations with binary zeros (i.e.,
0000 0000) then binary ones (i.e., 1111 1111). Then, overwrite all addressable
locations with any character (i.e., "a"). Verify the overwrite procedure
by randomly re-reading (recommend 10%) the overwritten information to confirm
that only the overwrite character can be recovered. This media may also be
cleared using a Type I1 degausser.
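The clearing sequence in paragraph 3.3.1 and the random re-read described in paragraphs 2.3.5 and 3.3.1, as an added Python example; it is not part of this instruction and is not an evaluated or assessed overwrite product. It runs against a constructed image file standing in for the drive's addressable space; the 512-byte block size, the function names, and the planted residual block are assumptions.

```python
import math
import os
import random
import tempfile

BLOCK = 512                          # assumed block size of the constructed image
PASSES = (b"\x00", b"\xff", b"a")    # zeros, ones, then a character (para 3.3.1)


def overwrite_image(path, passes=PASSES, block=BLOCK):
    """Write each pattern over every byte of the image, one full pass at a time."""
    size = os.path.getsize(path)
    with open(path, "r+b") as dev:
        for pattern in passes:
            dev.seek(0)
            remaining = size
            while remaining:
                n = min(block, remaining)    # the final block may be short
                dev.write(pattern * n)
                remaining -= n
            dev.flush()
            os.fsync(dev.fileno())           # commit this pass before the next
    return size


def verify_sample(path, expected=PASSES[-1], percent=10, block=BLOCK, rng=None):
    """Re-read a random `percent` of blocks; return (blocks_read, bad_blocks)."""
    rng = rng or random.SystemRandom()
    total = -(-os.path.getsize(path) // block)            # ceiling division
    count = min(total, max(1, -(-total * percent // 100)))
    bad = []
    with open(path, "rb") as dev:
        for blk in sorted(rng.sample(range(total), count)):
            dev.seek(blk * block)
            data = dev.read(block)
            if data != expected * len(data):  # anything but the last character
                bad.append(blk)
    return count, bad


def miss_probability(total, sampled, residual):
    """Chance that a random sample of blocks contains none of the residual ones."""
    return math.comb(total - residual, sampled) / math.comb(total, sampled)


def demo():
    """Clear a constructed 1000-block image, then plant one block the routine 'missed'."""
    rng = random.Random(5020)                 # fixed seed keeps the demo repeatable
    with tempfile.TemporaryDirectory() as tmp:
        img = os.path.join(tmp, "constructed_disk.img")
        with open(img, "wb") as f:
            f.write(os.urandom(999 * BLOCK + 100))   # constructed "old data"
        overwrite_image(img)
        sampled = verify_sample(img, rng=rng)         # the 10 percent review
        full = verify_sample(img, percent=100)        # every block re-read
        # Constructed failure: one location the overwrite did not reach.
        # A file-level write cannot show real bad sectors or slack (para 2.4.2).
        with open(img, "r+b") as f:
            f.seek(417 * BLOCK)
            f.write(b"RESIDUAL DATA")
        full_after = verify_sample(img, percent=100)
        return sampled, full, full_after


if __name__ == "__main__":
    sampled, full, full_after = demo()
    print("10% sample after clearing:", sampled)
    print("full read after clearing: ", full)
    print("full read, one bad block: ", full_after)
    print("P(10% sample misses 1 bad block in 1000):",
          miss_probability(1000, 100, 1))
```

With one residual block in 1000, a 10 percent sample passes nine times out of ten, which is the residual risk paragraph 2.3.5 leaves with the DAA.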
3.3.2. Sanitizing. Sealed disk drives shall be sanitized by either
overwriting or degaussing. Bernoulli cartridges will be sanitized by degaussing
only. Use the following as guidance:
3.3.2.1. Functioning sealed drives may be sanitized by performing three overwrite
cycles of all addressable locations. Afterwards, overwrite all addressable
locations with any character (i.e., "a"). Verify the overwrite procedure
by randomly re-reading (recommend 10%) from the drive to confirm that only
the overwrite character can be recovered.
3.3.2.2. Degauss by either bulk erasing the disk in an approved degausser
or by disassembling the hard disk and erasing the enclosed platters with
a hand-held degaussing wand. NOTE: Magnetic media made of barium ferrite
may not be degaussed. Declassify the media after observing the
organization's respective validation and review procedures. This media
must be destroyed.
3.3.2.2.1. Sanitization by Bulk Erasure. 1) remove the hard drive from
the chassis or cabinet; 2) remove any steel shielding materials or mounting
brackets which may interfere with magnetic fields; 3) place the hard disk
drive in an approved large cavity degausser and erase at the required field
setting. NOTE. The bulk erasure of sealed hard drives may cause damage (i.e.,
loss of timing tracks) that may prohibit its continued use. The decision
to bulk erase should be considered on a case-by-case basis.
3.3.2.2.2. Sanitization with Degaussing Wand. Sanitization of sealed disk
drives may be accomplished by disassembling the disk pack and erasing all
surfaces of the enclosed platters with an approved hand-held degaussing wand.
Cover the hand-held magnet with a lintless tissue, wiping cloth, or layer
of thin plastic as a means of preventing damage to the recording surface.
Wipe each active surface (top and bottom) at least three times with the magnet.
NOTE. The disassembly of the sealed drive and the degaussing of the platters
will cause damage (loss of timing tracks, bent head armatures or damaged
recording surfaces) that may prohibit its continued use. The decision to
disassemble disk drives should be considered on a case-by-case basis.
3.3.2.3. Declassify the media after observing the organization's respective
validation and review procedures.
3.3.3. Destroying. Sealed disk drives may be released for disposal or repair
after sanitization procedures have been completed. Unclassified platters
removed from nonfunctional drives will not exhibit information regarding
their previous use or classification; therefore they may be disposed of by
using approved procedures for destruction or disposal of unclassified metal
waste. Techniques which remove recording surface (e.g., grinding or chemically
etching the oxide surface) prior to disposal do not enhance security and
are unnecessary. The chassis and electronic hardware from the unclassified
disassembled disk drive may be disposed of using the appropriate procedures
established for unclassified equipment.
3.4. Removable Disk Packs.
3.4.1. Clearing. Removable disk packs may be cleared by means of an overwrite
cycle, in accordance with procedures described for sealed disk drives (see
paragraph 3.3). An alternative method to clear disk packs is to degauss the
recording surfaces of all platters with an approved large cavity degausser
or a hand-held degaussing wand (see paragraph 3.3.2.2).
Degaussing will remove all information from the platters, including timing
(servo) tracks, and may require the disk pack to be initialized prior to
re-use. Care should be taken to prevent disturbing the platter alignment
or recording surfaces. Note. The decision to re-use multi-platter disk packs
cleared by means of erasing with an approved degausser should be considered
on a case-by-case basis.
3.4.2. Sanitizing. Removable disk packs shall be sanitized in accordance
with the procedures described for sealed disk drives (see paragraph 3.3.2).
Declassify the media after observing the organization's respective
validation and review procedures.
3.4.3. Destroying. Removable disk packs may be released for disposal or repair
after sanitization procedures have been completed. Due to the design of removable
disk packs and the potential for limitations in disposal facilities, separate
processing procedures have been established for assembled and disassembled
disk packs.
3.4.3.1. Disassembled Disk Packs. Unclassified platters from disassembled
disk packs will not exhibit information regarding their previous classification;
therefore, they may be destroyed at an approved metal destruction facility.
3.4.3.2. Assembled Disk Packs. Disposal of disk packs that have been sanitized,
but not disassembled, shall be accomplished by following the procedures
established for the economic disposal of unclassified materials. Preparatory
steps such as removing the recording media from the platter surfaces, mutilating
the platters or disassembly prior to destruction do not enhance security
and are unnecessary. Segregation of components (i.e., separate metal from
plastics) may be necessary to comply with the requirements of the destruction
facility. See warning:
Warning. The information associated with the release or disposal of a large
volume of disk packs by a particular organization or facility may be considered
sensitive. Disposal procedures should protect this sensitivity.
3.5. Magnetic Drums. Clear, sanitize, and destroy this media according to
established procedures for sealed disk drives (see paragraph 3.3).
MAGNETIC MEMORY DEVICES
4. General. This chapter contains remanence security procedures for core,
plated wire, thin magnetic film, and magnetic bubble memory. Refer to attachment
4 for a summary of clearing, purging, and destroying procedures.
4.1. Core Memory.
4.1.1. Clearing. Clear core memory by overwriting or degaussing. Overwrite
all addressable locations with binary zeros (i.e., 0000 0000) then binary
ones (i.e., 1111 1111), then with any character (i.e., "a"). Degauss with
a large cavity degausser, as described in paragraph 3.3 for sealed disk drives
using a Type I degausser or hand-held magnetic degaussing wand. NOTE. Attenuation
of the magnetic field due to chassis shielding and separation distance are
factors which affect erasure performance and should be considered. All steel
shielding materials (e.g., chassis, case or mounting brackets) should be
removed before degaussing.
4.1.2. Sanitizing. Sanitize core memory according to procedures described
for sealed disk drives (paragraph 3.3.2).
4.1.3. Destroying. Recommended destruction techniques for core memory units
include pulverizing, smelting, or disintegrating the core arrays. When practical,
the outer chassis and electronic circuit boards should be removed from the
core memory unit to optimize the performance of the destruction device.
4.2. Plated Wire Memory.
4.2.1. Clearing. This memory cannot be cleared if the stored information
was undisturbed for more than 72 hours. Clear this memory, which stored sensitive
information less than 72 hours, by using the overwrite procedure described
for magnetic core memory (paragraph 4.1.1). It should remain undisturbed
with the random unclassified data stored for at least 72 hours. Temperatures
during this period should match or exceed those present when it stored classified
information.
4.2.2. Sanitizing. Plated wire memory cannot be sanitized if the information
was undisturbed for more than 72 hours. This media retains the highest
classification previously recorded, until destruction. Sanitize plated wire
memory, which stored sensitive information less than 72 hours, by using the
overwrite procedure described for magnetic core memory (paragraph 4.2.1).
It should remain undisturbed with the random unclassified data stored for
at least 72 hours. Temperatures during this period should match or exceed
those present when it stored classified information. Declassify the media
after observing the organization's respective validation and review
procedures.
4.2.3. Destroying. Pulverize, smelt, incinerate, etc., or use other means
to ensure the media is physically destroyed.
4.3. Thin Magnetic Films. This memory shall be cleared, sanitized, and destroyed
according to procedures for sealed disk drives (paragraph 3.3).
4.4. Magnetic Bubble Memory.
4.4.1. Clearing. Clear magnetic bubble memory by overwriting according to
procedures for sealed disk drives (paragraph 3.3.1).
4.4.2. Sanitizing. Sanitize magnetic bubble memory according to procedures
described for sealed disk drives (paragraph 3.3.2). An alternative
sanitizing technique is to cause the collapse of the magnetic bubbles
by either degaussing the bubble array (use a Type I degausser) or raising
the magnetic bias field. Bubble memory units with built-in magnetic bias
field controls may be sanitized by raising the bias voltage to levels sufficient
to collapse the magnetic bubbles.
Note. Magnetic bubble memory units may be sanitized by degaussing the bubble
memory device with an approved degausser; however, care must be taken to
ensure that the field (at least 1500 gauss) of the degausser is applied to
the actual bubble array. All shielding must be removed from the circuit card
and/or bubble memory device before degaussing.
4.4.3. Destruction. Disposal of magnetic bubble memory units shall be
accomplished using procedures for sealed disk drives (paragraph 3.3.3).
SEMICONDUCTOR DEVICES
5. General. This chapter contains remanence security procedures for ROM,
PROM, EPROM, UVPROM, EEPROM, EAROM, flash memory, volatile and nonvolatile
semiconductor memory, RAM, battery-backed RAM, and SRAM. Refer to attachment
4 for a summary of clearing, sanitizing, and destroying procedures. See warning:
WARNING: PC Cards and PCMCIA Cards may contain multiple, non-contiguous,
similar or dissimilar, storage media. This may include Static RAM, Flash,
DRAM, ROM, PROM, EPROM, EEPROM, and magnetic hard disks. This presents CSSOs
and DAAs with a formidable task when clearing, sanitizing, removing
classification, or declassification of the storage media. Each type of memory
has procedures that must be followed to render the information it contains
irretrievable.
WARNING. Do not sanitize nonvolatile semiconductor memory that you cannot
purge. Destroy them.
5.1. Electrically Erasable Programmable Read Only Memory (EEPROM) and
Electrically Alterable Read Only Memory (EAROM).
5.1.1. Clearing. Erase EEPROM and EAROM on- or off-circuit. Software that
controls the EEPROM (i.e., PC Card) must not be active (running) during the
erasure. Each manufacturer provides mechanisms for writing commands to place
these units into Erase, Program, and Verify modes. In addition, the manufacturer
may have its own programming algorithms, protocols, and erase unit sizes.
Use the erase procedures provided by the manufacturer. Normally, this procedure
would include pulsing the erase control gate, verifying the erasure, and
then overwriting all bit locations with arbitrary unclassified data.
5.1.2. Sanitizing. Sanitize the media using the same procedures as in paragraph
5.1.1. Declassify the media after observing the respective organization's
verification and review procedures.
5.1.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to ensure the media is physically destroyed.
5.2. Erasable Programmable Read Only Memory (EPROM) and Ultraviolet Programmable
Read Only Memory (UVPROM).
5.2.1. Clearing. Whenever possible, erase EPROM and UVPROM off-circuit.
Perform an ultraviolet light erase according to the manufacturer's
recommendations, but increase the time requirement by a factor of three.
Next, overwrite all bit locations with arbitrary unclassified data.
5.2.2. Sanitizing. Sanitize EPROMs or UVPROMs by exposing them to an ultraviolet
light eraser for a minimum time equal to three times the manufacturer's
recommendations. Then load all positions with zeros. Verify by randomly reading
the information loaded in the EPROM or UVPROM. Declassify the media after
observing the organization's respective validation and review procedures.
5.2.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to ensure the media is physically destroyed.
5.3. Flash Memory. Flash memory is a specific family of EEPROM. They require
special algorithms and protocols for writing to the storage media.
5.3.1. Clearing. Clear them as described in paragraph 5.1.1.
5.3.2. Sanitizing. Sanitize them as described in paragraph 5.1.2.
5.3.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to make sure the media is physically destroyed.
5.4. Programmable Read Only Memory (PROM).
5.4.1. Clearing. No procedures exist for clearing PROM.
5.4.2. Sanitizing. No procedures exist for sanitizing PROM.
5.4.3. Destroying. Smelt these devices in an approved furnace at 1600 °C.
5.5. Read Only Memory (ROM).
5.5.1. Clearing. No procedures exist for clearing ROM.
5.5.2. Sanitizing. No procedures exist for sanitizing ROM.
5.5.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to ensure the media is physically destroyed.
5.6. Random Access Memory (RAM), Battery-Backed RAM, Dynamic RAM (DRAM),
and Static RAM (SRAM).
Caution: If a source of power is a battery, consult the manufacturer's
technical guidance to determine what effect removing the battery will have
on other system functions (i.e., BIOS).
5.6.1. Clearing. Remove all power, including batteries and capacitor power
supplies for the RAM circuit board for a minimum of 60 seconds.
5.6.2. Sanitizing. If RAM is functioning, purge these storage media
as follows: 1) overwrite all locations with binary zeros (i.e., 0000 0000),
then with binary ones (i.e., 1111 1111), then with a random character; 2)
remove power, including batteries and capacitor power supplies, from the RAM
circuit board. If RAM is not functioning, sanitize as follows: 1) perform
three power on/off cycles (60 seconds on, 60 seconds off each cycle at a
minimum); 2) remove all power, including batteries and capacitor power supplies
from the RAM circuit board.
5.6.3. Destroying. Smelt, incinerate, disintegrate, or use another appropriate
mechanism to ensure the media is physically destroyed.
OPTICAL STORAGE MEDIA
6. General. This chapter contains remanence security procedures for readable,
writable, and erasable optical disks. Refer to attachment 4 for a summary
of clearing, sanitizing, and destroying procedures.
6.1. Read Only Optical Disks (CD-ROM).
6.1.1. Clearing. Read-only optical media retain information written to them
by the originator and cannot be cleared. These media retain their original
sensitivity until destroyed.
6.1.2. Sanitizing. Read-only optical media retain information written to
them by the originator and cannot be sanitized. These media retain their
original classification until destroyed.
6.1.3. Destroying.
6.1.3.1. Burn classified CD-ROMs except those made by SONY. SONY CD-ROMs
are toxic and not recommended for burning.
6.1.3.2. Use installed incinerators for the destruction of classified CD-ROMs.
Classified CD-ROMs are considered as plastic and are destroyed in accordance
with local air quality regulations and the manufacturer's and
maintainer's recommendations for the specific incinerator installed
at your unit. Follow all safety precautions.
6.1.3.3. If a burn facility is not available and the volume of classified
CDs becomes a storage or security concern, mail them to: NSA L322, Ft G Meade,
MD 20755, for destruction. Mail SONY CD-ROMs to the same address. Make sure
classified mailing is done according to the procedures detailed in DoD Regulation
5200.1, Information Security Program Regulation, and AFI 33-401.
6.2. Write Once, Read Many (WORM) Optical Disks. WORM optical memory may
have a remanence problem depending on the recording method. Users can write
data to WORM disks once, then cannot alter or remove the data.
6.2.1. Clearing. Sensitive information written to WORM disks cannot be cleared.
WORM disks retain their highest sensitivity until destroyed.
6.2.2. Sanitizing. Sensitive information written to WORM disks cannot be
sanitized. WORM disks retain their highest classification until destroyed.
6.2.3. Destroying. Destroy this media according to the procedures for read-only
optical disks (paragraph 6.1.3).
6.3. Erasable Optical Disks. This is media that you can read from and write
to any number of times.
6.3.1. Clearing. Clear this media by overwriting all addressable locations
with binary zeros (i.e., 0000 0000) then binary ones (i.e., 1111 1111), then
with any random character (i.e., "a"). Verify the clearing process by randomly
reading the information. The disk was successfully cleared if you can only
read the random character (i.e., "a").
6.3.2. Sanitizing. Sanitizing by overwrite is not considered adequate. Therefore,
erasable media cannot be sanitized.
6.3.3. Destroying. Destroy this media according to the procedures for read-only
optical disks (paragraph 6.1.3).
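The overwrite sequence used in paragraphs 4.1.1, 5.6.2, and 6.3.1 (zeros, ones, then a character) and the random read-back check of paragraph 6.3.1, as an added example that is not part of the instruction. It also goes beyond the text by adding an exhaustive read-back, to show how little a random spot check sees of a small unwritten region. The file image, function names, sample count, and planted 16-byte residue are assumptions constructed for illustration.

```python
import os
import random
import tempfile

PATTERNS = (b"\x00", b"\xff", b"a")  # 0000 0000, 1111 1111, then the character "a"
CHUNK = 64 * 1024


def media_size(path):
    """Size in bytes of a regular file or a block device node."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def overwrite_pass(path, fill, size):
    """Write `fill` to every byte offset in [0, size) and flush it to the media."""
    block = fill * CHUNK
    with open(path, "r+b", buffering=0) as f:
        done = 0
        while done < size:
            n = f.write(block[: min(CHUNK, size - done)])
            if not n:
                raise OSError(f"write stalled at offset {done}")
            done += n
        os.fsync(f.fileno())


def clear_media(path):
    """Run the three passes in order and return the final fill byte."""
    size = media_size(path)
    for fill in PATTERNS:
        overwrite_pass(path, fill, size)
    return PATTERNS[-1]


def sample_verify(path, expected, samples=256, seed=None):
    """Random read-back: return the sampled offsets whose byte is not `expected`."""
    rng = random.Random(seed)
    size = media_size(path)
    bad = set()
    with open(path, "rb") as f:
        for _ in range(samples if size else 0):
            offset = rng.randrange(size)
            f.seek(offset)
            if f.read(1) != expected:
                bad.add(offset)
    return sorted(bad)


def full_verify(path, expected):
    """Exhaustive read-back: return (start, end) runs of bytes that differ."""
    runs, start, pos = [], None, 0
    with open(path, "rb") as f:
        while chunk := f.read(CHUNK):
            for byte in chunk:
                if byte != expected[0]:
                    if start is None:
                        start = pos
                elif start is not None:
                    runs.append((start, pos))
                    start = None
                pos += 1
    if start is not None:
        runs.append((start, pos))
    return runs


def miss_probability(size, residue_bytes, samples):
    """Chance that `samples` uniform random reads all miss the residue."""
    return (1 - residue_bytes / size) ** samples


def demo():
    """Clear a constructed 256 KiB image, then plant residue to compare checks."""
    size = 256 * 1024
    fd, path = tempfile.mkstemp(suffix=".img")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write((b"CONSTRUCTED SAMPLE RECORD;" * 11000)[:size])
        fill = clear_media(path)
        result = {
            "fill": fill,
            "sample_after_clear": sample_verify(path, fill, seed=1),
            "full_after_clear": full_verify(path, fill),
        }
        # Simulate 16 bytes that an overwrite pass failed to reach.
        with open(path, "r+b") as f:
            f.seek(100_000)
            f.write(b"X" * 16)
        result["full_after_skip"] = full_verify(path, fill)
        result["miss_probability"] = miss_probability(size, 16, 256)
        return result
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo())
```

Writing through a file or device node reaches only the locations that interface exposes, so this sketch covers clearing as paragraph 6.3.1 describes it and nothing stronger.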
SYSTEM COMPONENTS, PRINTERS, OUTPUT MEDIA, AND REMOVABLE MEDIA
7. General. This chapter contains remanence security procedures for numerous
AIS components, equipment, and by-products including laser printers, printing
systems, printer components and by-products (paper, ribbons, platens, etc.),
ferro-electric and ferro-optical storage, wafers, chips, packaged circuits,
and glass masks.
7.1. Display Devices. Included in this category are CRTs, picture tubes,
fluorescent screen devices, and image tubes/displays (e.g., photo-electric,
optical, plasma). Consider display devices declassified if, after visual
inspection, it is determined that no classified information has been etched
into the display. If there is any doubt after inspection of the screen, the
display should be highlighted by filling the screen with vectors to create
a raster effect to light up the entire screen. Any burns or uneven illuminations
of the phosphor coatings that could be considered compromising should be
easily detectable. Defective display devices that cannot be sanitized of
classified information shall be destroyed as classified waste.
7.2. Ferro-Electric Memory and Ferro-Optical Storage. Clear them by overwriting
all addressable locations with any alpha-numeric character. Do not
sanitize ferro-electric memory and ferro-optical storage. Downgrade or declassify
the information according to AFI 31-401 or the applicable governing security
directive. Destruction procedures for ferro-electric memory are in paragraph
5.4.3 and for ferro-optical storage in paragraph 6.1.3.
7.3. Laser Printers/Printing Systems. Laser printers and printing systems
present some unique remanence problems because they combine several forms
of technology. They may contain a laser printer engine, a central processing
unit (CPU), CPU RAM, RAM buffers, PROM, EPROM, EEPROM, hard and floppy disks,
optical disks, drum transfer technology, video monitors, etc. Consequently,
users must know the components of their laser printer or printing systems
and apply appropriate remanence security procedures. Contact your Wing IP
Office, MAJCOM IP Office, or HQ AFCA/SYS when you encounter any situation
not covered by this instruction. The following guidelines apply specifically
to laser printers and printing systems:
NOTES:
1. Clear and sanitize semiconductor memory (RAM, PROM, EPROM, etc.) according
to procedures in chapter 5.
2. Unless there is an NSA evaluated or Air Force assessed hardware/software
mechanism that prevents writing to the floppy or hard disk, classify and
protect the hard disk at the highest classification processed. If the hard
disk is not removable, protect the laser printer as required in AFI 31-401
for open storage of classified information. If the hard disk is removable,
secure it appropriately when it is not under the control or surveillance
of an authorized person. Clearing and sanitizing procedures for floppies
and hard disks are in chapter 3.
7.3.1. Clearing. Printers and printing systems that process classified
information must be located in an area where they are under constant control
or surveillance by authorized persons. At the end of each duty day, clear the
system. Clear the drum by running three blank copies. If any images are
printed, protect the output at the highest classification processed. Repeat
the process. If unable to get a clean output, print an unclassified test
pattern or black copy; then run three blank copies. If the output is anything
other than a blank copy, an image of the unclassified test pattern, or a black
copy, the printer/system was not successfully cleared; protect it at the
highest classification processed. Destroy the clearing copies as classified
waste.
7.3.2. Sanitizing. Laser printers use a replaceable toner cartridge with
a platen (drum) that may retain classified images. Therefore, all laser printer
toner cartridges used to process classified information are considered classified
until sanitized and/or destroyed. Used cartridges must be removed prior
to the removal of a laser printer from its controlled environment (e.g.,
shipment, maintenance). Additionally, used cartridges must be sanitized prior
to turn-in for reutilization by refurbishing/remanufacturing. Sanitization
procedures are:
7.3.2.1. In the continental United States (including Alaska and Hawaii),
used toner cartridges may be treated, handled, stored, and disposed of as
unclassified, if, at a minimum, at least five full pages of unclassified,
randomly generated text are run through the machine before the cartridge
is removed. These pages should not include any blank spaces or solid black
areas. Destroy the clearing copies as classified waste.
7.3.2.2. In overseas locations, apply the sanitization measure described
in paragraph 7.3.2.1 and score the cartridge platen with an abrasive substance
(e.g., sandpaper, etc.), to further reduce the opportunity for image recovery.
On the underside of the cartridge there is a slide cover that protects the
platen/drum. Slide the cover open to expose the platen, a long cylindrical
shaped object covered with a rubbery plastic coating. Lightly sand back and
forth across the platen just enough to destroy the surface. Turn the platen
using the exposed gear on the end. Continue to sand and turn the platen until
the entire surface is destroyed.
7.3.5. Procedures for clearing and sanitizing PROM, EPROM, and EEPROM are
in chapter 5.
7.4. Impact Printer Ribbons. Application of the following guidelines will
provide protection without incurring undue expense, unnecessarily disrupting
operations, or damaging the equipment.
7.4.1. Treat printer ribbons used to print classified information as classified
until overwritten at least five consecutive times with unclassified data.
Treat a ribbon as unclassified when the printer strikes the ribbon at least
five times in the same place before moving to the next position.
7.4.2. Unless the area is approved for open storage of classified information,
remove and secure classified printer ribbons during unattended periods (e.g.,
after duty hours, when positive control cannot be maintained).
7.4.3. Re-ink printer ribbons for additional use if it is economical. Overwrite
the ribbon as described in paragraph 7.4.1 prior to releasing it for re-inking.
7.4.4. Remove ribbons before releasing printers to a vendor or DoD property
disposal channels.
7.4.5. Destroy ribbons by burning, pulverizing, or chemical means.
7.5. Equipment. If the equipment contains buffer memory, registers, or other
storage media, clear them according to the appropriate procedures prior to
reuse, transfer, or disposal.
7.6. Paper Materials. Destroy by pulverizing, crosscut shredding, or burning.
Residue from pulverized products must not exceed pieces of 5 mm. Residue from
shredded products must not exceed pieces of 3/64 x 1/2 inches. Reduce residue
of burned products to white ash.
7.7. Wafers and Chips (unmounted). Destroy by using one of the following:
7.7.1. Brinkman Instruments Model ZM-1 Centrifugal Grinding Mill with 0.12mm
pore-size sieve (75 microns or less),
7.7.2. Molten sodium hydroxide (600 °C), or
7.7.3. Hydrofluoric and nitric acid (HF and HNO3) in 1:1 ratio.
CAUTION: Do this procedure in a well-ventilated area; personnel must wear
eye protection.
7.8. Packaged Circuits:
7.8.1. Molten sodium hydroxide (600 °C) or
7.8.2. Hydrochloric and nitric acid (HCl and HNO3) in 1.5:1 ratio, then HF
and HNO3 in 1:1 ratio.
CAUTION: Do this procedure in a well-ventilated area; personnel must wear
eye protection.
7.9. Glass Masks:
7.9.1. Emulsion Glass Masks. Destroy in 5 percent sodium hypochlorite (common
household bleach) by total immersion.
7.9.2. Chrome Glass Masks. Destroy by smelting at 1040 °C.
RONALD G. GOESSMAN
Chief, Information Protection Division
References
DoD Regulation 5200.1, Information Security Program Regulation
AFI 31-401, Information Security Program Management
NCSC-TG-025, Version 2, A Guide to Understanding Data Remanence in Automated
Information Systems
NCSC-TG-026, Version 1, A Guide to Writing the Security Features User's
Guide
NSA MANUAL 130-2, Media Declassification and Destruction Manual
Abbreviations and Acronyms
AFSSI Air Force System Security Instruction
AIS Automated Information System
C4 Command, Control, Communications and Computer
CDROM or CD-ROM Read Only Optical Disks
COMPUSEC Computer Security
COMSEC Communications Security
CPU Central Processing Unit
CRT Cathode Ray Tube
CRYPTO Cryptographic
CSSO Computer Systems Security Officer
DAA Designated Approving Authority
DPL Degausser Products List
EAROM Electronically Alterable ROM
EEPROM Electrically Erasable PROM
EPROM Erasable Programmable Read Only Memory
IP Information Protection
NATO North Atlantic Treaty Organization
NCSC National Computer Security Center
NSA National Security Agency
Oe Oersted
OPR Office of Primary Responsibility
PROM Programmable Read Only Memory
RAM Random Access Memory
ROM Read Only Memory
SAR Special Access Required
SBU Sensitive but Unclassified
SCI Sensitive Compartmented Information
SF Standard Form
SIOP Single Integrated Operational Plan
SRAM Static Random Access Memory
TCB Trusted Computing Base
UVPROM Ultraviolet Programmable Read Only Memory
WORM Write Once, Read Many Optical Disks
Terms
Automated Information System--Any equipment or interconnected system or
subsystems of equipment that is used in the automatic acquisition, storage,
manipulation, management, movement, control, display, switching, interchange,
transmission, or reception of data and includes software, firmware, and hardware.
NOTE: The term "AIS" includes stand-alone systems, communications systems,
and computer network systems of all sizes, whether digital, analog, or hybrid;
associated peripheral devices and software; process control computers; security
components; embedded computer systems; communications switching computers;
Personal Computers; workstations; microcomputers; intelligent terminals,
word processors; automated data processing (ADP) system; office automation
systems; application and operating system software; firmware; and other AIS
technologies, as developed.
Clearing--Removal of data from an AIS and its storage media in such a way
that the data may not be reconstructed using normal system capabilities (i.e.,
through the keyboard). Note: An AIS need not be disconnected from any external
network before clearing takes place. Clearing enables a product to be reused
within, but not outside of, a secure facility. It does not produce a declassified
product.
Coercive Force--Negative or reverse magnetic force applied to reduce magnetic
flux density. For example, the force applied to magnetic media by a degausser.
Coercivity--Amount of applied magnetic field (of opposite polarity) required
to reduce magnetic induction to zero. Coercivity is measured in oersteds
(Oe). It is often used to represent the relative difficulty of degaussing
various magnetic media.
Declassification--Administrative decision or procedure to remove or reduce
the security classification of the subject media.
Dedicated Security Mode--AIS security mode of operation wherein each user,
with direct or indirect access to the system, its peripherals, remote terminals,
or remote hosts, has all the following: 1) valid security clearance for all
the information within the system, 2) formal access approval and signed
non-disclosure agreements for all the information stored and/or processed
(including all compartments, subcompartments, and/or special access programs),
3) valid need-to-know for all information contained within the AIS.
Degauss--Destroy information contained in magnetic media by subjecting that
media to high-intensity alternating magnetic fields, following which the
magnetic fields slowly decrease.
Degausser--Electrical device or hand-held permanent magnet that can generate
a high-intensity magnetic field to sanitize magnetic storage media.
Designated Approving Authority (DAA)--Official with the authority to formally
assume responsibility for operating an AIS or network within a specified
environment.
Dynamic Random Access Memory (DRAM)--A random access data storage method
in which the memory cells require periodic electrical refreshing to avoid
loss of data held. DRAM is erasable and reprogrammable. DRAM will lose
its contents when the power is removed (volatile memory).
Electrically Erasable Programmable Read-Only Memory (EEPROM)--A special kind
of ROM that can be electrically erased and reprogrammed. It can be erased
by an electrical signal rather than by exposure to ultraviolet light.
Erasable Programmable Read-Only Memory (EPROM)--ROM that is erasable and
reprogrammable. This type of ROM is usually erased off-circuit, usually by
exposure to an ultra-violet light source.
Flash--A specific family of EEPROM devices that hold their content without
power. It can be erased in fixed blocks rather than single bytes. Block sizes
range from 512 bytes up to 256 kB.
Information--Data derived from observing phenomena and the instructions required
to convert that data into meaningful information. NOTE: Includes operating
system information such as system parameter settings, password files, audit
data, etc.
Level-of-Protection--Established safeguards with controls to counter threats
and vulnerabilities based on the security requirements. Assures availability,
integrity, and confidentiality of the C4 system.
Magnetic Media--Media used to store computer data using magnetic force. There
are currently three types of magnetic media. They are defined based on their
coercivity as: (1) Type I: Media whose coercivity is no greater than 350
Oe. (2) Type II: Media whose coercivity lies in the range of 351 to 750 Oe.
(3) Type III: Media whose coercivity is 751 Oe or higher.
Magnetic Oxide--Surface coating (iron oxide) employed on magnetic media.
It is sensitive to magnetic forces and allows the media to retain data in
the form of discrete magnetizations.
Magnetic Remanence--Magnetic representation of residual information that
remains on a magnetic medium after the magnetizing force is removed.
Object Reuse--Reassignment of a storage medium (e.g., page frame, disk sector,
magnetic tape) that contained one or more objects, after making sure no residual
data remained on the storage medium.
Oersted--The unit of measure of the magnetizing force necessary to produce
a desired magnetic flux across a surface.
Overwriting Cycle--An overwrite program writes to every addressable location
(including bad sectors, file allocation tables, the space between the end
of file and the end of a sector or block, etc.) on the media for the number
of consecutive cycles necessary for that storage medium. Note: An example
of an overwrite cycle is writing a binary zero (i.e., 0000 0000) to each
location (byte), then writing its complement binary one (i.e., 1111 1111).
At the end of the required number of cycles, an alphabetic character (such
as "a") should be written to each location.
PC Card--A memory or Input/output card claiming compatibility with the PCMCIA
card standards. These devices carry out PCMCIA functions requiring Memory,
I/O, and/or IRQ resources.
Personal Computer Memory Card International Association (PCMCIA)--The
organization of marketing and engineering professionals that defines the
architecture of PCMCIA. Also used to refer to the technology.
Periods Processing--Processing of various levels of classified and unclassified
information at distinctly different times. NOTE: Under periods processing,
the AIS (operating in dedicated security mode) is cleared or sanitized (as
appropriate) of all information from one processing period before
transitioning to the next when there are different users with different
authorizations.
Programmable Read-Only Memory--ROM that can be programmed (written to) once,
but not reprogrammed.
Purging--The removal of data from an AIS and its storage media in such a
way as to provide assurance that the data is unrecoverable by
technical means. Purging is the first step in removing classification
from media. The other two steps are review of the media, and administrative
removal of security classification markings and controls. (See clearing)
Residue--Data left in storage after automated information processing
operations are complete, but before degaussing or overwriting has taken place.
Retention Properties--Data left in storage after degaussing or overwriting
has taken place.
Random Access Memory (RAM)--The general category of all storage media whose
power must remain constant in order to maintain its contents.
Read-Only Memory (ROM)--Memory unit in which instructions or data are
permanently stored for use by the machine or for reference by the user. The
stored information is read out nondestructively, and no
information can subsequently be written into the memory.
Sensitive Information (SI)--Information, the loss, misuse, or unauthorized
access to or modification of which could adversely affect the national interest
or the conduct of Federal programs, or the privacy to which individuals are
entitled under Title 5, United States Code, Section 552a (the Privacy Act),
but not specifically authorized under the criteria established by an executive
order or an act of Congress keeping it secret in the interest of national
defense or foreign policy. NOTE: Protect systems that are not national security
systems, but contain sensitive information according to the requirements
of the Computer Security Act of 1987 (P.L. 100-235).
Sanitizing--The removal of information from AIS storage media such that data
recovery using known techniques or analysis is prevented. Sanitizing includes
the removal of data from the media (purging), verification of the purging
action, and removal of all classification labels and markings. Properly sanitized
media may be subsequently declassified upon observing the organization's
respective verification and review procedures.
Static Random Access Memory (SRAM)--A type of RAM that can be sustained with
a battery.
Storage Media--Material used to store data, such as tape reels and floppy
diskettes.
Type I Degausser--Equipment rated to degauss magnetic media having a nominal
coercivity of 350 oersteds or less.
Type II Degausser--Equipment rated to degauss magnetic media having a nominal
coercivity of 750 oersteds or less.
Type II Extended Range Degausser--Equipment rated to degauss magnetic media
having a nominal coercivity of 900 oersteds or less.
Type III Degausser--Equipment rated to degauss magnetic media having a nominal
coercivity of 1700 oersteds or less.
A2.1. Risk Awareness. Air Force policy is to safeguard sensitive data, no
matter what the storage or transmittal medium. Safeguarding sensitive
information in computer memory and storage media is particularly important
during routine maintenance, product end of life, and reuse. Computer security
personnel, operations personnel, and other responsible persons must be aware
of the risk factors before purging AIS storage media and releasing
them from the controlled environment. Computer system security officers (CSSOs)
must allow only authorized and properly cleared persons access to computer
storage containing sensitive information to ensure that sensitive information
is not compromised. The CSSO should anticipate and plan for temporary or
outright release of storage media or entire systems containing storage media.
A history of the use and maintenance of the system and its components can
provide evidence on which to base security determinations.
A2.2. Risk Considerations. When determining risk, consider the following
two basic threats to computer stored data:
A2.2.1. Keyboard Attack. Keyboard attacks use system resources and utilities
to extract information. You can defeat keyboard attacks by clearing
the system or storage media to make information unusable to a subject using
normal system capabilities.
A2.2.2. Laboratory Attack. Laboratory attacks use sophisticated signal recovery
equipment on specific system components in a laboratory environment
to recover stored information. Defeat laboratory attacks by purging
the information from the system or storage media, leaving it unrecoverable
to a level commensurate with its sensitivity. Purging is especially important
during maintenance (whether routine or otherwise). Purge information and
remove the classification from the device before allowing maintenance by
uncleared personnel. If this is not possible and destroying the device is
prohibitively expensive, an individual knowledgeable of possible improper
actions must observe the maintenance. For example, when a sensitive disk
drive is serviced, the observer should ensure that the maintenance person
does not walk off with a system board or an unpurged disk.
A2.3. Risk Assessment. When assessing the risk of releasing AIS storage media
from the secure environment, the CSSO must develop procedures that would
result in an acceptable level of risk. At a minimum, consider the following
threats:
A2.3.1. Compromise while moving from one site to another.
A2.3.2. Releasing classified (unsanitized) storage media for replacement
or repair unless the repair agency has personnel and facilities with proper
clearances.
A2.3.3. Returning classified storage media to a vendor. A storage unit returned
to a vendor's inventory could wind up with any computer system user,
foreign or domestic government, commercial, or civilian.
A2.3.4. Allowing temporary use of classified systems by uncleared personnel.
A2.3.5. Contracts requiring the return of leased equipment containing AIS
storage media to the vendor. Before leasing, determine if the vendor will
allow purging or removing AIS storage media before returning the equipment.
If the lease requires the vendor to remove magnetic storage media, closely
supervise any uncleared vendor personnel. The CSSO should brief escorts on
their responsibilities while escorting uncleared maintenance personnel. Document
specific escort responsibilities in a local directive.
A2.4. Risk Assessment Factors. The CSSO must assess the risks before deciding
whether to purge, remove classification and release storage media; clear,
retain and reuse them; or destroy them. They should consider the following
and any other pertinent information before deciding:
A2.4.1. What percentage of the total data stored is sensitive?
A2.4.2. Is the sensitive data scattered or predictably located and concentrated
in the storage device?
A2.4.3. How frequently is the data changed or relocated in the storage device?
A2.4.4. Are some combinations of the application program, data, or system
software more sensitive than others? If the system software, application
programs, and data are not equally sensitive, concern about the relocation
and term of residence would vary accordingly.
A2.4.5. How much compromise results if a segment on a storage device is not
receptive to purging? (Distribution or fragmentation of the data may make
it meaningless.)
A2.4.6. A storage device with a history of mechanical faults (such as
misalignment of read and write heads) may reduce the effectiveness of the
overwrite procedure.
A2.4.7. Tracks or sectors that become bad during the operation of a drum
or disk may lose their overwrite capability. To what extent might those tracks
or sectors retain sensitive information?
A2.4.8. To what extent do maintenance and diagnostic programs or other utility
programs provide the capability to dump, review, or overwrite memory and
other storage media?
A2.4.9. To what extent do multiple user system memory allocation procedures
prevent a new user from acquiring a previous user's data? This is important
to prevent accidental access during normal use or if a system malfunction
requires full memory reload.
A2.4.10. What is the destination of the released storage media? The risk
of compromise increases when releasing storage media outside the controlled
environment. Sophisticated signal recovery methods may recover data from
the media.
A2.4.11. The area between the end of file and the end of a block or sector
on a disk may contain classified information from previous files that were
larger. This information is recoverable and difficult to overwrite.
A2.4.12. The failure of degaussing equipment could result in all or most
of the data remaining on the magnetic media.
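The residue described in A2.4.11 can be seen in a small in-memory model. The following Python sketch is an added example, not part of the instruction; the 512-byte allocation unit, the file names, and the contents are constructed assumptions. It shows that overwriting only a file's logical length leaves the slack untouched, and that clusters released by a deleted file still hold its data.

```python
CLUSTER = 512  # assumed allocation unit size in bytes
MARKER = b"OLD-SENSITIVE-RECORD;"  # constructed stand-in for earlier data


class ToyDisk:
    """In-memory model: a byte array split into clusters, one extent per file."""

    def __init__(self, clusters):
        self.data = bytearray(clusters * CLUSTER)
        self.files = {}  # name -> (first_cluster, length_in_bytes)

    def write_file(self, name, first_cluster, content):
        # Only len(content) bytes are written; the tail of the last cluster
        # keeps whatever an earlier, larger file left there.
        start = first_cluster * CLUSTER
        self.data[start:start + len(content)] = content
        self.files[name] = (first_cluster, len(content))

    def delete_file(self, name):
        # Deleting drops the directory entry; the stored bytes are untouched.
        del self.files[name]

    def extent(self, name):
        """Return (start, end_of_file, end_of_allocation) byte offsets."""
        first, length = self.files[name]
        clusters_used = max(1, -(-length // CLUSTER))  # ceiling division
        start = first * CLUSTER
        return start, start + length, start + clusters_used * CLUSTER

    def slack(self, name):
        """Bytes between the end of file and the end of its last cluster."""
        _, eof, end_alloc = self.extent(name)
        return bytes(self.data[eof:end_alloc])

    def overwrite(self, name, include_slack):
        """Zero the file: logical length only, or the whole allocation."""
        start, eof, end_alloc = self.extent(name)
        end = end_alloc if include_slack else eof
        self.data[start:end] = bytes(end - start)

    def unallocated(self):
        """Bytes of every cluster not covered by a current file's allocation."""
        used = bytearray(len(self.data))
        for name in self.files:
            start, _, end_alloc = self.extent(name)
            used[start:end_alloc] = b"\x01" * (end_alloc - start)
        return bytes(b for b, u in zip(self.data, used) if not u)


def demo():
    disk = ToyDisk(clusters=8)
    disk.write_file("old.dat", 0, MARKER * 40)           # 840 bytes, 2 clusters
    disk.delete_file("old.dat")
    disk.write_file("new.dat", 0, b"routine memo" * 10)  # 120 bytes, cluster 0
    results = {"slack_before": MARKER in disk.slack("new.dat")}
    disk.overwrite("new.dat", include_slack=False)
    results["slack_after_length_overwrite"] = MARKER in disk.slack("new.dat")
    disk.overwrite("new.dat", include_slack=True)
    results["slack_after_full_overwrite"] = MARKER in disk.slack("new.dat")
    results["unallocated_still_dirty"] = MARKER in disk.unallocated()
    return results
```

In this model the slack is clean only after the whole allocation is overwritten, and the second cluster of the deleted file remains readable until unallocated space is overwritten as well.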
A2.5. Minimizing Risk. The risk of compromise to electronically stored
information is impossible to eliminate. Therefore, the DAA must ensure that
the risk is at an acceptable level. Laboratory attacks against storage media
are expensive and time consuming. By developing and using good security
procedures, staying aware of the threats to computer storage, and not allowing
the identification and targeting of sensitive storage media, we can substantially
reduce the risk of information recovery through laboratory attack. The risk
is significantly increased if the storage device is targetable by a hostile
intelligence activity, for example:
A2.5.1. Is the storage device unique or is it commonly used by many users
at different classification and sensitivity levels?
A2.5.2. Is it easily identifiable as a device that contains or once contained
sensitive information (that is, sensitivity labels)?
A2.5.3. Is it easy to determine the office, unit, or location where it was
used?
A2.5.4. Can you determine the sensitivity of the information it contains
or contained?
A2.6. Determining Acceptable Risk. The DAA and CSSO must determine what is
an acceptable risk in each case. They should consider the full range of
vulnerabilities and security implications, to include: the actual loss if
an unauthorized entity extracts the residual information; the threat directed
against this information; and whether the threat of recovery and the potential
for damage, if the information is compromised, are great enough to justify the
cost of the protection. The actual loss may be considerably less than the
classification level would imply due to conditions, such as:
A2.6.1. Initial overclassification or perishability.
A2.6.2. Fragmentation or distribution of the data that leaves it unintelligible
or partially so.
A2.6.3. Procedures that may allow downgrading, such as deleting, disassociating,
or modifying the information.
Table A3.1 contains the nominal coercivity for the kinds and brands of magnetic
media listed. It is a compilation of the information available to HQ AFCA/SYSS,
Systems Security Protection Branch, at the time of publication and is not
all inclusive. It is intended to aid you in determining your degaussing
requirements. The guidance given in the notes column is valid for that storage
medium.
Table A3.1. NOMINAL COERCIVITY FOR VARIOUS STORAGE MEDIA.
NOTES:
1. Type I Media
2. Type II Media
3. Above Type II Media
4. Degauss with Type I degausser
5. Degauss with Type II degausser
6. Degauss with Type II extended degausser
7. Degauss with Type III degausser
8. May also be cleared or purged by overwriting
X. May not be degaussed
A4.1. Use of Approved Degaussers.
A4.1.1. Use only National Security Agency (NSA) evaluated degaussers to degauss
all magnetic media containing classified information. Place special emphasis
on degaussers used for media containing more sensitive information, such
as Top Secret, SIOP, intelligence, or compartmented information. Except for
magnetic computer disks, which are Type-independent, be sure to use the
appropriate Type degausser for the media to be degaussed. When degaussing,
observe the following rules:
A4.1.1.1. Type I degaussers can only degauss Type I media. Type I degaussers
cannot degauss Type II or Type III media; this includes any media with a
nominal coercivity of greater than 350 oersteds.
A4.1.1.2. Type II degaussers can only degauss Type I or Type II media. Type
II degaussers cannot degauss Type III; this includes any media with a nominal
coercivity of greater than 750 oersteds.
A4.1.1.3. Type II extended degaussers can only degauss Type I and Type II
media, or Type III media with a nominal coercivity of 900 oersteds or less.
Type II extended degaussers cannot degauss Type III media with a nominal
coercivity of greater than 900 oersteds.
A4.1.1.4. Type III degaussers can degauss Type I, Type II, or Type III media
with a nominal coercivity of 1700 oersteds or less.
A4.1.2. The Information Systems Security Products and Services Catalog, Degausser
Products List (DPL), contains degaussers evaluated against either the National
Security Agency (NSA) Specification L14-4-75, or the later version, L14-4-A.
Both magnetic tape degausser specifications include the applicable federal
specifications and military standards. The Information Systems Security Products
and Services Catalog is available from the Government Printing Office.
A4.1.3. The DPL requires that degausser products be tested to ensure continued
compliance with the specification. Correct testing of degaussers is performed
through a degausser certification process which tests the degausser's
erasure level per the specifications set forth in NSA/CSS L14-4-A. NSA requires
that certifications be performed every 6 months for the first year of operation
after which they should be performed on a regular basis not to exceed 18
months. These certifications must be performed to ensure the degaussing equipment
is functioning properly.
A4.2. Non-evaluated In-Use Degaussers. Continue to use non-evaluated in-use
degaussers to clear Type I media. Use of these degaussers to purge Type I
media requires written approval from the cognizant DAA. Advise the DAA of
the kind of degausser (for example, fixed, paddle, bar permanent magnet,
electromagnet), brand, model, serial number, field strength (include the method
used to determine the field strength), and the highest classification being
degaussed. The DAA will not approve a non-evaluated degausser for use on
Type II magnetic computer or video tape, but may approve it to purge Type
I media and any magnetic computer disks if it meets the following minimum
criteria:
A4.2.1. The degausser must have a minimum field strength of 1500 oersteds
at the degaussing platform. Measure the field strength with a gauss meter.
A4.2.2. If measurement of field strength is not possible, the manufacturer's
specifications must state that the minimum field strength is at least 1500
oersteds.
NOTE: The DAA must exercise caution when approving degaussers that are not
formally evaluated for purging media. This is especially true for media
containing more sensitive information, such as Top Secret or SAR, or information
controlled by other agency rules, such as SIOP, compartmented, intelligence,
and NATO. There is a risk that degaussers not formally evaluated may not
completely purge data from the media.
A4.3. Replacement of Non-evaluated Degaussers. Users should initiate action
to replace or augment non-evaluated degaussers with degaussers listed on
the DPL.
A4.4. Procurement and Use of Degaussers. Procure only degaussers listed on
the DPL. If you cannot get an evaluated degausser and must buy a non-evaluated
degausser, your DAA must approve its purchase. Test the proposed degausser
under NSA/CSS Specification L14-4-A, Magnetic Tape Degausser, dated 31 October
1985 (or superseding specifications). Data supporting the request must include
all of the information listed in paragraph A4.2., the testing agency, test
results, and a statement telling why an evaluated degausser is not adequate
or available. Degaussers not listed on the DPL, or not yet formally evaluated
under NSA/CSS Specification L14-4-A are not approved for use with Type II
magnetic computer or video tape.
A4.5. Malfunctioning Degaussers. The degausser owner should immediately
contact the degausser vendor or a degausser repair service any time the degausser
is suspected of not performing properly. After repair, certify that the degausser
operates within the limits established by NSA/CSS Specification L14-4-A before
using it to degauss classified media. If unable to locate a source for this
certification, contact HQ AFCA/SYS.
DAA GUIDE TO SANITIZING CONTAMINATED SYSTEMS/NETWORKS
A5. General. The information provided in this attachment is not policy. It
is intended to assist DAAs in making sound decisions quickly after information
of a higher classification inadvertently contaminates their system or network.
The DAA should also consult attachment 2 before making the decision on how
to proceed with sanitizing the affected system(s).
A5.1. Determining What and How to Purge. Network AISs may not (in the DAA's
eyes) always require total purging after contamination. The DAA should evaluate
each case individually and take appropriate corrective action commensurate
with the sensitivity of the data, system vulnerabilities and risk (see attachment
2), and any possible adverse impact. Then, the DAA, in conjunction with
the data owner, may elect to accept the risk associated with a partial or
limited sanitization. In the following charts, we provide the DAA with three
sanitization options: complete, partial, and limited. A limited sanitize
involves sanitizing only those systems or memory locations where the
contaminating information was written or suspected to have been written.
In addition, sanitize the "clear" or temporary work space on the system(s).
When additional assurance is required, perform a partial sanitization
by purging the affected system(s). See warnings:
WARNING: The DAA must understand that they are personally responsible for
the acceptance of risk of compromise due to performing a limited sanitize
versus a complete sanitize.
WARNING: On networked systems, make sure hard drives on connected systems
are checked. Many times, especially with electronic mail, users will place
a copy of documents on their system's disk for future reference.
Table A5.1. Sanitization Options and Impacts.
A5.2. Decision Table. Table A5.1 shows some of the impacts and issues that
a DAA must consider before selecting a course of action. In addition, Table
A5.2 provides a DAA with a methodology for determining what sanitization
option is best. As indicated, a limited sanitization should rarely, if ever,
be used. The partial sanitization option, however, provides a more acceptable
balance between risk of compromise and the cost, effort, and adverse impact
on the mission. Using table A5.2, a partial sanitization is indicated if
conditions 1-4 and 8-10 are met. A limited sanitization requires all conditions
to be met.
Table A5.2. Determination of Sanitization Types.
Conversion to HTML by Cryptome.
Destruction Method
Destruction at an approved metal destruction facility (i.e., smelting,
disintegration, or pulverization).
Incineration.
Application of an abrasive substance (emery wheel or disk sander) to a
magnetic disk or drum recording surface. Make certain that the entire
recording surface is completely removed before disposal. Also, ensure proper
protection from inhaling the abraded dust.
Application of concentrated hydriodic acid (55% to 58% solution) to a gamma
ferric oxide disk surface. Acid solutions should be used in a well-ventilated
area only by qualified personnel.
Application of acid activator Dubias Race A (8010 181 7171) and stripper
Dubias Race B (8010 181 7170) to a magnetic drum recording surface. Technical
acetone (6810 184 4796) should then be applied to remove residue from the
drum surface. The above should be done in a well-ventilated area, and
personnel must wear eye protection. Extreme caution must be observed when
handling acid solutions. This procedure should be done only by qualified and
approved personnel.
AFC4A Air Force Communications Agency
3 1/2 in rigid disk
5 1/4 in floppy disk (360 K)
5 1/4 in floppy disk (high density)
8 in floppy disk (high density)
8MM
8MM
196 AMPEX
721 AMPEX
777 3M
795 AMPEX
797 AMPEX
799 AMPEX
895 Memorex
897 Memorex
5198 3M
6250 CPI (7, 8, 9 Track)
A-10 BERNOULLI CARTRIDGE
A-20 BERNOULLI CARTRIDGE
ANALOG VIDEO ADAPTATIONS
B-5 BERNOULLI CARTRIDGE
B-20 BERNOULLI CARTRIDGE
B-44 BERNOULLI CARTRIDGE
BETA SONY
BETACAM SONY
BETACAM SP SONY
BLACK WATCH 1/2 in CART 3M
C-FORMAT
D1
D2
DC 100 3M
DC 300 3M
DC 600 3M
DC 615 3M
DC 1000 3M
DC 2000 3M
ED-BETA
IBM 3480
ID1
ID2
M II (METAL PARTICLE) PANASONIC
MDC 750 MEGATAPE
PHILLIPS-TYPE, HIGH BIAS
PHILLIPS-TYPE, STANDARD
QUADRAPLEX
SVHS
SYQUEST SQ 100 CARTRIDGE
SYQUEST SQ 200 CARTRIDGE
SYQUEST SQ 400 CARTRIDGE
TK 50
TK 70
UMATIC SP 3/4
UMATIC
VHS
Table A5.1 columns: SANITIZATION OPTIONS; IMPACTS and ISSUES

SANITIZATION OPTION: Complete: Purge every system on the LAN and contaminated
backups. Declassify the system(s) after observing the organization's
respective validation and review procedures. Then, reload software and data
files from uncontaminated backup.
IMPACTS and ISSUES: High Assurance; Total system(s) overwrite; Data Loss;
Unbalanced solution (security drives operations); Entire network/all systems
down for extended period; All users affected; Workload (man-hours) intensive;
Relies totally on good (clean/recent) backups.

SANITIZATION OPTION: Partial: Find where written, purge affected systems and
contaminated backups. Declassify the system(s) after observing the
organization's respective validation and review procedures. Then, reload from
clean backup.
IMPACTS and ISSUES: Lower Assurance; Partial system(s) overwrite; Some data
loss; A balanced (operations and security) solution; Minimizes system
downtime; Adversely affects fewer users, systems, & missions; Many "overtime"
hours; Relies in part on good backups.

SANITIZATION OPTION: Limited: Find where contaminating information is written.
Purge file, "wipe" unallocated disk space and swap (temp) file space on
affected systems. Declassify the system(s) after observing the organization's
respective validation and review procedures. If necessary, reload from clean
backup.
IMPACTS and ISSUES: Unknown degree of Assurance; Overwrites contaminating
file, free space, temp space; Possibly no data loss; Unbalanced solution
(operations drives security); Very little downtime; Minimizes impact to
majority of users; May or may not require use of good backups.
Table A5.2 conditions:
1. The system is government owned and operated.
2. The system is accredited to at least C2 (or C2 functionality).
3. The system is accredited for unclassified processing only.
4. The material needing purging is classified secret or below.
5. The data is time sensitive (i.e., automatically downgraded to unclassified
after a short duration, such as tactical information).
6. The system frequently writes to the drive location(s) where the data was
inadvertently written or suspected to be written. (Note: generally, an e-mail
server is overwritten more frequently than an application or file server.)
7. The amount of information needing to be purged is less than 0.01% of total
drive size.
8. The residual risk associated with the limited purge outweighs the
effort/cost/adverse impact incurred if a complete purge was performed.
9. The system DAA approves of using the limited purge in this particular
instance.
10. The data owner concurs with the limited purge procedures.