NIST SP Rev. 1, Guidelines for Media Sanitization. Executive Summary: The modern storage environment is rapidly evolving. Data … Supersedes: SP (September ). Authors: Richard Kissel (NIST), Andrew Regenscheid (NIST), Matthew Scholl (NIST), Kevin Stine (NIST). Summary of NIST Special Publication, Guidelines for Media Sanitization: Recommendations of the National Institute of Standards and Technology.

NIST SP 800-88 Rev. 1 PDF


SP Rev. 1, Guidelines for Media Sanitization. Full text: PDF. Security publications from the National Institute of Standards and Technology (NIST). In December , the guidelines were revised, making the current version “NIST Special Publication Rev. 1” (“NIST SP ”). NIST Special Publication was sponsored by the Homeland Security Department. Download the entire NIST SP PDF (Rev. 1).

To support these efforts and to move towards greater uniformity, the Federal Acquisition Regulatory Council will amend the Federal Acquisition Regulation (FAR) to provide for the inclusion of contract clauses that address, as appropriate, the guidance covered in the sections below in Federal procurement solicitations and contracts.

Security Controls

For systems operated on behalf of the Government, the agency must require the contractor system to meet the appropriate baseline in NIST SP as modified by the agency to meet its risk management requirements.

For CUI, the moderate baseline for confidentiality should be applied and adjusted for any specific protection requirements required by law, regulation, or government-wide policy. When the contractor is operating the system to process data from more than one agency, or when there are non-government customers e. At a minimum, agency contractual language regarding incident reporting shall include the following:

- Language to indicate that a cyber incident that is properly reported by the contractor shall not, by itself, be interpreted as evidence that the contractor has failed to provide adequate information safeguards for CUI;
- The definition of what constitutes a cyber incident;
- The required timeline for first reporting to the agency;
- The types of information required in a cyber incident report, to include company and point of contact information, contract information, and the type of information compromised;
- The contractor shall send only one report to each agency POC identified in the contracts, not a report for each contract from that agency. The report may contain information required by other agencies, so one report may satisfy the requirements of multiple agencies; and
- Specific government remedies if a contractor fails to report according to the agreed-upon contractual language.

The specific requirements included in the contractual language shall be based on Federal law, OMB policies, NIST standards and guidelines, and other applicable standards and policies.

This approach to reporting will promote timely and meaningful information sharing that allows both the contractor and the agency to work closely together to investigate the incident, identify affected individuals, quickly respond to the incident and take other appropriate actions as necessary.

In determining the appropriate timeline and reporting information, agencies shall comply with Federal law, relevant OMB policies, and NIST standards and guidelines. At a minimum, contractual language shall ensure that all known or suspected cyber incidents involving the loss of confidentiality, integrity or availability of data for systems operated on behalf of the Government are reported to the designated agency Computer Security Incident Response Team (CSIRT) or Security Operations Center (SOC) within the timeline agreed upon in the contract.

All known cyber incidents in contractor internal systems must be reported if they involve the CUI in the system, but the contractor does not have to report all known or suspected cyber incidents. Finally, many contractors operating in the commercial marketplace already receive a variety of independent assessments to protect other data and these should inform an ATO process that meets NIST standards and guidelines.

What is NIST 800-88, and What Does “Media Sanitization” Really Mean?

Security assessments not only confirm that contractors are maintaining their security posture; they also allow the agency to validate the maintenance of the previously performed independent assessment. Access shall be provided to the extent required to conduct an inspection, evaluation, investigation or audit and to preserve evidence of information security incidents. Finally, agencies should include contract language requiring that, prior to contract closeout, the contractor must:

- Certify and confirm the sanitization of government and government-activity-related files and information; and
- Submit the certification to the Contracting Officer following the template provided in NIST SP , Guidelines for Media Sanitization.

To the extent that a contractor generated, maintained, transmitted, stored, or processed PII, the SAOP should review the certification. Agencies should identify in the contract solicitation how they expect the contractor to demonstrate in its proposal that it meets the requirements of NIST SP , including the security assessment for contractor internal systems.

If the agency determines that providing the DHS CDM capabilities to a contractor operating information systems on behalf of the Government is not feasible, the contract must ensure that, at a minimum:

- Contractor-operated systems meet or exceed the information security continuous monitoring requirements identified in M; and
- The agency may elect to perform information security continuous monitoring and IT security scanning of contractor systems with tools and infrastructure of its choosing.

While existing contracts may direct the contractor to self-report required ISCM information to the agency, this approach may no longer be sufficient. Agencies and contractors must therefore work together to determine and implement an appropriate solution that fulfills the ISCM requirements.

Business Due Diligence

Cybersecurity protections in Federal acquisitions can be further enhanced by performing increased business due diligence to gain better visibility into, and understanding of, how contractors develop, integrate, and deploy their products, services, and solutions, as well as how they assure integrity, security, resilience, and quality in their operations. GSA has been working with agencies to explore and pilot the use of public records, publicly available data, and commercial subscription data to support business due diligence analyses.

Such analyses are consistent with the guidelines in NIST SP , Supply Chain Risk Management Practices for Federal Information Systems and Organizations, which calls for agencies to frame, assess, respond to, and monitor information and information system-related security and supply chain risks using a holistic, organization-wide risk management process. Accordingly:

- Agency program offices shall work with their CIOs to identify and prioritize planned acquisitions and contracts that can benefit from business due diligence research;
- Building on the work it has done to date, GSA shall create a business due diligence information shared service. This shared service will provide agencies with access to risk information that encompasses data collected from voluntary contractor reporting, public records, publicly available data and commercial subscription data, based on transparent, objective, and measurable risk indicators;
- GSA shall make research tools available for these purposes for use by agencies throughout the acquisition, sustainment, and disposal lifecycles. These efforts shall be complementary to, and not a replacement for, existing government supply chain risk management activities that agencies conduct; and
- Within 90 days of the issuance of this memorandum, the interagency cybersecurity group established by the CIO and CAO Councils shall work with GSA to identify and make recommendations to the Federal CIO and the Administrator for Federal Procurement Policy on risk indicators that should be used as a baseline for business due diligence research and other core requirements for the shared service.

Of interest in many of these tables are new hyperlinked references to the revised Verification section, which clearly reflects an increase in emphasis on this component. That brings us smartly to significantly expanded section 4.

In the brand new subsection 4.

The core of subsection 4. Selection of locations across addressable space, choosing a large enough number of media subsections so that the media is well covered.

Section 4. A new sample certification form reflecting these additions is included in Appendix G of the document. However, unlike the new verification guidelines, the items listed on the certificate would usually be provided by an asset tracking system. The additions to sections 4. However, NIST is not in the business of specifying how practitioners are supposed to go about implementing these guidelines and it has no say in their enforcement.

With these new recommendations on the record, the steps for implementation are already underway.

First, the certification agencies must interpret and adapt the revisions for their programs, and then the professionals at the end of the line need to figure out how to make it all work in the real world while remaining compliant.

Certifying Organizations

Since the Sept draft of SP Revision 1, several certifying bodies appear to have re-evaluated or upgraded their requirements for media sanitization. To one degree or another, all of these upgrades reflect a new focus on the verification and documentation component, if only by default.

This document references quality control and redundant verification sampling.

In addition, the quality control software is required to be different from the sanitization software. This document also contains the fundamental principle that the personnel performing quality control should not be the same as those who performed the sanitization. For its part, e-Stewards has released the second edition 2. Although e-Stewards indicates that further clarification is to follow down the road, they leave as the prevailing guidelines for the broad spectrum of media sanitization, including verification.

Data Sanitization Guidelines

This clarification was issued by Basel Action Network in March of Broadly speaking, a refurbisher must demonstrate that they have the operational framework to conform to NIST plus e-Stewards performance requirements, and they must have an information system that confirms conformance i.

Under 3. It also renders the media incapable of storing data afterward. These can be necessary for drives that are already beyond all possible use or standard overwriting methods because of physical damage.

That said, Purge and Clear, where applicable, may be more appropriate than Destroy in many cases. Not only does physical destruction contribute to environmental waste, it also shortens the useful lifespan of information technology storage devices.

These devices can often be used by other departments within the original organization, or even donated or sold to organizations with less stringent performance needs. There can also be difficulties in physically destroying some types of media, whether because of the particle size needed to effectively make all data irretrievable, the expense, or other factors. For these reasons, Blancco recommends considering Purge and Clear whenever these options are supported and it makes business sense to do so.

There are also instances, for highly protective data, where Purge and Destroy are used together to provide extra peace of mind against any form of data recovery. The Guidelines offer Clear, Purge and Destroy as valid options for sanitization based on the confidentiality requirements of the data rather than the storage technology on which the data resides. The NIST document goes into details for each method for various media configurations and situations, including how these apply to cryptographic erasure.

The linchpin, however—the attribute that provides confidence that data has been sufficiently sanitized and that organizational information is securely and permanently removed—is verification.

Two types of verification should be considered. The first is verification every time sanitization is applied…The second is a representative sampling verification, applied to a selected subset of the media. If possible, the sampling should be executed by personnel who were not part of the original sanitization action.

Yet erasure may not be complete if the process does not consider and handle areas that are defective, unallocated, or not mapped to active Logical Block Addressing (LBA) addresses. Dedicated sanitization methods may make up the difference, but confirmation can depend on vendor statements.
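The two verification types quoted above (full verification of every location, and representative sampling across the addressable space) can be made concrete with a small script. The following is an added example written for this page; it is not code from NIST SP 800-88, Blancco, or any other vendor. It models a drive as a byte image of fixed-size sectors, assumes an all-zero overwrite pattern, and chooses its own sampling parameters (10% of sectors, a minimum count, and always the first and last addressable sector); those parameters are the author's assumptions, not figures from the standard. The planted "residue" stands in for a region an overwrite missed, such as a defective or unmapped area.

```python
"""Added example: full and representative-sampling verification of an
overwritten media image. All sizes, patterns and sampling parameters below
are assumptions chosen for illustration, not values from NIST SP 800-88."""
import random

SECTOR = 512                          # assumed sector size in bytes
PATTERN = 0x00                        # assumed overwrite pattern: zeros
CLEAN = bytes([PATTERN]) * SECTOR     # what a correctly sanitized sector reads as
RESIDUE = bytes(range(256)) * (SECTOR // 256)  # constructed leftover data, never all zero


def make_sanitized_image(n_sectors, residue_at=None):
    """Constructed sample: an overwritten image, optionally with residual data
    planted at one sector index to simulate an area the overwrite missed."""
    img = bytearray(n_sectors * SECTOR)
    if residue_at is not None:
        img[residue_at * SECTOR:(residue_at + 1) * SECTOR] = RESIDUE
    return bytes(img)


def sector_clean(img, idx):
    """True if sector idx reads back as the expected overwrite pattern."""
    return img[idx * SECTOR:(idx + 1) * SECTOR] == CLEAN


def full_verification(img):
    """Type 1: read every addressable sector. Returns the indices still holding data."""
    n = len(img) // SECTOR
    return [i for i in range(n) if not sector_clean(img, i)]


def choose_sample(n_sectors, fraction=0.10, minimum=1000, seed=None):
    """Pick pseudorandom sector indices spread across the whole addressable space.
    The first and last addressable sectors are always included; the remainder is
    drawn uniformly without replacement. A fixed seed makes the sample reproducible
    for the audit record."""
    rng = random.Random(seed)
    count = min(max(minimum, int(n_sectors * fraction)), n_sectors)
    chosen = {0, n_sectors - 1}
    while len(chosen) < count:
        chosen.add(rng.randrange(n_sectors))
    return sorted(chosen)


def coverage_ok(sample, n_sectors, bins=10):
    """Sanity check that the sample really spans the medium: every tenth of the
    address space received at least one sampled sector."""
    hit = {i * bins // n_sectors for i in sample}
    return len(hit) == min(bins, n_sectors)


def sampling_verification(img, fraction=0.10, minimum=1000, seed=None):
    """Type 2: representative sampling. Returns how much was read and which
    sampled sectors still hold data."""
    n = len(img) // SECTOR
    sample = choose_sample(n, fraction, minimum, seed)
    dirty = [i for i in sample if not sector_clean(img, i)]
    return {"sampled": len(sample), "of": n, "covered": coverage_ok(sample, n), "dirty": dirty}


if __name__ == "__main__":
    # Constructed 2 MiB image with residue left in one sector.
    image = make_sanitized_image(4096, residue_at=1234)
    print("full verification, dirty sectors:", full_verification(image))
    print("sampling verification:", sampling_verification(image, minimum=100, seed=1))
```

Full verification is what catches the single planted sector deterministically; sampling only reports it if that sector falls in the sample, which is exactly the trade-off the text describes. Either result, together with the seed and sector list, is what belongs in the verification portion of the record.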

For non-magnetic media, other attributes of those media can make it difficult to know if the data deletion methods applied were truly effective. To make this verification process more efficient, Blancco can automate these verification processes according to user preference.

Without it, inadequate sanitization methods could be implemented in earnest and still leave organizational data vulnerable and exposed. Conducting the exercise of eradicating data through Clear, Purge, or Destroy mechanisms does not, in isolation, adequately meet audit-proof sanitization standards.

The equipment used: does it operate correctly and produce accurate information? Finally, proof of NIST sanitization comes in the form of a detailed certificate for each piece of electronic media that has been sanitized. This certificate can be printed or electronic, but it is a critical element that validates that data has been rendered irretrievable from the media that has been sanitized.

Data Sanitization

It typically lists each storage device by serial number. A proper certificate also describes the type of sanitization i. For any organization that must prove compliance with data security regulations and guidelines (including NIST), including heavily regulated industries, an auditable certificate is necessary. Without this certificate, NIST sanitization is neither complete nor guaranteed. These bottlenecks are related to software, hardware and personnel.
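To show what a per-device certificate record and its consistency checks look like in code, here is an added example written for this page; it is not the NIST Appendix G form and not any vendor's certificate format. The field names are the author's assumptions, and the checks encode the principles stated above: one record per serial number, the sanitization type recorded as Clear, Purge or Destroy, the verification type recorded, quality-control software different from the sanitization software, and the verifier not the same person as the sanitizer. The SHA-256 digest is a plain integrity check on the stored record, not a signature (a signature would need a key held by the validator).

```python
"""Added example: a per-device certificate of sanitization record with
consistency checks. Field names and vocabularies are assumptions for
illustration, not the layout of the NIST SP 800-88 Appendix G form."""
import hashlib
import json
from dataclasses import dataclass, asdict

METHOD_TYPES = {"Clear", "Purge", "Destroy"}     # sanitization types named in the text
VERIFICATION_TYPES = {"Full", "Sampling"}        # assumed vocabulary for the verification type


@dataclass
class SanitizationCertificate:
    serial_number: str       # one record per storage device
    media_type: str          # e.g. "HDD", "SSD" (free text, assumed field)
    method_type: str         # Clear / Purge / Destroy
    method_detail: str       # free text, e.g. overwrite pattern and pass count
    tool: str                # sanitization software or equipment, with version
    verification_type: str   # Full / Sampling
    verification_tool: str   # quality-control software; must differ from tool
    sanitized_by: str        # person who performed the sanitization
    verified_by: str         # person who performed quality control
    date: str                # ISO date string (assumed format)


def validate(cert):
    """Return a list of problems; an empty list means the record is consistent."""
    problems = []
    if not cert.serial_number.strip():
        problems.append("serial number is required")
    if cert.method_type not in METHOD_TYPES:
        problems.append("method type must be one of Clear, Purge, Destroy")
    if cert.verification_type not in VERIFICATION_TYPES:
        problems.append("verification type must be Full or Sampling")
    if cert.verification_tool.strip().lower() == cert.tool.strip().lower():
        problems.append("quality-control software must differ from the sanitization software")
    if cert.verified_by.strip().lower() == cert.sanitized_by.strip().lower():
        problems.append("verifier must not be the person who performed the sanitization")
    return problems


def render(cert):
    """Serialize a validated record to canonical JSON plus a SHA-256 integrity digest."""
    problems = validate(cert)
    if problems:
        raise ValueError("; ".join(problems))
    body = asdict(cert)
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return {"certificate": body, "sha256": digest}


def check_rendered(record):
    """Recompute the digest of a stored record; False if any field was altered."""
    body = record["certificate"]
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest() == record["sha256"]


if __name__ == "__main__":
    # Constructed sample record; all values are made up for illustration.
    cert = SanitizationCertificate(
        serial_number="SN-EXAMPLE-0001", media_type="HDD", method_type="Clear",
        method_detail="single-pass overwrite with zeros", tool="wipe-tool 1.0 (hypothetical)",
        verification_type="Sampling", verification_tool="qc-reader 2.0 (hypothetical)",
        sanitized_by="operator-a", verified_by="operator-b", date="2024-01-01")
    print(json.dumps(render(cert), indent=2))
```

A refurbisher's asset-tracking system would typically populate most of these fields automatically, as the text notes; the value of the checks is that a record which violates the separation-of-duties or tool-independence rule is rejected before it is issued rather than discovered at audit.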

OMB will review compliance during FedStat and CyberStat sessions, including agency continual review of contract activities to ensure that the guidance in this proposed memorandum is applied.

Purge applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.

Hard drives were still mostly being thrown away, warehoused without a plan, or destroyed physically; the concept of care, custody and control was still in its infancy for most IT departments.

Federal government, and its adoption has spread to countless private businesses and organizations.