What Does NIST 800-53 Say About Media Sanitization?
U.S. federal NIST publication 800-53 was written to decrease data vulnerabilities in information systems and organizations. So what does it have to say about data sanitization in general, and data erasure specifically?
Media Sanitization Recommendations for US Federal Information Systems
The U.S. National Institute of Standards and Technology (NIST) develops information security standards and guidelines, including minimum requirements for federal information systems.
The guidelines in NIST 800-53, “Security and Privacy Controls for Information Systems and Organizations,” were developed in collaboration with industry, government, and academic organizations to reduce vulnerabilities to data threats and risks, “including hostile attacks, human errors, natural disasters, structural failures, foreign intelligence entities, and privacy risks.”
To help reduce these risks, NIST 800-53 embeds this standard definition of data sanitization:
Data sanitization is the process of irreversibly removing or destroying data stored on a memory device (e.g., hard drives, flash memory/solid state drives, mobile devices, CDs, and DVDs) or in hard copy form.
Both private and public sector organizations will often use certified data erasure software to achieve data sanitization, removing data and protecting it from unauthorized access after the data is no longer needed.
The variety and volume of storage media used in organizations has grown exponentially, and such media will remain a component of federal information systems. Storage media carry many vulnerabilities, which has made it necessary to recommend which sanitization methods to employ and when sanitization should be performed.
NIST 800-53 recommends media sanitization prior to:
What NIST Says About Media Sanitization
NIST Clear and Purge, defined in a companion publication (NIST 800-88), are categories of data sanitization (sometimes referred to as data “wiping”) that have become commercial standards used to sanitize many different types of media. Digital media can include hard disk drives (HDDs), solid-state drives (SSDs), mobile devices, USB drives, optical media, and more.
The recommendation to wipe data prior to disposal is not new: NIST 800-88 has included data erasure as a sanitization option since 2006. Today, heightened security concerns have extended that recommendation to devices being released from organizational control and to devices being reused.
HIPAA and other regulations hold all parties liable when a data breach occurs. This has created the need to erase data in-house before IT assets are transferred to an IT asset disposition (ITAD) vendor, third-party service provider, leasing agency, or other entity.
Even when media is reused within an organization, there is a chance of a data spill or breach. When a computer is reassigned to another employee in the same organization, data may remain on the device and be at risk. NIST 800-53 recommends that these devices be wiped prior to reassignment.
The points in the IT asset lifecycle at which a device should receive NIST-compliant data erasure are increasing, and erasure will continue to be required at different stages of an asset’s lifespan.