CIT Introduces a Sanitization Service for Data Storage Media

Before you toss your old CDs and DVDs into the nearest trash can, or take an old hard-drive to a dumpster, consider the type of information these items hold. Electronic storage media related to federal information systems and the information processed, stored, and transmitted by those systems cannot be disposed of so casually. Even erasing and reformatting a disk does not permanently remove the data. Magnetic media that cannot be erased using an approved repeated-overwrite operation must be degaussed to completely erase data prior to recycling, reusing, donating, or disposal of the storage media. For optical media, such as CDs and DVDs, destruction is the only safe bet.

As part of its commitment to data security, CIT is offering a new Media Sanitization Service through the NIH Data Center for the secure disposal of information storage media. These include CDs, DVDs, tapes (except for the old round mainframe tapes) and disk media (e.g., hard drives and floppy disks). The NIH Data Center Media Sanitization Service is available to NIH, HHS, and other federal agencies.

Why is this service necessary?

In response to today's data security issues, the National Institute of Standards and Technology (NIST) issued the Federal Information Processing Standards Publication (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems. These standards require that organizations sanitize information system media, both digital and non-digital, prior to disposal or release for reuse. Based on the NIST publication, NIH issued the NIH Sanitization Guide (Word doc) which provides guidance, definitions, and procedures needed to satisfy the FIPS 200 requirement.

The CIT Sanitization Service meets the minimum sanitization requirements and risk levels according to NIST FIPS and SP as well as the NIH Sanitization Guide.

What is degaussing?

When data is stored in magnetic media (i.e. hard drives and magnetic tape), very small areas called magnetic domains change their magnetic alignment to be in the direction of an applied magnetic field. This is similar to a compass needle pointing in the direction of the earth’s magnetic field. Degaussing, commonly called erasure, leaves the domains in random patterns with no preference to orientation, thereby rendering previous data unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing. The information these domains represent is called magnetic remanence. Proper degaussing ensures there is insufficient magnetic remanence to reconstruct the data.

Benefits of the CIT Media Sanitization Service

CIT’s Media Sanitization Service offers the following key benefits:

• Reduces the risk of data exposure (increasing data security)
  • Degaussing uses a magnetic field to corrupt and render the data unreadable and unrecoverable. Remember, even when you delete and reformat files on a drive, the storage media still retains some data.
  • Storage media placed in a trash can or empty office area can easily be taken by anyone, causing security and inventory issues.

• Meets security requirements
  • With the use of NSA-approved degaussing products, the CIT service meets the minimum sanitization requirements and risk levels according to NIST FIPS and SP as well as the NIH Sanitization Guide.
  • All sanitized data storage media meets the same erasure requirements issued for classified or sensitive data by the NSA Central Security Service.

• Minimizes environmental risks
  • Disposing of obsolete information storage media by placing it in the trash is bad for the environment. As part of the degaussing service, if customers do not want their degaussed media back, CIT will coordinate with the NIH Office of Research Facilities, Division of Environmental Protection for recycling.

• Reduces Costs
  • CIT’s price for this service is lower than that of commercial vendors.
  • Certain types of sanitized data storage media (e.g., tapes) can be returned to the customer for reuse, saving our customers additional money.

Our equipment

CIT's degaussing device and optical media destruction equipment is NSA- and DOD-certified and stored in our highly secure NIH Data Center. The equipment sanitizes data from the following data storage media:

• Hard disk drives -- up to 3.5" diameter and 1.6" high


• Hard disks up to 5300 Oersted


• Tapes up to 2600 Oersted


• Removable magnetic disks


• Floppy disks


• Tapes up to 1/2" wide (type 3480)


• Other tapes -- DLT, LTO, QIC, DAT, 8mm, TRAVAN, and AIT tapes


• CDs and DVDs

Note: Hard disk drives are rendered permanently unusable by the sanitization equipment and should be submitted for the sanitization service only if they are no longer needed, are technically obsolete, or have already been damaged. Other magnetic media (e.g., tapes) can be reused but may require reformatting.</font>

What about disposal of the sanitized media?

If customers do not want their sanitized data storage media back, CIT will coordinate with the NIH Office of Research Facilities, Division of Environmental Protection (DEP) to recycle these media. DEP recently initiated a new recycling program to process "techno trash" including decommissioned hard drives, DVDs, CDs, floppy disks and discarded software disks.

Charges

As a fee-for-service offering, CIT charges will be as follows:

Media Sanitization Service	FY 2008 Rate
Tapes and hard drives (per item)	$2.56
CDs/DVDs/Diskettes (per 1/2 pound)	$4.00

The current charges for services provided by the NIH Data Center are listed on the CIT Rates page.

How to request this service

To use the media sanitization service do the following:

• Submit an Online Service Request through the NIH Help Desk with "Media Sanitization" in the description of the service request.


• Complete the media sanitization request form by going to: http://cit.nih.gov/ProductsAndServices/ApplicationHosting/DataCenterSecurity.htm and clicking on "Request for Media Sanitization."


• Fill out the form online (in the PDF) and then print it out. The form cannot be submitted online and must be printed out to be signed. Be sure to have it signed by your Administrative Officer.


• Fax the signed form to CIT at 301-402-3529.

Our staff will then contact you to schedule an appointment. At that time, bring the media to building 12A, room 1007. For most jobs of 10 units or less, the work can be completed while you wait. If the sanitization job cannot be completed immediately, CIT will contact you when it is finished. You may then retrieve the media from CIT or have CIT dispose of the media.

All customers will be responsible for transporting the storage media to and from the NIH Data Center.

More information

Further information on this service and the request form can be found by going to http://cit.nih.gov/ProductsAndServices/ApplicationHosting/DataCenterSecurity.htm and selecting the link "Request for Media Sanitization." Contact the NIH Help Desk at 301-496-4357, 866-319-4357 (toll free), or 301-496-8294 (TTY) or via web at http://ithelpdesk.nih.gov

Note: To view the Word document linked above if you do not have Word installed, you can download Microsoft's Word Viewer.