Information Management

Cybersecurity: Sanitization of Media

By Order of the Secretary of the Army:

MARK A. MILLEY
General, United States Army
Chief of Staff

Official:

KATHLEEN S. MILLER
Administrative Assistant
to the Secretary of the Army

History. This publication is an administrative revision. The portions affected by this administrative revision are listed in the summary of change.

Summary. This pamphlet provides implementation guidance for the sanitization

and disposal of electronic storage media and information technology equipment except for standard hard drives that are addressed in a separate Department of the Army pamphlet.

Applicability. This pamphlet applies to the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve, unless otherwise stated.

Proponent and exception authority. The proponent for this pamphlet is the Deputy Chief of Staff, G-6. The proponent has the authority to approve exceptions or waivers to this pamphlet that are consistent with controlling law and regulations. The proponent may delegate this approval authority, in writing, to a division chief within the proponent agency or its direct reporting unit or field operating agency, in the grade of colonel or the civilian equivalent. Activities may request a waiver to this pamphlet

by providing justification that includes a full analysis of the expected benefits and must include formal review by the activity's senior legal officer. All waiver requests will be endorsed by the commander or senior leader of the requesting activity and forwarded through their higher headquarters to the policy proponent. Refer to AR 25-30 for specific guidance.

Suggested improvements. Users are invited to send comments and suggested improvements on DA FormDA FormDepartment of the Army form 2028 (Recommended Changes to Publications and Blank Forms) via email to usarmy.pentagon.hqda-dcs-g-6.mbx.publications-management@army.mil.

Distribution. This pamphlet is available in electronic media only and is intended for the Regular Army, the Army National Guard/Army National Guard of the United States, and the U.S. Army Reserve.

The procedures in this chapter establish the requirement to sanitize all media prior to disposal, release out of organizational control, or release for reuse in accordance with Department of Defense Manual (DODMDODMDepartment of the Defense Manual) 5200.01 Vol. 1 – 4 using tech-niques and procedures in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800 – 88 (the full citation for this publication is in appendix A of this DA PamDA PamDepartment of the Army Pamphlets. When media is sanitized, all portions of the media containing DOD information must be completely sanitized. Partial wiping or clearing of media does not meet Army or DOD security standards. Responsible personnel, to include commanders, directors, and information system security managers (ISSM) will ensure the appropriate actions are executed when disposing of IT equipment and electronic storage media containing any DOD information. This responsibility includes making sure that contracts address the requirements and guidance outlined in this DA PamDA PamDepartment of the Army Pamphlets by working with procurement contracting officers to ensure that sanitization is addressed properly in all contracts involving the use of electronic media. This responsibility also includes compliance with the Army Regulation (AR) 25 – 400 – 2, and environmental laws and regulations pertaining to the disposal and handling of hazardous IT waste.

As noted above, degaussing and physical destruction are often the most economical means of ensuring Army data is not remnant on media before disposing of it or before it leaves DOD control. The procedures in this chapter meet the require-ments identified in NIST SP 800 – 53, version 4, for control DM – 2.

Proper certification of sanitization and/or destruction is required for all Army storage media. Failure to control and properly account for media has resulted in issues that introduced unnecessary risk to Army operations in the past. Therefore, the procedures in this section are mandatory. The implementation of procedures in this chapter meet the requirements of NIST SP 800 – 53 controls, MA – 2(d), and MP – 6(1).