Media Destruction Guidance

 
 

NSA's Center for Storage Device Sanitization Research (CSDSR) guides the sanitization of information system (IS) storage devices. Resources for a vendor of storage device sanitization, the NSA Evaluated Products Lists (EPLs), a search function for the EPL, and contact information for the Center for Storage Device Sanitization Research are provided on this page.  

Evaluated Products Lists

The NSA Evaluated Products Lists equipment that meets NSA specifications. These lists apply to all NSA elements and pertain to all IS storage devices utilized by NSA elements, contractors, and personnel. Policy: For disposal or recycling per NSA/CSS Policy Statement 9-12, "NSA/CSS Storage Device Sanitization" (Reference 1), Information stored on these devices may range from UNCLASSIFIED to TOP SECRET and may include compartmented, sensitive, or limited-distribution material.

The CSDSR updates the EPL quarterly.

Vendor Information

Vendors should follow this NSA evaluation process guidance for Information Storage (IS) sanitization systems. These devices must undergo an evaluation performed by the NSA and satisfy the requirements mandated for the type of storage devices being destroyed. Once the assessment is successful, the device will be included in the next update of the EPL. The EPL is meant to serve as guidance; inclusion in this document is not an endorsement by the NSA or the U.S. Government. All listed products are approved for the destruction of TS/SCI and below.


Vendor Requirements

 

Vendor Process


Collapse All Expand All

Step 1: Pre-Evaluation
                A. Begin by getting the appropriate requirements
B. Check for compliance
C. Does it support requirements?
1. If yes, continue to Step 2: Submittal
                2. If no, Stop
Step 2: Submittal
                A. Develop submittal documents
                B. Submit to NSA/CSS
                C. MOA/Appendix A process
                                1. If accepted, proceed to item D in this submittal process.
                                2. If no, update submittal and re-start item C in the submittal process.
                D. Vendor send equipment
                                1. If received equipment, proceed to Step 3: Evaluation Pending.
                                2. If did not receive equipment, return to item D in the submittal process.
Step 3: Evaluation Pending
                A. If equipment was received and is ready for testing by NSA/CSS, proceed to Step 4: Testing.
                B. If equipment was not ready for NSA/CSS testing, wait until equipment is ready for testing.
Step 4: Testing
                A. Evaluation Testing
                B. If testing completed, proceed to Step 5: Analysis.
                C. If testing incomplete, begin item A again in the testing process.
Step 5: Analysis
                A. Review test results
                B. If test passed, proceed to Step 6: Finalization.
                C. If test failed, proceed to Step 6: Finalization.
Step 6: Finalization
                A. Ship equipment to the vendor
                B. End process.

Vendor FAQ

Collapse All Expand All

Submit/email product evaluation request to NSA CSDSR with product documentation. If NSA determines that an evaluation is worthwhile/warranted, CSDSR will submit for an MOA to be created for the vendor and the process will be started to have the equipment shipped to CSDSR. Once the equipment is received CSDSR strives to have an 18-week turnaround time. 

Yes, but CSDSR must test your device against the requirements set for all types of media your device "destroys". If a product is tested for multiple devices and fails some of those devices, the device will not be approved or listed for those devices. The product will be approved for only the devices it sanitized to NSA specifications. 

Yes, due to advances in hard disk drive technology NSA will no longer accept degaussers for evaluation with magnetic fields less than 30000 Gauss.  

 

Customer FAQ

Collapse All Expand All

Unfortunately, you do have to destroy your drives. CSDSR has not approved any software erasure methods. Physical destruction is the only secure way to ensure your data is gone. For devices such as routers, switches, etc., contact your local security office. 

We recommend you recycle, but you are free to dispose of your non-classified debris in any manner. 

Thoroughly inspect the machine for storage device particulate that may not have been disposed of. Ensure that you perform a thorough search, Once complete, you may dispose of in any manner you like. We recommend you recycle.   

Yes, physically destroying a hard drive is an additional level of security and helps ensure that this drive is not accidentally mistaken for a working drive. Note: Destruction does not replace degassing. You MUST degauss your hard drive.  

These drives are still in development and aren't publicly available.  If you do have a HAMR drive or MAMR drive, you'll need to incinerate the drive to ash. No other method currently exists capable of securely sanitizing this data. 

Yes! If you're an eligible entity, the NSA Classified Material Conversion (CMC) office may be able to help you. Please contact them at (301) 688-6672 or visit their website for more information. If you are not eligible for their assistance, we recommend you purchase a unit on our EPL or find a service in your area to destroy your information for you; verify that any service you utilize complies with our EPL. 

Potentially, but not instantly. The vendor of the device must initiate a request to have their device evaluated and CSDSR would need to perform a full examination of the device before we could make a determination. 

Please contact the manufacturer and request a "statement of volatility." Follow the instructions contained within and remove all non-volatile storage and disintegrate. If you cannot remove nonvolatile memory, then you must disintegrate the board.  Ensure volatile memory is sanitized by disconnecting the power for at least 24 hours. Contact your local security office for guidance and procedures.  

Typically no, but you can contact your local security office for specific guidance.  

Batteries need to be removed. Batteries can explode if shredded. If possible, LCD screens should also be removed.  Disintegrate these devices utilizing a product on our SSD Disintegrator EPL. 

Report the spill to your local security office and follow your organization's protocol. CSDSR requires the hardware to be destroyed in accordance with our EPLs. 

Please contact the manufacturer/vendor and ensure that the repair brings the device back to an "as stock" configuration.  Any alterations may invalidate the machine's approval. DoD 5200.01 V3 provides a little more information about this. 

EPLS are expected to be published every quarter but may be subjected to delays. 

DoD 5200.01 V3 allows for a six-year window for you to use this product until you replace it. The expiration for this six-year period will be listed in the EPL.  CSDSR does recommend you replace your device as soon as you can. 

All approved products on the EPL are capable of sanitizing TS/SCI material and below.  Any device not listed within the EPLs is not approved for DoD usage for material at any classified level.  

 

For further technical information contact the Center for Storage Device Sanitization Research submit a web form request.