What is a DoD Wipe?
First, note that this paper relates only to the wiping (that is, overwriting[1]) of magnetic hard
disk drives; other media, such as memory or solid-state devices are not
considered here.
To answer this question properly, one also needs to ask, "When?"
and "Under whose authority?" The reference to when
is necessary, since overwriting methods have changed in later editions
of DoD (Department of Defense) documents. Next, we note the DoD has
always stated the exact methods used to sanitize a hard disk must be
based upon the sensitivity of the information and be proscribed by the government
agency overseeing control of that information. Therefore, it is incorrect
to use the term "DoD wipe" (as if some single all encompassing
standard existed) without citing at least one specific dated reference.
What about the DoD 5220.22-M Wipe?
But doesn't DoD 5220.22-M specify a wipe standard? First, we must point
out that DoD 5220.22-M (the "M" stands for "manual") is
a wide ranging document covering all aspects of the security of classified
information when it must be transferred to or from (including networks), or
stored outside a government facility, or handled by anyone not directly employed
by the US government. Technically, DoD 5220.22-M, which is also known
as the National Industrial Security Program (NISP) Operating Manual
or NISPOM, was never intended to provide any specific overwriting procedures;
it has always referred to the Defense Security Service's Clearing and Sanitization
Matrix (DSS C&SM)[1] in such cases, which
does contain specific methods for the declassification of various media. The
1995 and 1997 editions of NISPOM included a copy of the DSS C&SM table
between sections 8-306(i.) and 8-400, but this is not always true (e.g., the
most recent edition of NISPOM does not do so). And as of the June 28, 2007
edition of the DSS C&SM, overwriting is no longer acceptable for the sanitization
of magnetic media; only degaussing or physical destruction.[2] However, that same
document also contains a note concerning "practical sanitization decisions"
for "cost effective security management" (i.e., most organizations
need not follow the DoD's policy of destroying hard disks).
Clearing and sanitization of media in section 8.301 (see below) without any
examples of how to carry out those guidelines.
In general, the reasons for the present confusion over what constitutes a
DoD wipe, including , appear to be twofold: .
While researching this material, we came across an old paper from the National
Computer Security Center at the Federation of American Scientists (FAS) archive
of the "NSA Rainbow Series and Related Documents" which mentions
an overwrite process in A Guide to Understanding Data Remanence in Automated
Information Systems.[3] Similar language
is also found in the ODAA Process Guide's Appendix O[4], in the section Overwriting;
though it presently "refers to sanitization procedures not associated
with fixed/rigid media to render such media unclassified." In part, it
states: "the contractor must develop an alternative procedure, such as
a three-time overwrite, for the media. The passes that are
developed must be a character, its complement, and then a third pass with
random characters."[5] But even here the
guide now adds, "This process will only be utilized as a clearing action
and the media must be safeguarded at the TOP SECRET level. When the media
is no longer needed, it must be destroyed."
An Important Clue?
When reading about Symantec Corporation's GDisk (which may be included
with present-day Symantec Ghost products), we discovered this utility has
a switch called "/dod"
which performs a hard disk wiping action as described in their document,
GDisk Disk Wipe Specifications.[6]
While reading this document, you can see its author(s) present the contents
of the Clearing and Sanitization Matrix table found in the January
1995 edition of NISPOM (where it was inserted between sections
"8-306. Maintenance" and "8-400. Networks" of that edition;
note that contrary to some popular comments on the web, it had nothing
to do with section 8-306 having been merely placed there out of convenience
for page layout) as pertaining only to magnetic disks; there are many
other media present in the original table. They very clearly show that apart
from degaussing, the action for clearing a disk is stated in note
"c: Overwrite all addressable locations with a single character,"
and the sanitization of a disk can be carried out using either note
"d: Overwrite all addressable locations with a character, its
complement, then a random character and verify [Note: This method is
not approved for sanitizing media that contains top secret information.]"
or note "m: Destroy (disintegrate, incinerate, pulverize, shred,
or melt)." Yet on page 3, after appearing to indicate that GDisk follows
the DSS Matrix note d. (it states, "GDisk performs a sanitize operation,
as defined by action d, when performing a disk wipe operation with the /dod
command modifier."), this document then makes a fantastic leap
into the next phrase which says, "The
following cycle occurs six times:" Where in any of the
DoD or DSS literature did that come from!? And if you took that phrase
logically, after examining the next four points in the document, you'd have
to conclude that the GDisk utility performs a ridiculous number of wipe
passes! (Six times the four items would equal twenty-four;
6 x 4 = 24, for 24 passes.) The items in the list are:
- All addressable locations are overwritten with 0x35.
- All addressable locations are overwritten with 0xCA.
- All addressable locations are overwritten with a pseudo-random character.
- All addressable locations are verified in hardware using the Verify Sectors
command to the disk.
Note that last item. It's a verification that carrying out the first three
items does indeed end up writing a "pseudo-random character" everywhere
on the disk. If we suppose that the first three items must be done six times,
then perhaps you might want to verify that each cycle was performing correctly.
But our reading of the original DSS document says that only three passes followed
by a verification are necessary! We are going to examine this utility in detail
and report back here as to the exact nature of its actions for a /dod wipe,
so keep asking us for it if you don't see this soon.
With GDisk's very odd six cycle interpretation of the DSS's straightforward
description of three overwrite passes plus a verification pass, is it any
wonder that other companies decided to come up with their own interpretations
of what a "DoD Wipe" consists of? The most prevalent actions we've
seen in a cursory survey of wiping software and hardware available on the
Net often describes a DoD wipe' as three cycles of alternating patterns of
0x00 and 0xFF, followed by an 0xF6 byte pattern for a total of seven passes.
But, as the DSS and other security organizations have pointed out, they rarely
include a verification pass!
CAN YOU ANSWER THE QUESTION? Where did the 7-pass overwrite
come from?
NISP Operating Manual (the real DoD 5220.22-M
Specifications)
The NISPOM[7] establishes the standard
procedures and requirements for all government contractors, with regards to
classified information. As of July, 2008, the current NISPOM is still dated
28 Feb 2006. Although the following list does contain all of its chapter headings,
only some chapter sections have been selected to show in detail those subsection
paragraphs (either in full or as bolded titles) that could possibly
contain any information related to the wiping of a hard disk. In particular,
note Section 8-301 (page 8-3-1):
- Chapter 1 - General Provisions and Requirements
- Chapter 2 - Security Clearances
- Section 1 - Facility Clearances
- Section 2 - Personnel Security Clearances
- Section 3 - Foreign Ownership, Control, or Influence (FOCI)
- Chapter 3 - Security Training and Briefings
- Chapter 4 - Classification and Marking
- Chapter 5 - Safeguarding Classified Information
- Section 1. General Safeguarding Requirements
- Section 2. Control and Accountability
- Section 3. Storage and Storage Equipment
- Section 4. Transmission
- Section 5. Disclosure
- Section 6. Reproduction
- Section 7. Disposition and Retention
- 5-700. General
- 5-701. Retention of Classified Material
- 5-702. Termination of Security Agreement
- 5-703. Disposition of Classified Material Not Received Under a
Specific Contract
- 5-704. Destruction
- 5-705. Methods of Destruction
- 5-706. Witness to Destruction
- 5-707. Destruction Records
- 5-708. Classified Waste
- Section 8. Construction Requirements
- Section 9. Intrusion Detection Systems
- Chapter 6 - Visits and Meetings
- Chapter 7 - Subcontracting
- Chapter 8 - Information System Security
- Section 1. Responsibilities and Duties
- Section 2. Certification and Accreditation
- Section 3. Common Requirements
- 8-300. Introduction
- 8-301. Clearing and Sanitization Instructions on
clearing, sanitization and release of IS media shall be
issued by the accrediting CSA.
[Editor's note: CSA is the "Cognizant Security
Agency (CSA). Agencies of the Executive Branch that have been authorized
by reference (a) to establish an industrial security program to
safeguard classified information under the jurisdiction of those
agencies when disclosed or released to U.S. Industry. These agencies
are: The Department of Defense, DOE, CIA, and NRC." (NISPOM,
February 28, 2006 Edition, Appendix C, Definitions, Page C-2.)].
a. Clearing. Clearing is the process
of
eradicating the data on media before reusing the
media in an environment that provides an acceptable
level of protection for the data that was on the media
before clearing. All internal memory, buffer, or other
reusable memory shall be cleared to effectively deny
access to previously stored information.
b. Sanitization. Sanitization
is the process of
removing the data from media before reusing the
media in an environment that does not provide an
acceptable level of protection for the data that was in
the media before sanitizing. IS resources shall be
sanitized before they are released from classified
information controls or released for use at a lower
classification level.
[ Editor's Note: The words Sanitization and sanitize
as used by the DSS and other government agencies have effectively
become synonyms for "destruction" and "destroy"
since the DSS no longer approves any overwriting procedures for
the downgrading of classified material.]
- 8-302. Examination of Hardware and Software
- 8-303. Identification and Authentication Management
- 8-304. Maintenance
- 8-305. Malicious Code
- 8-306. Marking Hardware, Output, and Media
- 8-307. Personnel Security
- 8-308. Physical Security
- 8-309. Protection of Media
- 8-310. Review of Output and Media
- 8-311. Configuration Management
- Section 4 - Protection Measures
- Section 5 - Special Categories
- Section 6 - Protection Requirements
- Section 7 - Interconnected Systems
- Chapter 9 - Special Requirements
- Section 1 - RD and FRD
- Section 2 - DoD Critical Nuclear Weapon Design Information (CNWDI)
- Section 3 - Intelligence Information
- Section 4 - Communication Security (COMSEC)
- Chapter 10 - International Security Requirements
- Chapter 11 - Miscellaneous Information
- Section 1 - TEMPEST
- Section 2 - Defense Technical Information Center (DTIC)
- Section 3 - Independent Research and Development (IR&D) Efforts
- Appendices
Further Reading and References
Department of Defense
Footnotes
- ^ DSS Clearing & Sanitization Matrix
June 28, 2007 edition (retrieved on 2008-06-14;
size: 90,386 bytes).
- ^ The DSS
Clearing and Sanitization Matrix (Updated June 28, 2007), end of second
paragraph, states:
"Effective immediately, DSS will no longer approve
overwriting procedures for the sanitization or downgrading (e.g. release
to lower level classified information controls) of IS
storage devices (e.g., hard drives) used for classified processing."
- ^ A
Guide to Understanding Data Remanence in Automated Information Systems,
Reveision 2, September 1991 . National Computer
Security Center. (retrieved from the Federation of American Scientists (FAS)
web site on 2008-06-15). We quote the relevant section in full:
"5.1.1 OVERWRITING
Overwriting is a process whereby unclassified data are written to storage
locations that previously held sensitive data. To satisfy the DoD clearing
requirement, it is sufficient to write any character to all data locations
in question. To purge the AIS storage media, the DoD requires
overwriting with a pattern, then its complement, and finally with
another pattern; e.g., overwrite first with 0011 0101 [35h],
followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an
overwrite must be accomplished depends on the storage media, sometimes on
its sensitivity, and sometimes on differing DoD component requirements.
In any case, a purge is not complete until a final overwrite is made using
unclassified data."
Note that the hexadecimal byte patterns in the quote above were merely given
as an example by the NCSC; yet these same exact bit patterns were used by
Symantec for their GDisk utility (see text in body of article).
"In addition, NIST Special Publication 800-88, Guidelines for Media
Sanitization, dated Sep 2006, can assist organizations and system owners
in making practical sanitization decisions based on the level of confidentiality
of their information, ensuring cost effective security management of their
IT resources, and mitigate the risk of unauthorized disclosure of information."
- ^ Quote from:
Office of the Designated Approving Authority (ODAA) Process Guide For Certification
and Accreditation Of Classified Systems under the National Industrial Security
Program Operating Manual (NISPOM)
Revised May, 2008; Revision 2008.1 Appendix O, page
O-5, first paragraph. DSS. May, 2008
(retrieved on 2008-06-14; size: 2,021,899 bytes).
- ^ Quote from:
Office of the Designated Approving Authority (ODAA) Process Guide For
Certification and Accreditation Of Classified Systems under the National
Industrial Security Program Operating Manual (NISPOM), Appendix O, page
O-5, last sentence.
[ Note: For the NSA, this has always been the case. Even the National
Computer Security Center's almost 20-year-old paper cited as 3. above,
A Guide to Understanding Data Remanence in Automated
Information Systems, Revision 2 (1991) already stated in section
4.6 (OVERWRITE SOFTWARE AND PURGING): "If any errors occur while overwriting
or if any unusable sector could not be overwritten, then degaussing is required."
The reasoning is that no matter how slight the chance may be, if that data
cannot be verifiably overwritten, then it could still possibly be read by
unauthorized parties. Section 4.4 (STORAGE DEVICE SEGMENTS NOT RECEPTIVE
TO OVERWRITE) of the same paper elaborates on this: "A compromise of
sensitive data may occur if media is released when an addressable segment
of a storage device (such as unusable or 'bad' tracks in a disk drive or
inter-record gaps in tapes) is not receptive to an overwrite. As an example,
a disk platter may develop unusable tracks or sectors; however, sensitive
data may have been previously recorded in these areas. It may be difficult
to overwrite these unusable tracks. Before sensitive information is written
to a disk, all unusable tracks, sectors, or blocks should be identified
(mapped). During the life cycle of a disk, additional unusable areas may
be identified. If this occurs and these tracks cannot be overwritten, then
sensitive information may remain on these tracks. In this case, overwriting
is not an acceptable purging method and the media should be degaussed or
destroyed." ]
- ^ GDisk
disk wipe specifications
Symantec Corporation (retrieved on 2008-07-13; size: 101,827 bytes).
- ^ NISPOM . Current
28 Feb 2006 edition. (retrieved as a PDF document
on 2008-06-14; size: 2,014,780 bytes, from the DSS).