This new ISOO directive will redefine what it means to keep CUI data, and ultimately the American people, safe. While executive branches and agencies continue to move towards federally mandated and private sustainability goals, as well as update existing equipment to meet the new CUI standards, it is important to know that systems exist that can assist in meeting both targets in a cost-effective manner with the same end-of-life system.
Click the button below for an instant download.
In the age of social media, it’s quite normal for many people to put their entire lives online. Whether it’s someone spilling all of their secrets in forms of podcasts, vlogs, and blogs or sharing too much about their assets and wealth in an Instagram post, it doesn’t seem like there is much that isn’t shared with the world wide web.
However, there are many types of information that not only just shouldn’t be shared but cannot be shared, especially when it pertains to our National Security. Let’s break down all of the different levels of information out there and the varying security classifications applied in order to properly identify and safeguard this information.
Top Secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is upheld by law or regulations to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.
When it comes to the destruction of these types of information, best practices can vary. The question you should always ask yourself is as follows: is my end-of-life data destruction equipment designed to securely destroy this information? To ensure the highest security data destruction, the federal government requires that classified data only be destroyed with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and utilizes stringent destruction criteria determined by the NSA. You can find more information about NSA-mandated destruction of storage devices here.
Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA listed paper shredders, disintegrators, degaussers, and IT crushers are fully equipped to securely destroy all of your end-of-life data.
Sensitive Compartmented Information (SCI) and Special Access Program (SAP) are considered highly classified information that is controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access levels are only granted to those who already hold a Top Secret (TS) clearance. This information ranges from intelligence sources and methods to analytical processing and targeting, as well as information unique to a specialized program or project. This information is only accessible by those granted “a need-to-know basis” and thus safeguarded at the highest levels due to the nature of the classified information. Therefore, this information should only be destroyed with NSA EPL listed devices.
Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from telecommunications of the U.S. Government concerning issues such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, meaning using NSA EPL listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security, and the physical security of COMSEC material.
Controlled Unclassified Information (CUI) is all of the different kinds of unclassified information throughout the Executive Branch of the United States government that requires safeguarding or circulation control that is consistent with applicable laws, government policies, and regulations.
On November 4, 2010, the Executive Order 13556 “Controlled Unclassified Information” was established to create transparency throughout the federal government and non-government stakeholders as previous characterizations of sensitive but unclassified information (SBU) was not always consistent. This classification process standardizes these practices across over 100 different government departments and agencies, ranging from state and local, to tribal and private sectors. The Order also mandated that end-of-life media must be destroyed to NIST 800-88 specifications. For paper, this specification is a 1mm x 5mm particle size, which is the same as for classified information.
Typically, CUI information can consist of technical information with a military or space focus, legal material and law enforcement, federal healthcare, technical drawings and blueprints, immigration, and more. All of SEM’s IT destruction devices are NIST 800-88 and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.
Personally Identifiable information (PII) is any kind of information that can identify a specific individual. PII can be tricky as it is not anchored to any one category of technology or information.
The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs, and other specific information are all personally identifiable.
While data breaches should always be taken seriously, a breach of this kind of information can put the exposed people at an extremely high risk of identity theft and fraud. Take for example, the recent security breach at financial institution, Morgan Stanley. The incidents, which have occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of various computer equipment that were being used to store customers’ PII. You can read more about our thoughts on this breach here.
Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.
PHI is an umbrella term given to any kind of health information that is dated, received, transmitted, or stored by the Health Insurance Portability and Accountability Act (HIPAA) and their entities and business associates in relation to healthcare operations and payment. This information ranges from Social Security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information, so should be destroyed to completely prevent reconstruction or recovery using the same standards that apply to CUI.
Whether you’re looking to destroy personally identifiable, controlled unclassified, or top secret information, it is always best practice to follow data sanitization mandates. At SEM, we have wide array of high-quality end-of-life data destruction devices that not only meet NSA/CSS specifications, but are on the NSA/CSS Evaluated Products List, and follow the Controlled Unclassified Information (CUI) Executive Order.
Any one of our exceptional sales team members are more than happy to help answer any questions you may have about your data classification and help determine which machine will best meet your company and federally regulated destruction needs.
The Latest ISOO announcement details new target dates for policy, training, and implementation.
WESTBOROUGH, MA, May 26, 2020 —On 14 May 2020, the Information Security Oversight Office (ISOO) released CUI Notice 2020-01: CUI Program Implementation Deadlines (the “Notice”), which includes specific dates of implementation and deadlines for affected government agencies that handle or store Controlled Unclassified Information (CUI). The Notice applies to all Executive Branch agencies.
The Notice references 30 June 2020 as the deadline for the initialization of an awareness campaign for workforces within agencies that have access to CUI. By this date it is expected that relevant agencies will be able to define and identify potential CUI within an office as well as summarize the actionable plan the office will follow to properly store, dispose, and in the case of legacy material, re-mark and reuse said CUI information.
The deadline for agencies to draft their policies detailing CUI guidelines moving forward is 31 December 2020. By this date, now current policies must be rescinded or modified with a policy that satisfies the new mandates set by ISOO for individual agencies to follow, and these policies will be implemented over the course of the following calendar year. The use of any Classification Marking Tools (CMTs) in the labeling and marking of CUI materials must also be updated by the 31 December 2020 date.
“The CUI implementation timeline is a critical step towards data security in the U.S.,” said Andrew Kelleher, President and CEO of Security Engineered Machinery (SEM). “We applaud ISOO for their tireless efforts in safeguarding CUI. By ensuring all agencies are storing, labeling, and destroying CUI data appropriately, we can help protect government agencies and the citizens of our country as a whole.”
All physical safeguards must be in place by 31 December 2021, including how an agency ensures CUI is kept out of sight and out of reach from those who do not have access. All agencies that store CUI information in Federal Information Systems must additionally have those systems updated and configured to no lower than Moderate Confidentiality impact value, as outlined in 32 CFR 2002.14.
In addition, training on the policy for an agency’s workforce including sub-agencies must be implemented and completed by 31 December 2021. This includes detailing CUI’s purpose, individual responsibility, and destruction requirements. Destruction requirements for end-of-life CUI should be as detailed as possible and, at a minimum, follow specifications outlined by the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization. It should be noted that NIST 800-88 specifically states that paper containing sensitive information such as CUI must be destroyed to a 1mmx5mm final particle size at end-of-life, which is the same final particle specification as classified information destruction.
“Technology advancements have made it easier for criminals to reconstruct data, whether on digital or traditional media,” added Heidi White, SEM’s Director of Marketing. “Ensuring that end-of-life media is destroyed to the appropriate specifications, which for CUI is NIST 800-88 standards, cannot be overstated.”
The Notice can be read in its entirety here.
