Classification Breakdown: Match Your Data to Its Destruction Method

December 11, 2020 at 8:15 am by Amanda Canale

In the age of social media, it’s quite normal for many people to put their entire lives online. Whether it’s someone spilling all of their secrets in the form of podcasts, vlogs, and blogs or sharing too much about their assets and wealth in an Instagram post, it doesn’t seem like there is much that isn’t shared with the world wide web.

However, there are many types of information that not only shouldn’t be shared but cannot be shared, especially when they pertain to our national security. Let’s break down the different levels of information out there and the security classifications applied to each in order to properly identify and safeguard that information.

Top Secret information (TS)

Top Secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is limited by law or regulation to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.

When it comes to the destruction of this type of information, best practices can vary. The question you should always ask yourself is this: is my end-of-life data destruction equipment designed to securely destroy this information? To ensure the most secure data destruction, the federal government requires that classified data be destroyed only with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and meets stringent destruction criteria determined by the NSA. You can find more information about NSA-mandated destruction of storage devices here.

Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA-listed paper shredders, disintegrators, degaussers, and IT crushers is fully equipped to securely destroy all of your end-of-life data.

Sensitive Compartmented Information (SCI) and Special Access Program (SAP)

Sensitive Compartmented Information (SCI) and Special Access Program (SAP) information are considered highly classified information that is controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access is only granted to those who already hold a Top Secret (TS) clearance. This information ranges from intelligence sources and methods to analytical processing and targeting, as well as information unique to a specialized program or project. It is accessible only on a “need-to-know” basis and is therefore safeguarded at the highest levels due to the nature of the classified information. Accordingly, this information should only be destroyed with NSA EPL-listed devices.


Communication Security (COMSEC)

Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from telecommunications of the U.S. Government concerning issues such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, meaning with NSA EPL-listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security, and the physical security of COMSEC material.


Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) covers all of the different kinds of unclassified information throughout the Executive Branch of the United States government that require safeguarding or dissemination controls consistent with applicable laws, government policies, and regulations.

On November 4, 2010, Executive Order 13556, “Controlled Unclassified Information,” was established to create transparency between the federal government and non-government stakeholders, as previous characterizations of sensitive but unclassified (SBU) information were not always consistent. This classification process standardizes these practices across over 100 different government departments and agencies, ranging from state and local, to tribal and private sectors. The Order also mandated that end-of-life media must be destroyed to NIST 800-88 specifications. For paper, this specification is a 1mm x 5mm particle size, which is the same as for classified information.

Typically, CUI can consist of technical information with a military or space focus, legal material and law enforcement information, federal healthcare information, technical drawings and blueprints, immigration information, and more. All of SEM’s IT destruction devices are NIST 800-88 compliant and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is any kind of information that can identify a specific individual. PII can be tricky, as it is not anchored to any one category of technology or information.


The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs, and other specific information are all personally identifiable.

While data breaches should always be taken seriously, a breach of this kind of information can put the exposed people at an extremely high risk of identity theft and fraud. Take, for example, the recent security breach at the financial institution Morgan Stanley. The incidents, which occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing various pieces of computer equipment that were being used to store customers’ PII. You can read more about our thoughts on this breach here.

Personal Health Information (PHI)

Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.

PHI is an umbrella term for any kind of health information that is created, received, transmitted, or stored by entities covered by the Health Insurance Portability and Accountability Act (HIPAA) and their business associates in relation to healthcare operations and payment. This information ranges from Social Security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information and should be destroyed so as to completely prevent reconstruction or recovery, using the same standards that apply to CUI.

Whether you’re looking to destroy personally identifiable, controlled unclassified, or top secret information, it is always best practice to follow data sanitization mandates. At SEM, we have a wide array of high-quality end-of-life data destruction devices that not only meet NSA/CSS specifications but are on the NSA/CSS Evaluated Products List, and that follow the Controlled Unclassified Information (CUI) Executive Order.

Any one of our exceptional sales team members is more than happy to answer any questions you may have about your data classification and to help determine which machine will best meet your company’s federally regulated destruction needs.

Effects of the Recent NSA EPL Changes

October 17, 2019 at 8:00 am by Paul Falcone


Every so often, federal agencies are given new data destruction standards delivered by a mandate from the NSA’s Evaluated Products Lists (EPLs). NSA EPLs dictate how end-of-life data must be destroyed at the top secret and classified level, from paper to hard drives to key tape and more. The industry at large continues to work towards (and past) these most secure end-of-life mandates because they are updated as criminals find ways to extract data from smaller and smaller fragments of media previously thought impossible to reconstruct. For example, prior to November 2018, DVDs were considered thoroughly destroyed at a 5mm final particle size, but no longer. The new maximum final particle size for classified DVDs is 2mm, which is over 50% smaller than the previously acceptable final particle size. So as we near the end of 2019, what are the latest changes to the list and how do they affect the destruction of top secret and classified data?


Blu-ray and DVD Particle Size Changes

The biggest change in the most recent overhaul of the NSA EPLs, in November 2018, was the announcement that the particle size for shredding DVDs would change from 5mm to 2mm. This mandate also stated that classified Blu-ray Discs (BDs) could for the first time be destroyed through shredding, whereas previously they could only be destroyed through incineration. The particle size requirement for BDs is the same as for DVDs: 2mm. The final particle size requirement for CDs remains at 5mm.

This change comes with a grace period, as the new mandate took agencies by surprise, with very few compliant machines currently available on the market. For the intelligence community, there is a three-year grace period. All other federal agencies will have six years to comply. This change also means there are no longer any NSA listed machines on the market that are able to destroy all classified optical and paper in one shredding chamber.

Changes to Throughput and Durability Tests

The NSA has also made a change in how they present information about both the throughput level of a machine and its one-hour durability test. The throughput level is no longer a specific number, but instead consists of a label of low, medium, or high volume. The one-hour durability test has been removed completely.

This change, however, comes with a caveat. The buyer should be aware that some less-than-scrupulous companies may take advantage of these more vague labels by advertising their machines with inflated throughputs. Therefore, when doing research on a data destroyer, it is imperative to look for companies with impeccable reputations and a history of honesty, as their integrity will be what ultimately dictates how they label the throughput of their machines.

Spreading the Word and Managing Budget

The difficulty with these changes is that while they ultimately keep data, and the citizens of this country as a whole, safe, it has been difficult to spread the word to every single organization that the NSA EPL ultimately affects. With top secret and classified data found in every federal agency and in a multitude of geographic locations globally, getting the news to every influencer and decision maker who handles security has proven challenging. For this reason, it is critical that commercial organizations involved in federal information security assist the government in spreading the word through their own channels, such as email, blogs (like this one), trade shows, and seminars. In addition, federal employees involved with data security may find it a best practice to check the NSA’s website for EPL updates on a regularly scheduled basis.

The other challenge, shared by nearly every industry and individual in existence, is funding. As new mandates are pushed out by the NSA, agencies are often required to purchase new equipment to meet those mandates. A facility that may have had a combo shredder to destroy all of its classified paper, CDs, and DVDs would now need an entirely separate machine to securely shred its DVDs (and now Blu-ray Discs). And, at any time in the future, that mandate could change again. It can sometimes feel like a gamble, but when it comes to protecting the data and information found at the top secret level, it is imperative that federal organizations involved with secure data destruction budget for anticipated changes. These are far from the last mandates that will be released. As criminals continue to find increasingly sophisticated methodologies for extracting data, it is critical that the NSA stay one step ahead.

Staying Up to Date

Regulations will change, and then they will change again. When it comes to sensitive information and the NSA EPLs, the one constant is the criticality of protecting data when it reaches end-of-life so that America’s top secret and classified information does not fall into the wrong hands. Thanks to the NSA’s testing and EPL listings, the intelligence community and federal organizations at large can feel confident that their end-of-life information will remain confidential, providing peace of mind to our country’s agencies and citizens.