A Guide to Understanding Data Remanence in Automated Information Systems


Table of Contents


NCSC-TG-025

Library No. 5-236,082

Version-2

FOREWORD

The National Computer Security Center is issuing A Guide to Understanding Data Remanence in Automated Information Systems as part of the "Rainbow Series" of documents our Technical Guidelines Program produces. In the Rainbow Series, we discuss in detail the features of the Department of Defense Trusted Computer System Evaluation Criteria (DoD 5200.28-STD) and provide guidance for meeting each requirement. The National Computer Security Center, through its Trusted Product Evaluation Program, evaluates the security features of commercially-produced computer systems. Together, these programs ensure that organizations are capable of protecting their important data with trusted computer systems. While data remanence is not a directly evaluated criterion of trusted computing systems, it is an issue critical to the safeguarding of information used by trusted computing systems.

A Guide to Understanding Data Remanence in Automated Information Systems is intended for use by personnel responsible for the secure handling of sensitive or classified automated information system memory and secondary storage media. It is important that they be aware of the retentive properties of such media, the known risks in attempting to erase and release it, and the approved security procedures that will help prevent disclosure of sensitive or classified information. This version supersedes CSC-STD-005-85, Department of Defense Magnetic Remanence Security Guideline, dated 15 November 1985.

As the Director, National Computer Security Center, I invite your suggestions for revising this document. We plan to review this document as the need arises.

Patrick R. Gallagher, Jr. September 1991

Director

National Computer Security Center

ACKNOWLEDGMENTS

The National Computer Security Center extends recognition to Captain James K. Goldston, United States Air Force, for providing engineering support and for serving as primary author and preparer of this guideline. We thank the many people involved in preparing this document. Their careful review and input were invaluable. The National Computer Security Center extends recognition to Dr. Bane W. Burnham and David N. Kreft, without whom this revision could not have taken place. Other reviewers who provided much needed input are Carole S. Jordan, Lawrence M. Sudduth, Kim Johnson-Braun, and George L. Cipra.

1 INTRODUCTION

Data remanence is the residual physical representation of data that has been in some way erased. After storage media is erased there may be some physical characteristics that allow data to be reconstructed. This document discusses the role data remanence plays when storage media is erased for the purposes of reuse or release.

Various documents have been published that detail procedures for clearing, purging, declassifying, or destroying automated information system (AIS) storage media. [1, 2, 4, 5, 6, 8, 9, 13, and 16] The Department of Defense (DoD) published DoD Directive 5200.28, Security Requirements for Automated Information Systems, [17] and its corresponding security manual DoD 5200.28-M, Automated Data Processing Security Manual, [1] in 1972 and 1973, respectively. These two documents were amended in 1979, in response to the Defense Science Board Task Force recommendation to establish uniform DoD policy for computer security requirements, controls, and measures. The directive was again revised in March 1988, and efforts are underway to revise the manual.

DoD 5200.28-M addresses DoD requirements for the secure handling and disposal of memory and secondary storage media. While the Department of Defense requires the use of DoD Directive 5200.28 and DoD 5200.28-M by DoD components, the heads of DoD components may augment these requirements to meet their needs by prescribing more detailed guidelines and instructions provided they are consistent with these policies. DoD contractors and subcontractors who participate in the Defense Industrial Security Program (DISP) are required to comply with DoD 5220.22-M, Industrial Security Manual for Safeguarding Classified Information. [8] The Defense Investigative Service is responsible for the promulgation of the policy reflected in DoD 5220.22-M. Unlike these policy documents, A Guide To Understanding Data Remanence In Automated Information Systems does not provide requirements.

Sometime during the life cycle of an AIS, its primary and secondary storage may need to be reused, declassified, destroyed, or released. It is important that security officers, computer operators, and other users or guardians of AIS resources be informed of the risks involving the reuse, declassification, destruction, and release of AIS storage media. They also should be knowledgeable of the risks inherent in changing the sensitivity level of AIS storage media or of moving media from an installation with a specific security posture to one that is less secure. They should use proper procedures to prevent a possible disclosure of sensitive information contained on such media. ("Sensitive" in this document refers to classified and sensitive but unclassified information.) The procedures and guidelines in this document are based on research, investigation, current policy, and standard practice.

This guideline is divided as follows: Section 2 provides information on using this guideline and introduces DoD terminology. Section 3 discusses the use of degaussers and references the Degausser Products List (DPL), a listing of DoD evaluated degaussers. Section 4, "Risk Considerations," has information similar to that found in version 1 of this document, except for the modification of Section 4.2, "Effects of Heat and Age," and the addition of information on overwriting and degaussing. Section 5 addresses DoD endorsed erasure standards. Recently developed storage technologies and disk exercisers are discussed in Section 6. Section 7 addresses areas needing further investigation and provides references to additional information on the science of magnetics, as it pertains to magnetic remanence.

1.1 PURPOSE

The purpose of this publication is to provide information to personnel responsible for the secure handling of sensitive AIS memory and secondary storage media. (However, this guidance applies to any electronic or magnetic storage media, e.g., instrumentation tape.) This guideline provides information relating to the clearing, purging, declassification, destruction, and release of most AIS storage media. While data remanence is not a directly evaluated criterion of trusted computing systems, it is an issue critical to the safeguarding of information used by trusted computing systems and, as such, is addressed in this National Computer Security Center (NCSC) guideline. The NCSC publishes this document because the community using trusted computing systems has expressed the desire for this information. Additionally, readers should note that this is a guideline only and they should not use it in lieu of policy.

1.2 HISTORY

As early as 1960 the problem caused by the retentive properties of AIS storage media (i.e., data remanence) was recognized. It was known that without the application of data removal procedures, inadvertent disclosure of sensitive information was possible should the storage media be released into an uncontrolled environment. Degaussing, overwriting, data encryption, and media destruction are some of the methods that have been employed to safeguard against disclosure of sensitive information. Over a period of time, certain practices have been accepted for the clearing and purging of AIS storage media.

A series of research studies was contracted by the DoD to the Illinois Institute of Technology Research Institute and completed in 1981 and 1982. These studies confirmed the validity of the degaussing practices as applied to magnetic tape media. [19] Additional research conducted at Carnegie-Mellon University, using communication theory and magnetic modeling experiments designed to detect digital information from erased disks, has provided test data on the erasability of magnetic disks. [11, 21, and 22] This work, along with DoD research that has not yet been released, provides the basis for the disk degaussing standard. More studies are planned or underway to ensure the adequacy of DoD degaussing standards.

On 2 January 1981, the Director of the National Security Agency assumed responsibility for computer security within the Department of Defense. As a result, the Department of Defense Computer Security Center (DoDCSC), officially chartered by DoD Directive 5215.1, was established at the National Security Agency. [3] The DoDCSC Division of Standards (now Division of Standards, Criteria, and Guidelines) was subsequently formed and tasked to support a broad range of computer security related subjects. The DoDCSC became the NCSC in 1985, as amended in National Security Decision Directive 145. [15] As part of its mission to provide information useful for the secure operation of AISs, the NCSC published the Department of Defense Magnetic Remanence Security Guideline, which is version 1 of this guideline.

2 GENERAL INFORMATION

An AIS and its storage media should be safeguarded in the manner prescribed for the highest classification of information ever processed by the AIS. That is, until the AIS and its associated storage media are subjected to an approved purging procedure and administratively declassified. There should be continuous assurance that sensitive information is protected and not allowed to be placed in a circumstance wherein a possible compromise can occur. There are two primary levels of threat that the protector of information must guard against: keyboard attack (information scavenging through system software capabilities) and laboratory attack (information scavenging through laboratory means). Procedures should be implemented to address these threats before the AIS is procured, and the procedures should be continued throughout the life cycle of the AIS.

2.1 USE OF THIS GUIDELINE

Designated Approving Authorities and Information System Security Officers (ISSOs) may refer to this guideline when selecting or evaluating specific methods to clear, purge, declassify, or destroy AIS storage media. DoD components may include the information provided in this guideline in their security training and awareness program; however, they should not use this guideline in lieu of existing policies.

Guidelines in this document have two degrees of emphasis. Those that are most important to the secure handling of AIS storage media have such wording as "the ISSO should . . . ." Guidance of lesser criticality has such wording as "it is good practice" or "it may be." Thus, the word "may" denotes less emphasis or concern than the word "should."

2.2 IMPORTANT DEFINITIONS

This section provides definitions and their amplification critical to understanding the issues in remanence. A comprehensive glossary follows Section 7.

Clearing: The removal of sensitive data from an AIS at the end of a period of processing, including from AIS storage devices and other peripheral devices with storage capacity, in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed using normal system capabilities, i.e., through the keyboard. (This may include use of advanced diagnostic utilities.) An AIS need not be disconnected from any external network before a clear. [1, draft version]

Clearing can be used when the secured physical environment (where the media was used) is maintained. In other words, the media is reused within the same AIS and environment previously used.

In an operational computer, clearing can usually be accomplished by an overwrite of unassigned system storage space, provided the system can be trusted to provide separation of the storage space and unauthorized users. For example, a single overwrite of a file or all system storage, if the circumstance warrants such an action, is adequate to ensure that previous information cannot be reconstructed through a keyboard attack. Note: Simply removing pointers to a file, which can occur when a file is simply deleted in some systems, will not generally render the previous information unrecoverable through normal system capabilities (i.e., diagnostic routines).

Purging: The removal of sensitive data from an AIS at the end of a period of processing, including from AIS storage devices and other peripheral devices with storage capacity, in such a way that there is assurance, proportional to the sensitivity of the data, that the data may not be reconstructed through open-ended laboratory techniques. An AIS must be disconnected from any external network before a purge. [17]

Purging must be used when the secured physical environment (where the media was used) will not be maintained. In other words, media scheduled to be released from a secure facility to a non-cleared maintenance facility or similar non-secure environment must be purged.

Note: The purging definition allows a hierarchy of data eradication procedures, although current standards do not take advantage of this. That is, removing data with "assurance, proportional to the sensitivity of the data, that the data may not be reconstructed" implies that standards can be developed to be applied hierarchically. For example, a standard could be developed that allowed a security officer to degauss CONFIDENTIAL tapes by 80 dB, SECRET tapes by 90 dB, etc. Practice has shown, however, that this is not a feasible approach. Authorized clearing and purging procedures are detailed in DoD 5200.28-M and sometimes further amplified in DoD component regulations.

Declassification: A procedure and an administrative action to remove the security classification of the subject media. The procedural aspect of declassification is the actual purging of the media and removal of any labels denoting classification, possibly replacing them with labels denoting that the storage media is unclassified. The administrative aspect is realized through the submission to the appropriate authority of a decision memorandum to declassify the storage media.

Whether declassifying or downgrading the storage media, the memorandum should include the following:

a. A description of the media (type, manufacturer, model, and serial number).
b. The media's classification and requested reclassification as a result of this action.
c. A description of the purging procedures to include the make, model number, and serial number of the degausser used and the date of the last degausser test if degaussing is done; or the accreditation statement of the software if overwriting is done; or the description of and authorization to use the purging procedure if the purging procedure is different from the preceding procedures.
d. The names of the people executing the procedures and verifying the results.
e. The reason for the downgrade, declassification, or release.
f. The concurrence of the data owner that the action is necessary.
g. The intended recipient or destination of the AIS and storage media.
Coercivity: A property of magnetic material, measured in oersteds (Oe), that gives the strength of the applied magnetic field (of opposite polarity) required to reduce the magnetic induction to zero from its remanent state, i.e., to take the media from a recorded state to an unrecorded state. Coercivity values are available from the manufacturer or vendor.

Type I Tape: Magnetic tape with coercivity not exceeding 350 Oe (also known as low-energy tape), for example, iron oxide coated tape. Note: The maximum coercivity level has changed from 325 Oe to 350 Oe.

Magnetic disks, i.e., oxide particles on a metal substrate, also have varying coercivity levels. Research has shown, however, that the physical remanence properties of disks are easier to address. Because of this, disks are treated as Type I media and are discussed in more detail later.

Type II Tape: Magnetic tape with coercivity ranging from 351 to 750 Oe (also known as high-energy tape), for example, chromium dioxide coated tape.

The determination of the Type I and Type II definitions was largely a result of the tape manufacturing industry. Low-energy tapes were developed first, and they have coercivities around 300 Oe ± 10%. The next generation tape was high-energy tape, whose coercivity is around 650 Oe ± 10%. There have been no naturally occurring plateaus with which to define a Type III tape. As a practical matter, there are no degaussers that can yet meet the requirements of National Security Agency/Central Security Service (NSA/CSS) Specification L14-4-A for tapes above Type II. [13]

Type III Tape: Magnetic tape with coercivity above 750 Oe, for example, cobalt-modified iron oxide coated tape and metallic particle coated tape. This definition is provided so these media may be discussed.

Degausser: A device that can generate a magnetic field for degaussing magnetic storage media. A Type I degausser can purge Type I tapes and all magnetic disks. A Type II degausser can purge both Type I and Type II tapes. There are, at present, no Type III degaussers. Currently, all Type I, II, and III tapes may be cleared with a Type I degausser. However, Type III tapes with higher than the current maximum coercivity may be developed that would not be clearable with a Type I degausser. Refer to the DPL for Type III degausser availability. Section 3 discusses degaussers further.

Permanent Magnet Degausser: A hand-held permanent magnet that has satisfied the requirement to degauss floppy disks, disk platters, magnetic drum surfaces, bubble memory chips, and thin film memory modules. It is not used to degauss magnetic tape.

2.3 OBJECT REUSE AND DATA REMANENCE

The issue of data scavenging on multiuser systems was recognized to be an area of concern long before the DoD 5200.28-STD, Trusted Computer System Evaluation Criteria (TCSEC), [20] became the metric with which to evaluate trusted systems. The TCSEC reflects this concern with its requirement that a Trusted Computing Base (TCB) have a mechanism that enforces an object reuse policy. This mechanism must ensure that no user can use the TCB interface to recover another user's data from recycled storage media (e.g., memory or disk pages). Object reuse in trusted computing systems is comparable (in most respects) to "clearing."

Object reuse can be implemented so that the address space that contained the object (file) is cleared upon deallocation (the net result is that unallocated address space is cleared) or upon allocation (the net result is that unallocated address space may contain data residue). (Note: There are other ways to implement object reuse which do not involve clearing.) Information from a common data storage pool cannot normally be retrieved through the keyboard.
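Two points in this section can be made concrete with a small simulation: that deleting a file by removing its pointers (the "simply deleted" case under Clearing in Section 2.2) leaves the data recoverable through normal system capabilities, and that object reuse may clear storage either on deallocation or on allocation, with different residue left in unassigned space. The Python below is an added example, not code from the guideline or from any evaluated system; the block pool, its first-fit free list, the policy names and the sample payroll file are all assumptions of this example.

```python
"""Toy block-storage pool showing how deleted data survives as residue.

This is an added example, not part of NCSC-TG-025. It models a storage pool
with a directory, a free list and one of three object-reuse policies, and
shows what a "keyboard attack" (ordinary reads, including a raw read of
unassigned blocks) can recover after a file is deleted. Block size, pool
size, policy names and the sample file are assumptions of this example.
"""

BLOCK_SIZE = 16            # bytes per block (assumed)
POOL_BLOCKS = 8            # blocks in the pool (assumed)
ZERO_BLOCK = b"\x00" * BLOCK_SIZE

# Object-reuse policies (names are this example's, not the guideline's)
UNLINK_ONLY = "unlink-only"                  # delete drops pointers only; residue stays
CLEAR_ON_DEALLOCATE = "clear-on-deallocate"  # blocks are overwritten when given back
CLEAR_ON_ALLOCATE = "clear-on-allocate"      # blocks are overwritten when handed out


class BlockPool:
    """Fixed-size blocks, a first-fit free list, and a reuse policy."""

    def __init__(self, policy):
        if policy not in (UNLINK_ONLY, CLEAR_ON_DEALLOCATE, CLEAR_ON_ALLOCATE):
            raise ValueError("unknown policy: %r" % policy)
        self.policy = policy
        self.blocks = [ZERO_BLOCK] * POOL_BLOCKS
        self.free = list(range(POOL_BLOCKS))
        self.directory = {}                   # file name -> block numbers it owns

    def allocate(self, name, nblocks):
        """Give `name` ownership of nblocks free blocks without writing them."""
        if nblocks > len(self.free):
            raise OSError("no space")
        owned = [self.free.pop(0) for _ in range(nblocks)]   # first fit: lowest free blocks
        if self.policy == CLEAR_ON_ALLOCATE:
            for blk in owned:
                self.blocks[blk] = ZERO_BLOCK
        self.directory[name] = owned
        return owned

    def write(self, name, data):
        """Create a file holding `data`, padding the last block with zeros."""
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        for blk, chunk in zip(self.allocate(name, len(chunks)), chunks):
            self.blocks[blk] = chunk.ljust(BLOCK_SIZE, b"\x00")

    def read(self, name):
        """What the owner of `name` sees through the normal file interface."""
        return b"".join(self.blocks[blk] for blk in self.directory[name])

    def delete(self, name):
        """Deallocate: drop the pointers; overwrite only under clear-on-deallocate."""
        owned = self.directory.pop(name)
        if self.policy == CLEAR_ON_DEALLOCATE:
            for blk in owned:
                self.blocks[blk] = ZERO_BLOCK
        self.free = sorted(self.free + owned)

    def scavenge_free_space(self):
        """Keyboard attack: a diagnostic or raw-device read of every unassigned block."""
        return b"".join(self.blocks[blk] for blk in self.free)

    def clear_unassigned_space(self):
        """Clearing as the guideline describes it: one overwrite of all unassigned storage."""
        for blk in self.free:
            self.blocks[blk] = ZERO_BLOCK


def residue_after_delete(policy, data):
    """Write a file, delete it, and report what two attacks recover afterwards.

    Returns (bytes a free-space scavenge finds, bytes a new owner reads from
    freshly allocated, never-written blocks), each with zero padding stripped.
    """
    pool = BlockPool(policy)
    pool.write("report.txt", data)
    pool.delete("report.txt")
    scavenged = pool.scavenge_free_space()
    nblocks = (len(data) + BLOCK_SIZE - 1) // BLOCK_SIZE
    pool.allocate("newfile", nblocks)          # an unrelated user gets the same blocks back
    return scavenged.rstrip(b"\x00"), pool.read("newfile").rstrip(b"\x00")


def residue_after_clearing(data):
    """On an unlink-only pool, clear unassigned space after the delete and scavenge again."""
    pool = BlockPool(UNLINK_ONLY)
    pool.write("report.txt", data)
    pool.delete("report.txt")
    pool.clear_unassigned_space()
    return pool.scavenge_free_space().rstrip(b"\x00")


if __name__ == "__main__":
    sample = b"payroll: alice 91000; bob 87500"   # constructed sample, 31 bytes
    for policy in (UNLINK_ONLY, CLEAR_ON_DEALLOCATE, CLEAR_ON_ALLOCATE):
        scavenged, reused = residue_after_delete(policy, sample)
        print("%-20s scavenge=%r new-owner-reads=%r" % (policy, scavenged, reused))
    print("after clearing unassigned space: %r" % residue_after_clearing(sample))
```

Run stand-alone, the unlink-only pool gives the payroll text back both to a free-space scavenge and to the next user who allocates those blocks; clear-on-deallocate gives nothing back in either case; clear-on-allocate protects the next user but still leaves the residue in unassigned space until something overwrites it, which is exactly what the guideline's single overwrite of unassigned storage does.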

Some comparisons have been made between trusted systems that satisfy the object reuse requirement and overwrite programs that do only clearing or purging; however, it should be noted that overwrite programs cannot be trusted in the same sense as trusted systems. This is primarily because of the environment in which overwrite programs must operate.

Trusted systems are designed with an object reuse mechanism that is protected and supported by the TCB, substantiating the degree of trust placed in the object reuse mechanism. Commercially available overwrite programs are usually designed to operate on several different systems and are not evaluated with the same rigor as trusted systems; however, any overwrite program should be protected from unauthorized modification. These two security features provide a similar aspect of data confidentiality but satisfy different computer security requirements.

3 DEGAUSSERS

DoD 5200.28-M requires that degaussing equipment be tested and approved by a laboratory of a DoD component or by a commercial testing laboratory whose evaluation tests can be certified. Test methods and performance criteria are promulgated in DoD 5200.28-M. National Security Agency/Central Security Service (NSA/CSS) Specification L14-4-A, Magnetic Tape Degausser, [13] is the NSA/CSS's updated version of the DoD 5200.28-M degausser testing requirements, published to keep the degausser testing criteria current.

3.1 A PRIMER

Data are stored in magnetic media by making very small areas called magnetic domains change their magnetic alignment to be in the direction of an applied magnetic field. This phenomenon occurs in much the same way that a compass needle points in the direction of the earth's magnetic field. Degaussing, commonly called erasure, leaves the domains in random patterns with no preferred orientation, thereby rendering previous data unrecoverable. There are some domains whose magnetic alignment is not randomized after degaussing. The information that these domains represent is commonly called magnetic remanence. Proper degaussing will ensure that there is insufficient magnetic remanence to reconstruct the data.

Erasure via degaussing may be accomplished in two ways: in AC erasure, the media is degaussed by applying an alternating field that is reduced in amplitude over time from an initial high value (i.e., AC powered); in DC erasure, the media is saturated by applying a unidirectional field (i.e., DC powered or by employing a permanent magnet).

3.2 DEGAUSSER TESTING

The DoD has adopted the National Security Agency security standard for degaussing equipment, which requires degaussers to reduce a special worst-case analog test signal by 90 decibels (dB). More simply stated, degaussing must reduce the test signal to one billionth (1 part in 10^9) of its original strength. (That figure is a power ratio; expressed as an amplitude ratio, 90 dB is about 1 part in 31,600.) The signals recorded on magnetic media in normal use are easier to erase than this worst-case test signal, which magnetically saturates the tape and is set forth in references 1 and 13. After the test signal is recorded on the tape, the tape is degaussed and the residual signal is evaluated against the 90 dB standard. This quantifies degausser effectiveness.
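As an added illustration of the 90 dB figure, not part of the guideline or of NSA/CSS Specification L14-4-A (whose measurement procedure is not reproduced here), the Python below converts between decibels and signal ratios and judges a set of residual-signal readings against the standard. "One billionth" matches the power convention for decibels (10 log10); the same 90 dB is about 1 part in 31,600 under the amplitude convention (20 log10), so the example makes the convention an explicit parameter rather than guessing which one a meter reports. The reference level, the readings, and the rule that the worst reading decides are constructed for this example.

```python
"""Evaluating a degausser test result against the 90 dB requirement.

This is an added example, not part of NCSC-TG-025 or of NSA/CSS
Specification L14-4-A, whose measurement procedure is not reproduced. It only
shows the arithmetic behind "90 dB = one billionth" and why the power and
amplitude conventions for decibels must not be mixed when a residual-signal
reading is compared with the standard. The sample readings are constructed.
"""
import math

REQUIRED_ATTENUATION_DB = 90.0


def attenuation_db(reference, residual, quantity="power"):
    """Attenuation of `residual` relative to `reference`, in dB.

    quantity="power":     10 * log10(P_ref / P_res)
    quantity="amplitude": 20 * log10(A_ref / A_res)   (voltage, flux or field readings)
    A residual of exactly zero is reported as infinite attenuation.
    """
    if quantity not in ("power", "amplitude"):
        raise ValueError("quantity must be 'power' or 'amplitude'")
    if reference <= 0 or residual < 0:
        raise ValueError("reference must be positive and residual non-negative")
    if residual == 0:
        return math.inf
    factor = 10.0 if quantity == "power" else 20.0
    return factor * math.log10(reference / residual)


def ratio_for_db(db, quantity="power"):
    """Residual/reference ratio that corresponds to `db` of attenuation."""
    if quantity not in ("power", "amplitude"):
        raise ValueError("quantity must be 'power' or 'amplitude'")
    factor = 10.0 if quantity == "power" else 20.0
    return 10.0 ** (-db / factor)


def degausser_passes(reference, residual_readings, quantity="power"):
    """True only if the worst (largest) residual reading still meets 90 dB.

    A degausser is judged on its weakest result (an assumption of this example):
    one residual reading above the threshold is a failure even if the others
    are far below it.
    """
    if not residual_readings:
        raise ValueError("no residual readings")
    worst = max(residual_readings)
    return attenuation_db(reference, worst, quantity) >= REQUIRED_ATTENUATION_DB


if __name__ == "__main__":
    # "One billionth" is the power convention; the same 90 dB is about 1 in 31,600 in amplitude.
    print("90 dB as power ratio:     %.3g" % ratio_for_db(90))
    print("90 dB as amplitude ratio: %.3g" % ratio_for_db(90, "amplitude"))
    # Constructed test-signal readings in arbitrary power units; full-strength signal = 1.0.
    good_run = [2e-10, 5e-10, 8e-10]      # every residual below 1e-9: passes
    bad_run = [2e-10, 3e-9]               # one reading only reached about 85 dB: fails
    print("good run passes:", degausser_passes(1.0, good_run))
    print("bad run passes: ", degausser_passes(1.0, bad_run))
    # Mixing conventions: a 1e-5 residual is 100 dB if it is an amplitude reading but
    # only 50 dB if it is a power reading, so evaluating a power reading with the
    # amplitude formula produces a false pass.
    print("1e-5 as amplitude:", degausser_passes(1.0, [1e-5], "amplitude"))
    print("1e-5 as power:    ", degausser_passes(1.0, [1e-5], "power"))
```

The practical point is the last pair of lines: the same numeric reading passes or fails depending on whether the instrument reports power or amplitude, so the convention must be known before a residual figure is compared with the 90 dB requirement.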

3.3 LABELING TAPES

It is difficult to distinguish the different types of magnetic tape from appearance alone. For this reason, it is recommended that responsible personnel ensure that type labels (i.e., Type I, II, or III) are applied to the tape reels upon initial use. The label should remain on the reel until the tape is cut from the reel or the reel is destroyed.

In some cases, adding another label to the tape could introduce the possibility of operator error in shops where the reel is already crowded with labels. Some facilities require the security officer to use the manufacturer's label to determine tape coercivity. In any case, strict inventory controls should be in place to ensure that tapes can be identified by type so the correct purge procedure is used.

3.4 DEGAUSSER PRODUCTS LIST (DPL)

The list of magnetic degaussers that satisfy the requirements in NSA/CSS Specification L14-4-A is included in the NSA's Information Systems Security Products and Services Catalogue [10] as the DPL. The catalogue is up