Located in West Virginia, the Criminal Justice Information Services is the largest division of the Federal Bureau of Investigation (FBI), which manages the National Crime Information Center (NCIC), which holds the centralized crime-related database. This database can be accessed by federal and local enforcement bodies, background verification agencies, courts, probation officers, etc. Sensitive personal information like biometric data, identity, biographic and property data, or Criminal History Record Information (CHRI) is a part of the database. The CJIS Security Policy requires this information to be protected at all times, whether in transit or rest, and it must be destroyed once the data retention period is over. The CJIS Security Policy (CJISSECPOL) provides guidance for sanitizing media that contains CJI and other information in Section 5.8 MEDIA PROTECTION (MP) subsection 6 MEDIA SANITIZATION. Further, under this section, CJIS provides guidance on how digital media is to be sanitized using techniques like clearing, purging, cryptographic erase, etc. (as per NIST 800-88 Guidelines) to render information irrecoverable.
CJIS Media Sanitization Requirements | Section 5.8 of CJISSECPOL
Agencies with access to sensitive information must sanitize or destroy both physical and digital media before releasing it from their control, reusing them outside the agency, and disposing of them. Media sanitization ensures the permanent removal of sensitive information, making its recovery or restoration impossible. These requirements are applicable for digital media like laptops, desktops, drives, mobile devices, notebooks, etc., and physical media such as paper or microfilms. The details of this are mentioned on CJISSECPOL v5.9.4 Pages 139 & 140.
Agencies can choose the appropriate media sanitization method based on the sensitivity of the stored CJIS information. When dealing with media that contains publicly available information, Agencies can use their discretion. In 2021, at the request of the Advisory Policy Board (APB) and the Security & Access (SA) Subcommittee, the CJIS Security Policy Control Mapping was aligned with NIST SP 800-53 Rev. 5 to ensure standardized practices are followed.
NIST SP 800-53 refers to NIST SP 800-88 Guidelines for Media Sanitization, which recommends three techniques for media sanitization viz. Clear, Purge, and Destroy. However, for sanitizing media devices with ‘Classified Information’ the NSA (National Security Agency) media sanitization guidelines will be followed, and National Archives and Records Administration (NARA) policies will be used for sanitizing Controlled Unclassified Information (CUI).
The policy also recommends sanitization techniques like overwriting, in which existing data is overwritten at least three times, or degaussing, which is a physical technique that destroys data on magnetic drives by demagnetizing their magnetic field. Physical destruction techniques like shredding, cutting, or incineration can be used when sanitizing media devices that are inaccessible. This sanitization or destruction must be witnessed or carried out only by authorized personnel. Other methods like Cryptographic Erase and de-identification of Personally Identifiable Information (PII) are also effective in preventing information disclosure.
Although, the media sanitization section focuses on the secure disposal or repurposing of storage devices, information disposal is also required under other sections covered in the policy.
- Under Section 5.15 SYSTEM AND INFORMATION INTEGRITY – Subsection SI - 12 Information Management and Retention | Information Disposal Control, agencies should limit the collection, processing, and use of Personally Identifiable Information (PII) to the minimum required and securely dispose of information after its retention period is over using sanitization methods discussed above.
- Under Section 5.16 MAINTENANCE MA-2 Controlled Maintenance, any equipment that is leaving the agency control for off-site maintenance, repair, repurposing, replacement, or disposal must be sanitized before it leaves the facility to ensure that no data or information is compromised.
Penalties for Non-Compliance with CJIS Security Policy
Improper access or use of NCIC information is a serious criminal offense that can result in administrative sanctions, termination of services, and state & federal criminal penalties, the quantum of which may vary as per the offense. This also includes penalties levied due to improper media sanitization.
Ensuring Compliance with Media Sanitization Guidelines of CJIS Policy
Media sanitization is an important requirement under the CJIS Security Policy to prevent unauthorized access to Criminal Justice Information. As per the policy, agencies must follow NIST SP 800-53 Guidelines to ensure compliance, mitigate security risks, and avoid penalties. NIST 800-53 is a set of controls that helps safeguard sensitive data against various threats. For Media Sanitization, this framework refers to the NIST 800-88 Guidelines.
Responsible agencies and other stakeholders can use the below recommendations to ensure compliance with CJIS Media Sanitization Guidelines.
- Establish a Media Sanitization Policy: The policy should outline the data sanitization method to be used basis the media type and data classification. It should also mention the person authorized for media sanitization.
- Implement Approved Sanitization Methods: The organization must use device-appropriate sanitization methods like:
- Overwriting: This technique can be used on all types of drives and devices; however, NIST recommends using Secure Erase, Block Erase, and Cryptographic Erase commands on solid-state drives.
- Cryptographic Erase: This method can only be applied to devices that support encryption; for all other devices, it is not an effective sanitization method.
- Degaussing: This method can only be applied to magnetic drives, such as hard disk drives. Unlike HDDs, which rely on magnetic storage, SSDs and flash media use NAND memory, making degaussing ineffective.
- Maintain Sanitization Records: Reports and certificates of sanitization must be maintained for all devices. The Certificate of Destruction (COD) must contain details such as the drive serial number, the sanitization method used, the date, time & location of sanitization, name, and designation of the person performing media sanitization, etc.
- Employee Training: The agency should conduct regular training sessions for their employees, update them on the data handling policies, and provide guidance on device security & media disposal policies.
- Periodic Internal Audits: Agencies must conduct internal audits and review their data security policies. These audits help agencies review and update their policies according to evolving data security threats.
Solutions like BitRaser Drive Eraser is a secure and certified media sanitization software that ensures complete data destruction beyond recovery rendering the device reusable. The software-generated certificate of destruction helps in audits and meets compliance requirements. Additionally, BitRaser File Eraser helps agencies implement data minimization by securely erasing extra files and folders. BitRaser adheres to NIST 800-88 Clear & Purge methods, including Secure Erase, Block Erase & Cryptographic Erase method, thereby helping security agencies remain compliant with CJIS Media Sanitization Guidelines.
+1-844-775-0101
