Federal agencies are required to follow regulations from NSA, NIST (800-171 requirement 3.8.3, 800-88), GSA, and DLA when disposing of electronic waste (e-waste) such as cell phones, tablets, servers, networking devices, data storage devices, and laptops.
NIST 800-88 outlines best practices, including classifying data before determining the best method of data sanitization. For end-of-life equipment, the prescribed options are to purge with certified software or destroy with a certified ITAD provider. In either case, federal government agencies and contractors must follow IT asset management best practices and obtain certificates of destruction.
The NIST guidelines recommend destruction as the approach for classified data, but based on our experience with several government agencies, data destruction could take months or even years due to delays in procurement and other bureaucratic challenges.
In a 2024 report, the Office of the Inspector General (OIG) uncovered security weaknesses at an FBI-controlled facility during media destruction. The audit revealed that sensitive devices, such as internal hard drives and thumb drives, containing unclassified law enforcement and classified national security information, were stored on pallets without adequate protection.
According to Dan Mattack, Certified Secure Data Destruction Specialist at Securis, “The findings underscore the importance of robust physical security measures to safeguard classified and sensitive data, the need to follow best practices for IT Asset Management, as well as the importance of at least employing one method of data sanitization such as purging (hard drives and solid state) or degaussing (tapes) while classified systems await physical destruction.”
After a NIST 800-88 purge has been performed, the preferred data destruction method for electronics containing classified data is to disassemble the equipment and disintegrate data-bearing devices and circuit boards to the NSA standards of 2MM. In most cases, this process requires two agency witnesses. If the classification is top secret or above and equipment must be transported before it is destroyed, this typically must be performed by an armed courier.
For smaller data sanitization projects at the secret classification level and below, a military grade storm case is a way to deliver equipment in locked and sealed containers. These cases are military tough and designed to be safe and secure in the harshest conditions. Classified information can be transported via storm cases from USPS or courier as long as protocols are followed.
Special Access Programs (SAP) may require that electronic components are incarcerated after devices have been disassembled and data-bearing devices have been degaussed/shredded (HDD) or disintegrated (SSD) to the NSA-prescribed methods of 2MM.
When looking for a certified ITAD provider, agencies should consider security, costs, and sustainability. Too much focus on cost or sustainability alone could lead to a dangerous breach while focusing on security alone could lead to budgetary challenges or failure to meet sustainability directives.
According to Jeremy Farber, CEO of Securis, “Who you choose in an IT Asset Disposal partner matters. For example, we once received Top Secret diagrams for a key U.S. Government building mixed in with our electronics recycling pick-up items. We regularly find data-bearing devices that customers miss. This is common in copiers and modern electronic devices with SD cards or drives on the motherboards. We also find drives missed by customers in servers and storage arrays. Separation of duties and our triple-check guarantee ensures timely and accurate inventories. The right partner significantly reduces the chance of a data breach.”
ITAD providers that have R2v3 certifications and follow best practices will be able to meet GSA e-waste directives. DLA Information Service certifications allow for the transport of military-critical technical data. Certified Secure Data Destruction Specialists can consult on best practices for IT Asset Management and Disposition. NAID AAA certifications require regular audits of security best practices.
Following best practices for cybersecurity is critical to protecting our national security. We must stay vigilant. Adversaries are constantly looking for ways to exploit our cybersecurity weaknesses to steal our technology, gain an advantage, and threaten our way of life.