INFORMATION TECHNOLOGY (IT) MEDIA SANITIZATION
(CT:IM-323; 06-20-2024)
(Office of Origin: DT/ECISO/PLT)
5 FAM 1681 GENERAL INFORMATION
(CT:IM-314; 04-16-2024)
5 FAM 1681.1 Authority
(CT:IM-323; 06-20-2024)
Authorities for this subchapter are:
(1) NIST Special Publication (SP) 800-88, rev. 1, "Guidelines for Media Sanitization";
(2) 1 FAM 210 Bureau of Administration;
(3) 1 FAM 260 Bureau of Diplomatic Security;
(4) 1 FAM 270 Bureau of Diplomatic Technology; and
(5) 14 FAM 400 Asset Management.
5 FAM 1681.2 Purpose
(CT:IM-286; 04-25-2022)
These regulations establish the Department of State's (Department) IT media sanitization policy, including process management enforcement, policy owners for Department media sanitization processes, program management roles and responsibilities, and roles of other key officials responsible for IT media sanitization. IT media sanitization refers to the process that renders data written on media unrecoverable by both ordinary and extraordinary means.
5 FAM 1681.3 Scope
(CT:IM-314; 04-16-2024)
This policy applies to all media used, stored or operated by the Department, by a contractor of the Department, or by another organization on behalf of the Department, either domestic or abroad, regardless of its final destination. This policy applies to both classified and unclassified IT media.
5 FAM 1681.4 Definitions
(CT:IM-314; 04-16-2024)
Cryptographic erase (CE): Media sanitization is performed by sanitizing the cryptographic keys used to encrypt the data, as opposed to sanitizing the storage locations on media containing the encrypted data itself.
Degauss: To reduce the magnetic flux to virtually zero by applying a reverse magnetizing field; also called demagnetizing. Degaussing any magnetic hard drive using approved degaussers renders the drive permanently unreadable and unusable.
Destruction: The result of actions taken to ensure that media cannot be reused as originally intended and that recovery of the information is virtually impossible or prohibitively expensive.
Disintegration: A physically destructive method of sanitizing media; the act of separating into component parts.
Disposal: The act of discarding media with no other sanitization considerations. This is most often done by recycling paper that contains non-confidential information, but may also include other media.
Incineration: A physically destructive method of sanitizing media; the act of burning completely to ashes.
Media: Plural of medium. See medium definition.
Medium: Material on which data is or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices, or optical disks.
Physical destruction: Sanitization whose intent is to destroy the media. It can be accomplished using a variety of methods, including disintegration, incineration, pulverizing, shredding, and melting.
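To make the cryptographic erase (CE) definition concrete, the following is an added Python model; it is not part of this FAM and not a Department tool. It represents a self-encrypting medium whose sectors hold only ciphertext under a media encryption key, and sanitizes by overwriting and replacing that key rather than the sectors. The keystream construction (a SHA-256 counter-mode stream with an HMAC tag), the sector layout and the function names are assumptions made for illustration. The separate verify_erased() check mirrors the split between sanitization and secondary verification duties described in 5 FAM 1682.6.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream (assumption for illustration, not a production cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


class EncryptedMedium:
    """Model of a self-encrypting medium: data at rest is ciphertext, the key is held apart."""

    def __init__(self) -> None:
        # Media encryption key (MEK); every sector is encrypted under it from first write.
        self.key = bytearray(secrets.token_bytes(KEY_LEN))
        # sector index -> (nonce, ciphertext, integrity tag)
        self.sectors: dict[int, tuple[bytes, bytes, bytes]] = {}

    def write(self, sector: int, plaintext: bytes) -> None:
        nonce = secrets.token_bytes(16)
        stream = _keystream(bytes(self.key), nonce, len(plaintext))
        ct = bytes(a ^ b for a, b in zip(plaintext, stream))
        tag = hmac.new(bytes(self.key), nonce + ct, hashlib.sha256).digest()
        self.sectors[sector] = (nonce, ct, tag)

    def read(self, sector: int) -> bytes:
        nonce, ct, tag = self.sectors[sector]
        expected = hmac.new(bytes(self.key), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            # The current key cannot authenticate this sector: the data is unrecoverable.
            raise ValueError("integrity check failed for sector %d" % sector)
        stream = _keystream(bytes(self.key), nonce, len(ct))
        return bytes(a ^ b for a, b in zip(ct, stream))

    def cryptographic_erase(self) -> None:
        """CE: sanitize the key, not the storage locations holding the ciphertext."""
        for i in range(len(self.key)):
            self.key[i] = 0  # overwrite the old MEK in place before discarding it
        # A fresh key lets the medium be reissued; old sectors stay undecryptable.
        self.key = bytearray(secrets.token_bytes(KEY_LEN))


def verify_erased(medium: EncryptedMedium) -> bool:
    """Secondary verification: every sector must fail to decrypt under the current key.

    Performed as a separate step (by a different person, per 5 FAM 1682.6) so that
    a sanitization failure is caught before the medium leaves Department control.
    Vacuously true for an empty medium, which is why verifiers sample known sectors.
    """
    for sector in medium.sectors:
        try:
            medium.read(sector)
        except ValueError:
            continue
        return False  # a sector still decrypts: sanitization has not succeeded
    return True


if __name__ == "__main__":
    # Constructed sample record, not real Department data.
    m = EncryptedMedium()
    m.write(0, b"constructed sample record 0001")
    print("before CE, verification passes:", verify_erased(m))   # False
    m.cryptographic_erase()
    print("after CE, verification passes:", verify_erased(m))    # True
```

The model shows the limit that NIST SP 800-88 attaches to CE: the technique only sanitizes data that was encrypted under the destroyed key for its whole time on the medium, so a verifier should confirm that encryption was in force before the first write, not merely that the key was replaced.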
5 FAM 1682 RESPONSIBILITIES
(CT:IM-314; 04-16-2024)
5 FAM 1682.1 Chief Information Officer
(CT:IM-323; 06-20-2024)
a. The CIO, as delegated by the Secretary of State, has all authorities and functions vested in the agency head for the following authorities: Federal Information Security Modernization Act (FISMA), Federal Information Technology Acquisition Reform, Executive Order 13833 of May 15, 2018, or any other information technology statute, regulation, Executive Order, or other provision of law that vests or will vest information technology authorities in the Secretary of State.
b. The CIO serves as the head of the Bureau of Diplomatic Technology (DT). DT is responsible for providing the IT services that the Department needs to successfully carry out its foreign policy mission. DT is the process owner for media sanitization and has clear responsibility and authority for ensuring IT media are properly sanitized before disposal.
5 FAM 1682.2 Enterprise Chief Information Security Officer (E-CISO)
(CT:IM-314; 04-16-2024)
a. The E-CISO is designated by the CIO to carry out the CIO’s responsibilities under FISMA and its related mandates, including developing, implementing, and maintaining an agency-wide Information Security Program.
b. The E-CISO must ensure the requirements of the information security policy, regarding information disposition and media sanitization, are implemented and exercised in a timely and appropriate manner throughout the organization.
5 FAM 1682.2-1 Office of Policy, Liaison, and Training (DT/E-CISO/PLT)
(CT:IM-323; 06-20-2024)
On behalf of the E-CISO, PLT:
(1) Oversees and addresses the Department’s policy and governance program related to integrating current federal cyber security technology requirements and compliance policies into information technology initiatives, to include media sanitization;
(2) Plans, analyzes, and evaluates a variety of sensitive high-profile information assurance actions that are of direct and immediate concern to the Department;
(3) Disseminates messaging as needed for relevant policies and procedure changes involving media sanitization;
(4) Ensures this policy is reviewed and updated at least annually, so that it reflects current federal requirements for IT media sanitization; and
(5) Ensures any changes to this policy are coordinated with relevant media sanitization Overseas Security Policy Board (OSPB) standards (12 FAH-6 H-540).
5 FAM 1682.2-2 Local Area Network (LAN) and Wide Area Networks (WAN) Service (DT/FO/ITI/LWS) Division
(CT:IM-323; 06-20-2024)
The LAN and WAN Service (LWS) division maintains the Department’s LAN/WAN infrastructure and associated supporting technologies. LWS also provides disposal services for various classified and unclassified excess IT equipment.
5 FAM 1682.3 Bureau of Administration, Office of General Services Management, Support Service Division, Operations Support Branch (A/OPR/GSM/SS/OSB)
(CT:IM-286; 04-25-2022)
A/OPR/GSM/SS/OSB provides services for the disposal of classified waste material.
5 FAM 1682.4 Bureau of Administration, Records and Archives Management Division (A/GIS/IPS/RA)
(CT:IM-314; 04-16-2024)
a. A/GIS/IPS/RA formulates and oversees the implementation of Department policy and guidance on record keeping in accordance with the Department's strategic plan, Congressional mandates for all electronic and non-electronic records, National Archives and Records Administration regulations, standards and guidance, and appropriate national and international professional records/information management standards.
b. A/GIS/IPS/RA provides technical assistance and guidance to the Department and posts on information life cycle of records to improve operations and protect information resources.
5 FAM 1682.5 Bureau of Diplomatic Security, Cyber and Technology Security, Office of Technology, Innovation and Engineering (DS/CTS/TIE)
(CT:IM-314; 04-16-2024)
DS/CTS/TIE is responsible for:
(1) Developing security standards, baselines and/or procedures in support of this policy; and
(2) Assessing, via their Regional Cybersecurity Officer (RCSO) program, approved media sanitization service providers to validate compliance with this policy and supporting standards; and
(3) Ensuring any changes to relevant media sanitization Overseas Security Policy Board (OSPB) standards (12 FAH-6 H-540) are coordinated with this policy.
5 FAM 1682.6 Management/Supervisor Responsibilities
(CT:IM-314; 04-16-2024)
Managers and supervisors with media sanitization management responsibilities or who supervise those with media sanitization management responsibilities are responsible for:
(1) Identifying and designating an individual under their supervision to perform IT media sanitization activities listed in 5 FAM 1682.6-1, in addition to their regular duties;
(2) Identifying and designating, for all media requiring secondary verification, an individual under their supervision to perform verification according to 5 FAM 1682.6-2. A single individual cannot perform both media sanitization and verification activities on the same media. This secondary verification provides assurance that sanitization is successful; and
(3) Ensuring all employees under their supervision performing media sanitization and/or verification duties are, at a minimum, secret-cleared U.S. citizens.
5 FAM 1682.6-1 Media Sanitization Responsibilities
(CT:IM-314; 04-16-2024)
Individuals performing media sanitization activities are responsible for:
(1) Ensuring adherence to the minimum standards provided in the Department’s Media Sanitization Security Standard (M3S);
(2) Ensuring scheduled maintenance of sanitization equipment is conducted and equipment is tested and calibrated as needed;
(3) Verifying the operational effectiveness of the sanitization equipment prior to performing media sanitization activities;
(4) Sanitizing the media according to requirements listed in this FAM, or delivering the media to appropriate locations, as designated in this FAM to provide media sanitization services;
(5) Ensuring all media is tracked from the time it is released from the owner’s control to the time of disposal; and
(6) Using tracking methods provided by the media sanitization service provider or, in the absence of established tracking procedures, establishing their own tracking methods consistent with M3S minimum requirements.
5 FAM 1682.6-2 Media Verification Responsibilities
(CT:IM-314; 04-16-2024)
The individual designated to perform secondary verification of media sanitization is responsible for:
(1) Ensuring Department media has been appropriately sanitized prior to disposal, release from Department control or reissuance to another Department user, in accordance with 5 FAM 1682.6 and the M3S; and
(2) Notifying DS/CTS/TIE in the event any device fails a validation check.
5 FAM 1682.7 Media Sanitization Service Providers Responsibilities
(CT:IM-323; 06-20-2024)
Media sanitization service providers (e.g., a regional destruction facility) must:
(1) Be approved by DT/CO/ISSO and DS/CTS/TIE to provide media sanitization services for the Department;
(2) Appropriately sanitize Department media prior to disposal, release from Department control, or release for reuse by another Department user, in accordance with 5 FAM 1682 and the M3S;
(3) Submit to periodic RCSO inspections and correct reported findings;
(4) Track, document, and verify media sanitization and disposal actions;
(5) Establish SOPs, if necessary, detailing local procedures not covered in the M3S for:
(a) IT media sanitization;
(b) Sanitization validation;
(c) IT Media tracking and transport;
(d) Use and testing of sanitization equipment; and
(6) For media sanitization services outsourced to approved media sanitization and destruction vendors, note that it is the responsibility of the bureau or office seeking to outsource to ensure the approved service providers adhere to all requirements detailed in this FAM. Potential media sanitization and destruction facilities may include, for example, other U.S. Government destruction facilities.
5 FAM 1683 THROUGH 1689 UNASSIGNED