Certified Media Sanitization

About our Media Sanitization Services

CAS provides certified media sanitization services to NIST 800-88 standard and can even offer guidance to organizations on implementing a Media Sanitization Program including classification and decision matrix workflows emphasized in the IEEE 2883 standard, as referenced in the recently published NIST SP 800-88 Rev.2 Standard. We focus on selecting the proper sanitization technique by risk classification, media type, and interface type that mitigates risk while enabling potential reuse oppurtunities (invernal vs external reuse scoping & risk analysis) that support extending the lifetime of your organization's technology infrastructure investments.

Sanitization Outcomes: Clear, Purge, or Destroy

• Clear: logical techniques intended to protect against simple non-invasive recovery methods (often used for many endpoint scenarios).
• Purge: stronger techniques intended to protect against more advanced recovery methods; includes modern device sanitize pathways where supported.
• Destroy: NIST defined destroy guidance by storage type as identified, when required by your policy, risk assessment scope, device constraints, or when Clear & Purge is not successful or known to not be feasible.
• We are transparent with our clients about the physical destruction techniques that meet NIST Destroy Standard or not for varying storage media type or device type.

Purge Workflows (Including Cryptographic Erase)

For compatible and qualifying devices & storage media, CAS offers NIST Purge workflows that can include device sanitize commands, sanitize block erase, sanitize overwrite, and Cryptographic Erase (CE) when encryption is properly implemented and key sanitization makes recovery infeasible. We also utilize TCG specifications and Vendor-Specific operations for Purge Sanitization compatibility and execution. CE can be an efficient pathway for modern storage when supported by device architecture and when your organization’s requirements allow it.

What types of Storage Media does CAS Handle?

• Hard Drives: HDD, SSD, SED (self-encrypting drives), & other storage media (ATA/SCSI/NVMe) found compute endpoints
• Other Magnetic Media: Floppy Disk, Flexible & Rigid Magnetic Disc, and Tape Media
• Hard Copy: Paper, microforms, printer & facsimile ribbons, drums and platens
• Optical Media: CD, DVD, Blu-ray, and other read-only access / read-write access Media
• USB Removable Media: Flash Drives, Memory Sticks, Thumb Drives, & any other SSD device that uses SCSI command host interface
• Memory Cards: SD cards, MMC, Compact Flash, MicroDrive etc
• Embedded flash on boards and storage devices: Motherboards and Peripheral Cards (Network adapters or any other adapter containing nonvolatile flash memory)
• RAM and ROM based storage devices: Such as DRAM, EAPROM, EEPROM
• Storage Devices with Embedded Storage: Networking Devices, Office Equipment, and Devices with built in storage
• Servers & rack equipment: Containing compute and networking internal storage components
• Mobile Devices: smartphones, tablets and cell phones

Network Equipment and Embedded Storage Handling

• For many network endpoints, Purge is not typically feasible due to architecture and storage constraints.
• We commonly scope those assets for NIST Clear (when appropriate) or route to Destroy based on organizational requirements.
• We document the selected method and final outcome so security and governance teams have an unambiguous record.

Verification, Exception Reporting, and Documentation

• Outcome records for Clear/Purge/Destroy decisions by media type and device class
• Exception reporting when media cannot be sanitized as scoped (with escalation to alternate method)
• Certificates of Media Sanitization and final disposition documentation for applicable equipment and storage devices
• Chain-of-custody handling practices designed to reduce breach-risk and support vendor oversight

Staying Ahead of Storage Technology and Long-Horizon Risk

• We stay current with storage capabilities across HDD/SSD/NVMe and select techniques consistent with device behavior.
• When considering cryptographic erase, if your data classification assumes sensitivity that must remain protected beyond 10 years from the present, we reccomend many organizations choose Destroy (or a different purge sanitization method) as a forward-looking risk posture as computing capabilities evolve.
• We scope sanitization method selection by device class so mixed loads get consistent outcomes, and select sanitization technique by command interface and/or device compatibility.

How Media Sanitization Services Differ From Data Destruction Services at CAS

• Media Sanitization includes successfully sanitizing qualifying media (Clear or Purge), with documented outcomes so devices can be reused (internally or externally) when appropriate. Media not qualified or failing clear / purge sanitization is subject to Destroy sanitization which uses state of the art techniques to physically destroy the media.
• Data Destruction Physical Destruction of devices with storage media or removed storage media designed for irreversible disposition when reuse is not simply not allowed or risk posture requires it.
• At CAS our Media Sanitization Services are typically used when an organization desires documented outcomes that report all storage media types found throughout different device categories. We focus on using vendor techniques and compatible sanitization techniques by command interface that can offer additional verification workflows after the data destrcution / media sanitization process.
• When Purge Sanitization is feasible & successful, CAS utilizes the most current sanitization techniques and commands by storage device type that will truly support stronger circularity outcomes resulting from extending device lifetime (inside or outside the organization), while maintaining defensible security handling.
• CAS helps organizations utilize new technology and tools that enable secure lifetime extending of devices and equipment that can also result in improved sustainability metrics that support the circular economy. CAS will always prioritize your organization's data security policies and regulatory compliance above any sustainability or reuse initiatives. Our sustainability counting require attatched, verified sanitization documentation for sensitive data bearing equipment, as CAS only supports secure reuse outcomes.

Need reuse/circularity outcome reporting and landfill diversion metrics for sanitized assets? See Sustainability Tracking.