Hey Y’all,

If it seems like this series is never ending, well, you’re close. There have been a lot of changes approved and more are on the way, and this is just part six of the first series! I’m hoping y’all are kinda paying attention to these “ramblings'' so you won’t be caught off guard. 

NOTE: These changes have been “approved”, not been published (as of 7/27/2022). We are waiting for the FBI Director’s signature to move forward. Additionally, there may be some minor differences in what I’ve pointed out and what gets published in the CJISSECPOL (by the way that’s the new acronym for the CJIS Security Policy.) I base these newsletters on the APB Topic Papers.

The Control for this newsletter is MP-6 Media Sanitization, and once again this one’s not really new. 

MP-6 Media Sanitization

Control:

a. Sanitize or destroy digital and non-digital media prior to disposal, release out of agency control, or release for reuse using overwrite technology at least three times or degauss digital media prior to disposal or release for reuse by unauthorized individuals. Inoperable digital media will be destroyed (cut up, shredded, etc.). Physical media will be securely disposed of when no longer needed for investigative or security purposes, whichever is later. Physical media will be destroyed by crosscut shredding or incineration; and

b. Employ sanitization mechanisms with the strength and integrity commensurate with the security category or classification of the information.

Discussion: Media sanitization applies to all digital and non-digital system media subject to disposal or reuse, whether or not the media is considered removable. Examples include digital media in scanners, copiers, printers, notebook computers, workstations, network components, mobile devices, and non-digital media (e.g., paper and microfilm). The sanitization process removes information from system media such that the information cannot be retrieved or reconstructed. Sanitization techniques-including clearing, purging, cryptographic erase, de- identification of personally identifiable information, and destruction-prevent the disclosure of information to unauthorized individuals when such media is reused or released for disposal. Agencies determine the appropriate sanitization methods, recognizing that destruction is sometimes necessary when other methods cannot be applied to media requiring sanitization.

Agencies use discretion on the employment of approved sanitization techniques and procedures for media that contains information deemed to be in the public domain or publicly releasable or information deemed to have no adverse impact on agencies or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing a classified appendix from an otherwise unclassified document, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing them from the document. NSA standards and policies control the sanitization process for media that contains classified information. NARA policies control the sanitization process for controlled unclassified information.

Related Controls: AC-3, AC-7, AU-II, MA-2, MA-3, MA-4, MA-5, SI-I2, SR-II.

I know I’m sounding like a broken record, but this is another one that is pretty much in line with the existing policy (just hang on, there's a whole bunch of new stuff coming.) You already knew you had to properly sanitize old hard drives prior to disposal, or physically destroy them. You already knew you had to cross-cut shred paper documents or burn them. If you continue to follow what you should have been doing all along, you’ll be OK.

As always if you have questions about these updates, CJIS ACE is there to help you understand them so you can be compliant. For CJIS ACE Insight customers, we’ll go through this together as Insight gets updated.

You can always learn more about what we at CJIS ACE can do for you and your agency. I’d enjoy a chance to talk with you; gimme a call or send me an email.

Y'all take care.