Required Procedures for the Sanitization and Disposal of Export Controlled Data and Technology

Does your company have a policy for safe disposal of your depreciated computers, cellular phones, PDA’s and other data storage devices that contain sensitive export controlled data? The purpose of this blog post is to take a moment to remind all of you that The Department of Commerce requires all hard drives and electronic devices that store export controlled data be thoroughly sanitized prior to disposal, transfer, or resale. What does sanitized mean? Well, the detailed guidelines for proper sanitization can be found in Special Publication 800-88 Revision 1 authored by the National Institute of Standards and Technology, a division of the U.S. Department of Commerce (NIST).

Publication 800-88 Revision 1 is complex and detailed, but let me highlight two areas of the document that warrant special attention. First, you should review of the Sanitization and Disposition Decision Flow Chart (Figure 4.1) on page 17. Details on how to classify data can be found in Standards for Security Categorization of Federal Information and Information Systems (FIPS 99), but suffice it to say all storage devices that contain export control documents should be considered under the category of “high security” for disposition requirements. For minimum sanitization recommendations based on various types of data storage devices you should reference Appendix A on pages 26-40 of Pub. 800-88 Revision 1. And finally, be sure to view Appendix G: Sample Certificate of Sanitization Form noted on page 56 of Special Publication 800-88.

For those of you who have a formal Export Management Compliance Program (EMCP) with accompanying corporate compliance manual, I would recommend implementing and using the Certificate of Sanitization Form as a standard policy/operational instrument within your export compliance program. Be sure to include procedures related to recordkeeping (i.e. 5 years minimum from date of disposal) and maintain copies of sanitization and disposal as part of your Compliance program.

For more details on Sanitization and disposal of fully depreciated/ready to be disposed electronic storage devices please see the linked document or contact TSI Global Consulting, LLC at 210-757-0618.


Share via emailShare on FacebookShare on Twitter