Effects of the Recent NSA EPL Changes

October 17, 2019 at 8:00 am by Paul Falcone

Effects of the Recent NSA EPL Changes

Every so often, federal agencies are given new data destruction standards delivered by a mandate from the NSA’s Evaluated Product Lists (EPLs). NSA EPLs dictate how end-of-life data must be destroyed at a top secret and classified level — from paper to hard drives to key tape and more. The industry at large continues to work towards (and past) these most secure end-of-life mandates because they are updated as criminals find ways to extract data off smaller and smaller fragments of media previously thought to be impossible to reconstruct. For example, prior to November of 2018, DVDs were once considered thoroughly destroyed at a 5mm final particle size — but no longer. In fact, the new maximum final particle size for classified DVDs is 2mm, which is over 50% smaller than the previous acceptable final particle size. So as we near the end of 2019, what are the latest changes to the list and how do they affect the destruction of top secret and classified data?

nsa-blu-ray-requirement

Blu-ray and DVD Particle Size Changes

The biggest change on the most recent overhaul of the NSA EPLs in November 2018 was the announcement that the particle size for shredding DVDs would be changing from a 5mm particle size to a 2mm particle size. This mandate also stated that classified Blu-ray Discs (BDs) would for the first time be destroyed through shredding, whereas previously they could only be destroyed through incineration. The particle size requirement for BDs is the same as for DVDs – 2mm. The final particle size requirement for CDs remains at 5mm.

This change comes with a grace period, as the new mandate took agencies by surprise, with very few compliant machines currently available on the market. For the intelligence community, there is a three-year grace period. All other federal agencies will have six years to comply. This change also means there are no longer any NSA listed machines on the market that are able to destroy all classified optical and paper in one shredding chamber.

Changes to Throughput and Durability Tests

The NSA has also made a change in how they present information about both the throughput level of a machine and its one-hour durability test. The throughput level is no longer a specific number, but instead consists of a label of low, medium, or high volume. The one-hour durability test has been removed completely.

This change, however, comes with a caveat. The buyer should be aware that some less-than-scrupulous companies may take advantage of these more vague labels by advertising their machines with inflated throughputs. Therefore, when doing research on a data destroyer, it is imperative to look for companies with impeccable reputations and a history of honesty, as their integrity will be what ultimately dictates how they label the throughput of their machines.

Spreading the Word and Managing Budget

The difficulty with these changes is that while they ultimately keep data, and as a whole the citizens of this country, safe, it has been difficult to spread the word to every single organization that the NSA EPL ultimately affects. With top secret and classified data found in every federal agency and in a multitude of geographic locations globally, getting the news into the ears of every influencer and decision maker who handles security has proven challenging. For this reason, it is critical that commercial organizations involved in federal information security assist the government in spreading the word through their own channels such as email, blogs (like this one), trade shows, and seminars. In addition, federal employees involved with data security may find it a best practice to check the NSA’s website for EPL updates on a regularly scheduled basis.

The other challenge, shared by nearly every industry and individual in existence, is funding. As new mandates are pushed out by the NSA, agencies are often required to purchase new equipment to meet those mandates. A facility that may have had a combo shredder to destroy all of their classified paper, CDs, and DVDs would now need an entirely separate machine to securely shred their DVDs (and now Blu-ray Discs). And, at anytime in the future, that mandate could change again. It can sometimes end up feeling like a gamble, but when it comes to protecting the data and information found at the top secret level, it is imperative that federal organizations involved with secure data destruction budget for anticipated changes. These are far from the last mandates that will be released. As criminals continue to find increasingly sophisticated methodologies for extracting data, it is critical that the NSA stay one step ahead.

Staying Up to Date

Regulations will change, and then they will change again. When it comes to sensitive information and the NSA EPLs, the one constant is the criticality of protecting data when it reaches end-of-life so that America’s top secret and classified information does not fall into the wrong hands. Thanks to the NSA’s testing and EPL listings, the intelligence community and federal organizations at large can feel confident that their end-of-life information will remain confidential, providing peace of mind to our country’s agencies and citizens.

 

The NSA EPL: The Policy that Protects Your Data

June 14, 2019 at 6:40 pm by Paul Falcone

In today’s world the amount of personal data that is accessible in your hands continues to grow by the day. As our data grows, so does our security concerns about how our data is accessed and how it should properly be destroyed. Luckily, there is a guideline that continues to update the products that are proven to destroy data to the point of no return: The Evaluated Product List (EPL) by the National Security Agency/Central Security Service.

What is the NSA EPL?

The NSA EPL is a series of lists that breaks down what devices have been tested and approved by the NSA to meet the necessary physical destruction requirements for all types of data bearing media. Some of these final particle sizes for top secret data are a 1mm x 5mm final particle size for paper and a 2mm particle size for DVDs and Blu-ray Discs. There are seven lists total, as well as a guide that cover a variety of devices used to destroy different media that can hold and store sensitive data. The lists are as follows:

  • NSA/CSS Storage Device Sanitization Manual
  • NSA/CSS Evaluated Products List for Hard Disk Drive Destruction Devices
  • NSA/CSS Evaluated Products List for Magnetic Degaussers
  • NSA/CSS Evaluated Products List for Optical Destruction Devices
  • NSA/CSS Evaluated Products List for Paper Disintegrators
  • NSA/CSS Evaluated Products List for Paper Shredders
  • NSA/CSS Evaluated Product List for Punched Tape Disintegrators
  • NSA/CSS Evaluated Product List for Solid State Disintegrators

For links to the latest lists, click here.

Why is the NSA EPL Important?

On January 23, 1968 the U.S.S Pueblo was in international waters aiding South Korea and gathering and intercepting codes and messages from the North Koreans when the ship became under siege. Crew members attempted to destroy the cryptologic materials that were used to decode secret messages, with one man being killed and three wounded. The North Koreans ended up seizing the ship and all of its crew, keeping the 82 surviving members crew members captive for 11 months. The event represented the largest single loss of sensitive data in US history. It was this very event that actually inspired the creation of the very first SEM disintegrator, as SEM founder Leonard Rosen sought to find a solution for the navy to destroy data in case this ever happened again.

uss-pueblo
Original oil painting depicting North Korean attack by artist Richard DeRosset commissioned by SEM. North Korean ship and aircraft numbering is exact for the attacking forces.

On February 1st, 2003, the Columbia space shuttle tragically disintegrated upon reentering the earth’s atmosphere after 17 days in space. As the pieces of the shuttle burst into flame and hurled towards Earth at high speeds, a hard rive that contained data from the exhibition landed in a river bed in Texas. This hard drive stayed in the riverbed for over six months through all forms of weather until it was discovered and sent to Ontrack to attempt to recover the data.

A look inside the drive that fell from the Columbia shuttle

After a team of engineers got to work, they were able to reconstruct the rotational drive and recover over 99% of the data on the drive. A drive that fell from outer space, on fire, into a riverbed for over six months was able to have its data recovered.

What do these stories have to do with the NSA EPL? Without a set of standards, what people would consider destroyed, or how people would think data is protected, would be very, very, different from what is actually needed to ensure complete physical destruction. By having these standards and a push for devices that can meet these standards, data that needs to be protected to keep people safe around the world can be properly disposed of. This ranges from your own  Personally Identifiable Information (PII) to our nation’s and military’s largest secrets that protect millions of lives.

That means whether it’s designing destruction machines that fit specific dimensions of naval ships, or building a shredder that can destroy hard drives better than falling through the atmosphere, the NSA EPL has the specifications that ensure all data has a proper end-of-life solution.

At SEM, we take pride in being the global leader in high security end-of-life solutions. As such, we are constantly ensuring that our machines are meeting the latest standards provided by the NA, and using our expertise to educate the community at large to keep data of both the government and US citizens safe.

 

What’s the Scoop on the New NSA DVD/Blu-ray Disc Standard?

January 25, 2019 at 8:03 pm by Heidi White

nsa Blu-ray shredderThis past December, the NSA released a complete new set of Evaluated Products Lists for secure document/media destruction devices, all dated 06 November 2018.  Such an extensive new EPL posting was quite a surprise to end users and equipment makers.  Typically, these lists come out in one at a time, often with years between updates.  Seven of them released all at once was unusual and unexpected.

Even more of a surprise was a change in the particle size standard for destroying classified DVD and Blu-ray Discs (BDs).  The change, apparent in the new EPL for Optical Media Destruction Devices, states the new standard as “DVDs and BDs to a maximum edge size of 2mm or less.”  This sudden change has led to a flood of inquiries at SEM from government organizations, so it seemed a good time to address this particular change.

NSA listed DVD shredder
SEM Model 0202 OMD/SSD and OMD/SSD-C shred optical media to less than 2mm and are listed on the 2018 NSA EPL.

The existing CD particle size standard, “CDs to a maximum edge size of 5mm or less,” was not changed.  As a result, looking at the list of products on the EPL, there is a column noting the acceptable materials that indicates whether each device is good for CD, DVD, BD, as well as other non-optical materials for which some of those machines are certified. A key takeaway is that NSA listed optical media destroyers are no longer all the same in terms of what they can destroy.  Users will need to check the EPL to make sure all items they want to destroy are approved.  This could make for a lot of confusion when looking at products on the market.

Yet another uncertainty is the timeline for users to make a changeover.  The EPLs do not give a transition period to switch to new machines, or grandfather the use of existing equipment.  In the past, when the NSA changed a standard for shredders or media destroyers, there was some time allowed to comply.  So far, there has been no announcement of that for the new DVD/Blu-ray standard, but many government entities are hopeful for such an announcement.

What does this mean for the status of existing optical media destroyers in use and on the market? The change is significant.  The great majority of optical media shredders that are in use are no longer shown on the EPL as approved for DVD or Blu-ray.  This includes the most popular optical media shredders on the market and almost all document and multi-media disintegrators. Producing a 2mm particle with no oversized particles is simply not possible with those machines.

DVD NSA EPL
SEM Model 0200 OMD/SSD-C is a cabinet version of the NSA listed CD/DVD/BD shredder

Only a few machines on the EPL for optical media destroyers have approval for DVD and BD. Of those, most are solid state media destroyers, which are large, expensive machines that cost $65,000 and up.  Users seeking a compact, affordable machine to destroy optical media can choose a machine like the SEM Model 0200 OMD/SSD.  Even better is the recently announced version of this machine with a more office-friendly configuration, the Model 0200 OMD/SSD-C.  The new version will better suit most customers with its attractive cabinet and better sound proofing for the vacuum versus the tabletop style of the standard version.  Both versions of the 0200 grind optical discs (not just the surfaces) into the NSA required particle size, which looks like beach sand.  The waste is collected and bagged by a vacuum.  These devices are not quite as user friendly as standard optical media shredders, like the SEM Model 0201 OMD.  Users who only have CDs, no DVDs or Blu-ray, will surely be happier with a machine like the 0201 OMD.

As an aside, another change on the optical media destruction device EPL, and the other EPLs, is that the NSA is no longer publishing official throughput rates.  In recent years these rates were on the EPLs.  This was a way for folks to check the claims made by vendors on capabilities.  The EPLs now direct users to the manufacturers to get throughput data.  In terms of optical media, the rating in question is the number of discs per hour.

At the end of the day, the NSA EPL is the golden standard for all types of secure data destruction, whether government or commercial, and must be followed for the destruction of classified and top secret data. SEM has over 50 years of experience with the destruction of sensitive and secret data and is here to help anyone who has questions on or needs assistance with the new EPLs.

Bob Glicker, Mid-Atlantic Regional Sales Manager, has over 35 total years of sales experience with over 23 years of targeted government sales experience. Bob prides himself on providing the highest level of service to his government clients, and he enjoys working with key resellers. Bob received his BS in Chemistry from the University of Maryland, College Park. In his free time, Bob enjoys a variety of activities including gym workouts, cycling, reading, and listening to podcasts. He is also an avid science lover, an amateur juggler, a vegetarian, and the quintessential family guy.

NSA vs NAID – What’s the Difference?

November 29, 2018 at 3:41 pm by SEM

There are many different types of paper shredders in the marketplace today. Paper shredders are designed and manufactured to produce a variety of security end-results, known as the shred type or “size”. When shopping around, types such as strip shredders, straight-cut models, or cross cut shredders will stop to pop up. Straight-cut models abs cross cut shredders, though still available, are rarely used in the for high end security destruction due to their lack of data security protection from too much bulk waste generated from strip shredding. When it comes to security, the smaller the particle size the better, which is why when protecting classified or confidential information cross-cut shredders rule the shredding world.

Most organizations oversee some responsibility of security destruction, such as the National Association for Information Destruction (NAID), which requires that materials be destroyed to a particle or cross-cut end result. Almost every data regulation in the U.S. includes a requirement that organizations have written data protection policies and put procedures in place to protect their information. These organizations require that data protection processes are identified; however, there are no regulations in place that dictate any specific particle size that they must meet.

The National Security Agency (NSA) has the highest standard and requirements for destroying classified materials. The NSA evaluates tests and compiles a listing of approved shredders that meet their security standards for destruction. Some government agencies and shredder companies refer to this as a level 6 shredder but the NSA does not. The NSA/CSS Evaluated Products Listing for Paper Shredders is the ultimate guide of which the entire DoD community is governed for the destruction of one’s classified paperwork. This is the highest level of security shredding, where the shred sizes must not exceed 0.8 x 4mm. The NSA /CSS EPL are updated on an annual basis where shredders are added and ratings modified based on evaluations of retesting. Older shredder models are not removed from NSA EPL.

When dealing with the destruction of any classified material you are mandated by your own security destruction regulations to follow the NSA guidelines in purchasing an approved shredder from the NSA/Evaluated Products List. Not using an approved shredder could result in a failed security inspection.

With NAID standards you are required to use a particle or crosscut shredder and to follow the same specific guidelines should you elect to contract with a commercial destruction service that is NAID certified and will adhere to those same standards.

Bottom line: Know what your data security destruction requirements are and follow in accordance to what is governing your information destruction program.