How Does NAID AAA Certification Intersect With NIST 800-88? (Part 2)

March 25, 2021

This is the second blog of a two-part series. The first installment provided a perspective on the relative differences in NAID AAA Certification and NIST 800-88 and its overlap with physical media destruction requirements. This installment, addresses the implications of the same on electronic media erasure.

Though reading Part 1 of this series is not absolutely critical to the points made below, there are issues covered in it, I will not address below. In that regard, I do recommend reading Part 1 first.

Many reading this will remember when the NIST 800-88 specifically addressed electronic media sanitization. I believe the original title was Guidelines for the Electronic Media Sanitization. They have since dropped the “electronic,” indicating it is guidance for the sanitization of all media.

The change was appropriate. Even under the old title, NIST 800-88 had an appendix suggesting the particle size requirements for all media (as discussed in detail Part 1).

I point out the name change here only to explain why NIST 800-88 has obtained the most traction in the I.T. Asset Disposal realm. Of course, the other reason is that NIST 800-88 does, in fact, speak mostly to the issue of electronic media erasure than it does to hard copy sanitization.

I mentioned in Part 1, and in half a dozen articles over the years, I have nothing but respect for the work of the professionals who created it and the guidance itself.

It is not the guidance that is the problem, it is in its susceptibility to be misused by service providers and misapplied by clients.

As NAID AAA Certification rose to prominence as the most widely accepted data destruction certification, we began to see non-certified vendors claim to meet our specification. They were not saying they were NAID AAA Certified, but rather that they met all the requirements.

Of course, it is very easy for i-SIGMA to put a stop to such false claims since being subject to our scheduled and unannounced audits is one of the requirements.

Unfortunately, NIST 800-88 does not include or control a third-party audit requirement. This is not the fault of the guidance itself. It was never meant to be an audit regime in the first place. However, given the nature of the guidance, there is nothing to keep any ITAD service provider from claiming NIST 800-88 compliance. Maybe they are compliant, maybe not. There is no way to tell.

And even where there is some form of third-party verification of NIST 800-88, it is important to understand NIST has not sanctioned or endorsed the audit methodology itself.

It is also worth noting that NAID AAA Certification’s third-party verification of overwriting and degaussing efficacy relies on a double-blind evaluation, where neither the applicant nor the forensic lab has any knowledge of the others identity. This is dramatically more rigorous than a service provider paying their own auditor and forensics lab as part of internal quality control.

When it comes to answering the question does NAID AAA Certification validate NIST 800-88,  the answer is “no” and “yes, and much more.”

No: NAID AAA Certification does not specifically reference compliance to the NIST 800-88 Guidance on Media Sanitization, and that being the case, it cannot claim to verify compliance with the guidance itself.

Yes, and more: Not only do NAID AAA audits subject overwritten and degaussed devices to double-blind forensic evaluation of electronic memory devices (which goes beyond guidance offered in NIST 800-88) it also includes a physical audit of more than twenty other security and regulatory compliance issues that fall outside the NIST 800-88 scope.

This is important because, while there are no data protection regulations that specify NIST 800-88, compliance with data protection regulation does require service providers to screen and train employees, to limit access, to demonstrate care and custody, to have specific language in their policies and procedures related to breach notification and, increasingly, data subject response.

And, to assuage any doubt about the integrity and thoroughness of the NAID Electronic Media Erasure specifications, it was NIST 800-88 Guidance that adopted the dual technician recommendation in 2014 from the same requirement originally included in NAID AAA Certification in 2008. In fact, in the case of overwriting magnetic media, NAID AAA also requires service provider quality control to rely on separate software or appliance than the software used to perform the original wiping.

None of this is intended to diminish the work of the NIST 800-88 Guidance. It is intended to “guide” organizations on the proper sanitization of media, and it does a very good job of that. We take no issue with the guidance on that front.

The problem results where clients (and service providers) attempt to invoke NIST 800-88 compliance as a vendor selection criterion.

It was never intended to do that.

Written by Bob Johnson | 26 March 2021