
Summary: The goal of destroying CUI (Controlled Unclassified Information) is to render the information unreadable, indecipherable, and irrecoverable by any person or forensic recovery tool. Acceptable methods include cross-cut shredding, incineration, degaussing (magnetic media only), verified overwriting, and cryptographic erasure, carried out in line with 32 CFR Part 2002 and NIST SP 800-88 Rev. 2 (Guidelines for Media Sanitization).

CUI, or Controlled Unclassified Information, is information (on paper or in digital form) that the federal government creates or possesses, or that a contractor creates or handles on the government's behalf, and that a law, regulation, or government-wide policy requires to be safeguarded. NARA (National Archives and Records Administration), as the CUI Executive Agent, sets the rules for handling it, including how it must be destroyed.

You cannot destroy CUI with everyday disposal methods like tossing paper in the trash or formatting a drive. CUI requires specified destruction methods: cross-cut shredding paper into 1 mm x 5 mm particles, degaussing magnetic media, physically destroying flash media, cryptographic erasure, and the other techniques drawn from NIST SP 800-88.

The Primary Goal of Destroying CUI: Rendering Data Unrecoverable

According to NARA's CUI rule in 32 CFR Part 2002, destruction must turn any data marked or identified as CUI into something that is:

  • Unreadable: No human or machine should be able to read it, or extract even a fragment of information from it, after destruction.
  • Indecipherable: The CUI must be fragmented or disintegrated to such a degree that even if a specialised tool retrieves raw data from the remains, that data cannot be understood.
  • Irrecoverable: No forensic recovery or data reconstruction tool should be able to recover the data from the medium, whether hard drive, SSD, USB flash drive, or paper.

All of this matters because CUI that is merely discarded can be reassembled by the wrong hands. Two ways that goes wrong:

  • A single page seems harmless, but a foreign intelligence service that collects thousands of discarded pages can aggregate them into information that affects national security.
  • Most companies resell or recycle hardware after a project ends. Any data remanence on that hardware can turn into a large-scale leak; the purpose of destroying CUI is to make sure this doesn't happen.

Mandatory Compliance Frameworks for CUI Disposal

The destruction method you choose must satisfy these two sources:

  • 32 CFR Part 2002: NARA's CUI rule. It binds executive branch agencies and, through contract clauses, the non-federal organizations that handle CUI for them. It requires destruction that renders CUI unreadable, indecipherable, and irrecoverable, using NIST SP 800-88 methods or a method approved for classified information.
  • NIST SP 800-88 Rev. 2 (Guidelines for Media Sanitization): tells you how to sanitize storage media. It defines three sanitization levels: Clear, Purge, and Destroy.

Make sure the vendor handling your destruction understands the goal of destroying CUI and follows the standards above; otherwise the Certificate of Destruction (COD) it issues will not stand up in an audit.

How to choose the best method for CUI destruction?

It depends on the media type and on whether the media will leave your control. Use this table to pick the right level for your scenario.

Method | How to do it | Use when
Clear | Overwrite every addressable location with a fixed pattern using a wiping tool, then verify the result. | The media stays under your control and will be reused.
Purge | Magnetic media: degauss (the drive is unusable afterwards) or run the drive's built-in sanitize command. Flash media (SSD, USB): use the manufacturer's sanitize or secure-erase command, or cryptographic erase. Degaussing has no effect on flash. | The media is leaving your control (sale, donation, return to lessor).
Destroy | Shred, disintegrate, pulverize, or incinerate. | Both the data and the device must be unrecoverable, or the media cannot be reliably purged.
Cryptographic Erasure (CE) | The data was encrypted from the moment it was written; sanitize every copy of the key. NIST treats CE as a Purge technique. | Cloud storage or self-encrypting drives where you cannot physically reach the media.

How to Destroy Digital and Physical CUI?

Use these methods, matched to the media type, to destroy every piece of data.

  1. Clear: Use a wiping tool that overwrites every addressable location on the medium and then verifies the result. NIST SP 800-88 considers a single verified overwrite pass sufficient for modern hard drives; on SSDs an overwrite cannot reach remapped or over-provisioned blocks, so prefer the drive's own sanitize command. Clear is only appropriate while the medium stays under your control. I personally use the Kernel File Shredder because it offers multiple-pass data wiping methods.
  2. Purge: Sanitize hard disks either by degaussing with a degausser rated for the drive's coercivity, which destroys the magnetic pattern (and the drive's servo tracks, so the drive cannot be reused), or by issuing the drive's built-in sanitize or secure-erase command. Either way the data is unreadable even to a forensic recovery tool. Degaussing does nothing to SSDs and USB flash drives; for those, use the manufacturer's sanitize utility (ATA SANITIZE, NVMe Sanitize, or the vendor tool), which erases all blocks including spare areas, and verify afterwards.
  3. Destroy: The highest level, where the medium itself is physically destroyed.
    • Shredding: Use certified shredders (for example, devices on the NSA/CSS Evaluated Products List) that cut paper into 1 mm x 5 mm particles. For SSDs and USB sticks, use a shredder or disintegrator that reduces the flash chips to particles of 2 mm or smaller, so that no memory die survives intact.
    • Incineration: Burn the material in a licensed facility until it is reduced to ash. This works for paper, optical media, and whole devices alike.
  4. Cryptographic Erasure (CE): If the data lives in a cloud service, you cannot shred or burn the provider's disks. CE is the alternative: the data must have been encrypted before it was ever written to storage (customer-managed keys in the provider's KMS, or a self-encrypting drive), and you then destroy every copy of the encryption key, after which the ciphertext is unrecoverable. Encrypting already-stored plaintext after the fact does not count, because the original plaintext blocks can remain on the underlying media.
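The CE step above, and the table row before it, come down to one property: the key is the only thing that has to be sanitized, and that only holds if the data was encrypted from its first write. The following added example (mine, not code from the original article) shows both the correct procedure and the "encrypt it later" failure mode on a simulated flash medium with wear levelling. It uses HMAC-SHA256 in counter mode as a stand-in stream cipher so that it runs with the Python standard library alone; a real self-encrypting drive or disk-encryption layer would use AES-XTS or AES-GCM. The flash model, the key handling and the sample CUI record are all constructed for the demo.

```python
"""Cryptographic erasure (CE) on a simulated flash medium (added example)."""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
CUI_RECORD = b"CUI//SP-PRVCY constructed sample record 0001"  # constructed sample


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF in counter mode: concatenate HMAC-SHA256(key, nonce || counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class FlashMedium:
    """Flash with wear levelling: a logical write never overwrites the old
    physical copy. The old block goes stale: invisible to the host, but
    readable by a chip-off forensic examination."""

    def __init__(self):
        self.physical = []   # every block ever written, in order
        self.mapping = {}    # logical block -> index of its current physical copy

    def write(self, block: int, data: bytes) -> None:
        self.physical.append(bytes(data))
        self.mapping[block] = len(self.physical) - 1

    def read(self, block: int) -> bytes:
        return self.physical[self.mapping[block]]

    def chip_off_scan(self, needle: bytes) -> bool:
        """Raw substring scan over all physical blocks, stale ones included."""
        return any(needle in blk for blk in self.physical)


class EncryptedVolume:
    """Encrypt-at-write: plaintext never reaches the medium, and the data
    encryption key (DEK) exists only here, so sanitizing it sanitizes the data."""

    def __init__(self, medium: FlashMedium):
        self.medium = medium
        self.dek = bytearray(secrets.token_bytes(32))  # the only copy of the DEK

    def write(self, block: int, plaintext: bytes) -> None:
        if self.dek is None:
            raise PermissionError("key destroyed")
        nonce = secrets.token_bytes(NONCE_LEN)  # fresh nonce for every write
        ct = xor_bytes(plaintext, keystream(bytes(self.dek), nonce, len(plaintext)))
        self.medium.write(block, nonce + ct)

    def read(self, block: int) -> bytes:
        if self.dek is None:
            raise PermissionError("key destroyed: ciphertext is unrecoverable")
        raw = self.medium.read(block)
        nonce, ct = raw[:NONCE_LEN], raw[NONCE_LEN:]
        return xor_bytes(ct, keystream(bytes(self.dek), nonce, len(ct)))

    def crypto_erase(self) -> None:
        """CE: zero the only copy of the DEK in place, then drop it."""
        if self.dek is not None:
            for i in range(len(self.dek)):
                self.dek[i] = 0
        self.dek = None


def demo_correct_ce() -> dict:
    """Data encrypted from the first write: after CE there is nothing to recover."""
    medium = FlashMedium()
    vol = EncryptedVolume(medium)
    vol.write(0, CUI_RECORD)
    readable_before = vol.read(0) == CUI_RECORD
    vol.crypto_erase()
    try:
        vol.read(0)
        readable_after = True
    except PermissionError:
        readable_after = False
    return {"readable_before": readable_before,
            "readable_after": readable_after,
            "plaintext_on_chip": medium.chip_off_scan(CUI_RECORD)}


def demo_encrypt_after_the_fact() -> bool:
    """Failure mode: stored in the clear, 'encrypted' later, key destroyed.
    Returns True if a chip-off scan still finds the plaintext."""
    medium = FlashMedium()
    medium.write(0, CUI_RECORD)   # written in the clear first
    vol = EncryptedVolume(medium)
    vol.write(0, CUI_RECORD)      # re-encrypting lands in a new physical block
    vol.crypto_erase()
    return medium.chip_off_scan(CUI_RECORD)


if __name__ == "__main__":
    print("encrypt-at-write, then CE:", demo_correct_ce())
    print("plaintext survives encrypt-after-the-fact:", demo_encrypt_after_the_fact())
```

The second demo is the point of the caveat: on flash (and in a cloud object store that keeps old versions), "encrypting and then deleting the key" does nothing for plaintext copies that already existed, so CE is only a valid Purge when encryption was in place before the CUI was written.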

What verifies a successful CUI destruction?

In an audit you must be able to prove that the data was destroyed. If you cannot, you may be held liable for a later spillage. Maintain a chain-of-custody record that tracks each medium from the moment it is marked for destruction until the certificate is issued.

Moreover, obtain a Certificate of Destruction that contains, at minimum:

  • Media type, model name, and serial number.
  • The sanitization level and technique used (Clear, Purge, or Destroy, and the specific method), plus the verification performed, for example a full read-back or representative sampling showing no residual data.
  • The date of destruction and the name and signature of the person who performed it.
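The verification line of the certificate is where vendors cut corners. NIST SP 800-88 allows either a full read-back of the medium or representative sampling after Clear or Purge; the added example below (my code, not from the original article) implements both against a file-backed image constructed in the script so it runs offline. On real hardware you would open the block device read-only instead of the image file. The block size, fill pattern, image size and sample count are hypothetical choices for the demo.

```python
"""Post-sanitization verification: full read-back versus sampling (added example)."""
import os
import random
import tempfile

BLOCK = 4096      # hypothetical block size
FILL = b"\x00"    # pattern the wiping tool is expected to have written


def write_image(path: str, blocks: int, remnant_block=None) -> None:
    """Constructed image: 'blocks' blocks of FILL, optionally one block that still
    carries pre-sanitization data (what a skipped HPA/DCO region or an SSD spare
    block looks like on read-back)."""
    remnant = b"CUI//SP-PRVCY constructed remnant ".ljust(BLOCK, b"R")
    with open(path, "wb") as f:
        for i in range(blocks):
            f.write(remnant if i == remnant_block else FILL * BLOCK)


def full_verify(path: str) -> list:
    """Full verification: read every block; return byte offsets that deviate from FILL."""
    expected = FILL * BLOCK
    bad = []
    with open(path, "rb") as f:
        offset = 0
        while True:
            chunk = f.read(BLOCK)
            if not chunk:
                break
            if chunk != expected[:len(chunk)]:
                bad.append(offset)
            offset += len(chunk)
    return bad


def sample_verify(path: str, samples: int, seed=None) -> list:
    """Representative sampling: read 'samples' randomly chosen blocks.
    Much cheaper than full_verify on a large drive, but it can miss an isolated remnant."""
    expected = FILL * BLOCK
    nblocks = os.path.getsize(path) // BLOCK
    rng = random.Random(seed)
    chosen = sorted(rng.sample(range(nblocks), min(samples, nblocks)))
    bad = []
    with open(path, "rb") as f:
        for blk in chosen:
            f.seek(blk * BLOCK)
            if f.read(BLOCK) != expected:
                bad.append(blk * BLOCK)
    return bad


def demo(blocks=64, remnant_block=37, samples=8, trials=100) -> dict:
    """Run both strategies on an image with exactly one unwiped block and report
    how often sampling misses it."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        write_image(path, blocks, remnant_block)
        full_bad = full_verify(path)
        sample_all_bad = sample_verify(path, blocks)   # sampling every block == full
        missed = sum(1 for s in range(trials) if not sample_verify(path, samples, seed=s))
    finally:
        os.remove(path)
    return {"full_bad": full_bad,
            "sample_all_bad": sample_all_bad,
            "sample_miss_rate": missed / trials,
            "expected_miss_rate": 1 - samples / blocks}


if __name__ == "__main__":
    print(demo())
```

With 8 of 64 blocks sampled, sampling misses the single remnant about 87% of the time, which is why a COD should state the verification method and its coverage rather than just "verified". A full read-back is the only check that catches an isolated leftover block, and on an SSD even that cannot see spare blocks, which is the reason Purge for flash relies on the drive's sanitize command rather than on read-back alone.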

Achieving CUI Destruction: From Regulation to Execution

Quick-formatting a drive is not enough for CUI marked for destruction. Use the Clear, Purge, or Destroy techniques from NIST SP 800-88 Rev. 2. The goal of destroying CUI is not to hide data but to eliminate it. Verify the result: there must be no recoverable data and no remanence. Then obtain a Certificate of Destruction backed by an unbroken chain of custody.

Frequently Asked Questions

Q. What if you fail to comply with the framework?

A. Failing to follow the CUI destruction process can lead to legal trouble. Your organization may lose its ongoing government contracts and, in certain situations, face heavy fines.

Q. Why choose a licensed tool or organization for CUI destruction?

A. Organizations should avoid ad-hoc, do-it-yourself destruction. As per reports, more than 40% of employees make mistakes when handling data sanitization, which leads to remanence and spillage. Hire professionals with validated tools and secure a COD after the purge.

Q. Is “deleting” or “formatting” a drive enough to destroy a CUI?

A. No. Formatting or deleting only removes the file system's index entries; the data blocks themselves remain until they are overwritten and can be recovered with ordinary forensic tools. Deleting data is not nearly enough to destroy CUI.
