Disk Clearing and Disk Sanitization Action Plan for Success NetApp - Proprietary & Confidential

Where is Disk Clearing and Disk Sanitization Defined? US Department of Defense Standard “ISFO Process Manual V3 14 June 2011” Defacto standard for Disk Clearing and Disk Sanitization. Has been revised several times and has had several name changes. They are all outdated and should no longer be referenced. “DOD 5220.22-M NISPOM” “NIST Special Publication 800-88 Guidelines for Media Sanitization” “ODAA Process Guide for C&A of Classified Systems under NISPOM” NetApp - Proprietary & Confidential

What is Disk Clearing / Disk Sanitization? A procedure by which classified information is removed in such a manner that known non-laboratory attacks (i.e., keyboard attacks) will be unable to recover the information. Disk Sanitization A procedure by which classified information is completely removed and even a laboratory attack using known techniques or analysis will not recover any information. Sanitization of memory and media is required if a system is being “released” to users with access level lower than the accreditation level. Note that memory is required to be overwritten as well for both. The tools available to the NetApp PSE/PSCs don’t include a method to overwrite a NetApp storage controller’s memory. Acceptable methods of disk destruction include incineration, grinding/sanding the surface to dust, smelting, or acid. Shredding and degaussing are not acceptable methods of disk sanitization through destruction. Requirements for tracking disks once they are sanitized is included in the standard. NetApp doesn’t do tracking of disks once they are returned. The preferred term to describe the NetApp service offering is “Disk Erasure”, not “Disk Clearing”, or “Disk Sanitization”. NetApp - Proprietary & Confidential

How Can This be Done in DataONTAP? Disk Sanitization Command Requires a special zero dollar license. Can not be uninstalled without reloading DataONTAP. Disk Clearing Operations Overwrite all addressable locations with a single character utilizing an approved overwrite utility. Disk Sanitization Operations Overwrite all addressable locations with a pattern, and then its complement, and finally with another unclassified pattern. Above counts as three cycles, sanitization is not complete until three cycles are successfully completed. Once complete, there is a requirement to verify a sample. Tools to verify a sample of disk are not available to NetApp PSE/PSCs. If any part of the disk can not be written to, the disk must be destroyed, according to DoD standards. NetApp does not make a service available for disk destruction; however, NetApp does have an offering for non-returning of disks. An acceptable set of patterns to use is supplied in the US Department of Defense document. Use of a random pattern is no longer part of the disk sanitization requirements. Three passes of a single set of writes is clearly called out in the current standard. The documentation clarifies that the standard is not three of each pass, for a total of 9 writes as was mistakenly assumed by numerous implementers in the past. NetApp - Proprietary & Confidential

What are the DataONTAP Commands? Disk Clearing Command disk sanitize start -f -p 0x00 -c 1 DISK Disk Sanitization Command disk sanitize start -f -p 0x00110101 -p 0x11001010 -p 0x10010111 -c 1 DISK Important Notes It is only possible to run the disk sanitization command against a single disk. The disk sanitization command can not be run on broken or failed disks. The customer may request that NetApp perform a ‘Disk Sanitization’ even without the ability to sanitize the storage controller cluster’s memory. NetApp PSE/PSCs only perform “Disk Clearing”, as there are significant requirements for tracking disks once they have been “Sanitized”. NetApp - Proprietary & Confidential

What are the Specific Tasks? Get signoff from the customer to sanitize a system. Need to ensure that the customer understands that this operation can not be undone. See sample signoff text, select the one based upon if this is a paid engagement or not. Install Disk Sanitization license on the NetApp storage controller. Make sure that the motherboard, shelf and disk firmware are up to date. Remove all failed disks from the storage controller. These disk will need to be disposed of by the customer. If all disks are part of a single root aggregate, you will need to build a new volume and aggregate composed of a minimal number of disks. Copy the active root volume to the newly created aggregate. Make the new root volume the boot volume. Reboot the storage controller to make the change live. Destroy all aggregates, except for the root aggregate. Destroy all volumes, except for the root volume. Run the appropriate DataONTAP command for each disk to start the disk clearing or sanitization process. Wait for process to complete. Progress can be checked via the “disk sanitize status” command and the “sysconfig –r” command. Make note of disks that fail the sanitize process. They will need to be removed and disposed of appropriately by the customer. Note that there may be an additional charge for non-return of disks. Capture the final output of the “sysconfig –r” command. Reboot the system to maintenance mode and perform a 4a. Fill out the statement of completion. See attached sample, select the sample text based upon if this is a paid engagement or not. NetApp - Proprietary & Confidential

Authorization For Disk Erasure The customer, REPLACE_NAME_HERE requests that disk erasure work be performed according to US Department of Defense Standard ISFO Process Manual V3 14 June 2011 on the following NetApp storage controllers: REPLACE_NAME, SN# REPLACE_SSN The customer understands that the disk erasure process is non-reversable once started and all existing data on the storage controllers named above will be non- recoverable. This work will be performed under NetApp purchase number REPLACE_PO_NUMBER. Signed for Customer: _________________________ Print name: _________________________ Date: _________________________ NetApp - Proprietary & Confidential

Authorization For Disk Erasure The customer, REPLACE_NAME_HERE requests that disk erasure work be performed according to US Department of Defense Standard ISFO Process Manual V3 14 June 2011 on the following NetApp storage controllers: REPLACE_NAME, SN# REPLACE_SSN The customer understands that the disk erasure process is non-reversable once started and all existing data on the storage controllers named above will be non- recoverable. This work will be performed without charge to the customer. Signed for Customer: _________________________ Print name: _________________________ Date: _________________________ NetApp - Proprietary & Confidential

Completion of Disk Erasure Work Disk erasure work was performed on the following NetApp storage controllers using the built in DataONTAP tools: REPLACE_NAME, SN# REPLACE_SSN The process followed meets the disk clearing requirements detailed in the US Government publication, “ISFO Process manual V3 14 June 2011”, the generally accepted industry accepted authority on device erasure. This work was performed without charge to the customer. Signed for Customer: _________________________ Print name: _________________________ Date: _________________________ NetApp - Proprietary & Confidential

Completion of Disk Erasure Work Disk erasure work was performed on the following NetApp storage controllers using the built in DataONTAP tools: REPLACE_NAME, SN# REPLACE_SSN The process followed meets the disk clearing requirements detailed in the US Government publication, “ISFO Process manual V3 14 June 2011”, the generally accepted industry accepted authority on device erasure. This work was performed done under NetApp purchase number PO # REPLACE_PO_NUMBER. Signed for Customer: _________________________ Print name: _________________________ Date: _________________________ NetApp - Proprietary & Confidential