The Internal Revenue Service (IRS) is the revenue service of the United States federal government, responsible for collecting US federal taxes and implementing federal tax laws in the country. Publication 1075, the Tax Information Security Guidelines from the IRS, outlines the measures required by IRC (Internal Revenue Code) § 6103(p)(4)(F) for users of Federal Tax Information (FTI) to safeguard its confidentiality following its use. All federal, state, and local agencies must implement these safeguards to meet Federal Tax Information (FTI) Compliance. Section 2.F of the publication covers 'Disposing of Federal Tax Information,' with 'Sub-section 3.1' specifically focusing on the Media Sanitization Guidelines. Further, sub-section 'MP-6 (Media Sanitization)' of Media Protection (Section 4.10) recommends using NIST SP 800-88 approved procedures to sanitize FTI stored on digital and non-digital media.
Detailed information regarding the IRS Media Sanitization Guidelines is available on the IRS website under the Safeguards Program (Office of Safeguards). According to the guidelines, federal, state, and local agencies must ensure that all FTI-bearing media is sanitized before it is disposed of or reused. The recommended methods for sanitizing are Clearing, Purging, and Destroying. The selection of the sanitization method depends on the media's intended future use: will it be reused within the agency, or will it leave the agency? The guidelines also cover sanitizing media in outsourced or state-run data centers.
IRS-Recommended Media Sanitization Methods
The requirements for Media Sanitization remain consistent regardless of whether the media is within the agency or at an outsourced data center location. IRS-recommended methods for Media Sanitization are based on NIST 800-88 techniques, viz. Clear, Purge, and Destroy.
- Clear: This is the basic level of media sanitization, which involves techniques like overwriting to safeguard sensitive data against keyboard attacks from standard input devices.
- Purge: This sanitization method involves the Secure Erase command (for ATA drives only), degaussing, etc., to safeguard sensitive data against sophisticated laboratory data recovery attempts. Officials would need trained personnel to perform a purge.
- Destroy: This is the ultimate form of media sanitization the IRS recommends for destroying FTI. It involves techniques like disintegration, pulverizing, melting, shredding, etc., to physically destroy FTI-carrying media. However, this method is environmentally unsustainable and must be applied when the media is not to be reused.
Media Types & Recommended Sanitization Methods
The IRS recommends considering two factors when deciding the sanitization method for FTI-bearing media: whether the media is within the agency's control, and whether it will be reused.
- For Media Within the Agency Control
  - To be Reused with FTI: Clear
  - To be Reused without FTI: Purge
  - Not to be Reused: Destroy
- For Media Outside the Agency Control
  - To be Reused with FTI: Purge
  - To be Reused without FTI: Purge
  - Not to be Reused: Destroy
It is important to note that the IRS states, "Studies have shown that most of today's media can be effectively cleared and purged by one overwrite using current available sanitization technologies." Furthermore, the sanitization method also depends on the type of media to be sanitized.
Media Type & Sanitization Method
| S.No. | Media Type | Media Sub Type | Clear | Purge | Destroy |
|---|---|---|---|---|---|
| 1 | Magnetic Media | Floppy Disks | Overwrite | Degauss | Incinerate, Shred |
| 1 | Magnetic Media | Hard Drives | Overwrite | Secure Erase, Degauss, Disassemble & Degauss | Incinerate, Shred, Pulverize, Disintegrate |
| 1 | Magnetic Media | Zip Drives | Overwrite | Degauss | Incinerate, Shred |
| 1 | Magnetic Media | SCSI Drives | Overwrite | Secure Erase, Degauss, Disassemble & Degauss | Incinerate, Shred, Pulverize, Disintegrate |
| 1 | Magnetic Media | Reel and Cassette | Overwrite using a system similar to the one used for original recording | Degauss | Incinerate, Shred |
| 2 | Flash Media | USB | Overwrite | NA | Incinerate, Shred, Pulverize, Disintegrate |
| 2 | Flash Media | Memory Card | Overwrite | NA | Incinerate, Shred, Pulverize, Disintegrate |
| 2 | Flash Media | SSD | Overwrite | Secure Erase, Cryptographic Erase | Incinerate, Shred, Pulverize, Disintegrate |
| 3 | Optical Disks | CD/DVDs | NA | NA | Disk Grinder, Incinerate, Optical Disk Shredder, Optical Disk Disintegrator |
| 4 | Hard Copy Media | Paper, Microfilm | NA | NA | Burning, Shredding |
* Degaussing is not an appropriate method for SSD
Note: To know more about the above Media Sanitization techniques such as Overwriting, Cryptographic Erase, Shredding, etc., refer to the Knowledge Series article: Data Destruction Methods and Techniques.
IRS states that verification of the sanitized media is an essential step to ensure proper sanitization. Section 2.F.3 of Publication 1075 recommends representative sampling of sanitized media by testing every third piece. It further requires that an agency employee witness or verify the sanitization.
Media Sanitization Records: FTI Disposal Logs
FTI sanitization records must be maintained for all sanitized media, and they should contain, but not be limited to, the following information:
- Type of media sanitized
- Time of sanitization
- No. of media sanitized
- Method of sanitization
- Verification
- Final Disposition
For media stored at outsourced data centers, the Service-Level Agreement (SLA) must have a provision for verification that must be delivered to the agency post-sanitization. Publication 1075 recordkeeping requirements also mandate agencies to maintain FTI disposal logs, which must be reported annually in the Safeguard Security Report (SSR). Under the media sanitization guidelines, the IRS recommends following NIST SP 800-88 Media Sanitization Guidelines, including adherence to the Certificate of Destruction.
Therefore, federal, state, and local agencies must employ a media sanitization solution that can sanitize all types of drives and devices using NIST 800-88 approved sanitization methods and generate Media Sanitization Records with the required information.
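The selection rules, media table, sampling requirement and log fields described above can be checked mechanically. The following is an added example, not code from Publication 1075 or from any vendor: it audits constructed disposal-log records, and the dictionary key names, the `record` helper, the acceptance of a stronger-than-required technique, and the reading of "every third piece" as at least `count // 3` pieces tested are all assumptions of this example.

```python
# Added example (not IRS or vendor code): audits constructed disposal-log records.
LEVELS = ["Clear", "Purge", "Destroy"]
REQUIRED = {  # required level by (agency control, intended reuse), per the list above
    ("inside", "reuse_with_fti"): "Clear", ("inside", "reuse_without_fti"): "Purge",
    ("inside", "no_reuse"): "Destroy", ("outside", "reuse_with_fti"): "Purge",
    ("outside", "reuse_without_fti"): "Purge", ("outside", "no_reuse"): "Destroy",
}
PHYS = {"Incinerate", "Shred", "Pulverize", "Disintegrate"}
# Three rows of the media table; an empty set stands for "NA".
TECHNIQUES = {
    "Hard Drive": {"Clear": {"Overwrite"}, "Destroy": PHYS,
                   "Purge": {"Secure Erase", "Degauss", "Disassemble & Degauss"}},
    "SSD": {"Clear": {"Overwrite"}, "Destroy": PHYS,
            "Purge": {"Secure Erase", "Cryptographic Erase"}},
    "USB": {"Clear": {"Overwrite"}, "Purge": set(), "Destroy": PHYS},
}
# The six log fields the page lists, plus two context keys this example assumes.
FIELDS = ["media_type", "time", "count", "method", "verification",
          "final_disposition", "control", "reuse"]

def audit(rec):
    """Return findings for one disposal-log record; an empty list means it passes."""
    issues = [f"missing field: {f}" for f in FIELDS if not rec.get(f)]
    if issues:
        return issues
    need = REQUIRED[(rec["control"], rec["reuse"])]
    table = TECHNIQUES[rec["media_type"]]
    # Assumption: a technique at the required level or a stronger one is acceptable.
    allowed = set().union(*(table[lvl] for lvl in LEVELS[LEVELS.index(need):]))
    if rec["method"] not in allowed:
        issues.append(f"{rec['method']} does not meet {need} for {rec['media_type']}")
    check = rec["verification"]
    # "Every third piece" read as at least count // 3 tested, minimum one (assumption).
    if check.get("tested", 0) < max(1, rec["count"] // 3):
        issues.append("fewer than every third piece tested")
    if not check.get("witness"):
        issues.append("no agency employee witness recorded")
    return issues
def record(media, control, reuse, method, count, tested, witness, disposition="reissued"):
    # Builds a constructed sample record; every value here is made up.
    return {"media_type": media, "control": control, "reuse": reuse, "method": method,
            "time": "2024-01-15T10:00", "count": count, "final_disposition": disposition,
            "verification": {"tested": tested, "witness": witness}}
SAMPLES = [
    record("SSD", "inside", "reuse_without_fti", "Cryptographic Erase", 9, 3, "A. Clerk"),
    record("USB", "outside", "reuse_with_fti", "Overwrite", 6, 2, "A. Clerk"),
    record("SSD", "inside", "reuse_without_fti", "Degauss", 12, 2, ""),
    record("Hard Drive", "inside", "no_reuse", "Shred", 3, 1, "A. Clerk", disposition=""),
]
```

Running `audit` over `SAMPLES` passes the first record and flags the other three: an overwritten USB stick leaving agency control (the table lists no Purge technique for USB), a degaussed SSD batch with too few pieces tested and no witness, and a record with no final disposition.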
BitRaser: Ideal Solution for FTI Media Sanitization to Stay Compliant
Compliance with IRS Media Sanitization Guidelines is necessary for securely disposing of federal tax information. BitRaser Drive Eraser is an ideal data-wiping solution that has been tested, certified, and approved by NIST, DHS, and Common Criteria. The software can securely erase FTI from SSDs, HDDs, NVMe, SATA, PATA drives, and devices like laptops, desktops, Mac devices, etc. It generates tamper-proof reports & certificates of erasure that contain all the required information as prescribed by the IRS.
Federal, state, and local authorities can leverage BitRaser's data-wiping capabilities to sanitize FTI Media and stay compliant with Federal Tax Information Compliance.