How Does NAID AAA Certification Intersect With NIST 800-88? (Part 1)
March 11, 2021
This blog will be presented in two parts. In this first installment, I will provide a perspective on the relative differences between NAID AAA Certification and NIST 800-88 and their overlap with physical media destruction requirements. In the next installment, I will do the same for the implications for electronic media erasure.
I assume most readers already know NAID AAA Certification is far and away the most widely recognized and adopted third-party verification of data destruction service providers’ regulatory compliance and security, updated as necessary as data protection regulations change around the world.
Most readers will also have some knowledge of the NIST 800-88 Guidelines for Media Sanitization, issued by the National Institute of Standards and Technology, and last updated in 2014.
Whereas NIST 800-88, in its own words, is meant to “assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information,” NAID AAA Certification “verifies data destruction service providers’ compliance with data protection regulations and security requirements.”
These missions are very different.
The only reference in NIST 800-88 to service provider qualifications is the statement lifted verbatim from the FACTA Final Disposal Rule, which the FTC, in consultation with NAID, wrote more than 15 years ago:
Organizations can outsource media sanitization and destruction if business and security management decide that this would be the most reasonable option for them to maintain confidentiality while optimizing available resources. When exercising this option, this guide recommends that organizations exercise “due diligence” when entering into a contract with another party engaged in media sanitization. Due diligence for this case is accepted as outlined in 16 CFR 682 which states “due diligence could include reviewing an independent audit of the disposal company’s operations and/or its compliance with this rule [guide], obtaining information about the disposal company from several references or other reliable sources, requiring that the disposal company be certified by a recognized trade association or similar third party, reviewing and evaluating the disposal company’s information security policies or procedures, or taking other appropriate measures to determine the competency and integrity of the potential disposal company.”
The title of this blog is a question, but it is not the most common question I get about the relationship between NAID AAA Certification and NIST 800-88. That question is more direct. It is “Does NAID AAA Certification verify service providers’ compliance with NIST 800-88?”
Unfortunately, it is a mistake and disservice to the questioner to answer that question without them understanding the issues.
In my last blog, I discussed how the context of any such question is needed before providing a relevant and meaningful answer.
Assuming the client (who is usually asking the question) is going to make a decision based on the answer, we first need to know if the question is relevant. Are they talking about electronic media erasure or physical media destruction? Are they asking because they have to meet a specification or because they just happened to come across a reference? Are they aware no data protection regulation on the planet requires NIST 800-88 compliance, or that NIST 800-88 has no third-party audit methodology built into it? (BTW – This is not a fault of NIST 800-88. It simply stems from the nature of what it is – guidance.)
Service providers familiar with NIST 800-88 already know its guidance on physical destruction particle size is quite small. But imagine you were developing a particle size requirement where you had no control over the process. You don’t have the luxury of dictating who is performing the destruction or how it will be discarded afterward. Of course, you would make the particle size very small. It had better be small if it’s going in the dumpster. NIST does not have the benefit of dictating, as NAID AAA Certification does, that employees are screened and trained, that access is restricted, and that destroyed remains are controlled. The NIST professionals – who take the job very seriously and are eminently qualified – do not have the luxury, or the burden, of worrying about the cost of the requirement. The point is they have every reason to go to the smallest particle size. It is not a fault.
On the other hand, a client who mistakenly believes they are required to meet that particle size may unnecessarily spend ten times what they might if they knew the facts.
I have written before about a large government agency that was on the verge of requiring the NIST 800-88 physical destruction particle sizes. It was going to cost them millions of dollars per year. But, once they were fully informed, they were able to avoid that expense… precisely because it was unnecessary.
I personally have no issue with a client deciding to go with such a small particle size as long as they are making an informed decision. In fact, when they do, they can still require NAID AAA Certification in order to benefit from all the other regulatory compliance and security it verifies.
The issues between NAID AAA Media Erasure Certification and NIST 800-88 vary somewhat, given that the certification is predicated on the veracity of quality control and blind third-party forensics. As a teaser, I will note that NAID AAA’s requirement to have separate technicians and systems for internal quality control, which was included from the beginning in 2008, was not part of earlier iterations of NIST 800-88 and appeared there only in the 2014 update.