R2 Guidance & Knowledge Base

Difference between “Core 7-Data Security” vs. “Appendix B-Data Sanitization” requirements


(REVISED 10/25/2021 with further clarification added):

Q.   What is the difference between the “Core 7-Data Security” and “Appendix B-Data Sanitization” requirements?

Not all R2 Facilities will be qualified or equipped to perform data sanitization. However, every R2 Facility is responsible for properly securing data devices, planning for their sanitization, and directing them to the appropriate sanitization process.

Core Requirement 7(a) requires that all R2 facilities develop a Data Sanitization Plan that defines the types of devices they manage, the data that needs to be sanitized, and the sanitization method to be used for each device type. Each R2 Facility must also implement appropriate physical and administrative controls to secure data devices and protect data from any unintended access.

Appendix B-Data Sanitization requirements go beyond Core 7 and include additional requirements for logical data sanitization, enhanced security, and device tracking. Facilities that are certified to Appendix B can be certified for physical sanitization, logical sanitization, or both.

R2v3 allows for three pathways for data sanitization:

    1. PHYSICAL SANITIZATION in accordance with Core 7(c)(2)(B)
       Core 7(c)(2)(B) describes the physical destruction process according to NIST 800-88 methods and calls for verification of the effectiveness of the method used. Appendix B(7-9) also describes the required physical destruction process, but goes further by specifying the methods to be used in B(7); requiring adherence to customer requests for additional conditions in B(8); and mandating video recording of the process in B(9).
    2. PHYSICAL and/or LOGICAL SANITIZATION in accordance with Appendix B-Data Sanitization
       Appendix B-Data Sanitization requirements go beyond Core 7 and include additional requirements for logical and physical data sanitization, enhanced security, and device tracking. Facilities that are certified to Appendix B may be certified for physical sanitization, logical sanitization, or both. Important points to note about Appendix B:

       • Any R2v3 facility that performs LOGICAL SANITIZATION MUST be certified to Appendix B.
       • When an R2 facility is certified to Appendix B, its entire data security and data sanitization process is upgraded beyond the basic requirements of Core 7.
       • Items intended for processing under Appendix B must meet all requirements of the appendix, so where items cannot be logically sanitized they must be directed to a qualified Appendix B PHYSICAL SANITIZATION process.
    3. SANITIZATION BY A QUALIFIED DOWNSTREAM VENDOR in accordance with Appendix A-Downstream Recycling Chain
       Data sanitization may be performed by an R2v3 DSV that is certified to Appendix B for physical and/or logical sanitization, or by a Non-R2 DSV that is qualified under Appendix A(8)(d).

To summarize: Data security requirements apply to all R2 facilities regardless of their scope of operations, and there are several pathways that can be followed to sanitize devices, either by the R2 Facility itself or by a qualified DSV. To determine the appropriate data sanitization process, it is important to know what the customer/supplier requires or expects in terms of sanitization, and also which process has been communicated to them under Core 7(c)(1)(B).

 

(ADDED 10/15/2021):

Q.   If a facility is certified to Appendix B, can it follow Appendix B requirements for logical sanitization, and follow only Core 7 requirements for all physical destruction processes?

No. If a company is certified to Appendix B, the requirements of Appendix B apply to all data-bearing devices under the control of the R2 facility. The facility cannot follow the more lenient requirements of Core 7 for its physical destruction process.
