Keysight M9037A Security Manual

Security
Guide

Keysight M9037A PXIe
Embedded Controller

Notices

© Keysight Technologies, Inc. 2014

No part of this manual may be repro­duced in any form or by any means
(including electronic storage and retrieval
or translation into a foreign language)
without prior agreement and written con­sent from Keysight Technologies, Inc. as
governed by United States and interna­tional copyright laws.

Manual Part Number

M9037-90020

Edition

Third Edition, September 2014
Printed in Malaysia

Keysight Technologies, Inc.
1400 Fountaingrove Parkway
Santa Rosa, CA 95403 USA

Trademarks

AXIe is a registered trademark of the AXIe
Consortium.

PXI is a registered trademark of the PXI
Systems Alliance.

®

PICMG
AdvancedTCA
marks of the PCI Industrial Computer
Manufacturers Group.

PCI-SIG
registered trademarks of PCI-SIG.

, Compact PCI®, and

®

are registered trade-

®

, PCI Express®, and PCIe

®

are

Sales and Technical Support

To contact Keysight for sales and techni­cal support, refer to the support links on
the following Keysight websites:

www.keysight.com/find/M9037A (prod-

uct-specific information and support,
software and documentation updates)

www.keysight.com/find/assist (world-

wide contact information for repair and
service)

Information on preventing damage to
your Keysight equipment can be found at

www.keysight.com/find/tips.

Declaration of Conformity

Declarations of Conformity for this prod­uct and for other Keysight products may
be downloaded from the Web. Go to

http://keysight.com/go/conformity and

click on “Declarations of Conformity.” You
can then search by product number to
find the latest Declaration of Conformity.

T

echnology Licenses

The hard ware and/or software described
in this document are furnished under a
license and may be used or copied only in
accordance with the terms of such
license.

Warranty

THE MATERIAL CONTAINED IN THIS
DOCUMENT IS PROVIDED “AS IS,” AND
IS SUBJECT TO BEING CHANGED,
WITHOUT NOTICE, IN FUTURE EDI­TIONS. FURTHER, TO THE MAXIMUM
EXTENT PERMITTED BY APPLICABLE
LAW, KEYSIGHT DISCLAIMS ALL WAR­RANTIES, EITHER EXPRESS OR IMPLIED,
WITH REGARD TO THIS MANUAL AND
ANY INFORMATION CONTAINED
HEREIN, INCLUDING BUT NOT LIMITED
TO THE IMPLIED WARRANTIES OF MER­CHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE. KEYSIGHT
SHALL NOT BE LIABLE FOR ERRORS OR
FOR INCIDENTAL OR CONSEQUENTIAL
DAMAGES IN CONNECTION WITH THE
FURNISHING, USE, OR PERFORMANCE
OF THIS DOCUMENT OR OF ANY INFOR­MATION CONTAINED HEREIN. SHOULD
KEYSIGHT AND THE USER HAVE A SEP­ARATE WRITTEN AGREEMENT WITH
WARRANTY TERMS COVERING THE
MATERIAL IN THIS DOCUMENT THAT
CONFLICT WITH THESE TERMS, THE
WARRANTY TERMS IN THE SEPARATE
AGREEMENT SHALL CONTROL.

Keysight Technologies does not warrant
third-party system-level (combination of
chassis, controllers, modules, etc.) per­formance, safety, or regulatory compli­ance unless specifically stated.

DFARS/Restricted Rights
Notices

If software is for use in the performance
of a U.S. Government prime contract or
subcontract, Software is delivered and
licensed as “Commercial computer soft­ware” as defined in DFAR 252.227-7014
(June 1995), or as a “commercial item” as
defined in FAR 2.101(a) or as “Restricted
computer software” as defined in FAR

52.227-19 (June 1987) or any equivalent
agency regulation or contract clause.
Use, duplication or disclosure of Software
is subject to Keysight Technologies’ stan­dard commercial license terms, and non­DOD Departments and Agencies of the
U.S. Government will receive no greater
than Restricted Rights as defined in FAR

52.227-19(c)(1-2) (June 1987). U.S. Gov­ernment users will receive no greater
than Limited Rights as defined in FAR

52.227-14 (June 1987) or DFAR 252.227­7015 (b)(2) (November 1995), as applica­ble in any technical data.

Safety Information

The following general safety precau­tions must be observed during all
phases of operation of this instrument.
Failure to comply with these precau­tions or with specific warnings or oper­ating instructions in the product
manuals violates safety standards of
design, manufacture, and intended use
of the instrument. Keysight Technolo­gies assumes no liability for the cus­tomer's failure to comply with these
requirements.

General

Do not use this product in any manner not
specified by the manufacturer. The protec­tive features of this product must not be
impaired if it is used in a manner specified in
the operation instructions.

Before Applying Power

Verify that all safety precautions are taken.
Make all connections to the unit before
applying power. Note the external markings
described under “Safety Symbols”.

Ground the Instrument

Keysight chassis’ are provided with a
grounding-type power plug. The
instrument chassis and cover must be
connected to an electrical ground to
minimize shock hazard. The ground pin
must be firmly connected to an electri­cal ground (safety ground) terminal at
the power outlet. Any interruption of
the protective (grounding) conductor
or disconnection of the protective
earth terminal will cause a potential
shock hazard that could result in per­sonal injury.

Do Not Operate in an Explosive
Atmosphere

Do not operate the module/chassis in
the presence of flammable gases or
fumes.

Do Not Operate Near Flammable
Liquids

Do not operate the module/chassis in
the presence of flammable liquids or
near containers of such liquids.

Cleaning

Clean the outside of the Keysight mod­ule/chassis with a soft, lint-free,
slightly dampened cloth. Do not use
detergent or chemical solvents.

Do Not Remove Instrument Cover

Only qualified, service-trained person­nel who are aware of the hazards
involved should remove instrument
covers. Always disconnect the power
cable and any external circuits before
removing the instrument cover.

Keep away from live circuits

Operating personnel must not remove
equipment covers or shields. Proce­dures involving the removal of covers
and shields are for use by service­trained personnel only. Under certain
conditions, dangerous voltages may
exist even with the equipment
switched off. To avoid dangerous elec­trical shock, DO NOT perform proce­dures involving cover or shield removal
unless you are qualified to do so.

DO NOT operate damaged
equipment

Whenever it is possible that the safety
protection features built into this prod­uct have been impaired, either through
physical damage, excessive moisture,
or any other reason, REMOVE POWER
and do not use the product until safe
operation can be verified by service­trained personnel. If necessary, return
the product to an Keysight Technolo­gies Sales and Service Office for ser­vice and repair to ensure the safety
features are maintained.

DO NOT block the primary
disconnect

The primary disconnect device is the
appliance connector/power cord when
a chassis used by itself, but when
installed into a rack or system the dis­connect may be impaired and must be
considered part of the installation.

Do Not Modify the Instrument

Do not install substitute parts or per­form any unauthorized modification to
the product. Return the product to an
Keysight Sales and Service Office to
ensure that safety features are main­tained.

In Case of Damage

Instruments that appear damaged or
defective should be made inoperative
and secured against unintended oper­ation until they can be repaired by
qualified service personnel

Do NOT block vents and fan exhaust:
To ensure adequate cooling and venti­lation, leave a gap of at least 50mm
(2") around vent holes on both sides of
the chassis.

Do NOT operate with empty slots: To
ensure proper cooling and avoid dam­aging equipment, fill each empty slot
with an AXIe filler panel module.

Do NOT stack free-standing chassis:
Stacked chassis should be rack­mounted.

All modules are grounded through the
chassis: During installation, tighten
each module's retaining screws to
secure the module to the chassis and
to make the ground connection.

Operator is responsible to maintain
safe operating conditions. To ensure
safe operating conditions, modules
should not be operated beyond the full
temperature range specified in the
Environmental and physical specifica­tion. Exceeding safe operating condi­tions can result in shorter lifespan,
improper module performance and
user safety issues. When the modules
are in use and operation within the
specified full temperature range is not
maintained, module surface tempera­tures may exceed safe handling condi­tions which can cause discomfort or
burns if touched. In the event of a
module exceeding the full temperature
range, always allow the module to cool
before touching or removing modules
from the chassis.

iv

Safety Symbols

A CAUTION denotes a hazard. It
calls attention to an operating pro­cedure or practice, that, if not cor­rectly performed or adhered to
could result in damage to the
product or loss of important data.
Do not proceed beyond a CAUTION
notice until the indicated condi­tions are fully understood and met.

A WARNING denotes a hazard. It
calls attention to an operating pro­cedure or practice, that, if not cor­rectly performed or adhered to,
could result in personal injury or
death. Do not proceed beyond a
WARNING notice until the indi­cated conditions are fully under­stood and met.

Products display the following sym­bols:

Warning, risk of electric
shock

Refer to manual for addi­tional safety information.

Earth Ground.

Chassis Ground.

Alternating Current (AC).

Standby Power. Unit is not
completely disconnected
from AC mains when
switch is in standby.

Antistatic precautions
should be taken.

The CSA mark is a registered trade­mark of the Canadian Standards Asso­ciation and indicates compliance to
the standards laid out by them. Refer
to the product Declaration of Confor­mity for details.

Notice for European Community: This
product complies with the relevant
European legal Directives: EMC Direc­tive (2004/108/EC) and Low Voltage
Directive (2006/95/EC).

The Regulatory Compliance Mark
(RCM) mark is a registered trademark.
This signifies compliance with the Aus­tralia EMC Framework regulations
under the terms of the Radio Commu­nication Act of 1992.

ICES/NMB-001 indicates that this ISM
device complies with the Canadian
ICES-001.

This symbol represents the time period
during which no hazardous or toxic
substance elements are expected to
leak or deteriorate during normal use.
Forty years is the expected useful life
of this product.

South Korean Class A EMC Declara­tion. this equipment is Class A suitable
for professional use and is for use in
electromagnetic environments outside
of the home.

Waste Electrical and

Electronic
Equipment (WEEE)
Directive
2002/96/EC

This product complies with the WEEE
Directive (2002/96/EC) marking
requirement. The affixed product label
(see below) indicates that you must not
discard this electrical/electronic prod­uct in domestic household waste.

Product Category: With reference to
the equipment types in the WEEE
directive Annex 1, this product is clas­sified as a “Monitoring and Control
instrumentation” product.

Do not dispose in domestic household
waste.

To return unwanted products, contact
your local Keysight office, or see

www.keysight.com/environment/prod­uct for more information.

CAT I
CAT II
CAT III
CAT IV

For localized Safety Warnings, Refer
to Keysight Safety document (p/n
9320-6792).

IEC Measurement Cate­gory I, II, III, or IV

v

vi

Contents

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . vi

Memory Declassification Procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Definitions: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1

Sales and Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2

Procedure for declassifying a controller . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

Controller memory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

References . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

Keysight M9037A PXIe Embedded Controller Security Guide v

vi Keysight M9037A PXIe Embedded Controller Security Guide

M9037A PXIe Embedded Controller
Security Guide

Memory Declassification Procedure

Some test equipment users have a need to “declassify” or “sanitize” their
instruments for security purposes. This involves following a procedure to clear all
user data from the instrument’s memory. The result is a sanitized instrument that
can be removed from a secure area without any chance of classified data being
recovered from it.

This document details the internal memory locations of the M9037A Embedded
Controller. It describes instrument security features and the steps necessary to
declassify the products through memory sanitization or removal. For additional
information on a particular product, the Keysight Instrument Security Database
may be accessed here: www.keysight.com/find/security.

For general information, the Keysight Aerospace and Defense web page may be
found here: www.keysight.com/find/ad.

Definitions:

Clearing - Clearing is the process of eradicating the data on media before
reusing the media so that the data can no longer be retrieved using the standard
interfaces on the instrument. Clearing is typically used when the instrument is to
remain in an environment with an acceptable level of protection.

Sanitization - Sanitization is the process of removing or eradicating stored data
so that the data cannot be recovered using any known technology. Instrument
sanitization is typically required when an instrument is moved from a secure to a
non-secure environment such as when it is returned to the factory for calibration.
Keysight memory sanitization procedures are designed for customers who need
to meet the requirements specified by the US Defense Security Service (DSS).
These requirements are outlined in the “Clearing and Sanitization Matrix” issued
by the Cognizant Security Agency (CSA) and referenced in National Industrial
Security Program Operating Manual (NISPOM) DoD 5220.22M ISL 01L-1 section
8-301.

Security erase - Security erase is a term that is used to refer to either the clearing
or sanitization features of Keysight instruments.

Instrument declassification - A term that refers to procedures that must be
undertaken before an instrument can be removed from a secure environment
such as is the case when the instrument is returned for calibration.
Declassification procedures will include memory sanitization and or memory
removal. Keysight declassification procedures are designed to meet the
requirements specified by the DSS NISPOM security document (DoD 5220.22M
chapter 8).

1

Sales and Technical Support

For product specific information and support, and to obtain the latest software
and documentation, refer to the following Keysight web resources:

www.keysight.com/find/M9037A (Embedded Controller)

Worldwide contact information for repair and service can be found at:

www.keysight.com/find/assist

Sales and Technical Support

2 Keysight M9037A PXIe Embedded Controller Security Guide

Procedure for declassifying a controller

Procedure for declassifying a controller

Even if the M9037A is not able to power on, it may be declassified by removing
the SSD (disk drive) from the controller. Follow the procedure in the M9037A
Service Guide.

For additional information, go to: http://www.keysight.com/find/security and
enter the model number of you controller (M9037A).

Controller memory

The following table lists the types of memory used in the M9037A controller. It
explains the memory size, how it is used, its location, volatility, and the
sanitization procedure.

Table 1. M9037A Memory (for declassification purposes)

Main memory
(RAM)
4GB or 8Gb Std. up
to 16 Gb.

Media Storage
240 GB SSD drive

Flash memory for
BIOS (Non-volatile
memory)

DDR2-533 memory No No Video RAM Controller Video

Yes No Windows Operating

System memory.
Data input from user,
operating system

Yes Yes Windows Operating

System boot device
and user files
including saved
programs, data,
settings, images, etc.

No Yes Contains default

BIOS settings for use
when booting the
controller. Contains
no user data.

Operating
system, user

Operating
System factory
installed. Other
data is
user-saved.

Programmed at
factory (or
during BIOS
upgrade).
Settings may be
toggled by user.

graphics only.

SSD Data Destruction Several commercially available software programs exist

to completely destroy all data on a data storage device such as the SSD. DoD

5220.22-M is a software based data sanitization method for total data
destruction. The DoD 5220.22-M sanitization method was originally defined by
the U.S. National Industrial Security Program (NISP) in the National Industrial
Security Program Operating Manual (NISPOM). The process involves overwriting
existing information on the SSD (or other data storage device). Typically, this
means writing a 0 (zero) to every addressable location on the device, verifying the
write, writing a 1 (one) to every addressable location and verifying the write, and
then writing a random character (in some cases writing a 97) to every

Motherboard Cycle power. This is

volatile memory.

Motherboard

Motherboard None.

Motherboard Cycle power. This is

Remove. See
instructions below.

volatile memory.

Keysight M9037A PXIe Embedded Controller Security Guide 3

Procedure for declassifying a controller

addressable location and verifying the write. Using a DoD 5220.22-M sanitization
(or a variant) prevents all software and hardware based data recovery methods
from obtaining information from the SSD.

SSD Removal Because it is virtually impossible to completely and selectively

erase all user data on a hard drive without also destroying the operating system,
the best method for maintaining security when the controller must be removed
from a secure area is to remove or replace the hard drive.

1 Power off the PXIe chassis. You do not need to remove the M9037A controller

from the chassis to replace the SSD drive.

2 Loosen the two thumb screws securing the cover to the controller’s front

panel.

3 Unseat the removable SSD with its mounting bracket from the connector and

pull straight out.

If the SSD is removed from the M9037A, do not attempt to power it
up. Always install the SSD before applying power to the M9037A. If
you do not, then the SATA selection is eliminated from the boot
option list. If the SSD is then reinstalled, then at boot the SATA
selection will no be the first option to boot from. The boot order
should be changed so that SATA is the first option.

For detailed information on removing the SSD, refer to the M9037A Service
Guide.

4 Keysight M9037A PXIe Embedded Controller Security Guide

References

References

For additional information, refer to:

- DOD 5220.22-M, “National Industrial Security Program Operating Manual
(NISPOM)”, United States Department of Defense. May be downloaded from
here: www.dss.mil/isp/fac_clear/download_nispom.html

- ODAA Process Guide for C&A of Classified Systems under NISPOM, Defense
Security Service. DSS-cleared industries may request a copy of this document
by following the instructions at: www.dss.mil/isp/odaa/request.html

Keysight M9037A PXIe Embedded Controller Security Guide 5

References

6 Keysight M9037A PXIe Embedded Controller Security Guide

Keysight M9037A PXIe Embedded Controller Security Guide 1

This information is subject to change
without notice
© Keysight Technologies, Inc. 2014
Edition 3 September 2014

*M9037-90020*

M9037-90020

www.keysight.com