What is the DoD Standard?
The phrase "DoD standard," which refers to DoD 5220.22-M, is commonly used in the data sanitization industry. But what does this "standard" actually mean for companies, governments, ITADs, and vendors of data sanitization solutions?
The most straightforward approach to erasing previously recorded data overwrites every addressable region of a disk drive with the same data, often an all-zero pattern. The DoD "standard" and others like it take overwriting a step further by requiring a predefined sequence of passes that includes random data. Either way, the goal is to prevent the data from being recovered with conventional data recovery procedures.
A Brief History of the Standard
The DoD 5220.22-M data erasure method appeared early in the history of the data sanitization sector. The National Industrial Security Program Operating Manual (commonly known as "NISPOM," or Department of Defense document #5220.22-M), released by the United States Department of Defense (DoD) in 1995, described a procedure for overwriting hard disk drives (HDDs) with patterns of ones and zeros. Three overwriting passes were required, with verification after the last pass. This predates cellphones and the widespread adoption of flash-based storage technology.
Erasing an HDD using the DoD 5220.22-M data sanitization technique prevents all software-based and hardware-based file recovery methods from retrieving essential data from the disk.
A DoD letter issued in 2001 defined further overwriting and verification procedures, which became recognized as part of the "standard." The DoD 5220.22-M ECE technique is a seven-pass variation of the DoD 5220.22-M method. It executes the DoD 5220.22-M twice, with an additional pass (DoD 5220.22-M (C) Standard) in between.
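As an added illustration (not code from the original article or from any vendor's product), the three-pass sequence and its seven-pass ECE variant described above can be modelled over an in-memory buffer standing in for a drive. The article names only "patterns of ones and zeros", so the exact per-pass patterns (zeros, then ones, then random) and the single (C) pass being one random write are assumptions, as is the requirement that a random final pass be kept in memory so that the read-back verification can compare against it.

```python
import os

# Per-pass patterns. None means a fresh random byte stream for that pass.
# Assumption: the commonly cited DoD 5220.22-M sequence is a character,
# its complement, then random data; the (C) pass is a single random write.
ZEROS, ONES, RANDOM = b"\x00", b"\xff", None

DOD_3PASS = [ZEROS, ONES, RANDOM]                    # "E": 3 passes + verify
DOD_C_1PASS = [RANDOM]                               # "(C)": 1 pass (assumed)
DOD_ECE_7PASS = DOD_3PASS + DOD_C_1PASS + DOD_3PASS  # E, C, E = 7 passes


def pass_stream(pattern, length):
    """Build the bytes that one pass writes across the whole media."""
    if pattern is None:
        return os.urandom(length)
    return (pattern * (length // len(pattern) + 1))[:length]


def sanitize(media: bytearray, passes, verify_every_pass=False):
    """Overwrite `media` (a bytearray standing in for a drive) pass by pass.

    Verification reads the media back and compares it with what was just
    written; the three-pass method verifies only after the final pass, so
    the random final stream is kept in memory to be checked against.
    Returns (passes_done, verified).
    """
    verified = True
    for i, pattern in enumerate(passes):
        written = pass_stream(pattern, len(media))
        media[:] = written                      # the overwrite pass
        if verify_every_pass or i == len(passes) - 1:
            verified = verified and bytes(media) == written
    return len(passes), verified


def readback_contains(media, marker: bytes) -> bool:
    """Plain read-back check: does the marker still appear on the media?"""
    return marker in bytes(media)


if __name__ == "__main__":
    # Constructed sample "drive" holding a recognisable record.
    drive = bytearray(b"CONSTRUCTED-RECORD:account=1234;" * 8)
    print("before:", readback_contains(drive, b"account=1234"))
    print("3-pass:", sanitize(drive, DOD_3PASS))
    print("after :", readback_contains(drive, b"account=1234"))
```

The same `sanitize` call with a one-element pass list models the single-pass approach discussed later in the article; on this buffer the record is equally unrecoverable by read-back after one pass, which is the article's point about multiple passes on modern media.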
However, the most recent version of the DoD 5220.22-M "standard," updated in 2006, no longer defines an overwriting procedure for wiping hard drives, although the three-pass approach is still accepted practice where it is used.
In reality, the DoD NISPOM 5220.22-M has undergone several minor revisions, the most recent reflecting changes as late as 2016. The DoD 5220.22-M document 1) does not provide a technique for digital sanitization and 2) defers sanitization procedures to other federal institutions (Cognizant Security Agencies, or CSAs).
The DoD 5220.22-M sanitization technique is one of the most frequently used methods among data destruction standards, and it is still regarded as an industry standard in the United States. Most data sanitization software, Blancco Drive Eraser included, supports many sanitization techniques, including DoD 5220.22-M. However, the DoD approach is now less effective in most circumstances, requires more resources, and is more expensive than contemporary standards. It is therefore no longer recommended practice, even at government agencies.
The Truth Behind DoD 5220.22-M Sanitization Method
DoD 5220.22-M is still widely available as a data wiping option today, although it has been superseded by other data sanitization standards, such as NIST SP 800-88 Clear and NIST SP 800-88 Purge from the National Institute of Standards and Technology. (For additional information, see "Data Sanitization in the Modern Age: DoD or NIST?" in our best practice download.)
There are several reasons for this, some of which may persuade you to choose an alternative data wiping standard for total data erasure:
DoD 5220.22-M methods are challenging to apply to solid-state drives (SSDs), which present unique challenges in erasing recorded data entirely and permanently.
The DoD no longer refers to DoD 5220.22-M as a mechanism for secure HDD erasure.
DSS, the Department of Defense agency in charge of administering and implementing the defense portion of the National Industrial Security Program (NISP), including the NISPOM, recently updated its "Assessment and Authorization Process Manual (DAAPM)" for federal contractors, which became effective on May 6, 2019. The media sanitization section of the manual identifies NIST SP 800-88 as the governing media sanitization guideline (pp. 46, 130-131).
Similarly, laws and certification processes (particularly in the federal sector) now refer to NIST SP 800-88 media erasure recommendations rather than the DoD "standard."
The NISPOM does not establish any official standard for data sanitization in the United States. Instead, the Cognizant Security Authority (CSA), a restricted collection of United States federal entities, is authorized to set sanitization criteria.
Each CSA is in charge of data sanitization requirements for its own agency and those under its jurisdiction. The DoD 5220.22-M technique is no longer approved for use by various CSA members.
Multiple overwrite passes are not always necessary. Because of advances in storage technology since the DoD 5220.22-M approach was first published, a single overwrite pass is often sufficient, reducing the time and energy required for successful data sanitization.
The DoD demands a mix of erasing, degaussing, and physical destruction for its private data.
The three-pass sanitization clause that appeared in the 1995 version of the National Industrial Security Program Operating Manual (DoD 5220.22-M) was removed by the 2001 memo mentioned above. The three-pass procedure was never allowed for Top Secret material.
Claims of "DoD-approved" erasure are misleading, even though the overwriting process described by the DoD "standard" can still be carried out.
In the IT asset disposal (ITAD) arena, operators and clients frequently mention "DoD certification," yet no such certification exists. The US Department of Defense instead follows the NIST SP 800-88 Guidelines for Media Sanitization. However, this is a guideline, not a certification (for more information on the significance of both data erasure certifications and third-party validations, see "Why are Data Erasure Certifications and 3rd Party Validations So Important?").