Department Of Defense (DoD) Media Sanitization Guidelines 5220.22M
Key Points
- The U.S. Department of Defense no longer references DoD 5220.22-M as a method for secure HDD erasure
- Regulations and certification programs now cite NIST SP 800-88 media erasure guidelines
- Multiple overwrite passes can waste time and money
- “Approved by DoD” claims are misleading
- Independent data erasure verification has moved to the forefront of certified compliance oversight
The DoD 5220.22-M standard for erasing or wiping data from a hard drive emerged early in the evolving electronic data destruction business. A classic case of echo-chamber knowledge distribution, the de facto adoption of this process was more of a marketing phenomenon than the result of any official policy supported by the Department of Defense.
DoD 5220.22-M specifies a process that overwrites data on a hard drive with random patterns of ones and zeros. The fact that the DoD 5220.22-M protocol required three overwriting passes made it seem all the more secure, as did the implied Department of Defense imprimatur. At some point, this pseudo standard took on a life of its own as third-party computer recycling and refurbishing companies, IT asset disposition (ITAD) firms and other types of organizations asserted DoD compliance on websites and marketing collateral.
DoD 5220.22-M was never approved by the Department of Defense for civilian media sanitization, and even more importantly, the DoD never intended for it to be a standard for classified data. The DoD is not in the business of certifying data destruction standards and has no mechanism for policing any given company’s procedures. For its own classified data, the DoD requires a combination of wiping, degaussing and/or physical destruction.
Over the past several years, the National Institute of Standards and Technology's (NIST) Special Publication 800-88: Guidelines for Media Sanitization has become the real-world reference for data erasure compliance. Originally issued in 2006 and revised in 2012, SP 800-88 spells out preferred methodologies for wiping hard drives and other media under Minimum Sanitization Recommendations in Appendix A (see our summary of this document here). These methods include both overwriting and Secure Erase, a command set built into the drive itself. This document has replaced the DoD standard in regulatory and certification practice, and yet DoD 5220.22-M continues to hang on in marketing statements.
The intent of the NIST document is to provide meaningful guidelines for sanitizing electronic media. The document does not provide requirements, standards or specifications. In actual practice, most commercial data wiping software and hardware products reliably deliver the technology to erase hard drives beyond the possibility of reasonable forensic recovery and to comply with mainstream certification programs. In terms of performance, the differentiators among such products are about price, processing speed, scale and auditing capabilities. But it would be surprising to see any modern data wipe product invoke DoD 5220.22-M because the multiple overwrite passes it specifies involve unnecessary energy use, time and cost.
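The two points above, that a single verified pass is what the current guidance asks for and that independent verification and auditing now matter more than pass count, are easier to see in code. The following is an added example, not code from this page or from any sanitization product: it overwrites a constructed image file in one pass (fixed pattern or random bytes), forces the write out, reads the file back, and compares a hash of what was written against a hash of what is now stored, producing an audit record. The chunk size, the marker bytes and the record layout are choices made for the example. It is a file-level demonstration of the overwrite-and-verify idea, not a tool for real drives: remapped sectors, SSD over-provisioning and wear-levelling are not reachable through an ordinary write, which is exactly why SP 800-88 points to the drive's own Secure Erase or cryptographic erase for such media.

```python
"""Single-pass overwrite with read-back verification of a disk image file.

Added example for the article above; it is not sanitization-product code.
Works on an ordinary file standing in for a drive. Real media need the
drive's own Secure Erase / cryptographic erase (see NIST SP 800-88).
"""
import hashlib
import os
import secrets
import tempfile
from typing import Optional

CHUNK = 1 << 20                            # 1 MiB write/verify granularity (chosen for the example)
MARKER = b"CONFIDENTIAL RECORD 0042\n"     # constructed "user data" so residue is detectable


def make_sample_image(size: int) -> str:
    """Create a constructed throw-away image file filled with MARKER bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        written = 0
        while written < size:
            n = min(CHUNK, size - written)
            f.write((MARKER * (n // len(MARKER) + 1))[:n])
            written += n
    return path


def count_residue(path: str, marker: bytes = MARKER) -> int:
    """Count occurrences of `marker` in the file; 0 is the expected post-wipe result."""
    hits, tail = 0, b""
    with open(path, "rb") as f:
        while True:
            block = f.read(CHUNK)
            if not block:
                break
            buf = tail + block
            hits += buf.count(marker)
            # keep len(marker)-1 bytes so a marker straddling two reads is still seen
            tail = buf[-(len(marker) - 1):] if len(marker) > 1 else b""
    return hits


def overwrite_image(path: str, pattern: Optional[bytes] = None) -> dict:
    """Overwrite every byte in place in one pass, fsync, then read the file
    back and compare SHA-256(written) with SHA-256(stored).
    pattern=None means cryptographically random bytes; otherwise the given
    pattern is repeated (e.g. b"\\x00"). Returns an audit record."""
    size = os.path.getsize(path)
    written_hash = hashlib.sha256()
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            if pattern is None:
                block = secrets.token_bytes(n)
            else:
                block = (pattern * (n // len(pattern) + 1))[:n]
            f.write(block)
            written_hash.update(block)
            done += n
        f.flush()
        os.fsync(f.fileno())   # commit the pass before verifying it
    # Read-back verification. NOTE: on a file this may be served from the OS
    # page cache; a real verification reads from the device (e.g. O_DIRECT).
    readback_hash = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            readback_hash.update(block)
    return {
        "path": path,
        "size": size,
        "method": "single-pass random" if pattern is None
                  else f"single-pass fixed {pattern.hex()}",
        "written_sha256": written_hash.hexdigest(),
        "readback_sha256": readback_hash.hexdigest(),
        "verified": written_hash.digest() == readback_hash.digest(),
        "residue_hits": count_residue(path),
    }


def demo(size: int = 3 * CHUNK + 17) -> list:
    """Build a sample image, wipe it with zeros and then with random bytes,
    remove it, and return the residue count plus both audit records."""
    path = make_sample_image(size)
    try:
        before = count_residue(path)
        zero_pass = overwrite_image(path, pattern=b"\x00")
        random_pass = overwrite_image(path)
    finally:
        os.remove(path)
    return [{"residue_before": before}, zero_pass, random_pass]


if __name__ == "__main__":
    for rec in demo():
        print(rec)
```

The audit record is the part that matters for certification oversight: the written and read-back hashes, the method and the residue count are what an independent verifier can check, whereas the number of passes tells them nothing on its own. The odd image size (not a multiple of the chunk) exercises the partial-last-chunk path that a naive wiper often gets wrong.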