The term “DoD standard” is widely used throughout the data sanitization industry. It refers to DoD 5220.22-M, a standard for sanitizing data from hard drives. While basic data sanitization processes involve overwriting hard disk storage areas with the same data (a pattern of zeros), the DoD standard takes the process a step further with prescribed random overwriting methods. As a result, the process prevents data from being retrieved through standard recovery methods. Although the DoD process continues to be requested by businesses seeking hard drive sanitization, it is no longer the industry standard. Here’s what you should know.
Why the DoD Standard Is Obsolete
The earliest version of DoD 5220.22-M was developed in the 1990s, when data sanitization was still new. In its first publication, the standard called for overwriting hard disk drives with patterns of ones and zeros.
The process is typically implemented in a three-pass method, which entails:
- Overwriting all addressable locations with binary zeros.
- Overwriting all addressable locations with binary ones.
- Overwriting all locations with a random bit pattern.
Finally, verification is performed to ensure the final overwrite pass was successful. This method will prevent software- and hardware-based recovery methods from retrieving data from hard drives.
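The three passes and the final verification, as an added example that is not part of the original article: it runs against a constructed in-memory drive image rather than a real device, and the chunk size, the SHAKE-derived random pattern (so the last pass can be verified without storing a copy of it) and the marker string are my own choices.

```python
import hashlib
import io
import os
from typing import BinaryIO, Callable, Optional

CHUNK = 64 * 1024  # write/verify granularity (assumed; not from the article)


def _random_chunk(seed: bytes, index: int, length: int) -> bytes:
    """Random pattern for chunk `index`, regenerable from `seed` so the
    final pass can be verified without keeping a copy of what was written."""
    return hashlib.shake_256(seed + index.to_bytes(8, "big")).digest(length)


def _overwrite(dev: BinaryIO, size: int, pattern: Callable[[int, int], bytes]) -> None:
    """One pass: write pattern(chunk_index, chunk_len) over every addressable byte."""
    dev.seek(0)
    for index, offset in enumerate(range(0, size, CHUNK)):
        dev.write(pattern(index, min(CHUNK, size - offset)))
    dev.flush()
    try:
        os.fsync(dev.fileno())  # push the writes through the OS cache on real files
    except OSError:
        pass  # in-memory objects such as BytesIO have no file descriptor


def verify_last_pass(dev: BinaryIO, size: int, seed: bytes) -> bool:
    """Read the whole device back and compare it with the regenerated random pass."""
    dev.seek(0)
    for index, offset in enumerate(range(0, size, CHUNK)):
        n = min(CHUNK, size - offset)
        if dev.read(n) != _random_chunk(seed, index, n):
            return False
    return True


def three_pass_wipe(dev: BinaryIO, size: int, seed: Optional[bytes] = None) -> bool:
    """Pass 1 zeros, pass 2 ones, pass 3 random, then verification of pass 3."""
    seed = seed if seed is not None else os.urandom(32)
    _overwrite(dev, size, lambda _i, n: b"\x00" * n)
    _overwrite(dev, size, lambda _i, n: b"\xff" * n)
    _overwrite(dev, size, lambda i, n: _random_chunk(seed, i, n))
    return verify_last_pass(dev, size, seed)


def make_sample_image(size: int) -> io.BytesIO:
    """Constructed stand-in for a disk: an in-memory image full of a marker string."""
    return io.BytesIO((b"SECRET-RECORD " * (size // 14 + 1))[:size])


if __name__ == "__main__":
    image = make_sample_image(150 * 1024)
    print("verified:", three_pass_wipe(image, 150 * 1024))
    print("marker still present:", b"SECRET" in image.getvalue())
```

The read-back in `verify_last_pass` only proves that the addresses the host can see hold the random pattern; on flash media, where the controller remaps writes to other physical cells, that check says nothing about the old copies, which is the limitation the article goes on to describe.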
In 2001, additional overwriting and verification methods were added, so that the original three passes are performed twice with an extra pass in between, for a total of seven passes. Nonetheless, the three-pass method remains a commonly used data sanitization method across the U.S. Yet the latest DoD standards still haven’t been revised to reflect updated overwriting patterns for erasing hard drives, so the industry has shifted to a newer method.
The Problems With Outdated Data Wiping
While DoD standards in general are highly esteemed, DoD 5220.22-M in particular is more resource intensive and less effective than other, newer methods. More importantly, the DoD standard isn’t compatible with newer technology.
In the DoD wiping process, patterns of ones and zeros are physically written onto the hard drive’s storage medium. With solid state drives (SSDs), which are found in most newer devices, data is instead stored on integrated circuits. DoD erasure won’t work on this type of storage, but the erasure standards from the National Institute of Standards and Technology, NIST 800-88 Clear and NIST 800-88 Purge, will.
NIST: The New Gold Standard
In addition to working for both SSDs and traditional hard drives, the NIST standard is preferred for several reasons. For one, in recent updates from the DoD, standard 5220.22-M is no longer mentioned as a secure form of hard disk erasure. The DoD employs a different technique for destroying its own classified data, calling for multiple approaches such as wiping and physical destruction. Moreover, regulations and certification programs (even within the government) now cite the NIST standards within their erasure guidelines, instead of DoD 5220.22-M.
Many companies requiring data erasure still request the DoD standard because they may be referencing outdated requirements written by legal departments or risk management teams. This presents a good opportunity to connect with IT teams to refresh any language and policies to align with modernized and more effective data wiping practices.
In our ongoing commitment to industry-leading practices, Quantum uses Blancco data erasure, which conforms with the latest NIST standards. Find out more about our data wiping and destruction protocols here.