When an organisation decides to professionally sanitise its IT assets, the conversation quickly turns to standards. Two names come up again and again: DoD 5220.22-M and NIST 800-88. While both are used to ensure data is destroyed, they represent different philosophies and methodologies. Understanding this difference is key to choosing the right level of security for your data.

As specialists in this field, we believe in empowering our clients to make informed decisions. This article breaks down these two leading standards.

DoD 5220.22-M: The "Overwrite" Standard

The DoD 5220.22-M standard was published by the U.S. Department of Defense. It is a prescriptive, software-based method that details a specific process of overwriting data on a hard drive. The most common implementation is the "3-pass" method:

  • Pass 1: Writes a character (e.g., a zero) across the entire drive.
  • Pass 2: Writes the character's complement (e.g., a one).
  • Pass 3: Writes random characters and verifies the write.

The philosophy here is brute force: by overwriting the storage locations multiple times, the original data becomes exceptionally difficult to recover with conventional tools. It is a highly effective and widely recognised standard for sanitising traditional magnetic hard disk drives (HDDs).
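As an added illustration, not code from the original article or from Sovereign Data Defence, the 3-pass sequence above (zeros, their complement, random bytes, then read-back verification) applied to a generic Python file object; the sample "drive" is a constructed in-memory buffer, and a real wipe would open the raw block device instead. Overwriting in this way only reaches addresses the device exposes, which is the limitation the article notes for SSDs.

```python
import hashlib
import io
import os

CHUNK = 1 << 16  # 64 KiB per write/read call

def overwrite_pass(fh, size, fill=None):
    """One pass over the first `size` bytes of `fh`: repeated byte `fill`, or
    random bytes when fill is None. Returns SHA-256 of what was written."""
    written = hashlib.sha256()
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        chunk = os.urandom(n) if fill is None else bytes([fill]) * n
        fh.write(chunk)
        written.update(chunk)
        remaining -= n
    fh.flush()  # on a real device also os.fsync(fh.fileno()) before verifying
    return written.hexdigest()

def readback_digest(fh, size):
    """SHA-256 of the first `size` bytes as actually stored on the media."""
    seen = hashlib.sha256()
    fh.seek(0)
    remaining = size
    while remaining:
        chunk = fh.read(min(CHUNK, remaining))
        if not chunk:
            raise IOError("short read during verification")
        seen.update(chunk)
        remaining -= len(chunk)
    return seen.hexdigest()

def dod_three_pass(fh, size, verify_every_pass=False):
    """Pass 1: 0x00, pass 2: complement 0xFF, pass 3: random. The last pass is
    always verified; returns True only if the read-back matches the write."""
    for fill in (0x00, 0xFF, None):
        expected = overwrite_pass(fh, size, fill)
        if (fill is None or verify_every_pass) and readback_digest(fh, size) != expected:
            return False
    return True

def demo():
    """Constructed sample: in-memory 'drive' holding a fake record; returns (ok, bytes)."""
    drive = io.BytesIO(b"CONFIDENTIAL payroll export\n" * 4096)
    ok = dod_three_pass(drive, len(drive.getvalue()), verify_every_pass=True)
    return ok, drive.getvalue()
```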

NIST 800-88: The "Process" Standard

The National Institute of Standards and Technology (NIST) Special Publication 800-88 offers a more modern and comprehensive framework. It is less about a single method and more about a risk-based process. It defines three methods for data sanitisation:

  • Clear: This uses logical techniques to sanitise data, like overwriting data once. It is suitable for protecting data from simple recovery tools.
  • Purge: This uses more advanced techniques, like multi-pass overwriting (similar to the DoD standard), cryptographic erasure, or degaussing, to protect data from laboratory-level recovery attacks.
  • Destroy: This is the final step, involving the physical destruction of the media through shredding, crushing, or incineration. It is recommended for the most sensitive data and for media that cannot be effectively purged.

NIST 800-88 is often considered the current gold standard as it provides a framework for decision-making, rather than just a single, rigid procedure.

Which Standard is Right for You?

The choice depends on your organisation's risk appetite and the type of data and hardware involved.

  • For most corporate data on standard HDDs, the DoD 5220.22-M 3-pass method is a robust, well-understood, and highly defensible standard that provides excellent security.
  • For modern Solid State Drives (SSDs), a NIST 800-88 approach is often superior. The 'Purge' method via Cryptographic Erase (CE), where the drive's internal encryption key is wiped, can be faster and more effective for SSDs than overwriting.
  • For the highest level of security or for failed media, the NIST 'Destroy' method is the only 100% certain solution.

At Sovereign Data Defence, our professional equipment and expertise allow us to implement the correct standard for your specific needs. We perform multi-pass overwrites aligned with DoD and NIST Purge principles, and our included on-site physical destruction service directly implements the NIST Destroy standard for ultimate assurance.

Consult with the Experts.

Unsure which data sanitisation standard your organisation needs? We can help you build a compliant and highly secure IT asset retirement policy.
