DoD 5220.22-M Standard for Drive Erasure
There are numerous standards defined over the past several decades to govern data wiping and other data destruction techniques for safe and compliant media sanitization practices. For data erasure, these standards determine the overwriting patterns and passes set by government agencies and private institutions across the world. For E.g., the U.S. Department of Defense (DoD), the U.S. Navy, and the U.S. Air Force have their data erasure standards. Other examples include New Zealand Government's Community security bureau (NZSIT), the British HMG (Her Majesty's Government) Infosec standard, etc.
This article provides insight into the U.S. Department of Defense (DoD) 5220.22-M standard for drive erasure. It also deep dives into the steps involved in the US DoD data wipe standard for wiping hard drives. Finally, it gives you an overview of how to implement the standard for erasing hard drives at an industrial scale using DoD data-wiping software.
What is the DoD 5220.22-M Standard?
DoD 5220.22-M Standard is a widely recognized method for data erasure used by government agencies and organizations worldwide for performing drive erasure. In the media sanitization circles, it is known as the US DoD data wipe standard. The standard involves overwriting the previously stored data on a hard drive with specific binary patterns repeatedly through a specific number of passes.
The DoD method is based on overwriting the addressable memory locations in hard disk drives with 'zeroes' and 'ones' as binary patterns. The standard defines the implementation of three secure overwriting passes with verification at the end of the final pass.
The following passes constitute the US DoD data wipe standard:
Pass 1: All addressable locations are overwritten with binary zeroes
Pass 2: All addressable locations are overwritten with binary ones
Pass 3: All addressable locations are overwritten with a random bit pattern
The final overwrite pass is then verified.
In 2001, DoD published the DoD 5220.22-M ECE method, a 7-pass version of the original standard. It runs DoD 5220.22-M twice and an extra pass (DoD 5220.22-M (C) Standard) in between.
Pass 1: All addressable locations are overwritten with binary zeroes
Pass 2: All addressable locations are overwritten with binary ones (the compliment of the above)
Pass 3: All addressable locations are overwritten with a random bit pattern
Pass 4: All addressable locations are overwritten with binary zeroes
Pass 5: All addressable locations are overwritten with binary zeroes
Pass 6: All addressable locations are overwritten with binary ones (the compliment of the above)
Pass 7: All addressable locations are overwritten with a random bit pattern
Verify the final overwrite pass.
Despite the upgrades, the three-pass method is still the standard implementation for DoD-level data wiping.
Origins of the US Department of Defense (DoD) Data Erasure Algorithm
The Department of Defense (DoD) standard was developed in 1995 for high-security institutions like Pentagon etc. At the time of its launch, the standard had set a benchmark for data wiping and hardware disposal with its DoD Information Assurance Certification and Accreditation Process (DIACAP).
The DoD 5220.22 standard was published by the U.S. Department of Defense (DoD) in the National Industrial Security Program Operating Manual (also known as NISPOM or Department of Defense document #5220.22-M).
Why use the DoD 5220.22-M Standard?
The DoD data wipe algorithm provides one of the most recognized data destruction methods, and it is still perceived as one of the industry standards for hard drive erasure in the U.S. If you have a high-capacity hard drive or there are a lot of storage drives in your inventory, DoD 5220.22-M data wipe method will take less time than other more comprehensive data erasure methods like the Gutmann standard that involves 30 passes.
Further, the DoD 5220.22 M data wipe standard performs verification at the end of each pass. This ensures that the data is duly overwritten. In addition to zeroes and ones, DoD 5220.22 M uses random characters to overwrite the storage locations in a hard drive. The inclusion of random characters reduces the probability of data recovery.
According, to Defense Security Service (DSS) Assessment and Authorization Process Manual (DAAPM) Version 1.3 released on June 4, 2018, the Media Sanitization Matrix outlines appropriate methods to be used for Destroying Media as per the media type. The table below shows the approved method for sanitizing different media types:
Note: Destruction of the media is an approved Sanitize method for all media types mentioned below, except for Equipment (Monitor, Impact Printer & Laser Printer). Destruction is only mentioned specifically where it is the sole method of 'Sanitize'.
The Order column is only applicable when a combination of two procedures is required to sanitize the media.
Clearing and Sanitization Matrix *
Media | Clear | Sanitize | Order |
Magnetic Tape |
Type I | Degauss | Degauss | - |
Type II | Degauss | Degauss | - |
Type III | Degauss | Degauss | - |
Magnetic Disk |
Bernoulli | Degauss or Overwrite | Degauss | - |
Floppy | Degauss or Overwrite | Degauss | - |
Non-Removable Rigid Disk | Overwrite or Degauss | Pattern Overwrite | - |
Removable Rigid Disk | Degauss or Overwrite | Pattern Overwrite | - |
Optical Disk |
Read Many, Write Many | Pattern Overwrite | - | - |
Read Only | - | Destroy if classified information is present | - |
Write Once, Read Many (WORM) | - | Destroy if classified information is present | - |
Memory |
DRAM | Overwrite or Remove Power | Overwrite or Remove Power | - |
EAPROM | Chip Erase | Chip Overwrite | - |
EEAPROM | Chip Erase | Random Overwrite | - |
EPROM | UV Erase | Triple UV Erase and Overwrite | Triple UV Erase followed by Overwrite |
FEPROM | Chip Erase | Chip Erase and Overwrite | Chip Erase followed by Overwrite |
PROM | Overwrite | - | - |
Magnetic Bubble Memory | Overwrite or Degauss | Overwrite | - |
Magnetic Core Memory | Overwrite or Degauss | Pattern Overwrite | - |
Magnetic Plated Wire | Overwrite | Overwrite and Long Overwrite | Overwrite and Long Overwrite |
Magnetic Resistive Memory | Overwrite | - | - |
NOVRAM | Overwrite | Overwrite | - |
ROM | - | Destroy | - |
SDRAM | Overwrite or Remove Power | Overwrite or Remove Power | - |
SRAM | Overwrite or Remove Power | Overwrite or Remove Power | - |
Other Media |
Video Tape | - | Destroy | - |
Film | - | Destroy | - |
Equipment |
Monitor | Remove Power | Screen Destroy | - |
Impact Printer | Remove Power | Destroy Ribbons | Destroy Ribbons then Remove Power |
Laser Printer | Remove Power | Run Page | Run Page then Remove Power |
Note: We have abbreviated the sanitization methods for your easy understanding. Their actual meaning is given below per DAAPM Version 1.3:
- Degauss: Degauss media using a Type I, II, or III degausser.
- Overwrite: Overwrite each addressable location with a single character using an approved overwrite utility.
- Pattern Overwrite: It is for spills only, first overwrite with a pattern, followed by its complement, and then with another unclassified pattern. However, sanitization is considered to be complete only when three cycles are done. Verification of the sample is necessary. If during verification any part of the disk is found to be un-writable or inaccessible, then destroy or degauss the disk.
- Remove Power: Remove the power source including any connected batteries.
- Chip Erase: Perform a full chip erase as per the manufacturer's instructions.
- UV Erase: Perform an ultraviolet erase as per the manufacturer's recommendation.
- Chip Overwrite: Perform Chip Erase then perform Overwrite, a total of three times.
- Random Overwrite: Overwrite all locations first with a random pattern, followed by binary zeros, and then with binary ones using an approved overwrite utility.
- Triple UV Erase: Perform an ultraviolet erase as per the manufacturer's recommendation, increasing time by a factor of three.
- Long Overwrite: Each overwrite must reside in memory longer than the time classified data resided in it.
- Destroy Ribbons: Ribbons have to be destroyed and Platens have to be cleaned.
- Screen Destroy: Inspect and test the screen surface for evidence of burn-in information. If the information is present, then the screen must be destroyed.
- Run Page: Run 1 page (font test acceptable) when the print cycle is not completed (e.g., paper jam or power failure). Dispose of output as unclassified if visual examination does not reveal any classified information.
* According to the NISPOM official Manual, 'Page 122,' organizations are advised to refer to the NIST SP 800-88 Rev 1 Guidelines for Media Sanitization when making practical decisions regarding sanitization.
The document specifies, "In addition, NIST Special Publication 800-88, Guidelines for Media Sanitization, dated Sep 2006, can assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information, ensuring cost-effective security management of their IT resources, and mitigate the risk of unauthorized disclosure of information."
How to Implement DoD 5220.22-M Standard?
The information security policy of many federal, state, and private firms requires the implementation of the DoD 5220.22-M standard as part of their data erasure practice. You can implement the DoD 5220.22-M standard with the help of professional DoD data wipe software like BitRaser Drive Eraser that can implement DoD 5220.22-M and other global standards to help government bodies and private organizations attain regulatory compliance.
Limitation of the DoD 5220.22-M Standard Though the DoD data wiping standard was considered the benchmark standard for data destruction, for many years, it has been succeeded by other latest standards such as NIST SP 800-88. The main reason is the limitations of the DOD 5220.22M data wipe method concerning the erasure of flash memory-based storage. It was not designed to erase chip-based storage e.g. SSD. This is why many government organizations such as the Department of Defense, Nuclear regulatory commission, Department of Energy, Canadian standard association, etc. no longer cite DoD 5220.22 as a standard for secure erasure (or data destruction in the broader sense). |
Final Thoughts
DoD 5220.22 data wipe standard still carries a lot of credibility and is held in high esteem as it provides a robust 3-pass erasure that is detailed and efficient. Therefore, many institutions follow the DoD standard as a component of their hard drive erasure and disposition policy.
DoD-compliant data wipe software tools such as BitRaser Drive Eraser helps erase the hard drives as per the DoD standard and generate tamper-proof certificates and reports for audit trails.