At a time when cases of data breaches are rising, every organization is required to maintain data security and has a legal obligation to ensure that the sensitive customer information is permanently disposed of when it is no longer in use or when the IT assets reach their end of life. Emerging data protection laws across the globe are reinforcing the right of customers over their sensitive information, and businesses need to adopt robust data protection and data destruction policies to prevent leakage or unauthorized access.
With rapid technological evolution, today's professional data-wiping software have made it possible for businesses to seamlessly wipe their end-of-life data beyond the scope of recovery, rendering the device usable. These wiping programs are based on overwriting technology that overwrites the existing data with 0s and 1s to make it irretrievable. While there are several global erasure standards and algorithms that define the overwriting process, the two most widely used data erasure standards are NIST 800-88 and DoD 3 & 7 Pass, respectively. The former is a standard formulated by the National Institute for Standards and Technology (NIST), and the latter is propounded by the US Department of Defense (DOD). The DoD standard was introduced way back in 1995, whereas NIST is a more recent one introduced in 2006, revised in 2014, and accounts for more recent technological advancements that DoD lacks. We will discuss this in detail in the upcoming sections.
What is the DoD Standard for Data Erasure?
In our series of articles, we have already defined the DoD Erasure algorithm as DoD 5220.22 M, a standard published for the first time in the National Industrial Security Program Operating Manual (NISPOM) by the US Department of Defense (DoD) in the year 1995. The erasure method specifies overwriting the hard drive with three overwriting passes and verification at the end of the final pass. DoD 5220.22-M also addresses sanitizing data from other media devices like tapes. You may read our detailed article to know more about US DoD 5220.22 M and passes that constitute the erasure standard.
The DoD document went through critical updates in 2001, 2004, and 2006. In 2001, the standard was upgraded to the DoD 5220.22-M ECE method, which is popularly known as DoD 7 Pass. The new standard involves two DOD 3 Passes and an extra standard pass with binary zeros in between. With a minor update in 2004 and later in 2006, the DoD operating manual did not specify any recommended overwriting method and delegated the data sanitization decision to government oversight agencies such as the CSA (Cognizant Security Agencies). Interestingly, the latest NISPOM rule published in 2021 continues to remain silent on any specific erasure standard for data sanitization.
The Drawback of the DoD Standard (DoD 5220.22-M / ECE)
Being the industry’s most prevalent overwrite pattern for more than a decade, DoD 5220.22-M sanitization started to cause functional issues on flash media storage (SSD) which has been a preferred choice over hard drives. This standard was not created to address chip-based storage. The evolution of modern hard drives since 1995, the growth of mobile devices, and innovative storage technologies such as flash storage media (SSDs) have raised concerns about the efficacy of multiple overwriting cycles that was propounded in the DoD method. The need to overwrite data 3 to 7 times, as documented by NISP Operating Manual, became obsolete as modern hard drives are highly precise and use evolved writing technologies that eliminate the possibility of data being recovered after one overwriting pass. DoD Erasure standard moreover is resource-intensive, costly, and less effective than the modern erasure standard like NIST 800-88 that has emerged and replaced DoD 3 & 7 Pass as an effective alternative.
Truth Behind DoD Failure on SSD Drives
DoD 5220.22-M is not effective nor recommended for wiping SSD drives based on flash storage, primarily because SSDs rely on embedded processors & flash memory chips and not on magnetic strips. Flash storage allows data to be written and erased from a given location for a fixed number of times in their lifecycle, and overwriting on an SSD for 3 or 7 cycles (as per DoD Standard) can exhaust the overall lifespan of SSD. This is the reason why most government organizations including the Department of Defense, Nuclear Regulatory Commission (NRC), Department of Energy, Canadian standard association, and the like, no longer mention DoD 5220.22-M as a secure erasure method for media sanitization.
Technological Advances Lead to Focus on NIST 800-88
The NIST 800-88 data erasure standard as formulated by the National Institute of Standards and Technology in 2006 has emerged as the most sought-after and widely used data sanitization standard today. Government agencies, regulatory bodies, and certifying authorities now prefer NIST 800-88 for media sanitization over the DoD 5220.22 M for the below reasons:
- NIST 800-88 standard applies to vast storage devices like mobile devices, hard drives, SSDs, etc., unlike DoD 5220.22 M. It is a more recent and relevant standard.
- With technology advancements, one overwrite pass is sufficient and desirable (in the case of SSDs). This helps reduce data sanitization time along with cost and resources.
- NIST guidelines for media sanitization are comprehensive and offer detailed guidance basis media type for wiping, degaussing, and physical destruction, unlike the US DoD standard.
- Global payment card standards like PCI DSS, and International Standardization Organization’s ISO 27040 also recommend media sanitization techniques as laid by NIST 800-88 data erasure methods.
NIST 800-88- An Insight
NIST Special Publication was originally issued in 2006 and revised in December 2014 as NIST Special Publication 800-88, Revision 1: Guidelines for Media Sanitization. Appendix A of the NIST guideline specifies data sanitization for modern hard drives, evolving interfaces, magnetic & opal storage, and other storage devices. Apart from overwriting, the methods outline the ‘Secure Erase Unit command’ that is built into the hard drive and performs instantaneous wiping. The revised guidelines state that “For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.” Media Sanitization Decision Matrix in Appendix A is very helpful for organizations looking for suitable methods for data destruction. NIST 800-88 specifies Clear, Purge, and Destroy as secure methods of media sanitization. You may also like to read a detailed explanation of the NIST 800-88 erasure standard in our article.
While NIST seems to be an exhaustive standard, however, it lacks defining roles and responsibilities within organizations for data sanitization.
NIST vs. DoD Data Erasure Standards: A Quick Comparison
The below DoD vs. NIST table aims to highlight major differences between the two most widely used standards of data erasure.
|
Parameters
|
DoD Standard
|
NIST Standard
|
|
First appearance
|
1995
|
2006
|
|
Latest Update
|
February 2006
|
December 2014.
|
|
Data Erasure Methods
|
3 to 7 Passes for overwriting
|
Clear, Purge, and Destroy
|
|
Efficiency
|
Less Effective and inefficient for SSDs
|
Effective for vast storage types
|
|
Verifiable Erasure
|
Yes (Only Hard Drives)
|
Yes (verification and certification both)
|
|
Cost involved
|
Higher as 3 to 7 passes are needed
|
Lower as 1 write pass is enough
|
Which Data Erasure Standard is the Best for You?
We have read so far that the latest version of the NISPOM (DoD 5220.22-M) rule also does not mention DoD 3 & 7 Pass as a recommended data erasure method. Evolving hard drive technology and widespread use of flash-based drives such as SSDs have led organizations to move away from using the DoD 5220.22-M for wiping their data to NIST 800-88. However, DoD still remains relevant for some organizations due to their information security policy and other regulations for wiping hard drives. With the revised NIST guidelines of 2014, the fear of data recovery after one overwriting cycle has been put to rest. NIST clearly suggests that one write pass is sufficient for irretrievable data sanitization. Global government organizations such as NCSC (National Cyber Security Centre), BSI (German Federal Office for Information Security), NIST, and the like, advocate 1 write pass as the safe method for overwriting, when followed by the verification of the overwrite, ensuring that every addressable storage locations have been overwritten.
BitRaser Data Eraser- NIST & DoD Compliant Solution
Whether you prefer to use DoD, NIST, or any other data erasure standards, BitRaser Data Eraser solutions for drive and mobile help meet your requirements for data erasure using 24 global erasure standards. Our data-wiping solutions ensure that no data remains behind on HDDs, SSDs, and mobile devices. Our software is tested and approved by global bodies like NIST, DHS, ADISA, NYCE, etc. The tool generates certificates & reports of wiping that act as audit trails for enterprises & governments, helping them comply with global data protection laws and regulations.
+1-844-775-0101
