What Does the DoD Really Say About Hard Disk Destruction?
“Compliant with the DoD standard” is a phrase often used in the data sanitization industry. But what does this standard actually mean for ITADs, organizations and data sanitization solution providers?
Though the simplest overwrite techniques write the same data everywhere, often just a pattern of all zeros, the DoD standard and others like it take overwriting a step further with prescribed random overwriting methods. At a minimum, such applications will prevent the data from being retrieved through standard data recovery methods.
What is the DoD Standard?
The DoD 5220.22-M “standard” for data erasure from hard drives first appeared in the early days of the still-evolving data sanitization industry. The standard, which was published in the National Industrial Security Program’s Operating Manual in 1995, specifies a process for overwriting hard drives with patterns of ones and zeros. The process requires three secure overwriting passes and verification at the end of the final pass.
The DoD 5220.22-M data sanitization method is usually implemented in the following way:
- Pass 1: Overwrite all addressable locations with binary zeroes.
- Pass 2: Overwrite all addressable locations with binary ones (the complement of the above).
- Pass 3: Overwrite all addressable locations with a random bit pattern.
- Verify the final overwrite pass.
Erasing a hard drive using the DoD 5220.22-M data sanitization method will prevent all software-based file recovery methods from recovering data from the drive, as well as hardware-based recovery methods.
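The three passes and the final verification listed above, as an added example that is not part of the original article or of any vendor's product. It runs only against a constructed temporary file that stands in for a drive; the names wipe_three_pass and demo and the 1 MiB chunk size are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # assumed I/O size: 1 MiB per write

def _overwrite(f, size, make_block):
    """Overwrite bytes [0, size) and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    for offset in range(0, size, CHUNK):
        block = make_block(min(CHUNK, size - offset))
        f.write(block)
        digest.update(block)
    f.flush()
    os.fsync(f.fileno())  # commit this pass before the next one starts
    return digest.hexdigest()

def _read_digest(f, size):
    """SHA-256 of the target as read back (may be served from the OS cache)."""
    digest = hashlib.sha256()
    f.seek(0)
    for _ in range(0, size, CHUNK):
        digest.update(f.read(CHUNK))
    return digest.hexdigest()

def wipe_three_pass(path):
    """Zeros, ones, random, then verify the final pass. True if verified."""
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)
        _overwrite(f, size, lambda n: b"\x00" * n)  # pass 1: binary zeroes
        _overwrite(f, size, lambda n: b"\xff" * n)  # pass 2: binary ones
        written = _overwrite(f, size, os.urandom)   # pass 3: random pattern
        # Verification: what is read back must equal what pass 3 wrote.
        return _read_digest(f, size) == written

def demo():
    """Wipe a constructed sample image; returns (verified, leftover, same_size)."""
    marker = b"CONSTRUCTED-SAMPLE-RECORD"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 1000 + os.urandom(3 * CHUNK + 123))
        path = tmp.name
    try:
        before = os.path.getsize(path)
        verified = wipe_three_pass(path)
        with open(path, "rb") as f:
            leftover = marker in f.read()
        return verified, leftover, os.path.getsize(path) == before
    finally:
        os.remove(path)
```

The overwrite only reaches locations the host can address: sectors a drive has remapped and spare flash on an SSD are outside what this loop can touch.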
A 2001 DoD memo specified additional overwriting methods that have somehow become adopted as part of the “standard.” The DoD 5220.22-M ECE method is an extended (7-pass) version of the DoD 5220.22-M. It runs the DoD 5220.22-M twice, with an extra pass (DoD 5220.22-M (C) Standard) sandwiched in between. The latest version of the “standard,” last updated in 2007, no longer specifies an overwriting pattern.
The DoD 5220.22-M sanitization method is one of the most common sanitization methods used in data destruction software. Most data sanitization software supports multiple data sanitization methods, including DoD 5220.22-M.
The Truth Behind the Standard
Today, the DoD 5220.22-M “standard” is often superseded by other data sanitization standards, such as NIST 800-88 Clear and NIST 800-88 Purge.
This is true for the following reasons:
- The U.S. Department of Defense no longer references DoD 5220.22-M as a method for secure HDD erasure.
- Most regulations and certification programs (especially in the government sector) now cite NIST SP 800-88 media erasure guidelines, not the DoD “standard.”
- The DoD 5220.22-M method is no longer permitted for use by various members of the CSA, including the Department of Defense, the Department of Energy, the Nuclear Regulatory Commission and the Central Intelligence Agency.
- Multiple overwrite passes are not always necessary. One overwrite pass is often sufficient.
- For its own classified data, the DoD requires a combination of wiping, degaussing and/or physical destruction.
- The provision in the 1995 edition of the NISP Operating Manual (DoD 5220.22-M) was removed in a 2001 change to the manual (listed above: 22-M ECE) and was never permitted for Top Secret media.
- The NISPOM does not define any US government standard for data sanitization. The Cognizant Security Authority (CSA) is responsible for data sanitization standards.
- DoD 5220.22-M was never approved by the Department of Defense for civilian media sanitization.
- “Approved by DoD” claims are misleading, though achieving the overwriting method outlined by the DoD “standard” is certainly possible.
In the IT Asset Disposition (ITAD) space, operators and customers often cite a “DoD certification,” but the reality is that no such certification exists. Instead, the US Department of Defense adheres to NIST 800-88 Guidelines for Media Sanitization; however, this is a guideline, not a certification. In the UK, the gold standard certification in the ITAD industry is CESG, a certification that is administered by a UK government affiliate and surpasses both DoD and NIST guidelines.
A Focus on NIST
In the past few years, NIST (the National Institute for Standards and Technology) Special Publication 800-88 has become the go-to data erasure standard in the United States. Originally issued in 2006 and revised in 2012, this publication outlines the preferred methodologies for data sanitization for hard drives and other media under Minimum Sanitization Recommendations in Appendix A. These methods include overwriting and Secure Erase, which is a protocol built into a hard drive.
The NIST Special Publication 800-88 was published with the intent to provide guidelines for sanitizing electronic media. The document does not, however, provide standards, requirements or specifications.
What Does It Mean to Erase to the DoD Standard?
We’ve already noted that the latest version of the U.S. Department of Defense’s National Industrial Security Program Operating Manual DoD 5220.22-M does not actually specify any particular method for achieving secure erasure, so in no way is the manual actually a standard.
The guide does state, however, that instructions on clearing, sanitization and release of IS media shall be issued by the accrediting CSA. Standards for data sanitization are the responsibility of the Cognizant Security Agency, which can be the Department of Defense (DoD), the Department of Energy (DOE), the Natural Resources Commission (NRC) and the Central Intelligence Agency (CIA).
When vendors state that their solutions meet the DoD 5220.22-M standard, it typically means that their software will write to all addressable hard drive locations with a character, its complement and a random character. It must also then be followed by verification. The procedure is performed three times and is designed to prevent data from being recovered by any commercially available process.
It’s important to note that the U.S. National Security Agency (NSA Advisory LAA-006-2004) stated in fall 2004 that using just one overwrite using the DoD process is sufficient to achieve data sanitization. However, disk wiping software cannot sanitize hard drives that have physically failed, or disconnected internal hard drives.
Physical Destruction vs. Data Erasure
If your drives are no longer required, another method to achieve data sanitization is physical destruction, through melting, crushing, incineration or shredding. Physical destruction is not ideal if you want to reuse your drives, as they’ll be completely destroyed, but even this method isn’t necessarily absolute. If any disk pieces remain large enough after destruction (especially on SSDs), they can still contain recoverable information. Data erasure software doesn’t leave information behind, and the disks can be reused after they’re erased, which saves costs.
Whichever method you choose, whether it be physical destruction or data erasure software, your organization must first have policies in place to govern hard drive disposal, along with data sanitization for other IT assets, including servers, laptops and removable media. These policies should include training for employees so that they can take proven steps to keep data out of harm’s way. The FTC’s Fair and Accurate Credit Transactions Act (FACTA) rule is just one of the many regulations that governs the proper storage and disposal of specific consumer information and requires that such information is disposed of properly.
The best way to ensure data removal for the “highest security environments” is to combine software-based data erasure with physical destruction. That way, there’s absolutely no chance the data can be recovered from any fragments because it has been removed completely.
