DoD 5220.22 M vs NIST 800-88 – which is better for your business?

Updated on 14 December 2023

DoD 5220.22-M is a standard that provides guidance on the sanitisation of data storage media. We’ll look at whether the DoD 5220.22-M standard is still relevant today, and if the updates over the years are still effective with the advances in technology. It is not the only standard that businesses should consider when it comes to data sanitisation.

In this article, we will discuss what the DoD 5220.22-M is, and we will compare it to NIST 800-88. We will also explain which method is right for you when erasing data to the DoD Standard.

What is the DoD 5220.22-M?

The DoD 5220.22 data destruction standard first appeared in 1995, long before the widespread use of smartphones, tablets, and flash-based storage technology. It provides guidance on the sanitisation of data storage media. It is used by businesses and organisations to protect their data from unauthorised access and disclosure.

How is the DoD 5220.22 M implemented?

The DoD 5220.22-M 3 pass method is as follows:

  1. First pass: All addressable locations are overwritten with binary zeroes
  2. Second pass: All addressable locations are overwritten with binary ones
  3. Third pass: All addressable locations are overwritten with a random character

In 2001 the DoD released an update to the DoD 5220.22-M standard, which changed the recommended number of overwrite passes from three to seven.

The process for the 5220.22-M 7 pass is as follows:

  1. First pass: All addressable locations are overwritten with a random character
  2. Second pass: All addressable locations are overwritten with binary zeroes
  3. Third pass: All addressable locations are overwritten with the complement of the data from the second pass (binary ones)
  4. Fourth pass: All addressable locations are overwritten with binary zeroes
  5. Fifth pass: All addressable locations are overwritten with binary ones
  6. Sixth pass: All addressable locations are overwritten with the complement of the data from the fourth pass (binary ones)
  7. Seventh pass: All addressable locations are overwritten with a random character
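The two pass sequences above, carried out over a simulated device, as an added example (Python written for this page, not part of the original article or of the standard's own text). The media is a constructed in-memory byte buffer; each pass is written and then read back for verification, so a failed write is caught rather than assumed. The `DOD_3_PASS` and `DOD_7_PASS` names, the `sanitise` report and the per-pass verification step are this example's own choices, not something the standard prescribes in this form.

```python
import os

# Pass sequences transcribed from the 3-pass and 7-pass lists above.
# Each step is (kind, argument); "complement" refers back to an earlier
# pass by its 1-based number, exactly as the 7-pass description does.
DOD_3_PASS = [("zeros", None), ("ones", None), ("random", None)]
DOD_7_PASS = [
    ("random", None), ("zeros", None), ("complement", 2),
    ("zeros", None), ("ones", None), ("complement", 4), ("random", None),
]


def pass_data(step, size, history):
    """Build the byte string that one pass writes over `size` addressable locations."""
    kind, ref = step
    if kind == "zeros":
        return bytes(size)
    if kind == "ones":
        return b"\xff" * size
    if kind == "random":
        return os.urandom(size)
    if kind == "complement":
        return bytes(b ^ 0xFF for b in history[ref - 1])
    raise ValueError(f"unknown pass kind {kind!r}")


def overwrite_media(media, pattern):
    """Apply every pass in `pattern` to the simulated media (a bytearray) in place.

    After each pass the media is read back and compared with what was written;
    a mismatch aborts, because an unverified pass gives no assurance at all.
    Returns the list of buffers written, in pass order.
    """
    history = []
    for number, step in enumerate(pattern, start=1):
        data = pass_data(step, len(media), history)
        media[:] = data                      # write all addressable locations
        if bytes(media) != data:             # read-back verification
            raise RuntimeError(f"pass {number} failed verification")
        history.append(data)
    return history


def sanitise(media, pattern):
    """Run the pattern and report pass count, verification and whether the original survived."""
    original = bytes(media)
    history = overwrite_media(media, pattern)
    return {
        "passes": len(history),
        "verified": bytes(media) == history[-1],
        "original_remains": bytes(media) == original,
    }


if __name__ == "__main__":
    # Constructed sample: a 64-byte "drive" holding a recognisable marker.
    drive = bytearray(b"CONFIDENTIAL-PAYROLL-2023".ljust(64, b"."))
    print("3 pass:", sanitise(bytearray(drive), DOD_3_PASS))
    print("7 pass:", sanitise(bytearray(drive), DOD_7_PASS))
```

The model overwrites only the locations the host can address; that is the property the later sections of this article rely on when they explain why overwriting alone is not enough for SSDs.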

DoD 5220.22-M is a standard that provides guidance on the sanitisation of data storage media, and it is still used by businesses and organisations today.

What are the limitations of DoD 5220.22-M?

DoD 5220.22-M is a recognised global standard for the sanitisation of data storage media, but it has some limitations. It was last updated in 2006, so it does not reflect advances in storage technology made since then. Today’s hard drives are far more precise and use entirely different writing techniques, so recovering overwritten data from residual traces, the kind of recovery that repeated overwrite passes were meant to defeat, is no longer a practical security risk; at the same time, the method cannot wipe SSDs at all. Yet because even historical Department of Defense standards are held in high esteem and carry great credibility, organisations’ internal policies and information security teams may still require it.

What is NIST 800-88?

The NIST 800-88 standard is an alternative to the DoD 5220.22 standard. It was developed by the National Institute of Standards and Technology (NIST) to address rapidly developing technical changes, i.e. SSDs. NIST 800-88 is required for all U.S. federal information systems, including those in the national security sector. Although it is technology-neutral, its guidance can be implemented by any organisation that maintains an information system with sensitive or regulated data.

Clear 

Clear applies logical techniques to sanitise data in all user-addressable storage locations. It is a good choice for those who want to keep the media in use while preventing data recovery attempts that use simple, non-invasive methods. Data is removed through the device’s ordinary Read/Write commands: this might mean overwriting every location with a new value, or using a menu option to reset the device to its factory condition. Once the data has been overwritten, the result is checked. Most devices support some form of Clear sanitisation. However, it does not address hidden or unaddressed regions of the media.

Purge

This applies physical or logical techniques that render target data recovery infeasible using state-of-the-art laboratory techniques. It’s more thorough than Clear in terms of sanitisation and is used for data with higher security requirements. The last step verifies the write on the drive.

Destroy 

Destroy renders target data recovery infeasible using modern destruction techniques. It also renders the media incapable of storing data afterward. In many situations, Purge or Clear is a better choice than Destroy, because Destroy makes the media unusable while also contributing to environmental waste.
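Why Clear stops at user-addressable locations while Purge reaches the rest of the media, as an added example (Python written for this page, not taken from NIST 800-88 or from the article). `SimulatedFlash` is a deliberately simplified, constructed model of a wear-levelling controller: a write to a logical block address lands on a spare physical block and leaves the old copy stranded with no address pointing at it. A host-side overwrite (Clear) zeroes every logical address yet leaves that stranded copy behind; a device-wide block erase, standing in here for a Purge technique, removes it. The class, the function names and the sample data are all this example's assumptions.

```python
class SimulatedFlash:
    """Constructed toy model of flash media with spare (over-provisioned) blocks.

    Logical block addresses (LBAs) map onto a larger pool of physical blocks.
    Like a wear-levelling controller, a write to an LBA is placed in a spare
    physical block when one is available; the previous physical block keeps
    its old content but is no longer reachable through any LBA.
    """

    def __init__(self, logical_blocks, physical_blocks, block_size=16):
        if physical_blocks < logical_blocks:
            raise ValueError("need at least as many physical blocks as logical ones")
        self.block_size = block_size
        self.physical = [bytes(block_size) for _ in range(physical_blocks)]
        self.map = {lba: lba for lba in range(logical_blocks)}     # LBA -> physical index
        self.spare = list(range(logical_blocks, physical_blocks))  # never-written blocks
        self.stale = []                                            # unmapped, not yet erased

    def write(self, lba, data):
        """Host-visible write: goes to a spare block if one exists, else in place."""
        data = data.ljust(self.block_size, b"\x00")[: self.block_size]
        if self.spare:
            self.stale.append(self.map[lba])      # old copy is stranded, not erased
            self.map[lba] = self.spare.pop(0)
        self.physical[self.map[lba]] = data

    def read(self, lba):
        """Host-visible read: only mapped blocks are reachable through an LBA."""
        return self.physical[self.map[lba]]

    def remnants(self, marker):
        """Forensic view the host never gets: physical blocks still holding `marker`."""
        return [i for i, block in enumerate(self.physical) if marker in block]


def clear_overwrite(device):
    """Clear: overwrite every user-addressable location through normal write commands."""
    for lba in sorted(device.map):
        device.write(lba, bytes(device.block_size))


def purge_block_erase(device):
    """Purge (simulated device-level block erase): every physical block, whether
    mapped, stale or spare, is returned to the erased state (flash reads as all ones)."""
    erased = b"\xff" * device.block_size
    device.physical = [erased for _ in device.physical]
    device.stale = []


if __name__ == "__main__":
    device = SimulatedFlash(logical_blocks=4, physical_blocks=8)
    device.write(1, b"SECRET-PAYROLL")            # constructed sensitive record
    clear_overwrite(device)
    print("after Clear, host reads zeros:",
          all(device.read(lba) == bytes(16) for lba in device.map))
    print("after Clear, stranded copies at physical blocks:", device.remnants(b"SECRET"))
    purge_block_erase(device)
    print("after Purge, stranded copies:", device.remnants(b"SECRET"))
```

The point the model makes is the one the Clear section states: every read the host can issue returns zeros after a Clear, so host-side verification passes, yet a copy of the record survives in a region no LBA addresses. Only an operation that acts on the whole medium, as Purge does, clears that region.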

The revised NIST 800–88 standard was released in 2014 and is still the federal government’s preferred standard for data deletion. It supersedes DoD 5220.22, which was previously the federal government’s recommended standard for data removal.

Following these steps, each device must be verified and certified for data deletion. NIST 800–88 is the most up-to-date and secure method for dealing with your company’s retired mobile devices.

Difference between DoD 5220.22 M vs NIST 800-88

The 5220.22-M data destruction method is extremely secure; however, by today’s standards, which require a higher level of data erasure, it may be misleading. The current and most up-to-date standard for data sanitisation is NIST 800–88, which has been authorised by the United States federal authorities. The DoD 5220.22 standard for data destruction is now obsolete, as it was written before smartphones and many of today’s technologies existed. It is also time-consuming and expensive, with three to seven overwrite passes required.

The NIST 800–88 standard is the most up-to-date method, which takes into account more new technologies, technical advancements, and media types while only requiring one overwriting pass.

The DoD 5220.22 standard, which applies to all DoD-issued laptops and desktops, is restricted to Hard Disk Drive (HDD) storage rather than the Solid State Drives (SSDs) more commonly used in mobile devices. NIST 800–88 applies to both HDDs and SSDs while also covering many other types of technology and media.

The most common and widespread blueprint for data deletion is NIST 800–88, which has been adopted by more than 80 countries. Today, it’s the preferred, highest standard of data destruction — even for government sectors. The two standards are useful in different ways; however, NIST 800–88 offers the greatest degree of data security.

FAQ

What is DoD 5220.22-M?

The DoD 5220.22-M standard is a data sanitisation method used by the US Department of Defense. It has 3 pass and 7 pass methods that overwrite data on a storage device to prevent data recovery.

What is NIST?

NIST is the National Institute of Standards and Technology. It is a federal agency that develops technical standards for information security, including data sanitisation.

What is the difference between DoD 5220.22-M and NIST 800-88?

The DoD 5220.22-M standard is obsolete and has been replaced by the NIST 800-88 standard. NIST 800-88 is a more up-to-date standard that takes into account more new technologies, technical advancements, and media types.

Which method is right for you?

The DoD 5220.22-M standard is a very secure method of data sanitisation; however, it may be time-consuming and expensive, with three to seven overwrite passes required. The NIST 800–88 standard is the most up-to-date method, which takes into account more new technologies, technical advancements, and media types while only requiring one overwriting pass. NIST 800–88 is the preferred, highest standard of data destruction for government sectors.
