Learn About the Limitations of DoD 5220.22 Standard

Written By

Sanjeev Yadav

Updated on

April 8, 2025

What are the Limitations of DoD 5220.22 Standard?

DoD standard prescribes overwriting data on a hard drive using pre-defined binary characters multiple times to ensure that no data is left on the drive. The standard mandates either 3 passes or 7 passes overwrite for removing data permanently from a storage device. However, this is counterproductive, as NIST (National Institute of Standards and Technology) in its NIST SP 800-88 Rev 1 states that, “For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.”

Consider the limitations of DoD 5220.22 Wipe standard before deciding whether to use it for wiping drives and devices:

Unsuitable for Erasure of SSDs & SEDs: Flash-memory-based devices like SSDs and Self Encrypting Drives (SEDs) are built differently than Hard Disk Drives (HDD). While HDDs contain movable magnetic parts like the platter on which data is written and the magnetic head which writes the data. SSDs, on the other hand, have no moving parts, and they store data on a series of NAND chips that have a limited number of write cycles. Hence, using a 3-pass method prescribed by the DoD Wipe NISPOM standard is not suitable for SSDs as it reduces the lifespan of the solid-state drives and may leave residual data behind despite multiple overwrite attempts. Likewise, SEDs are built with hardware-based encryption, which encrypts the data using a Media Encryption Key (MEK). DoD standard is silent about how to wipe SED drives and erase MEK.
The NISPOM Operating Manual suggests organizations and system owners refer to NIST SP 800-88 to make sanitization decisions based on the sensitivity of their data. For SSDs, the NIST Clear standard prescribes overwriting using a single pass, and the NIST Purge standard prescribes using either ‘Block Erase’ or ‘Cryptographic Erase’ and, if required, a single overwrite pass afterward.
Excludes Hidden Storage Areas: Another limitation of the DoD 5220.22 standard is that it has no mention of sanitizing data residing in hidden disk areas such as Host Protected Areas (HPA) and Disk Configuration Overlay (DCO). On the other hand, NIST SP 800-88 explicitly emphasizes the importance of sanitizing these hidden areas for secure and complete sanitization.
DoD does not recommend verification: Verification is an important aspect of the erasure process. While newer age standards like NIST and IEEE recommend verification, the DoD standard does not address this; instead, it refers to NIST 800-88 media sanitization guidelines for erasure verification.

Time-Consuming Process: DoD’s overwriting using a 3-pass method can take a very long time to complete, ranging from several hours to even days, which is unnecessary as a single overwrite pass can do the job much more quickly. Sanitization methods like CE can erase data in a fraction of a second, saving time and resources for the organization.
Effectiveness: The DoD standard was introduced long before the arrival of smartphones, IoT (Internet of Things) devices like smart printers, security cameras, smart cars, and other devices like smartwatches, iPads, Chromebooks, etc. These devices can’t be effectively erased using the DoD standard as the standard was not designed for them.
Environmental Concerns: The DoD 5220.22-M method requires multiple overwrite passes (typically 3 to 7 passes), consuming significant CPU power and increasing energy use. This prolonged process contributes to higher electricity consumption in large-scale IT asset disposition (ITAD) operations. Further, repeated overwriting stresses storage devices (HDDs, SSDs), reducing their lifespan and making reuse less viable.

Overall, the DoD Standard is still considered a meaningful data-wiping standard for wiping mechanical drives. It might be a compliance requirement for your organization to wipe using DoD 5220.22-M, or it could be a part of your written data security policy. There is no harm in using DoD even on the modern SSD, except for the fact that their lifespan is reduced. Unless you have DoD compliance requirements, we recommend using the NIST 800-88 standard, which was designed with the latest technological advancements in mind and is now considered the new Gold Standard.

FAQs

Is DoD 5220.22 M still valid?

Department of Defense no longer cites DoD 5220.22-M as a secure standard for data erasure. However, due to its credibility and trust it is still being used extensively by organizations the world over for wiping mechanical hard drives.

What replaced DoD 5220.22 M?

On February 24, 2021, the DoD 5220.22-M was replaced by the NISPOM Rule.

Can you wipe SSD using the DoD Wipe standard?

No, the DoD standard is not suitable for SSDs. SSDs have a limited number of write cycles, and using the DoD’s 3-pass method can reduce their lifespan.

How effective is the DoD standard today?

While the DoD standard can wipe SSD, however, it is not a recommended method to wipe flash-based storage devices like SSDs considering the lifespan of the device can be reduced using multiple overwrite passes.

Do organizations use DoD 5220.22-M for data wiping?

Organizations may still use the DoD standard to meet compliance or internal policy requirements, especially for mechanical drives. However, unless mandated, it's recommended to adopt the NIST 800-88 standard, which is more effective, efficient, and compatible with modern storage technologies.

About The Author

Sanjeev Yadav

57 posts

Sanjeev is a passionate writer with an engineering background, strong research skills, and unbridled enthusiasm to learn. With a rich experience of 14+ years across industries, he brings a fresh perspective to writing on technology and compliance. He enjoys watching movies and sitcom’s in his free time.

Limitations of DoD 5220.22 M Data Wipe Standard

Let’s get started

Submit Enquiry

Stellar Brings to The World Future-Ready Data Solutions