Summary: The DoD Data Wipe Standard, or DoD 5220.22-M, is a highly regarded data-wiping standard that is used extensively to wipe mechanical drives. However, the DoD standard has some limitations that make it unsuitable today for wiping solid-state drives (SSDs). This blog discusses these limitations to help you make an informed choice when selecting a data-wiping standard for your organization.
The DoD 5220.22-M standard was introduced by the US DoD (Department of Defense) and published in the National Industrial Security Program Operating Manual, or NISPOM, in 1995. For a very long time, it was the go-to data-wiping standard for government bodies and businesses alike. However, on February 24, 2021, the DoD 5220.22-M was replaced by the NISPOM Rule. The ‘DoD standard’ had several inherent limitations that made it unsuitable for use, especially given technological advancements in data storage and rapidly changing security considerations. Due to its limitations, many government organizations, like the Department of Defense, the Nuclear Regulatory Commission, the Department of Energy, etc., no longer cite DoD 5220.22-M as a secure standard for data erasure.
What are the Limitations of the DoD Standard?
The DoD standard prescribes overwriting the data on a hard drive multiple times with pre-defined binary characters to ensure that no data is left intact on the drive. The standard mandates either a 3-pass or a 7-pass overwrite for removing data permanently from a storage device. However, this is counterproductive, as NIST (National Institute of Standards and Technology) in its NIST SP 800-88 Rev 1 (Page 7, Section 2) states that, “For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data.”
Consider the limitations of the DoD Wipe standard before deciding whether to use it for wiping drives and devices:
- Unsuitable for SSD Erasure: Solid State Drives are built differently than Hard Disk Drives (HDDs). HDDs contain movable magnetic parts, like the platter on which data is written and the magnetic head that writes the data. An SSD, on the other hand, as the name suggests, has no moving parts and stores data on a series of NAND chips that have a limited number of write cycles. Hence, the 3-pass method prescribed by the DoD Wipe standard, or the 7-pass method prescribed by the more recent DoD 5220.22-M ECE, is not suitable for SSDs, as it reduces the lifespan of the SSD. A more suitable approach is to use the NIST standard. For SSDs, the NIST Clear standard for media sanitization prescribes overwriting using a single pass, and the NIST Purge standard prescribes using either ‘Block Erase’ or ‘Cryptographic Erase’ and, if required, a single overwrite pass afterward.
- Time-Consuming Process: Storage devices can store thousands of gigabytes of data, and an organization can have hundreds of such devices. Overwriting using a 3-pass method can take a very long time to complete, ranging from several hours to even days, which is unnecessary as a single overwrite pass can do the job much more quickly.
- Effectiveness: The DoD standard was introduced long before the arrival of smartphones, IoT (Internet of Things) devices like smart printers, security cameras, smart cars, and other devices like smartwatches, iPads, notebooks, etc. These devices can’t be effectively erased using the DoD standard as the standard was not designed for them.
- Environmental Concerns: The multiple overwrites that are required by the DoD standard may result in increased wear and tear of the storage media on which data wiping is performed. This raises environmental concerns about recycling and asset disposal.
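The write cost behind the points above, as an added example that is not part of the original post: it runs a single fixed-pattern pass and a 3-pass overwrite over a constructed image file standing in for a drive, verifies the single pass by read-back, and returns the bytes written. The 3-pass sequence (zeros, ones, random) and all function names are assumptions; the page does not list the patterns.

```python
import os
import tempfile

CHUNK = 1024 * 1024              # write in 1 MiB blocks
NIST_CLEAR = [0x00]              # single fixed-pattern pass
DOD_3_PASS = [0x00, 0xFF, None]  # assumed sequence: zeros, ones, random (None)

def overwrite(path, passes):
    """Overwrite every byte of `path` once per pass; return total bytes written."""
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:
        for pattern in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = os.urandom(n) if pattern is None else bytes([pattern]) * n
                f.write(block)
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the medium before the next
    return written

def verify_fixed(path, pattern):
    """Read the target back and confirm every byte equals `pattern`."""
    with open(path, "rb") as f:
        while block := f.read(CHUNK):
            if block.count(pattern) != len(block):
                return False
    return True

def make_image(size, marker=b"CONSTRUCTED-SECRET"):
    """Create a constructed stand-in for a drive, filled with a marker string."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((marker * (size // len(marker) + 1))[:size])
    return path

def contains(path, needle):
    with open(path, "rb") as f:
        return needle in f.read()

if __name__ == "__main__":
    img = make_image(3 * CHUNK)
    print("1 pass:", overwrite(img, NIST_CLEAR), "bytes, verified:", verify_fixed(img, 0x00))
    print("3 pass:", overwrite(img, DOD_3_PASS), "bytes written")
    os.remove(img)
```

The image file stands in for a block device; on an SSD the controller decides where logical writes land, which is why the NIST Purge methods named above rely on the drive's own Block Erase or Cryptographic Erase commands.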
Overall, the DoD standard is still considered a meaningful data-wiping standard for wiping mechanical drives. It might be a compliance requirement for your organization to wipe using DoD 5220.22-M, or it can be a part of your written data security policy. There is no harm in using DoD even on modern SSDs, except for the fact that their lifespan is reduced. Unless you have DoD compliance requirements, we recommend using the NIST 800-88 standard, which was designed with the latest technological advancements in mind and is now considered the new Gold Standard.
FAQs
Is DoD 5220.22-M still valid? The Department of Defense no longer cites DoD 5220.22-M as a secure standard for data erasure. However, due to its credibility and trust, it is still used extensively by organizations the world over for wiping mechanical hard drives.
Can you wipe an SSD using the DoD Wipe standard? Yes, you can wipe an SSD using DoD wipe, but it is not recommended, as SSDs have a limited number of write cycles. DoD wipe uses a 3-pass overwrite method that reduces the lifespan of SSDs. Also, it has been established by NIST that a single-pass overwrite is enough for permanent data erasure.
How effective is the DoD standard today? While the DoD standard can wipe an SSD, it is not a recommended method for wiping flash-based storage devices like SSDs, considering that multiple overwrite passes can reduce the lifespan of the device.