The Truth About 2013 Standards for Corporate Data Destruction

For over 17 years, the Department of Defense standard for data erasure – DoD 5220.22-M, often referred to in the industry as simply the “DoD wipe” – has been accepted as the standard for data erasure. The DoD standard called for a three-pass approach: overwrite every addressable location on the drive with a character (for example, a “0”), overwrite that character with its complement (a “1”), and finally overwrite that with a random character.

DoD 5220.22-M: An outdated standard

Much has changed in the field of data-storage technology since the original DoD standard was written in 1995. When DoD 5220.22-M was created, the media that data sanitization practices were written for were magnetic tape, floppy disks and slow, low-capacity hard drives. Policies were written to take into consideration both the longevity of information on these media and drives, as well as the physical process by which it could be verified as sanitized.

Flash forward to 2013, and the “DoD three-pass” requirement is viewed in the industry as a request that can be met, but is unnecessary. In the 1990s, drive head write accuracy was not very precise, so three passes were recommended to be sure that every bit on the drive had been overwritten at least once. Modern magnetic hard drives write much more accurately than drives from 20 years ago, and a single pass is enough to overwrite all of their data. Note that this reasoning is specific to magnetic media: flash-based drives (SSDs) manage worn-out and spare blocks internally, out of the host’s view, so overwriting the logical address space is not by itself a reliable way to sanitize them.

In addition, the certified erasure software we have today is accurate and reliable. It performs one overwrite pass followed by a verification pass that reads every location back and compares it with the expected pattern, and it documents the successful erasure. It also tells you if a drive fails the overwrite or the verification, so that drive can be physically destroyed instead of reused. This is much more efficient, especially as the time needed for each overwrite pass grows with the capacity of hard drives.
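To make the two procedures concrete, here is an added example (not the vendor’s or any certified tool’s code) that overwrites a drive image and then verifies it by reading every byte back. The three-pass sequence (fixed pattern, complement, random) and the single pass are both expressed as pass lists; the random pass uses a seeded generator so the verification step can regenerate the same stream without storing it. The function names, the 1 MiB chunk size, and the use of a regular file as a stand-in for a block device are this example’s assumptions; the same logic applies to an opened device node, but overwriting is only a meaningful sanitization method for magnetic media.

```python
"""Overwrite-and-verify sanitization of a drive image (added example)."""
import os
import random
import tempfile

CHUNK = 1 << 20  # 1 MiB per read/write; assumption, any size works

# Pass lists: a single byte means a fixed pattern, "random" means a seeded PRNG stream.
DOD_THREE_PASS = (b"\x00", b"\xff", "random")   # character, complement, random
NIST_SINGLE_PASS = (b"\x00",)                    # one pass, then verify


def _pattern_source(kind, seed):
    """Return a callable producing the next n bytes of the pattern.

    For "random" the stream comes from random.Random(seed), so calling this
    again with the same seed regenerates exactly the bytes that were written,
    which is what lets the verification pass check a random overwrite."""
    if kind == "random":
        rng = random.Random(seed)
        return rng.randbytes
    return lambda n: kind * n


def overwrite_pass(path, kind, seed=0):
    """Overwrite every byte of the file/device at `path` with one pattern."""
    size = os.path.getsize(path)
    src = _pattern_source(kind, seed)
    with open(path, "r+b") as f:
        off = 0
        while off < size:
            n = min(CHUNK, size - off)
            f.write(src(n))
            off += n
        f.flush()
        os.fsync(f.fileno())  # make sure the data reached the media, not just the cache
    return size


def verify_pass(path, kind, seed=0, max_report=10):
    """Read the whole media back and compare with the expected pattern.

    Returns a list of mismatching byte offsets (empty list == verified).
    The list is capped at `max_report` entries; one mismatch is already a failure."""
    size = os.path.getsize(path)
    src = _pattern_source(kind, seed)
    bad = []
    with open(path, "rb") as f:
        off = 0
        while off < size:
            n = min(CHUNK, size - off)
            got = f.read(n)
            exp = src(n)
            if got != exp:
                for i, (g, e) in enumerate(zip(got, exp)):
                    if g != e:
                        bad.append(off + i)
                        if len(bad) >= max_report:
                            return bad
            off += n
    return bad


def sanitize(path, passes=NIST_SINGLE_PASS, seed=None):
    """Run the overwrite passes, then verify the last one.

    'verified' False in the report means the media failed read-back and should
    be physically destroyed rather than reused."""
    if seed is None:
        seed = int.from_bytes(os.urandom(8), "big")
    size = 0
    for kind in passes:
        size = overwrite_pass(path, kind, seed)
    mismatches = verify_pass(path, passes[-1], seed)
    return {
        "bytes": size,
        "passes": len(passes),
        "bytes_written": size * len(passes),  # three passes cost three full writes
        "verified": not mismatches,
        "mismatches": mismatches,
    }


if __name__ == "__main__":
    # Constructed sample: a small "drive" full of fake records.
    fd, img = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"customer record 0001\n" * 60000)
    print("single pass:", sanitize(img, NIST_SINGLE_PASS))
    print("three pass: ", sanitize(img, DOD_THREE_PASS, seed=42))
    os.unlink(img)
```

The verification step is the part that matters operationally: a pass that is written but never read back proves nothing about a drive with failing sectors, and the mismatch list is what justifies routing that drive to physical destruction.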

The standard for 2013

The latest U.S. government standard, developed by the National Institute of Standards and Technology and sponsored by the Department of Homeland Security, is NIST Special Publication 800-88, “Guidelines for Media Sanitization”. Introduced in the fall of 2006, NIST 800-88 offers a practical approach to information security and media sanitization. Its objective is to provide an effective framework and decision-making process for handling media that will ultimately be reused or disposed of.

Two key conclusions from NIST 800-88 are:

  • Process should be the main component of effective data destruction policy rather than the number of data overwrites
  • A single-pass overwrite is suitable for data destruction, saving time and money while providing secure data destruction

Six years after the NIST 800-88 data-sanitization standard debuted, six years during which researchers’ results have bolstered its findings, information security and risk management personnel still ask their IT asset disposition (ITAD) and data-erasure partners whether they do three-pass sanitization. With professional erasure software you can run as many passes as you want; each pass, however, adds a full write of the drive’s capacity. Based on NIST 800-88, university lab research, manufacturers’ testing and industry experience, a single pass using certified software and the proper procedures, including a verification pass, will ensure complete data erasure.

Another common misconception is that there is a government certification for data erasure and destruction. In the U.S., the government does not “certify” any company for data erasure or destruction. The government sets a standard: NIST 800-88. A third-party certification body such as NAID (National Association for Information Destruction) can verify that the data erasure vendor you choose has processes in place that are in compliance with the NIST 800-88 standard, as well as with industry best practices.

Other myths about data erasure

Many misconceptions exist about the process, standards, and technology related to data erasure. Our document, “10 Myths About IT Asset Disposition (ITAD) Data Erasure,” sheds some light on the data erasure process, dispelling some of the most common myths and discussing the best practices for optimizing your organization’s ITAD program in this area.
