[Overview] Data Sanitization in the Modern Age: DoD or NIST?

Any organization that handles sensitive customer information has a legal duty to dispose of said information fully and irretrievably when it is no longer in use or required for regulatory purposes. Today, customers have far greater autonomy over how businesses use and store their data, and with cybercrime accelerating, businesses need more comprehensive data protection and data erasure policies across the data lifecycle.

For organizations tasked with fully sanitizing data stored on IT assets, there are several “standards” that may be followed. The two most widely utilized in the US are from the US Department of Defense (DoD) and the National Institute of Standards and Technology (NIST). The DoD standard – DoD 5220.22-M – is 25 years old. The NIST standard – NIST 800-88 – accounts for more recent technologies and technical advancements.

The DoD three-pass standard was last updated in 2006, a time before many of today’s technologies existed. This raises concerns for today’s organizations, as the sanitization of SSDs and other recent storage technologies is not considered by the DoD standard. The most recent standard is the Special Publication 800-88 from NIST, which is the go-to data erasure standard for organizations in the United States.

The table below shows key differences between the DoD standard and the NIST standard.

                                          DoD 5220.22-M or DoD 5220.22-M ECE    NIST 800-88
Number of overwriting passes              3 or 7                                1
Standard last updated                     February 2006                         December 2014
Considers SSD erasure                     No                                    Yes
Created for                               Government                            All organizations
Verifiably secure method of erasure       Yes (HDDs only)                       Yes
Outlines specific data erasure methods    No                                    Yes
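To make the "number of passes" and "verifiably secure" rows concrete, here is an added example (not code from the page or from either standard) that overwrites a file under a three-pass DoD-style sequence and under a single-pass NIST 800-88 Clear, then reads the file back to verify the final pattern. The pass lists are this example's assumptions based on the commonly cited descriptions of each standard, and the file contents are constructed.

```python
import os
import tempfile

# One entry per overwrite pass; None means a freshly drawn random byte value.
# DoD list: the commonly cited 5220.22-M sequence (character, complement,
# random character, then verify). NIST list: the single-pass Clear that
# 800-88 permits for magnetic media. Both are assumptions for this example.
DOD_5220_22_M = [0x00, 0xFF, None]
NIST_800_88_CLEAR = [0x00]

def overwrite_file(path, passes, chunk=1 << 16):
    """Overwrite every byte of `path` once per pass, fsync after each pass,
    then read the file back to verify the final pattern written.
    Returns (passes_done, verified). This is a logical overwrite: on an SSD
    wear levelling can leave old cells untouched, which is why the page says
    overwrite-only standards do not cover SSD sanitization."""
    if not passes:
        raise ValueError("at least one overwrite pass is required")
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for pattern in passes:
            pat = os.urandom(1) if pattern is None else bytes([pattern])
            os.lseek(fd, 0, os.SEEK_SET)
            for off in range(0, size, chunk):
                os.write(fd, pat * min(chunk, size - off))
            os.fsync(fd)  # push this pass to the device before the next one
        # Verification: every byte must now equal the last pattern written.
        os.lseek(fd, 0, os.SEEK_SET)
        verified = all(
            os.read(fd, min(chunk, size - off)) == pat * min(chunk, size - off)
            for off in range(0, size, chunk)
        )
    finally:
        os.close(fd)
    return len(passes), verified

def run_demo():
    """Create a constructed 'sensitive' file per standard, sanitize it, and
    report (passes, verified) for each."""
    results = {}
    for name, passes in (("dod", DOD_5220_22_M), ("nist", NIST_800_88_CLEAR)):
        with tempfile.NamedTemporaryFile(delete=False) as f:
            f.write(b"constructed customer record 0123456789\n" * 4000)
            path = f.name
        try:
            results[name] = overwrite_file(path, passes)
        finally:
            os.unlink(path)
    return results
```

Running `run_demo()` returns `{'dod': (3, True), 'nist': (1, True)}`: both verify, and the only difference visible at this level is the pass count, which is the point the table makes.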
