[Overview] Data Sanitization in the Modern Age: DoD or NIST?
Any organization that handles sensitive customer information has a legal duty to dispose of that information fully and irretrievably when it is no longer in use or no longer required for regulatory purposes. Today, customers have far greater autonomy over how businesses use and store their data, and with cybercrime accelerating, businesses need more comprehensive data protection and data erasure policies across the data lifecycle.
For organizations tasked with fully sanitizing data stored on IT assets, there are several “standards” that may be followed. The two most widely used in the US come from the US Department of Defense (DoD) and the National Institute of Standards and Technology (NIST). The DoD standard – DoD 5220.22-M – is 25 years old. The NIST standard – NIST 800-88 – accounts for more recent technologies and technical advancements.
The DoD three-pass standard was last updated in 2006, before many of today’s technologies existed. This raises concerns for today’s organizations, because the DoD standard does not consider the sanitization of SSDs and other recent storage technologies. The most recent standard is NIST Special Publication 800-88, which is the go-to data erasure standard for organizations in the United States.
The table below shows key differences between the DoD standard and the NIST standard.