Any organization that handles sensitive customer information has a legal duty to dispose of said information fully and irretrievably when it is no longer in use or required for regulatory purposes. Today, customers have far greater autonomy over how businesses use and store their data, and with cybercrime accelerating, businesses need more comprehensive data protection and data erasure policies across the data lifecycle.
For organizations tasked with fully sanitizing data stored on IT assets, there are several “standards” that may be followed. The two most widely used in the US come from the US Department of Defense (DoD) and the National Institute of Standards and Technology (NIST). The DoD standard – DoD 5220.22-M – is 25 years old. The NIST standard – NIST 800-88 – accounts for more recent technologies and technical advancements.
The DoD three-pass standard was last updated in 2006, a time before many of today’s technologies existed. This raises concerns for today’s organizations, as the sanitization of SSDs and other recent storage technologies is not considered by the DoD standard. The most recent standard is the Special Publication 800-88 from NIST, which is the go-to data erasure standard for organizations in the United States.
The table below illustrates the key differences between the DoD standard and the NIST standard.
| | DoD 5220.22-M or DoD 5220.22-M ECE | NIST 800-88 |
|---|---|---|
| Number of overwriting passes | 3 or 7 | 1 |
| Standard last updated | February 2006 | December 2014 |
| Considers SSD erasure | No | Yes |
| Created for | Government | All organizations |
| Verifiably secure method of erasure | Yes (HDDs only) | Yes |
| Outlines specific data erasure methods | No | Yes |
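The pass counts and the verification row in the table are easier to reason about with a small model. The Python below is an added example written for this article, not code from the page, from NIST or from the DoD. It simulates a magnetic drive as a byte array, applies either the commonly cited DoD 5220.22-M three-pass sequence (a character, its complement, then random data) or a NIST 800-88 Clear-style single fixed-value pass, and then performs the read-back verification that both standards expect, plus a residual-data check that no sector still holds its pre-sanitization contents. The sector size, the pass patterns and the sample data are constructed assumptions for the example. The model only holds for media where every addressable location is directly overwritable, which is why the table marks DoD overwriting as verifiably secure for HDDs only: an SSD controller remaps blocks and keeps spare capacity that host writes never reach, so for flash media NIST 800-88 points to the drive's own sanitize capabilities rather than relying on host-level overwriting alone.

```python
import secrets
from typing import List, Optional

SECTOR = 512  # bytes per simulated sector (constructed value for this example)

# A pass is either a fixed byte pattern or None, meaning random data.
# Commonly cited DoD 5220.22-M three-pass sequence: a character, its complement, random.
DOD_3_PASS: List[Optional[bytes]] = [b"\x00", b"\xff", None]
# NIST SP 800-88 Clear for magnetic media: at least one pass with a fixed value such as zeros.
NIST_CLEAR: List[Optional[bytes]] = [b"\x00"]


def make_media(sectors: int) -> bytearray:
    """Simulated HDD pre-filled with random 'sensitive' data (constructed test input)."""
    return bytearray(secrets.token_bytes(sectors * SECTOR))


def overwrite_pass(media: bytearray, pattern: Optional[bytes]) -> bytes:
    """Write one full pass over every byte of the media and return exactly what was
    written, so the caller can verify the pass by reading it back."""
    if pattern is None:
        data = secrets.token_bytes(len(media))
    else:
        data = (pattern * (len(media) // len(pattern) + 1))[: len(media)]
    media[:] = data
    return data


def verify_readback(media: bytearray, written: bytes) -> bool:
    """Full (not sampled) verification: every byte read back equals what the
    final pass wrote. A mismatch means the write did not reach that location."""
    return bytes(media) == written


def residual_sectors(original: bytes, media: bytearray) -> int:
    """Count sectors whose contents are unchanged from before sanitization.
    Overwriting the whole addressable space must leave zero such sectors.
    (On an SSD this check cannot see remapped or over-provisioned blocks.)"""
    return sum(
        1
        for off in range(0, len(media), SECTOR)
        if media[off : off + SECTOR] == original[off : off + SECTOR]
    )


def sanitize(media: bytearray, passes: List[Optional[bytes]]) -> dict:
    """Run the given pass sequence in place, then verify and report."""
    original = bytes(media)
    written = b""
    for pattern in passes:
        written = overwrite_pass(media, pattern)
    return {
        "passes": len(passes),
        "verified": verify_readback(media, written),
        "residual_sectors": residual_sectors(original, media),
    }


if __name__ == "__main__":
    for name, passes in (("DoD 3-pass", DOD_3_PASS), ("NIST Clear", NIST_CLEAR)):
        drive = make_media(sectors=64)
        print(name, sanitize(drive, passes))
```

Both sequences produce a verified result with no residual sectors on the simulated drive; the difference the table records is the number of passes (and therefore the time spent) rather than the outcome, which is the argument NIST 800-88 makes for a single verified pass on modern magnetic media.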