DoD 5220.22-M & NIST 800–88 Data Destruction
What’s the difference, and why are they important?
Why Data Destruction Matters.
Every 39 seconds, a hacker attacks an individual or organization.⁴
In 2020, there were 3,950 confirmed data breaches.⁵
There are many precautions organizations can take to mitigate the likelihood of a data breach, but one of the most critical is ensuring that the data on retired corporate-issued devices is properly destroyed before those devices leave the organization’s control.
Two of the most rigorous methods of data destruction are the United States Department of Defense (DoD) 5220.22-M overwrite standard and the National Institute of Standards and Technology (NIST) Special Publication 800–88, Guidelines for Media Sanitization.
Let’s take a look at each of these methods and why they matter in today’s mobile device policies and procedures.
What is the DoD 5220.22-M standard for data destruction?
The DoD 5220.22-M erasure method first appeared in 1995 in the National Industrial Security Program Operating Manual (NISPOM), long before the widespread use of smartphones, tablets, and flash-based storage. It became the most common and readily available baseline for data destruction and is still what many vendors mean when they call an erasure process “DoD standard.”³
As originally specified, the method applies to magnetic hard disk drives (HDDs). It overwrites every addressable location in three passes and verifies the result after the final pass:³
- Pass 1: Overwrite all addressable locations with binary zeros.
- Pass 2: Overwrite all addressable locations with binary ones, the complement of Pass 1.
- Pass 3: Overwrite all addressable locations with a random bit pattern.
- Verify the final overwrite pass by reading the media back and comparing it with the pattern written.
- Physically destroy the device when it cannot be overwritten.
DoD 5220.22-M had its last major revision in 2006, 15 years ago at the time of writing. That revision no longer spells out an overwrite procedure, and the Department of Defense no longer cites DoD 5220.22-M as an approved method of data erasure. Most government and regulatory or certification programs now cite NIST 800–88 as the recommended standard instead.³
What is the NIST 800–88 standard for data destruction?
NIST 800–88 is the National Institute of Standards and Technology’s Special Publication 800–88, Guidelines for Media Sanitization.² It is the current and most widely recommended standard for data destruction in the industry.
First published in 2006 and revised as Revision 1 in 2014, NIST 800–88 picked up where DoD 5220.22-M left off. It is written to be technology-neutral, so it covers media types that did not exist when it was drafted, and it explicitly addresses both hard disk drives and flash-based storage such as solid state drives, making it applicable to a far broader range of devices.¹
NIST 800–88 provides three methods of dealing with end-of-life data on devices and preventing unauthorized access: Clear, Purge, and Destroy.²
- Clear applies logical techniques to sanitize data in all user-addressable storage locations. Applied through the storage device’s standard read/write commands, it protects against simple, non-invasive data recovery techniques (such as file-recovery tools) but not against laboratory attacks.
- Purge applies physical or logical techniques that render recovery of the target data infeasible even with state-of-the-art laboratory techniques. For modern drives this means a firmware-level sanitize command (such as ATA Secure Erase, NVMe Sanitize, block erase, or cryptographic erase of the drive’s encryption key) that reaches the hidden, spare, and over-provisioned areas a host-issued overwrite cannot; for magnetic media it can also mean degaussing. The last step is to verify that the command completed and the data is unreadable.
- Destroy renders the media unusable and incapable of storing data afterward, using physical techniques such as shredding, disintegrating, melting, or incinerating. It is necessary when a drive is no longer functional or cannot be cleared or purged. Where the device can still be reused, Clear or Purge should be preferred, as Destroy turns the device into waste.
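As an added, runnable illustration of the two overwrite procedures described above (the three-pass DoD 5220.22-M wipe with verification of the final pass, and a single-pass NIST 800–88 Clear with full read-back verification), here is a small Python tool. It is example code written for this page, not software from Mobile reCell, Blancco, or any standards body. It assumes a 1 MiB I/O chunk, uses a seeded SHA-256 stream (an assumption of this example, not part of either standard) so that the “random” pass can be regenerated and verified by reading it back, and in its demo mode wipes a constructed temporary file rather than a real device.

```python
"""Host-side overwrite sanitization with read-back verification (example code).

Implements the DoD 5220.22-M three-pass wipe (zeros, ones, random, verify the
final pass) and a NIST SP 800-88 "Clear" single-pass overwrite with verification.
Works on a regular file or, with sufficient privilege, a raw block device path.
Only meaningful for magnetic media: flash controllers remap writes, so a host
overwrite is not a NIST "Purge" for SSD, eMMC or UFS storage.
"""
import hashlib
import os

BLOCK = 1024 * 1024                     # I/O chunk size (assumption for this example)
DIGEST = hashlib.sha256().digest_size   # 32 bytes; BLOCK is a multiple of it


def media_size(path):
    """Size in bytes; seeking to the end works for both files and block devices."""
    with open(path, "rb") as f:
        return f.seek(0, os.SEEK_END)


def prng_fill(seed, offset, nbytes):
    """Deterministic pseudo-random fill: SHA-256(seed || block counter).
    Unlike /dev/urandom output it can be regenerated from the seed, which is
    what makes read-back verification of the random pass possible."""
    counter = offset // DIGEST          # offsets passed in are BLOCK-aligned
    out = bytearray()
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def _read_exact(f, n):
    """Raw reads may return short; keep reading until n bytes or EOF."""
    buf = bytearray()
    while len(buf) < n:
        chunk = f.read(n - len(buf))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def overwrite_pass(path, size, fill):
    """Write fill(offset, n) over every addressable byte, then force it to media."""
    with open(path, "r+b", buffering=0) as f:
        off = 0
        while off < size:
            n = min(BLOCK, size - off)
            f.seek(off)
            mv = memoryview(fill(off, n))
            while mv:                       # raw writes may also be short
                mv = mv[f.write(mv):]
            off += n
        os.fsync(f.fileno())


def verify_pass(path, size, fill):
    """Read every byte back and compare with what the pass should have written.
    Returns -1 if the whole media matches, else the offset of the first mismatch."""
    with open(path, "rb", buffering=0) as f:
        off = 0
        while off < size:
            n = min(BLOCK, size - off)
            f.seek(off)
            got, want = _read_exact(f, n), fill(off, n)
            if got != want:
                i = next((i for i, (a, b) in enumerate(zip(got, want)) if a != b),
                         min(len(got), len(want)))
                return off + i
            off += n
    return -1


def dod_5220_22m(path, seed=None):
    """DoD 5220.22-M: zeros, complement (ones), random, then verify the final pass."""
    size = media_size(path)
    seed = seed or os.urandom(32)
    passes = [lambda off, n: b"\x00" * n,
              lambda off, n: b"\xff" * n,
              lambda off, n: prng_fill(seed, off, n)]
    for fill in passes:
        overwrite_pass(path, size, fill)
    return verify_pass(path, size, passes[-1])


def nist_clear(path):
    """NIST SP 800-88 Clear for an HDD: one overwrite of all user-addressable
    space with a fixed value (zeros), followed by full read-back verification."""
    size = media_size(path)
    zeros = lambda off, n: b"\x00" * n
    overwrite_pass(path, size, zeros)
    return verify_pass(path, size, zeros)


if __name__ == "__main__":
    import sys, tempfile
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target is None:                     # constructed demo image, not a real device
        tmp = tempfile.NamedTemporaryFile(delete=False)
        tmp.write(b"TOP SECRET customer database\n" * 120_000)
        tmp.close()
        target = tmp.name
    print("DoD 5220.22-M final-pass verify (-1 = clean):", dod_5220_22m(target))
    print("NIST 800-88 Clear verify (-1 = clean):", nist_clear(target))
```

Pointed at a block device path, the same functions run against real media. Note what this does not demonstrate: on flash (SSD, eMMC, UFS) a host-issued overwrite does not reach remapped or over-provisioned cells, so it is at best a Clear. A NIST Purge on such media uses the drive’s own firmware sanitize commands (ATA Secure Erase, NVMe Sanitize, or cryptographic erase), which this example deliberately does not issue.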
NIST 800–88 had its last major update (Revision 1) in 2014. It remains the level of data destruction recommended, and in some cases required, by the U.S. Federal Government, superseding the outdated DoD 5220.22-M process.²
Whichever method is used, NIST 800–88 requires that sanitization be verified and documented for each device, typically in a certificate of sanitization.² It is the most current and secure process available today for handling your organization’s retired mobile devices.
Why are the DoD 5220.22 and NIST 800–88 standards important?
Both standards matter because both take concrete, preventive action on the storage inside your company’s mobile devices, making unauthorized access, or worse, a data breach, far harder once a device leaves your control.
Either a DoD 5220.22-M or a NIST 800–88 process goes further than a simple factory reset and raises your company’s data security to the next level, protecting your organization, employees, and customers.
Whichever process is used, it should be verified and certified so that your company has an audit trail for the future.
Which is better — DoD 5220.22 or NIST 800–88?
“Department of Defense 5220.22-level” data destruction sounds very secure. In practice the label can be misleading, because today’s standards call for a higher level of data erasure and for coverage of media that the 1995 method never considered.
NIST 800–88 is the current and updated standard that is recommended by the US federal government.
DoD 5220.22-M is an outdated method created before smartphones and much of today’s storage technology existed. It is also slow and costly, requiring three (or, in its extended variants, seven) full overwrite passes.
NIST 800–88 is a more current process that accounts for newer technologies and media types, and for a hard disk drive it recognizes that a single verified overwrite pass is sufficient.¹
DoD 5220.22-M is limited to hard disk drive (HDD) storage. It does not address the flash storage found in nearly every mobile device (solid state drives, eMMC, and UFS), where the controller’s wear leveling remaps writes, so a host-issued overwrite cannot be guaranteed to reach every physical cell or the drive’s spare area.
NIST 800–88 covers both HDDs and SSDs, along with many other types of technology and media.
As the world continues to evolve, so do the cyber criminals who want access to your valuable company data. Relying only on DoD 5220.22-M, a 25-year-old process that has not been updated in almost 15 years, does not give your organization maximum security.
Today, NIST 800–88 is the preferred and highest standard of data destruction, including for government sectors. Either standard is beneficial, but NIST 800–88 provides the higher level of data protection of the two.
Why Your Business Should Partner with a Vendor Using These Standards.
As you search for a mobile device recovery vendor, make sure their data erasure practices meet or exceed the DoD 5220.22-M and/or NIST 800–88 standards. Proper verification and certification of data destruction by the vendor, recorded per device, are critical to protecting your organization in the future.
Mobile reCell provides the only software-driven solution for corporate-owned mobile device recovery. We offer a software-driven, automated process that follows, verifies, and certifies DoD 5220.22 and NIST 800–88 standards for data destruction. Our proprietary software provides visibility and detailed reporting through the entire device recovery process — device shipment tracking, functionality testing, NIST 800–88-compliant data destruction, cosmetic condition grading, and reselling or recycling.
Want to Learn More?
Visit us at mobilerecell.com to learn more about a mobile device recovery solution for your company.
1. Blancco. Data Sanitization in the Modern Age: DoD or NIST? https://www.blancco.com/resources/bp-data-sanitization-in-the-modern-age-dod-or-nist/
2. Blancco. What is NIST 800–88, and What Does “Media Sanitization” Really Mean? https://www.blancco.com/blog-what-is-nist-800-88-media-sanitization/
3. Blancco. Everything You Need to Know About the DoD 5220.22-M Wiping Standard & Its Applications Today. https://www.blancco.com/blog-dod-5220-22-m-wiping-standard-method/
4. Cybint. 15 Alarming Cyber Security Facts and Stats. https://www.cybintsolutions.com/cyber-security-facts-stats/
5. Varonis. 98 Must-Know Data Breach Statistics for 2021. https://www.varonis.com/blog/data-breach-statistics/