Moving Beyond DoD 5220.22-M:

The Data Wipe “Standard” That Would Not Die

Not a day goes by that we don't come across yet another reference to sanitizing hard drives in compliance with the Department of Defense Standard DoD 5220.22-M, otherwise known as the data erasure standard that never was.

The DoD 5220.22-M standard for erasing or wiping data from a hard drive emerged early on in the evolving electronic data destruction business. A classic case of echo chamber knowledge distribution, the de facto adoption of this process was more of a marketing phenomenon than it was the result of any official policy supported by the Department of Defense.

DoD 5220.22-M specifies a process that overwrites data on a hard drive with random patterns of ones and zeros. The fact that the DoD 5220.22-M protocol required three overwriting passes made it seem all the more secure, as did the implied Department of Defense imprimatur. At some point, this pseudo-standard took on a life of its own as third-party computer recycling and refurbishing companies, IT asset disposition (ITAD) firms and other types of organizations asserted DoD compliance on websites and in marketing collateral.

DoD 5220.22-M was never approved by the Department of Defense for civilian media sanitization, and even more importantly, the DoD never intended for it to be a standard for classified data. The DoD is not in the business of certifying data destruction standards and has no mechanism for policing any given company's procedures. For its own classified data, the DoD requires a combination of wiping, degaussing and/or physical destruction.

Sean O'Leary