In actual practice, most commercial data wiping software and hardware products reliably deliver the technology to erase hard drives beyond the possibility of reasonable forensic recovery and to comply with mainstream certification programs. The document does not provide requirements, standards or specifications. The intent of the NIST document is to provide meaningful guidelines for sanitizing electronic media. This document has replaced the DoD standard in terms of regulatory and certification practice, and yet DoD 5220.22-M continues to hang on in marketing statements. These methods include both over-writing and Secure Erase, a protocol built into the hard drive.
Originally issued in 2006 and revised in 2012, SP 800-88 spells out preferred methodologies for wiping hard drives and other media under Minimum Sanitization Recommendations in Appendix A (see our summary of this document here).
Over the past several years, the National Institute for Standards and Technology's (NIST) Special Publication 800-88: Guidelines for Media Sanitization has become the real world reference for data erasure compliance.
For its own classified data, the DoD requires a combination of wiping, degaussing and/or physical destruction. The DoD is not in the business of certifying data destruction standards and has no mechanism for policing any given company's procedures. At some point, this pseudo standard took on a life of its own as third-party computer recycling and refurbishing companies, IT asset disposition (ITAD) firms and other types of organizations asserted DoD compliance on websites and marketing collateral.ĭoD 5220.22-M was never approved by the Department of Defense for civilian media sanitization, and even more importantly, the DoD never intended for it to be a standard for classified data. The fact that the DoD 5220.22-M protocol required three overwriting passes made it seem all the more secure, as did the implied Department of Defense imprimatur. A classic case of echo chamber knowledge distribution, the de facto adaption of this process was more of a marketing phenomenon than it was the result of any official policy supported by the Department of Defense.ĭoD 5220.22-M specifies a process that overwrites data on a hard drive with random patterns of ones and zeros. The DoD 5220.22-M standard for erasing or wiping data from a hard drive emerged early on in the evolving electronic data destruction business.
Independent data erasure verification has moved to the forefront of certified compliance oversight."Approved by DoD" claims are misleading.Multiple overwrite passes can waste time and money.Regulations and certification programs now cite NIST SP 800-88 media erasure guidelines.Department of Defense no longer references DoD 5220.22- M as a method for secure HDD erasure
0 kommentar(er)
