DOD 5220.22... Does Deletion Software Get It Right?

DoD 5220.22-M is a standard issued by the U.S. Department of Defense (DoD) for sanitizing computer disks and data so that the data can never be recovered.

It's pretty obvious why the DOD may want to ensure that defense secrets are erased beyond recovery when hardware and software are disposed of. But what about the rest of us? Why would we need to erase beyond discovery?

Well, please read my article, Permanently Delete Files So Personal Information Is Irrecoverable, to understand why you should take special measures to guard privacy.

Most people believe that they do permanently delete their data. However, clicking delete, emptying the Recycle Bin or even formatting the drive doesn't get rid of files. The digital information still remains on the drive we are using. This is known as data remanence -- the residual representation of data that remains even after attempts have been made to remove or erase the data.

So, when we delete, it's only the pathway to the file(s) that is removed from the file system directory; the data itself stays on the disk, with its space merely marked as available for new content. Even when that space is later overwritten, the new content may not cover the whole of the old file, and the remnants that survive can be recovered to form a pretty good picture of what was there before.

Let's have a look at where the DOD 5220.22 comes in...

  1. DOD 5220.22 M Explained
  2. Where Has the DoD 5220.22-M Misinformation Come From?
  3. In Summary
  4. The Deletion Program I Use and Recommend
  5. Supporting Articles

DOD 5220.22 M Explained

Several standards exist for the secure removal of data and the treatment of data remanence. Many countries have developed sanitisation processes, which include specific overwriting techniques, degaussing, encryption and physical destruction.

In the United States, DoD 5220.22-M is the DoD's policy document on security standards. If you visit 'DoD Issuances' (the official Department of Defense website for DoD issuances), you will see the most recent issuance of DoD 5220.22-M, dated February 28, 2006 (see also DTM-09-019): the National Industrial Security Program Operating Manual (NISPOM).

This is a massive tome and covers...

  1. security clearance
  2. security training
  3. security classification
  4. safeguarding classified information
  5. visits and meetings
  6. subcontracting
  7. information system security
  8. special requirements
  9. international security requirements
  10. some general information

Under Chapter 8, 'Information System Security', Section 3, 'Common Requirements', there are the following clauses:

"8-301. Clearing and Sanitization. Instructions on clearing, sanitization and release of IS media shall be issued by the accrediting CSA.

a. Clearing. Clearing is the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. All internal memory, buffer, or other reusable memory shall be cleared to effectively deny access to previously stored information.

b. Sanitization. Sanitization is the process of removing the data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was in the media before sanitizing. IS resources shall be sanitized before they are released from classified information controls or released for use at a lower classification level."

That's it!! No specified number of passes, as claimed by many authors and data destruction companies. So there is no specific wipe procedure within DoD 5220.22-M. It does state that the procedure is determined by the CSA, the 'Cognizant Security Agency': a government agency, such as the DoD or the CIA, which specifies the clearing and sanitization procedure. So, in reality, 5220.22-M is being misquoted by disk deletion software developers.

Where Has the DoD 5220.22-M Misinformation Come From?

Daniel B. Sedory offers a partial explanation of where the DoD 5220.22 three-overwrite method and the enhanced seven-overwrite method are derived from. From further research, he goes on to state that, as of November 2007, the United States Department of Defense considers overwriting acceptable for clearing magnetic media, provided the media remains in the same security area, but not as a sanitization method; only degaussing or physical destruction is acceptable for sanitization.

The work of Wright et al., 'Overwriting Hard Drive Data: The Great Wiping Controversy', showed that a single wipe of a modern drive was sufficient to prevent forensic recovery of data.

In Summary

Although the references to DoD 5220.22-M made by deletion software developers are erroneous, that doesn't mean their software isn't doing its job, as it will still be erasing data with 3 overwrites. From current studies, we know that a single overwrite renders the information on a modern magnetic drive irrecoverable, so 3 overwrites just builds in a safety factor.
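Added example (not the article's own code, nor from any product it mentions): the overwrite-then-unlink mechanics described above, run in Python on a constructed sample file. The pass patterns (zeros, ones, random) are my assumption, since the article states only a pass count; the docstring caveat about journals, snapshots and flash is mine as well.

```python
import os
import secrets
import tempfile

# Pass patterns are an assumption made for this example (zeros, ones, random);
# the article gives only a pass count, not a pattern.
PASS_PATTERNS = (b"\x00", b"\xff", None)  # None means fresh random bytes

def overwrite_file(path, passes=3, chunk_size=1 << 20):
    """Overwrite every byte of `path` in place `passes` times; returns pass labels.

    Only the blocks currently mapped to the file are reached: journals,
    copy-on-write snapshots and flash wear-levelling can keep older copies.
    """
    size = os.path.getsize(path)
    labels = []
    with open(path, "r+b") as fh:
        for i in range(passes):
            pattern = PASS_PATTERNS[i % len(PASS_PATTERNS)]
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # commit this pass to the device before the next
            labels.append("random" if pattern is None else "0x" + pattern.hex())
    return labels

def secure_delete(path, passes=3):
    """Overwrite, rename to a random name so the old name leaves the directory, unlink."""
    labels = overwrite_file(path, passes)
    anon = os.path.join(os.path.dirname(path) or ".", secrets.token_hex(8))
    os.rename(path, anon)
    os.remove(anon)
    return labels

def demo():
    """Run the flow on a constructed sample file in a temp dir.
    Returns (pass labels, marker still readable?, file still exists?)."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "secret.txt")
        with open(path, "wb") as fh:
            fh.write(b"SECRET DATA " * 100)  # constructed sample content
        labels = overwrite_file(path, passes=3)
        with open(path, "rb") as fh:
            leaked = b"SECRET" in fh.read()
        secure_delete(path, passes=1)
        return labels, leaked, os.path.exists(path)
```

Reading the file back after the passes shows the marker gone, which is the whole of what an in-place overwrite can promise; whether earlier copies exist elsewhere on the medium is a property of the drive and file system, not of the pass count.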

The Deletion Program I Use and Recommend

I recommend and use CyberScrub deletion software. It is installed on your computer to overwrite deleted data to the level you determine... 1 pass or up to Gutmann (35 passes). CyberScrub Privacy Suite will probably suit most people, but if you want to securely wipe external media, such as USB sticks, CD/DVD and external hard drives, CyberScrub Security is the one to go for. For businesses with regulatory compliance requirements, these programs meet document life-cycle policies for HIPAA, Sarbanes-Oxley, FACTA and GLB.

I go into more detail about this software in my article, Permanently Delete Files with CyberScrub.

Alternatively, see:

CyberScrub Security Information and Try the 15 Day Free Trial

Supporting Articles

  1. How To Manually Delete Cookies and Internet History
  2. Why You Should Permanently Delete Files
  3. Delete Browsing History To Stop Tracking Cookies and Snoops!
  4. CCCleaner Is A Fast and Effective Free Shredder
  5. Why You Should Use a File Shredder and The Best Free Software
  6. Learn More About How This Top File Deletion Software Operates