DOD 5220.22-m Vs. NIST 800-88: Which Standard is Better?

Organizations were once worried about whether data would truly be gone once a device left service. Promises weren’t enough, and the need for a safe, verifiable approach led to the rise of formal data erasure standards.

Following these recognized standards is essential for protecting confidential information, meeting regulatory obligations, and reducing the risk of costly breaches. Two of the most widely used data erasure standards are the DoD 5220.22-M and the NIST 800-88.

But how are these standards actually put into practice? Because applying them requires technical precision and proof of completion, many organizations turn to certified IT Asset Disposition (ITAD) providers. These specialists deliver secure erasure methods, maintain the chain of custody, and issue audit-ready reports that compliance programs demand.

What is the DoD 5220.22-M standard?

The earliest widely recognized framework for data erasure came from the U.S. Department of Defense in the 1990s. Published in the National Industrial Security Program Operating Manual (NISPOM) in 1995, the DoD 5220.22-M method quickly became the default approach for wiping data from storage devices.

The DoD 5220.22-M standard introduced the well-known three-pass overwrite method: first writing a series of zeros across the drive, then ones, and finally a random pattern. Each overwrite cycle was followed by a verification step to confirm that the data had been replaced.

It was designed primarily for magnetic media such as mechanical hard disk drives. As organizations focused more on data security, the DoD method gave IT teams and security officers a clear process to follow.

Challenges and limitations of the DoD 5220.22-M standard

As storage technologies advanced, the method began to show clear drawbacks:

  • The method faced difficulties with SSDs, as it was designed for magnetic media. On chip-based storage, repeated overwrites not only failed to fully erase data but also shortened the drive’s limited lifespan.
  • The three-pass overwrite approach became outdated, since modern drives require only a single pass for secure erasure. Reflecting this change, the provision was officially removed from NISPOM after 2001.
  • The NISPOM does not define a single government-wide standard for data sanitization, but instead leaves that responsibility to Cognizant Security Authorities (CSAs). Different agencies under CSA guidance moved away from DoD 5220.22-M, and many no longer permit its use.
  • It was never accepted for top-secret media, which underscored its limits for the most sensitive forms of data.

What is the NIST 800-88 standard?

With the DoD 5220.22-M standard failing to keep pace with newer storage technologies, the need for a modern approach to data erasure became clear.

That need was addressed in 2006, when the National Institute of Standards and Technology (NIST) introduced Special Publication 800-88. Revised in 2014, it quickly became the framework organizations around the world look to for guidance.

Unlike the older overwrite-only approach, NIST 800-88 provides a comprehensive framework that covers magnetic drives, solid-state drives, flash memory, mobile devices, and other forms of storage. It also addresses hidden areas such as Host Protected Areas (HPA) and Device Configuration Overlays (DCO), which earlier standards overlooked.

The standard defines three categories of data sanitization:

  • Clear: Logical techniques that overwrite data to protect against basic recovery methods.
  • Purge: Advanced methods, such as cryptographic erase or block erase, that make recovery infeasible even with laboratory tools.
  • Destroy: Physical destruction of the media, rendering it permanently unusable.

Under NIST guidelines, a single overwrite pass is considered sufficient, eliminating the need for multiple passes while still protecting against recovery. This approach reduces time, cost, and environmental impact, especially when dealing with large volumes of assets.
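As an added illustration (not code from the original article or from ITAMG), the following Python sketch models the NIST Clear step on a constructed in-memory image: one overwrite pass followed by the read-back verification the article describes, plus a helper that maps media type and disposition to Clear, Purge or Destroy. The function names and the decision mapping are the editor's assumptions, not the standard's own decision flowchart.

```python
import io
import secrets

SECTOR = 512  # constructed sector size for the in-memory image


def make_sample_media(num_sectors=64):
    """Constructed stand-in for a block device, filled with random 'user data'."""
    return io.BytesIO(secrets.token_bytes(num_sectors * SECTOR))


def verify_pattern(dev, size, block):
    """Verification step: read every sector back and confirm it holds the pattern."""
    dev.seek(0)
    for _ in range(size // SECTOR):
        if dev.read(SECTOR) != block:
            return False
    return True


def clear_single_pass(dev, size, pattern=b"\x00"):
    """NIST Clear on magnetic media: a single fixed-pattern pass over every
    sector, then a full read-back. Returns (sectors_written, verified)."""
    block = pattern * SECTOR
    dev.seek(0)
    for _ in range(size // SECTOR):
        dev.write(block)
    dev.flush()
    return size // SECTOR, verify_pattern(dev, size, block)


def choose_method(media, reuse, highly_sensitive=False):
    """Assumed mapping of media type and disposition to a NIST 800-88 category."""
    if highly_sensitive:
        return ("Destroy", "physical destruction per organizational policy")
    if media in ("ssd", "nvme", "flash"):
        # Overwriting flash is unreliable and wears the cells; use a firmware
        # purge (cryptographic erase or block erase) instead of multi-pass writes.
        return ("Purge", "cryptographic erase or block erase via drive firmware")
    if media == "hdd":
        if reuse:
            return ("Clear", "single-pass overwrite with verification")
        return ("Purge", "degauss before disposal")
    raise ValueError(f"unknown media type: {media}")
```

Verification must cover the full addressable range, including any HPA/DCO region exposed beforehand, or the read-back proves nothing about the sectors it skipped.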

Soon, NIST 800-88 became the recognized industry standard because it combines technical precision with adaptability. By offering methods for both reuse (through secure erasure) and end-of-life destruction, it supports regulatory compliance, asset value recovery, and sustainability initiatives.

Read more: An Introduction to NIST 800-88 and Media Sanitization

Government & industry adoption of the NIST 800-88 standard

The move toward NIST 800-88 started when organizations realized that older overwrite methods no longer worked well with modern storage. Agencies and businesses needed a secure, practical standard that applied to both hard drives and SSDs.

Over time, U.S. federal policy moved away from prescribing DoD 5220.22-M’s multi-pass overwrite method (used in older NISPOM editions). In the NISPOM Rule effective February 2021, the sanitization specification was dropped, and DoD no longer includes that algorithm in its contractor mandates.

In practice, NIST SP 800-88 (Guidelines for Media Sanitization) has become the reference standard for federal agencies and many industry frameworks. The DAAPM (Defense Authorization/Assessment manual for cleared contractors) and many contract requirements now rely on NIST (or NIST-aligned) controls, though I did not confirm that the 2019 DAAPM explicitly names NIST 800-88 as the one and only sanitization standard. International standards such as ISO/IEC 27040 align with NIST’s clear/purge/destroy model. In certain compliance regimes and industry guidance (e.g., PCI, recycling standards), NIST 800-88 is widely endorsed or referenced as the de facto “best practice,” even if not always mandated explicitly.

For highly classified data, the Department of Defense still requires stronger steps such as degaussing and physical destruction, depending on sensitivity levels.

The IT asset disposition (ITAD) industry has followed the same path. Certified providers now use NIST-compliant erasure tools, maintain a full chain of custody, and issue certificates of destruction to support compliance programs.

DoD vs. NIST: Which data erasure standard is better?

Although the DoD data erasure standard is no longer in use, a quick comparison can help show how it differs from the modern NIST approach.

Criteria               | DoD 5220.22-M                              | NIST 800-88
-----------------------|--------------------------------------------|------------------------------------------------
First issued           | 1995                                       | 2006
Latest update          | 2006                                       | 2014 (Rev. 1)
Core method            | Multi-pass overwriting (3–7 passes)        | Clear, Purge, Destroy (includes single-pass)
Device compatibility   | Magnetic, mechanical media                 | HDDs, SSDs, mobile devices, flash, optical
Hidden areas           | Not addressed                              | Covers HPA (Host Protected Areas) and DCOs
Efficiency             | Time- and resource-intensive               | Faster, cost-effective, environmentally better
Verification           | Limited (HDDs only)                        | Full verification and certification reporting
Compliance relevance   | No longer cited in government frameworks   | Referenced in DAAPM, PCI DSS, ISO 27040, R2v3
Current use            | Legacy, not recommended                    | Industry benchmark across government & ITAD

It’s clear that while the DoD 5220.22-M method played an important role in the past, NIST 800-88 is the recognized standard today. It delivers stronger security across all device types and does so more efficiently than multi-pass overwrites.

NIST methods are also more practical in modern IT environments. They support asset reuse through secure erasure and end-of-life destruction when needed. This flexibility is essential for businesses managing diverse fleets of laptops, servers, smartphones, and flash-based storage.

Compliance has also shifted firmly toward NIST. Government agencies, international standards bodies, and certification frameworks now cite NIST SP 800-88 Rev. 1 rather than DoD 5220.22-M. For organizations, adopting NIST methods is not just about security but about meeting regulatory obligations and passing audits.

Conclusion

The choice of data erasure can still depend on factors such as the sensitivity of the data, the type of device, and an organization’s operational or compliance needs.

We recommend looking to NIST 800-88, which has become the industry standard and is widely supported by government agencies and certification bodies. While both NIST and DoD methods are recognized, the type of device often guides the best approach.

We suggest that organizations view secure erasure not only as a technical requirement but also as a way to remain compliant and protect data throughout the asset lifecycle.


About the Author

Richy George

Richy George is a 19-year expert in IT Asset Disposition (ITAD) and a key member of the leadership team at ITAMG. With extensive experience in refurbishing and remarketing, Richy is skilled at helping organizations maximize value recovery from their end-of-life IT hardware assets effectively and sustainably.

Charles Veprek

Charles Veprek is a dedicated IT asset disposal professional with 11 years of experience in IT Asset Disposition (ITAD) and a pivotal member of the leadership team at ITAMG. With a strong focus on data security and compliance, Charles helps organizations navigate the complexities of IT asset disposition.