Edition 120, July 2022

Wipe Out! The Ongoing Evolution (and Falling Away) of Data Sanitization Standards

By Karen Fedder, Blancco

In the summer of 1963, a teen surf band called The Surfaris released “Wipe Out,” creating an unexpected instrumental hit. The song reached #2 on the Billboard Top 100 in the US and #5 on the UK Singles Chart. Amid the now-instantly recognizable guitar riffs and drum solos, the only lyrics are those in the name itself: Wipe Out—the term used for falling off a surfboard when riding the waves.

Those of us involved in processing used computers, drives, printers, servers, tablets, and smartphones are all too familiar with “wiping” all data before resale or reuse. Using proper methods and standards, verifying the results, and certifying data destruction are all essential to proving that data has been permanently removed.

At the same time, ITADs and IT asset recyclers must often ride the waves of changing technologies, data protection regulations, customer requests, and outdated policies. Recommended data sanitization methods can change or fall out of use, triggered by developments in data storage technology, data destruction and recovery tools, and changes within the standards documents themselves. Staying on top of these waves of change is critical to serving customers properly. After all, to achieve true data protection at a competitive price, your customers should know what tactics are outdated, too costly for the level of sanitization achieved, or simply ineffective for the media being erased.   

Below, we’ll summarize a few key developments in software-based data destruction best practices, borrowing heavily from two in-depth blog articles we recommend for further reading. We’ll start with a traditional standard that has long been replaced, then finish with some exciting developments that will affect future approaches to wiping out data, verifying data removal, and achieving true data sanitization across a range of devices.

Primary source: “Everything You Need to Know About the DoD 5220.22-M Disk Wiping Standard & Its Applications Today”, Blancco

When anyone says their solutions meet the DoD 5220.22-M “standard,” it typically means that their software will write to all addressable hard disk drive (HDD) locations with a character, its complement, and a random character (characters are usually ones and zeros). Results are then verified. The procedure is designed to prevent data from being recovered from magnetic drives by standard data recovery processes.
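The three-pass pattern described above, sketched as an added example (not Blancco's software or code from the article): it overwrites a constructed image file standing in for a drive's addressable space, verifies the final pass by read-back, and returns a per-target record. The function names, block size and record fields are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

BLOCK = 4096  # I/O chunk size; an assumption, not taken from DoD 5220.22-M

def _write_pass(f, size, make_block):
    """Overwrite bytes [0, size) and return the SHA-256 of what was written."""
    digest = hashlib.sha256()
    f.seek(0)
    for offset in range(0, size, BLOCK):
        chunk = make_block(min(BLOCK, size - offset))
        f.write(chunk)
        digest.update(chunk)
    f.flush()
    os.fsync(f.fileno())  # commit this pass before the next one starts
    return digest.hexdigest()

def _read_digest(f, size):
    """Read the target back and hash it. On a real drive, bypass the page cache."""
    digest = hashlib.sha256()
    f.seek(0)
    for offset in range(0, size, BLOCK):
        digest.update(f.read(min(BLOCK, size - offset)))
    return digest.hexdigest()

def three_pass_wipe(path, char=0x00):
    """Character, complement, random; then verify the final pass by read-back."""
    size = os.path.getsize(path)
    passes = [("character", lambda n: bytes([char]) * n),
              ("complement", lambda n: bytes([char ^ 0xFF]) * n),
              ("random", os.urandom)]
    record = {"target": path, "bytes": size, "passes": []}
    with open(path, "r+b") as f:
        for name, make_block in passes:
            written = _write_pass(f, size, make_block)
            record["passes"].append({"pass": name, "sha256": written})
        record["verified"] = _read_digest(f, size) == written
    return record

def demo():
    """Wipe a constructed 10,000-byte image and report whether the marker survived."""
    with tempfile.NamedTemporaryFile(delete=False) as img:
        img.write(b"CONSTRUCTED-SECRET " * 500 + b"x" * 500)
    try:
        record = three_pass_wipe(img.name)
        with open(img.name, "rb") as f:
            return record, b"CONSTRUCTED-SECRET" in f.read()
    finally:
        os.unlink(img.name)
```

A mismatch between the written and read-back digests sets `verified` to False, which is the condition an operator would treat as a failed erasure rather than a completed one.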

In 1995, before smartphones and the widespread use of flash-based storage, the U.S. Department of Defense (DoD) prescribed this method in its National Industrial Security Program Operating Manual. The manual is also known as “NISPOM,” or DoD document 5220.22-M. NISPOM covered many facets of data security, but this agency-specific, three-pass process soon became known as the DoD 5220.22-M “standard.”

Later, the DoD added an upgraded option. The 2001 DoD 5220.22-M ECE option specified additional overwriting and verification methods for a total of seven passes instead of just three, giving federal contractors two primary data removal methods for HDDs. These were both adopted by many non-federal agencies and private sector organizations.

But a lot has changed since 2001. In fact, the NISPOM hasn’t specified an overwriting pattern for erasing hard drives since at least 2006. More recently, in 2021, the NISPOM became effective as a federal rule. This NISPOM rule “establishes requirements for the protection of classified information disclosed to or developed by contractors, licensees, grantees, or certificate holders to prevent unauthorized disclosure.” Yet again, it never specifies a method of data sanitization. Instead, it defers to cognizant security agencies, or CSAs.

There are several reasons the “formerly known as” DoD method has fallen by the wayside, some of which are below. These reasons may influence you or your customers to consider adopting a different data wiping standard as your primary reference for complete data erasure:

  • The three-pass overwriting approach is now less effective, more resource demanding, and less economical than more modern standards.   
  • DoD 5220.22-M processes are difficult to apply to solid-state drives (SSDs), which pose different issues when needing to completely and permanently erase stored data.
  • Multiple overwrite passes are not always necessary (though they still are sometimes recommended). Due to technological advances since the DoD 5220.22-M method was first published, one overwrite pass is often sufficient, reducing the time and energy resources needed for effective data sanitization. The U.S. National Security Agency (NSA Advisory LAA-006-2004) even stated in fall 2004 that just one overwrite using the DoD process is sufficient to achieve data sanitization.

Essentially, this method no longer exists as part of any DoD policy or even the new federal NISPOM rule. However, to meet customer requests and policy requirements, DoD 5220.22-M remains available as a data wiping option throughout the best ITADs and data erasure software products. This is because many organizations don’t realize that it has long been superseded by other data sanitization guidance, namely that from the U.S. National Institute for Standards and Technology (NIST).

Primary sources: “Everything You Need to Know About the DoD 5220.22-M Disk Wiping Standard & Its Applications Today,” and “What is NIST 800-88, and What Does ‘Media Sanitization’ Really Mean?”, Blancco

In the past few years, NIST Special Publication 800-88, Rev. 1 has become the go-to data erasure standard in the United States. Originally issued in 2006 and revised in December 2014, this publication addresses flash-based storage and mobile devices, which weren’t considered under the DoD process.

NIST’s “Media Sanitization Guidelines” publication is one of the most widely used data sanitization standards requested or required by the U.S. federal government today, and its adoption has spread to countless private businesses and organizations. It is even referenced by other countries and jurisdictions outside the United States. NIST 800-88 has also become a global reference document with principles incorporated into notable international standards such as ISO/IEC 27040:2015. Blancco offers an easy-to-read summary of NIST sanitization guidelines on our website.

NIST defines “sanitization” as “a process that renders access to target data on the media infeasible for a given level of effort.” For digital assets, this sanitization can be achieved through data erasure, cryptographic erasure, and physical destruction methods. NIST 800-88 further outlines three primary sanitization options an organization may choose from to sanitize its data based on confidentiality level and other factors (cost, environmental impact, re-usability, for instance). It even provides a “Media Sanitization Decision Matrix” to help organizations weigh their options for data destruction.

The Blancco article, “What is NIST 800-88, and What Does ‘Media Sanitization’ Really Mean?” goes into greater detail, but essentially, the following NIST options can help ensure that data is not unintentionally accessed from end-of-life IT assets:

  • NIST Clear. This method sanitizes data in all user-addressable storage locations using logical techniques. It is usually applied through the standard Read and Write commands to the storage device. NIST Clear is intended to render data inaccessible when using standard keyboard attempts.
  • NIST Purge. More effective than NIST Clear, this method applies physical or logical techniques that prevent data recovery even when recovery efforts use advanced laboratory or forensic techniques.
  • NIST Destroy. This method relies on physical destruction using state-of-the-art techniques to prevent data recovery, but also prevents the media from being reused for data storage.

NIST 800-88 defines how to use data erasure to achieve full data sanitization through purge-level security for both flash-based and magnetic storage. This is important both for enterprise clients who want to redeploy devices and for ITADs wanting to gain more sellable inventory.

As with DoD 5220.22-M, another important part of NIST Clear and Purge sanitization processes is verification. All too often, confidential data moves from a highly protected data storage environment to a much less protected one, simply because operators believe, but have not verified, that data has been sufficiently removed. To achieve Clear or Purge-level data destruction, you must verify that data has been removed and provide documentation that gives an audit trail for each device.

NIST 800-88 was intended to be general enough to be “evergreen,” even attempting to address technologies that had not yet been developed at the time of publication. However, the general approach behind the standard may not give detailed enough guidance for proving conformance, particularly with newer technologies. After all, the last update was more than seven years ago—and, as with data storage technologies themselves, the winds of change are blowing once again.

Primary source: “Media Sanitization Standards Are Changing for Data Storage Devices, Data-Driven Organizations & Tech Vendors,” International Data Sanitization Consortium

While data storage technologies change significantly around every 18 months, globally referenced guidelines, best practices, and standards may take years to revise.
Thankfully, two key international standards bodies—the Institute of Electrical and Electronics Engineers (IEEE) and the International Organization for Standardization (ISO)—are creating separate, but interrelated, standards that are regularly but independently updated.

Taken together, these voluntary standards would not only specify when sanitization should occur, but how to sanitize various devices. The revision schedules between these two standards are set to more closely keep pace with technological changes in data storage media.
Both standards are moving through their various approval stages, and we encourage you to visit the sites linked within the text below for updates.

Standards Change #1: IEEE P2883 – Standard for Sanitizing Storage

IEEE P2883, as drafted, defines sanitization as “the ability to render access to target data on storage media infeasible for a given level of effort.” It updates, adds to, and reinforces much of the content in NIST 800-88 to address modern technologies, moving from merely offering guidance to providing more solid conformance requirements. It also clarifies distinctions between NIST Clear and NIST Purge.

For instance, currently, one primary distinction is that NIST Clear prevents data access via keyboard attack and NIST Purge prevents access via laboratory attack. However, this leaves room for interpretation as those attack types can shift as technologies and attack methods evolve. To make the distinction clearer, P2883 specifies both methods as well as desired outcomes for various levels of sanitization and verification.

With this conformance clarity, particularly if widely adopted, organizations will be able to make more precise decisions around how they treat their end-of-life IT assets.

Standards Change #2: Update to ISO/IEC 27040

While IEEE P2883 explains how to sanitize various media, ISO/IEC DIS 27040 Information technology — Security techniques — Storage security, also currently under development, will describe when to sanitize.

Data storage has undergone tremendous transformation over the past decade. At one time, businesses operated under more isolated network setups that included physical and geographic security. Now, anywhere/anytime operations exist through remote, virtual, and cloud-based architectures. The updated version of this standard therefore looks at the whole network system, including options for logical and cloud storage in addition to on-premise devices and drives.

Likewise, from a sanitization perspective, the ISO/IEC 27040 draft is radically different from the published standard. For one thing, the draft defers to IEEE 2883, outlined above—rather than NIST—when recommending how specific types of media or logical storage can be sanitized, and which sanitization methods to use.

One of the more important aspects of the revision is the inclusion of multiple “shall” statements, giving clear requirements and actions when determining:

  • which points in an asset’s lifecycle (e.g., maintenance, disposal) require sanitization
  • what constitutes compliance, including minimal acceptable conditions for using cryptographic erasure
  • what constitutes a proof, or record, of satisfactory sanitization

The update to ISO/IEC 27040 also broadens instructions on confirming if a particular data sanitization level has been achieved.

While classic surf songs may be entrenched in our culture for decades, data destruction standards do evolve, and it’s important to stay up to date. ITADs and recyclers will always have to respect customer policies and requests when it comes to which data sanitization standard is used on a project. However, being well informed on what sanitization standard is the best fit for today’s technologies will make riding these waves—and protecting customer data—easier. This benefits both enterprise and government customers and builds trust with the ITADs that serve them.

Karen Fedder
Karen Fedder holds the position of Director of ITAD at Blancco. She has 25+ years of professional technology experience, including working with one of the largest hardware distributors in North America and a leading technology escrow company. For the last 10 years, Karen has been with Blancco serving as the ITAD Subject Matter Expert. A regular moderator and thought leadership presenter at ITAD, reverse logistics and technology events, Karen is known as a trusted advisor to the industry. Her articles have been published in RLA magazine and EScrap News, among other industry publications. Karen is an active member of the ISRI Electronics Committee, as well as the Reverse Logistics Association, ASCDI and TERRA. Passionate about promoting the circular economy, Karen focuses on demonstrating how organizations can reduce active touch time and labor costs, while increasing throughput and maximizing device resale value. Look for additional resources at www.blancco.com/ITAD