NIST 800-88 vs DoD 5220.22-M
Two of the most frequently cited data sanitization standards are NIST Special Publication 800-88 and DoD 5220.22-M. While both address the same core problem — ensuring data is irrecoverable — they differ significantly in scope, flexibility, and current relevance.
Overview of Each Standard
NIST SP 800-88 Rev. 1
Published by the National Institute of Standards and Technology, most recently revised in December 2014. It provides comprehensive guidelines for media sanitization across all media types and organizational contexts.
- Defines three categories: Clear, Purge, Destroy
- Media-type specific guidance
- Risk-based decision framework
- Widely adopted across government and private sector
DoD 5220.22-M
Originally from the National Industrial Security Program Operating Manual (NISPOM), published by the Department of Defense. The sanitization table was removed in the 2006 revision, but the legacy 3-pass and 7-pass overwrite methods remain widely referenced.
- Legacy: 3-pass or 7-pass overwrite patterns
- Originally designed for magnetic media
- DoD now defers to NIST 800-88
- Still referenced in older contracts and policies
Key Differences
| Aspect | NIST 800-88 | DoD 5220.22-M |
|---|---|---|
| Current status | Active — current standard for federal agencies | Legacy — sanitization table removed in 2006 revision |
| Approach | Risk-based, media-aware framework with three sanitization levels | Prescriptive multi-pass overwrite pattern |
| Media coverage | All types — HDDs, SSDs, flash, optical, tape, mobile devices, networking equipment | Primarily magnetic media (HDDs, tapes) |
| SSD support | Yes — addresses wear leveling, over-provisioning, and recommends cryptographic erase or Destroy | No — multi-pass overwrite is ineffective on SSDs due to wear leveling |
| Flexibility | High — organizations choose the level based on data sensitivity and media destination | Low — single prescribed overwrite pattern |
| Verification guidance | Detailed verification procedures for each sanitization level | Limited verification guidance |
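The verification row above is the part most often skipped in practice: after a Clear, NIST 800-88 expects the media to be read back, either in full or as a representative sample, and compared against the overwrite pattern. The script below is an added illustration of that read-back check; it is not code from CertDestroy or from either standard. The 512-byte sector size, the all-zero pattern and the image it builds (including two sectors of fake residue and an un-overwritten partial tail sector) are constructed for the demonstration.

```python
"""Read-back verification after a Clear: confirm that every sampled sector
of a block-device image matches the overwrite pattern.

Added example; constructed data. Note that on SSDs a clean read-back only
proves the logical blocks the host can see were overwritten, not the
remapped or over-provisioned flash the page warns about."""
import os
import random
import tempfile

SECTOR_SIZE = 512  # assumed logical sector size


def expected_block(pattern: bytes, length: int) -> bytes:
    """Repeat the overwrite pattern to fill exactly `length` bytes."""
    reps = length // len(pattern) + 1
    return (pattern * reps)[:length]


def verify_overwrite(path, pattern=b"\x00", sample_fraction=1.0, seed=0):
    """Return (sectors_checked, failing_sector_indices).

    sample_fraction=1.0 checks every sector (full verification); a smaller
    value checks a pseudo-random representative sample. The first and last
    sectors are always included, because a partial final sector is a common
    place for an overwrite tool to stop short.
    """
    if not pattern:
        raise ValueError("pattern must be non-empty")
    size = os.path.getsize(path)
    n_sectors = (size + SECTOR_SIZE - 1) // SECTOR_SIZE  # count a partial tail
    if n_sectors == 0:
        return 0, []
    if sample_fraction >= 1.0:
        indices = range(n_sectors)
    else:
        k = max(1, int(n_sectors * sample_fraction))
        chosen = set(random.Random(seed).sample(range(n_sectors), k))
        chosen.update({0, n_sectors - 1})
        indices = sorted(chosen)
    failures = []
    with open(path, "rb") as f:
        for i in indices:
            f.seek(i * SECTOR_SIZE)
            data = f.read(SECTOR_SIZE)  # shorter than SECTOR_SIZE only for the tail
            if data != expected_block(pattern, len(data)):
                failures.append(i)
    return len(indices), failures


def make_constructed_image(path, n_sectors=64, dirty=(), tail_bytes=0):
    """Write a constructed 'cleared' image: zeros everywhere except the sectors
    listed in `dirty`, which keep fake residual data, plus an optional partial
    trailing sector that the (simulated) overwrite never reached."""
    with open(path, "wb") as f:
        for i in range(n_sectors):
            if i in dirty:
                f.write(b"CONSTRUCTED-RESIDUE".ljust(SECTOR_SIZE, b"\x00"))
            else:
                f.write(b"\x00" * SECTOR_SIZE)
        if tail_bytes:
            f.write(b"\xff" * tail_bytes)


def demo():
    """Build the constructed image, run full and sampled verification."""
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "cleared.img")
        make_constructed_image(img, n_sectors=64, dirty={7, 40}, tail_bytes=100)
        full = verify_overwrite(img)                                 # all 65 sectors
        sampled = verify_overwrite(img, sample_fraction=0.25, seed=1)
    return full, sampled


if __name__ == "__main__":
    full, sampled = demo()
    print("full verification:", full)       # (65, [7, 40, 64])
    print("sampled verification:", sampled)  # always catches the tail sector 64
```

Full verification finds all three bad sectors; the 25 % sample is guaranteed only to catch the partial tail (sector 64) and may or may not land on sectors 7 and 40, which is exactly the trade-off the standard's sampling option makes. For real devices the same logic applies to a raw device path opened read-only, with the pattern set to whatever the overwrite tool wrote.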
Why DoD 5220.22-M Is Considered Outdated
Despite its continued name recognition, DoD 5220.22-M has several significant limitations in modern environments:
- The DoD itself no longer uses it. The Department of Defense updated NISPOM in 2006 and removed the sanitization matrix. DoD components now follow NIST 800-88.
- Multi-pass overwrite is unnecessary for modern HDDs. Research has shown that a single overwrite pass on modern high-density drives is sufficient to render data unrecoverable. NIST 800-88 reflects this finding.
- It does not address SSDs or flash storage. The multi-pass overwrite technique is ineffective on solid-state drives due to wear leveling, garbage collection, and over-provisioned storage areas that overwrites cannot reach.
- No risk-based framework. It prescribes one approach regardless of data sensitivity or media destination, which can lead to over-treatment (wasting time) or under-treatment (insufficient for high-security data).
Which Standard Should You Use?
For most organizations, NIST 800-88 is the correct choice. It is the current federal standard, is accepted by all major regulatory frameworks (HIPAA, PCI-DSS, GDPR), and provides appropriate guidance for all modern storage media.
The main scenario where DoD 5220.22-M may still be relevant is when an older contract or policy explicitly requires it by name. Even then, confirming with the contracting party whether NIST 800-88 is acceptable is recommended.
CertDestroy supports both standards. When generating your certificate, select the standard that matches your compliance requirement.
Generate Your Data Destruction Certificate
Create a professional, compliance-ready certificate of data destruction in minutes. Upload your asset inventory, fill in the details, and receive a polished PDF.
Create a Certificate — $29