SPE1.1.0.2
MEDIA SANITIZATION TECHNIQUES

SUMMARY
(NIST SP 800-88)
Information systems capture, process, and store information using a wide variety of media.
This information is not only located on the intended storage media but also on devices used to
create, process, or transmit this information. These media may require special disposition in
order to mitigate the risk of unauthorized disclosure of information and to ensure its
confidentiality. Efficient and effective management of information that is created, processed,
and stored by an information technology (IT) system throughout its life, from inception
through disposition, is a primary concern of an information system owner and the custodian of
the data.
With the use of increasingly sophisticated encryption, an attacker wishing to gain access to an
organization’s sensitive information is forced to look outside the system itself for that
information. One avenue of attack is the recovery of supposedly deleted data from media.
These residual data may allow unauthorized individuals to reconstruct data and thereby gain
access to sensitive information. Sanitization can be used to thwart this attack by ensuring that
deleted data cannot be easily recovered.
When storage media are transferred, become obsolete, or are no longer usable or required by
an information system, it is important to ensure that residual magnetic, optical, electrical, or
other representation of data that has been deleted is not easily recoverable.
Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance that the data may not be easily retrieved and reconstructed.
Note: Wherever possible, excess equipment and media should be made available to schools and non-profit organizations to the extent permitted by law.
PURPOSES AND SCOPE OF DIGITAL DATA SANITIZATION
The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media.
With the advanced features of today’s operating systems, electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information.
Categorization of an information technology (IT) system in accordance with Federal Information Processing Standard (FIPS) 199, Standards for Security Categorization of Federal Information and Information Systems, is the critical first step in understanding and managing system information and media.
The system owner should refer to NIST Special Publication (SP) 800-53, which specifies that:
- The organization sanitizes information system digital media using approved equipment, techniques, and procedures.
- The organization tracks, documents, and verifies media sanitization and destruction actions and periodically tests sanitization equipment/procedures to ensure correct performance.
- The organization sanitizes or destroys information system digital media before its disposal or release for reuse outside the organization, to prevent unauthorized individuals from gaining access to and using the information contained on the media.
DIFFERENT LEVELS OF SECURITY
CLEAR
One method to sanitize media is to use software or hardware products to overwrite storage space on the
media with non-sensitive data. This process may include overwriting not only the logical storage location of a
file(s) (e.g., file allocation table) but also may include all addressable locations. The security goal of the
overwriting process is to replace written data with random data. Overwriting cannot be used for media that are
damaged or not rewriteable. The media type and size may also influence whether overwriting is a suitable
sanitization method [SP 800-36].
PURGE
Degaussing and executing the firmware Secure Erase command (for ATA drives only) are acceptable
methods for purging. Degaussing is exposing the magnetic media to a strong magnetic field in order to disrupt the recorded
magnetic domains. A degausser is a device that generates a magnetic field used to sanitize magnetic media.
Degaussers are rated based on the type (i.e., low energy or high energy) of magnetic media they can purge.
Degaussers operate using either a strong permanent magnet or an electromagnetic coil.
Degaussing can be an effective method for purging damaged or inoperative media, for purging media with exceptionally large storage capacities, or for quickly purging diskettes [SP 800-36].
DESTROY
There are many different types, techniques, and procedures for media destruction. If destruction is decided on because of the high security categorization of the information, then after the destruction, the media should be able to withstand a laboratory attack.
- Disintegration, Pulverization, Melting, and Incineration - These sanitization methods are designed to completely destroy the media. They are typically carried out at an outsourced metal destruction or licensed incineration facility with the specific capabilities to perform these activities effectively, securely, and safely.
- Shredding - Paper shredders can be used to destroy flexible media such as diskettes once the media are physically removed from their outer containers. The shred size of the refuse should be small enough that there is reasonable assurance in proportion to the data confidentiality that the data cannot be reconstructed.
Optical mass storage media, including compact disks (CD, CD-RW, CD-R, CD-ROM), optical disks (DVD), and MO disks, must be destroyed by pulverizing, crosscut shredding or burning. When material is disintegrated or shredded all residues must be reduced to nominal edge dimensions of five millimeters and surface area of twenty-five square millimeters.
The DoD 5220.22-M method for data erasure first appeared in the early days of the data sanitization industry. When it was published by the U.S. Department of Defense (DoD) in the National Industrial Security Program Operating Manual (also known as “NISPOM,” “NISP Operating Manual,” or Department of Defense document #5220.22-M), it specified a process of overwriting hard disk drives (HDDs) with patterns of ones and zeros. The process required three secure overwriting passes and verification at the end of the final pass. This was in 1995, before the debut of smartphones and the widespread use of flash-based storage technologies.
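The overwrite process described under CLEAR and the pass-then-verify sequence described above, as an added Python example (not code from NIST, the DoD, or this page's author). The zeros/ones/random pass list is an assumption, since the page gives no exact patterns; the record field names are hypothetical, and a constructed temp file stands in for the device.

```python
import datetime, hashlib, os, tempfile

CHUNK = 1 << 20  # write/read unit: 1 MiB
# Assumed pass list for a 3-pass overwrite: zeros, ones, random (not taken from the page).
THREE_PASS = (b"\x00", b"\xff", "random")

def overwrite_and_verify(path, passes=(b"\x00",)):
    """Overwrite every addressable byte of `path`, then verify the final pass by read-back."""
    if not passes:
        raise ValueError("at least one overwrite pass is required")
    with open(path, "r+b") as f:
        size = f.seek(0, os.SEEK_END)      # works for regular files and block devices
        for kind in passes:
            f.seek(0)
            written = hashlib.sha256()     # digest of what this pass wrote
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                block = os.urandom(n) if kind == "random" else kind * n
                f.write(block)
                written.update(block)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())           # push the pass out of OS buffers before the next one
        f.seek(0)
        readback = hashlib.sha256()        # digest of what is now on the target
        while chunk := f.read(CHUNK):
            readback.update(chunk)
    # Record for the "tracks, documents, and verifies" requirement (field names are hypothetical).
    return {
        "target": path,
        "bytes": size,
        "passes": ["random" if k == "random" else k.hex() for k in passes],
        "final_pass_sha256": written.hexdigest(),
        "verified": written.digest() == readback.digest(),
        "completed_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
    }

def make_sample_image(size=3 * CHUNK + 123):
    """Constructed stand-in for a device: a temp file filled with a fake secret."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write((b"CONSTRUCTED-SECRET-" * (size // 19 + 1))[:size])
    return path

if __name__ == "__main__":
    img = make_sample_image()
    print(overwrite_and_verify(img, THREE_PASS))
    os.remove(img)
```

The read-back here can be served from the operating system's cache, so verification on real media should read from the device itself. Overwriting also does not reach remapped or over-provisioned areas of a drive, which is one reason media type influences whether overwriting is suitable.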
In 2001, a DoD memo specified additional overwriting and verification methods that became accepted as part of the “standard.” The DoD 5220.22-M ECE method is an extended (7-pass) version of the DoD 5220.22-M. It runs the DoD 5220.22-M twice, with an extra pass (DoD 5220.22-M (C) Standard) sandwiched in between.
However, the latest version of the DoD 5220.22-M “standard” hasn’t specified an overwriting pattern for erasing hard drives since at least 2006, though the 3-pass method is still standard practice when implemented.
In the most recent update, which occurred in 2021, the NISP Operating Manual became effective as a federal rule. Referred to as the “NISPOM rule,” it replaces the NISPOM previously issued as a DOD policy and, again, never specifies a method of data sanitization. Instead, it refers contractors to other government organizations (Cognizant Security Agencies, or CSAs).
Despite the absence of a current data erasure specification, the older 3-pass DoD 5220.22-M sanitization method is still one of the most common sanitization methods used in data destruction software, and in general, is often perceived as an industry standard in the U.S.
Today, DoD 5220.22-M is readily available as a data wiping option, but has been superseded by other data sanitization standards such as those from the National Institute of Standards and Technology: NIST 800-88 Clear and NIST 800-88 Purge.
The DoD method is no longer recommended best practice but can be effective in some instances. It can sometimes also be required by your organization’s policies or other regulations. Increasingly, however, organizations are using NIST 800-88 sanitization methods to prevent unauthorized access of data and sanitize their data storage devices.
If your drives are no longer required, another method to achieve data sanitization is physical destruction through melting, crushing, incineration or shredding.
Physical destruction is not ideal if you want to reuse your drives, as they’ll be completely destroyed, but even this method isn’t necessarily absolute. If any disk pieces remain large enough after destruction (especially on SSDs), they can still contain recoverable information. Data erasure software, however, doesn’t leave information behind, and the disks can be reused after they’re erased, which saves costs.
Whichever method you choose, whether it be physical destruction or data erasure software or both, your organization must first have policies in place to govern hard drive disposal and data sanitization for other IT assets, including servers, laptops and removable media. These policies should include training for employees so that they can take proven steps to keep data out of harm’s way. The U.S. Federal Trade Commission’s Fair and Accurate Credit Transactions Act (FACTA) rule is one of the many regulations that govern the proper storage and disposal of specific consumer information and requires that such information is disposed of properly.
The best way to ensure data removal for the highest security environments is to combine software-based data erasure with physical destruction. That way, there’s absolutely no chance the data can be recovered from any fragments because it has been removed completely.
In the IT asset disposition (ITAD) space, operators and customers often cite a “DoD certification,” but the reality is that no such certification exists. Instead, the U.S. Department of Defense adheres to NIST 800-88 Guidelines for Media Sanitization. However, even this is a guideline, not a certification. And, as previously mentioned, most government and other regulations and certification programs now cite NIST SP 800-88 media erasure guidelines, not DoD 5220.22-M.
Guidelines For Media Sanitization
- ISO 10116: Information Processing — Modes of Operation for an n-bit block cipher algorithm.
- ISO 9798-2: Information technology — Security techniques — Entity authentication mechanisms — Part 2: Entity authentication using symmetric techniques.
Relationship To Government Publishing
- TITLE 50 - WAR AND NATIONAL DEFENSE.
- TITLE 44 - PUBLIC PRINTING AND DOCUMENTS.
- CHAPTER 35 - COORDINATION OF FEDERAL INFORMATION POLICY.
- NSC-63 - PRESIDENTIAL DECISION DIRECTIVE/NSC-63 (PDD-63, 1998; HSPD-8, 2003).
- H.R.145 - 100th Congress (1987-1988).
- NSDD 145 - National Security Decision Directive.
- 10450 - Security requirements for government employees.
- 10501 - Safeguarding official information in the interests of the defense of the United States.
- 10865 - Safeguarding classified information within industry.
- 12829 - National industrial security program.
- 12968 - Access to classified information.
USA Standards
- Encryption - Data Encryption Standard (DES) - FIPS 46-3.
- Encryption - DES Modes of Operation - FIPS 81.
- Encryption - Advanced Encryption Standard (AES) - FIPS 197 (with key sizes of 128 and 256 bits).
- Hashing - Advanced Encryption Standard (AES) - FIPS 197 (with key sizes of 128 and 256 bits).
- Guidelines on Electronic - Advanced Encryption Standard (AES) - FIPS 197 (with key sizes of 128 and 256 bits).
Rules For The Protection Of Personal Data
- Privacy Act of 1974 - Privacy Act of 1974.
- Privacy Act of 1980 - Privacy Protection Act of 1980.
- Directive 95/46/EC - Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995.
- DProtection - Data Protection of personal data in the European Union.
- Safeguarding privacy in a connected world - A European Data Protection Framework for the 21st century.
- General Data Protection Regulation - (EU) 2016/679 ("GDPR").
Relationship To Other NIST Documents
- NIST SP 800-60, (Guide for Mapping Types of Information and Information Systems to Security Categories) provides guidance for establishing the security categorization for a system’s confidentiality. This categorization will impact the level of assurance an organization should require in making sanitization decisions.
- FIPS 200, (Minimum Security Requirements for Federal Information and Information Systems) sets a base of security requirements that requires organizations to have a media sanitization program.
- NIST SP 800-53, (Recommended Security Controls for Federal Information Systems) provides minimum recommended security controls, including sanitization, for Federal systems based on their overall system security categorization.
- NIST SP 800-53A, (Guide for Assessing the Security Controls in Federal Information Systems) provides guidance for assessing security controls, including sanitization, for federal systems based on their overall system security categorization.