When it’s time to dispose of old hard drives, IT departments face a critical question: which data destruction standard should we follow? The two most commonly referenced are NIST 800-88 and DoD 5220.22-M. Here’s what Kansas City businesses need to understand.
DoD 5220.22-M: The Legacy Standard
The Department of Defense standard 5220.22-M was published in 1995 as part of the National Industrial Security Program Operating Manual. It specifies a three-pass overwrite pattern: a pass of zeros, a pass of ones, and a pass of random data, with verification after each pass.
For decades, “DoD wipe” became shorthand for “secure erase.” It worked well for the magnetic hard drives of that era. However, the DoD itself no longer recommends this method as the sole standard for media sanitization. The original 5220.22-M has been superseded by NIST 800-88 in most federal and enterprise contexts.
NIST 800-88 Rev. 1: The Current Standard
NIST Special Publication 800-88 Revision 1, published by the National Institute of Standards and Technology, is the current federal standard for media sanitization. It defines three levels of sanitization:
Clear — Overwrites data with a single pass. Protects against simple file recovery tools. Suitable for low-risk reuse scenarios.
Purge — Uses advanced techniques (cryptographic erase, block erase for SSDs, or multi-pass overwrite for HDDs) that make data infeasible to recover even with laboratory equipment.
Destroy — Physical destruction: shredding, disintegration, incineration, or melting. The media is rendered completely unusable and data recovery is impossible.
Why NIST 800-88 Is the Better Choice
NIST 800-88 is superior to DoD 5220.22-M for several reasons:
- It addresses modern media types. DoD 5220.22-M was designed for magnetic HDDs. It doesn’t account for SSDs, flash storage, NVMe drives, or mobile devices — all of which use fundamentally different storage technology. NIST 800-88 provides specific guidance for each media type.
- It’s risk-based. Instead of one-size-fits-all, NIST lets organizations match the sanitization method to the sensitivity of the data — Clear for low-risk, Purge for moderate, Destroy for high-risk.
- It’s the current federal requirement. Most compliance frameworks (HIPAA, FACTA, PCI-DSS, FERPA, SOX) now reference NIST 800-88 rather than DoD 5220.22-M.
- It’s faster. NIST Clear requires only a single overwrite pass for HDDs, compared to three passes for DoD. For organizations processing hundreds or thousands of drives, this saves significant time.
What This Means for Kansas City Businesses
If your organization is retiring IT equipment, here’s the practical takeaway:
- Request “NIST 800-88 compliant” destruction from your recycling or ITAD partner — not just “DoD wipe.”
- For SSDs and flash media, ensure your partner uses methods appropriate for flash storage (cryptographic erase or physical destruction) — not just magnetic overwrite.
- Get Certificates of Destruction that reference the NIST standard and the specific method used (Clear, Purge, or Destroy).
- For high-sensitivity data (healthcare PHI, legal privilege, financial PII), physical destruction is the safest option.
How Computer Recycling LLC Handles Data Destruction
We follow NIST 800-88 Rev. 1 guidelines for all data destruction:
- Software wiping (Clear/Purge level) for drives that will be refurbished
- Physical shredding and drilling (Destroy level) for drives headed for material recovery
- Certificates of Destruction for all business clients — covering Product Destruction, Recycling, and Data Destruction
Contact us for our low-cost data destruction services as part of our electronics recycling and ITAD services. Drop off at 125 E 10th Ave, North Kansas City, MO 64116 or schedule a business pickup.