DoD 5220.22-M vs NIST 800-88: Which Erasure Standard to Follow (2026)

Two data erasure standards dominate the conversation around wiping drives: DoD 5220.22-M and NIST 800-88. If you are choosing between them — for a corporate policy, a compliance requirement, or just deciding how to erase a personal hard drive — the answer is straightforward. One is obsolete and abandoned by its own creators. The other is the current standard used by the federal government and referenced by virtually every major compliance framework. Here is the full comparison so you can make the switch with confidence.

Key Takeaways:

  • NIST 800-88 Rev. 2 is the current standard — use it for all data erasure decisions in 2026
  • DoD 5220.22-M is obsolete and no longer referenced by the Department of Defense itself
  • A single NIST-compliant overwrite pass provides identical security to a DoD 3-pass or 7-pass wipe on modern drives
  • DoD 5220.22-M has no guidance for SSDs, NVMe, or any modern storage technology — NIST 800-88 covers them all
  • Updating your policies from DoD to NIST is a straightforward process that saves time and improves compliance posture

A Brief History of Each Standard

Understanding why NIST replaced DoD starts with understanding where each standard came from and what problem it was designed to solve.

DoD 5220.22-M (1995–2021)

DoD 5220.22-M was the document identifier for the National Industrial Security Program Operating Manual (NISPOM), published by the Department of Defense in 1995. The full document governed how defense contractors handled classified information — physical security, personnel clearances, information systems, and media sanitization were all covered within its pages.

The data erasure component was a clearing and sanitization matrix buried inside a broader security manual. It specified multi-pass overwrite patterns for magnetic storage media: write a character, write its complement, write random data, verify after each step. The industry extracted this procedure and turned "DoD 5220.22-M" into a standalone brand name for data wiping — even though the original document was never designed to be a data erasure standard in isolation.

For a deeper look at the original standard, see our full DoD 5220.22-M explainer.

NIST 800-88 (2006–Present)

NIST Special Publication 800-88, "Guidelines for Media Sanitization," was first published in 2006 by the National Institute of Standards and Technology. Unlike the DoD standard, NIST 800-88 was purpose-built as a data sanitization framework from the start. Revised to Rev. 1 in 2014 and updated to Rev. 2 in September 2025, it reflects decades of research into data recovery, storage technology evolution, and practical sanitization needs.

NIST 800-88 introduced a risk-based approach with three sanitization levels — Clear, Purge, and Destroy — each calibrated to the sensitivity of the data and the sophistication of potential recovery attempts. It also provided specific guidance for different media types, something the DoD standard never attempted.

For a complete breakdown, read our NIST 800-88 guide.

Head-to-Head Comparison

Here is how the two standards stack up across every dimension that matters for choosing a data erasure approach.

Approach to Erasure

DoD 5220.22-M prescribes a fixed recipe. Every drive gets the same treatment: 3 overwrite passes (or 7, depending on the variant), in a specific pattern, with verification after each pass. There is no adjustment for data sensitivity, media type, or what happens to the drive afterward. A laptop being reassigned to a colleague and a server destined for third-party recycling both get the same procedure.

NIST 800-88 takes a risk-based approach. It asks you to evaluate the data sensitivity, the media type, and the drive's future disposition before selecting a sanitization level:

  • Clear — Protects against recovery using standard software tools. A single overwrite pass with verification on an HDD. Appropriate for drives staying within your organization.
  • Purge — Protects against laboratory-level recovery attempts. Requires firmware-level commands for SSDs. Appropriate for drives leaving your control.
  • Destroy — Physical destruction. Appropriate for the most sensitive data or end-of-life media.

This flexibility means you do not waste hours on overkill procedures when they are not needed, and you do not under-sanitize when the risk warrants a higher level of treatment.

Overwrite Passes Required

DoD 5220.22-M: 3 passes (standard variant) or 7 passes (ECE variant). Each pass writes a specific pattern — character, complement, random — with verification.

NIST 800-88: 1 pass for Clear-level sanitization on HDDs. A single write of a fixed value (such as all zeros) followed by verification.

The practical impact is significant. On a 1 TB hard drive, a single-pass NIST Clear overwrite takes roughly 2–4 hours. A DoD 3-pass overwrite takes 6–12 hours. A 7-pass overwrite takes 14–28 hours. For organizations wiping drives at scale — dozens or hundreds at a time — the time savings from switching to NIST are measured in days of equipment and staff time per batch.

Is there a security trade-off for those saved hours? No. Research consistently shows that a single overwrite pass renders data on modern HDDs unrecoverable using any known technique. The additional passes in DoD 5220.22-M do not add protection — they were designed for 1990s drive technology with much lower areal densities. For the full research behind this, see our article on how many overwrite passes are actually needed.

Coverage of Modern Storage Technologies

DoD 5220.22-M: Covers magnetic hard drives only. The standard was written when HDDs were the dominant storage medium and SSDs did not exist in consumer or enterprise markets. It provides zero guidance for solid-state drives, NVMe drives, flash storage, or self-encrypting drives. Applying its overwrite method to an SSD does not reliably erase all data because of wear leveling and over-provisioning — the controller redirects writes away from some flash cells, leaving original data intact in areas software cannot reach.

NIST 800-88 Rev. 2: Provides specific sanitization guidance for HDDs, SSDs (SATA and NVMe), USB flash drives, SD cards, magnetic tape, optical media, and self-encrypting drives. For SSDs, it specifies firmware-level Purge commands — ATA Secure Erase, NVMe Sanitize (Block Erase or Crypto Erase), or cryptographic erase — rather than overwriting. It aligns with the IEEE 2883 standard, which provides additional implementation detail for storage device sanitization.

This difference alone makes the choice clear. If your environment includes any SSDs — and in 2026, it almost certainly does — DoD 5220.22-M has nothing useful to offer you.
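To make the wear-leveling point concrete, here is a toy flash translation layer, added as an example for this article and not taken from the article, NIST, or any vendor. The "drive" is a constructed in-memory model with more physical cells than host-visible logical blocks (over-provisioning) and a controller that never writes a cell in place but remaps the block to a fresh cell. A host-side overwrite of every logical block, which is all a DoD-style or software Clear pass can do, still leaves stale copies in cells the host cannot address; the modeled firmware block erase clears every cell regardless of mapping.

```python
"""Toy FTL: why a host overwrite does not sanitize an SSD but a firmware block erase does.

Added example for the article above; constructed model, not a real controller
algorithm. Real controllers add garbage collection, multi-plane layouts and
error coding, but the visibility gap shown here is the same.
"""
from __future__ import annotations

from collections import deque


class ToySsd:
    def __init__(self, logical_blocks: int, physical_cells: int, block_size: int = 16):
        assert physical_cells > logical_blocks, "over-provisioning needs spare cells"
        self.block_size = block_size
        self.cells: list[bytes | None] = [None] * physical_cells  # None = erased
        self.l2p: list[int | None] = [None] * logical_blocks      # logical -> physical
        self.free = deque(range(physical_cells))                  # round-robin free pool

    def write(self, lba: int, data: bytes) -> None:
        """Host write: map the LBA to a fresh cell. The old cell is only returned to
        the free pool; its contents remain until the cell is reused."""
        data = data.ljust(self.block_size, b"\x00")[: self.block_size]
        if not self.free:
            raise RuntimeError("no free cells; a real controller would garbage-collect")
        new_cell = self.free.popleft()
        self.cells[new_cell] = data
        old_cell = self.l2p[lba]
        self.l2p[lba] = new_cell
        if old_cell is not None:
            self.free.append(old_cell)

    def read(self, lba: int) -> bytes:
        """Host read: sees only the currently mapped cell."""
        cell = self.l2p[lba]
        return b"\x00" * self.block_size if cell is None else self.cells[cell]

    def host_overwrite_all(self, pattern: bytes = b"\x00") -> None:
        """Everything a software overwrite can do: write each host-visible LBA once."""
        for lba in range(len(self.l2p)):
            self.write(lba, pattern * self.block_size)

    def firmware_block_erase(self) -> None:
        """Model of a firmware-level Purge (e.g. NVMe Sanitize Block Erase):
        every physical cell is erased, mapped or not."""
        self.cells = [None] * len(self.cells)
        self.l2p = [None] * len(self.l2p)
        self.free = deque(range(len(self.cells)))

    def residual_cells_containing(self, needle: bytes) -> list[int]:
        """Lab view with direct flash access: cells still holding the needle."""
        return [i for i, c in enumerate(self.cells) if c is not None and needle in c]


def demo_overwrite_vs_block_erase() -> tuple[int, int, int]:
    """Returns (cells still holding the secret after a host overwrite,
    LBAs whose host read still shows it, cells holding it after block erase)."""
    ssd = ToySsd(logical_blocks=4, physical_cells=6)
    secret = b"SECRET"  # constructed sample data
    for lba in range(4):
        ssd.write(lba, secret + bytes([lba]))
    ssd.host_overwrite_all(b"\x00")
    leaked = len(ssd.residual_cells_containing(secret))
    host_visible = sum(1 for lba in range(4) if secret in ssd.read(lba))
    ssd.firmware_block_erase()
    after_purge = len(ssd.residual_cells_containing(secret))
    return leaked, host_visible, after_purge


if __name__ == "__main__":
    print(demo_overwrite_vs_block_erase())
```

With four logical blocks and six cells, the overwrite pass relocates every block, and the two spare cells keep copies of the original data even though every host read now returns zeros. A verification step that only reads logical blocks would report the wipe as successful, which is exactly why NIST moves SSDs to firmware-level Purge commands.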

Bottom Line: NIST 800-88 is superior to DoD 5220.22-M in every measurable way: it is current, risk-based, covers all modern media types, requires less time, and is endorsed by the DoD itself. There is no scenario in 2026 where choosing DoD 5220.22-M over NIST 800-88 makes technical sense.

Verification Requirements

DoD 5220.22-M: Requires verification after each overwrite pass — confirming the pattern was written successfully across the entire drive surface.

NIST 800-88: Requires verification as an integral part of the sanitization process. For Clear, this means sampling sectors to confirm the overwrite was successful. For Purge, verification confirms the firmware-level command completed. Rev. 2 strengthened verification requirements and provides clearer guidance on what constitutes adequate verification at each level.

Both standards treat verification as mandatory, which is the correct approach. An unverified wipe is an incomplete wipe.

Regulatory Acceptance

DoD 5220.22-M: No longer referenced by the DoD since the transition to 32 CFR Part 117 in February 2021. Not specifically named in HIPAA, GDPR, PCI DSS, SOX, or CMMC. An auditor presented with DoD 5220.22-M as your erasure method will likely accept it for HDDs — the data will be erased — but may flag that your policy is outdated.

NIST 800-88: Referenced or accepted by virtually every major compliance framework. HIPAA, CMMC, FedRAMP, and most federal agency policies either mandate or strongly recommend following NIST 800-88. GDPR and PCI DSS require appropriate data destruction without naming a specific standard, and NIST 800-88 is the most broadly accepted way to demonstrate compliance. Using NIST 800-88 is the path of least resistance with auditors and compliance officers.

Certification and Documentation

DoD 5220.22-M: The original standard did not specify a format for erasure certificates or compliance documentation. Any reporting was handled through the broader NISPOM security framework.

NIST 800-88: Emphasizes documentation as a key component of the sanitization process. Professional tools that follow NIST 800-88 generate detailed certificates of erasure capturing the method used, verification results, drive serial numbers, timestamps, and the sanitization level achieved. These certificates are exactly what auditors and compliance officers want to see.
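The verification and certificate requirements above, as an added example that is not code from the article or from any erasure product. It performs a NIST-style Clear (one fixed-value pass) against an ordinary file standing in for a block device, so it is safe to run; it offers both a full read-back and a sampled check, and it emits a certificate record carrying the fields the article lists (method, level, verification result, serial, timestamps). The device path and serial number are constructed placeholders; a production tool would open the raw device and, for an SSD Purge, record the firmware command used instead.

```python
"""NIST-style Clear: single fixed-value pass, verification, certificate record.

Added example for the article above. Runs on a temp file, not a real device.
"""
from __future__ import annotations

import hashlib, json, os, random, tempfile
from datetime import datetime, timezone

SECTOR = 512


def overwrite_single_pass(path: str, pattern: bytes = b"\x00", chunk_sectors: int = 1024) -> int:
    """One pass of a fixed value across the whole target, flushed to stable storage.
    Returns bytes written."""
    size = os.path.getsize(path)
    chunk = pattern * (SECTOR * chunk_sectors // len(pattern))
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(len(chunk), size - written)
            f.write(chunk[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_full(path: str, pattern: bytes = b"\x00") -> bool:
    """Exhaustive verification: every sector must hold the pattern."""
    expected = pattern * (SECTOR // len(pattern))
    with open(path, "rb") as f:
        while True:
            sector = f.read(SECTOR)
            if not sector:
                return True
            if sector != expected[: len(sector)]:
                return False


def verify_sampled(path: str, pattern: bytes = b"\x00", samples: int = 64,
                   seed: int | None = None) -> tuple[bool, int]:
    """Sampled verification: first, last and `samples` random sectors.
    One mismatch fails the wipe. Returns (clean, sectors_checked)."""
    expected = pattern * (SECTOR // len(pattern))
    total = os.path.getsize(path) // SECTOR
    if total == 0:
        raise ValueError("target smaller than one sector")
    rng = random.Random(seed)
    indices = {0, total - 1} | {rng.randrange(total) for _ in range(samples)}
    with open(path, "rb") as f:
        for idx in sorted(indices):
            f.seek(idx * SECTOR)
            if f.read(SECTOR) != expected:
                return False, len(indices)
    return True, len(indices)


def clear_with_certificate(path: str, serial: str, sampled: bool = False) -> dict:
    """Clear = one fixed-value pass + verification, documented in a certificate."""
    started = datetime.now(timezone.utc).isoformat()
    nbytes = overwrite_single_pass(path)
    if sampled:
        ok, checked = verify_sampled(path, seed=1)
        how = f"sampled read-back ({checked} sectors)"
    else:
        ok, how = verify_full(path), "full read-back"
    cert = {
        "standard": "NIST SP 800-88 Rev. 2",
        "level": "Clear",
        "method": "single-pass overwrite, fixed value 0x00",
        "device": path,
        "serial": serial,  # constructed placeholder in the demo
        "bytes_written": nbytes,
        "verification": how,
        "verified": ok,
        "started_utc": started,
        "finished_utc": datetime.now(timezone.utc).isoformat(),
    }
    # Digest over the record so a later edit to the certificate is detectable.
    cert["record_sha256"] = hashlib.sha256(json.dumps(cert, sort_keys=True).encode()).hexdigest()
    return cert


def _random_image(size: int = 1024 * 1024) -> str:
    """Constructed 'drive': a temp file of deterministic random bytes."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(random.Random(42).randbytes(size))
    return path


def demo(sampled: bool = False) -> dict:
    path = _random_image()
    try:
        return clear_with_certificate(path, serial="EXAMPLE-SN-0001", sampled=sampled)
    finally:
        os.unlink(path)


def demo_detects_unwiped() -> bool:
    """Both verifiers must fail on an image that was never overwritten."""
    path = _random_image()
    try:
        return verify_full(path) is False and verify_sampled(path, seed=1)[0] is False
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The sampled verifier always includes the first and last sector alongside the random picks, since partially completed wipes most often fail at the end of the target. Whichever verifier is used, the certificate records which one it was, so an auditor can see whether the evidence is exhaustive or statistical.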

Why DoD 5220.22-M Refuses to Die

If the DoD itself abandoned this standard years ago, why does it still dominate search results, product feature lists, and corporate policies? Three forces keep it alive.

Marketing Momentum

"Department of Defense" is one of the most recognizable brands in security. When erasure software lists "DoD 5220.22-M" as a supported method, it implies a level of rigor that resonates with buyers. "NIST 800-88 Clear" does not carry the same visceral weight, even though it is the technically superior approach. Software vendors keep listing DoD support because it sells — and because removing it would make their feature comparison charts look thinner against competitors who still list it.

Policy Inertia

Updating organizational policies is slow work. A data destruction policy written in 2015 that references DoD 5220.22-M requires review, revision, approval, and redistribution. In large organizations — especially government agencies and defense contractors — this process can take months or years. Meanwhile, IT teams continue following the documented policy because that is what they are required to do, even if everyone involved knows it is outdated.

The Myth of "More Passes = More Secure"

The intuition that three overwrites must be more thorough than one is hard to shake, even when the evidence says otherwise. People apply the logic of physical cleaning — scrubbing something three times leaves it cleaner than scrubbing once — to data erasure, where it does not apply. On a modern hard drive, one overwrite pass leaves zero recoverable data. Three passes leave zero recoverable data. The number does not change the outcome. For a thorough debunking, see our article on the myth of the 7-pass wipe.

How to Update Your Policies from DoD to NIST

If your organization's data destruction procedures still reference DoD 5220.22-M, here is a practical roadmap for making the transition.

Step 1: Audit Your Current Policy

Identify every document, procedure, contract, and SLA that references DoD 5220.22-M. This includes IT policies, vendor agreements, data processing addendums, and client contracts. You need a complete inventory before you start making changes.

Step 2: Map DoD Procedures to NIST Levels

Your existing DoD procedures map directly to NIST sanitization levels:

  • DoD 3-pass or 7-pass overwrite for internal reuse maps to NIST Clear (single pass with verification). This covers HDDs being reassigned within your organization.
  • DoD overwrite for external disposal maps to NIST Purge (firmware-level commands for SSDs, overwrite or Secure Erase for HDDs). This covers drives being sold, donated, recycled, or returned to a lessor.
  • Physical destruction maps to NIST Destroy. No change needed here — shredding is shredding.
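The Clear/Purge/Destroy descriptions earlier and the Step 2 mapping above, encoded as an added example that is not code from the article, NIST, or any vendor. It turns a constructed inventory of legacy policy rows (the output of Step 1) into NIST replacements, choosing the technique by media type as the article describes, and flags rows where a DoD overwrite had been applied to flash media. Treating SSD internal reuse as Clear-by-overwrite with a caution note is this example's policy choice; the Purge technique names are the ones the article lists.

```python
"""Map legacy DoD 5220.22-M policy rows to NIST SP 800-88 levels and techniques.

Added example for the article above; the inventory below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class Media(Enum):
    HDD = "hdd"
    SATA_SSD = "sata_ssd"
    NVME_SSD = "nvme_ssd"
    SED = "self_encrypting"


class Disposition(Enum):
    INTERNAL_REUSE = "internal reuse"
    EXTERNAL = "leaves organization"      # sold, donated, recycled, returned to lessor
    END_OF_LIFE = "end of life / most sensitive"


@dataclass(frozen=True)
class Decision:
    level: str
    technique: str
    notes: tuple[str, ...] = ()


def nist_level(media: Media, disposition: Disposition) -> Decision:
    """Risk-based selection: disposition picks the level, media picks the technique."""
    if disposition is Disposition.END_OF_LIFE:
        return Decision("Destroy", "physical destruction")
    if disposition is Disposition.INTERNAL_REUSE:
        if media is Media.HDD:
            return Decision("Clear", "single-pass fixed-value overwrite + verification")
        return Decision("Clear", "single-pass overwrite + verification",
                        ("overwrite does not reach remapped flash cells; "
                         "use Purge if the data is sensitive",))
    # Disposition.EXTERNAL -> Purge, firmware commands for flash
    if media is Media.HDD:
        return Decision("Purge", "overwrite or ATA Secure Erase")
    if media is Media.SATA_SSD:
        return Decision("Purge", "ATA Secure Erase (firmware)")
    if media is Media.NVME_SSD:
        return Decision("Purge", "NVMe Sanitize: Block Erase or Crypto Erase (firmware)")
    return Decision("Purge", "cryptographic erase",
                    ("verify the firmware command reports completion",))


LEGACY_DOD_METHODS = {"DoD 5220.22-M 3-pass", "DoD 5220.22-M ECE 7-pass"}


def migrate_entry(entry: dict) -> dict:
    """Translate one legacy row; flag DoD overwrites that were applied to flash."""
    media = Media(entry["media"])
    d = nist_level(media, Disposition(entry["disposition"]))
    flags = list(d.notes)
    if entry["method"] in LEGACY_DOD_METHODS and media is not Media.HDD:
        flags.append("legacy DoD overwrite on non-HDD media does not reliably erase all "
                     "data (wear leveling, over-provisioning); re-evaluate those assets")
    return {
        "asset_class": entry["asset_class"],
        "old_method": entry["method"],
        "new_standard": "NIST SP 800-88 Rev. 2",
        "new_level": d.level,
        "new_technique": d.technique,
        "flags": flags,
    }


# Constructed Step 1 inventory for the demo.
LEGACY_POLICY = [
    {"asset_class": "staff laptops (HDD)", "media": "hdd",
     "disposition": "internal reuse", "method": "DoD 5220.22-M 3-pass"},
    {"asset_class": "staff laptops (NVMe)", "media": "nvme_ssd",
     "disposition": "internal reuse", "method": "DoD 5220.22-M 3-pass"},
    {"asset_class": "leased servers", "media": "sata_ssd",
     "disposition": "leaves organization", "method": "DoD 5220.22-M ECE 7-pass"},
    {"asset_class": "backup drives", "media": "hdd",
     "disposition": "leaves organization", "method": "DoD 5220.22-M 3-pass"},
    {"asset_class": "classified media", "media": "hdd",
     "disposition": "end of life / most sensitive", "method": "shredding"},
]


def migrate_policy(rows=LEGACY_POLICY) -> list[dict]:
    return [migrate_entry(r) for r in rows]


if __name__ == "__main__":
    for row in migrate_policy():
        print(f"{row['asset_class']}: {row['old_method']} -> {row['new_level']} "
              f"({row['new_technique']}) {row['flags']}")
```

Running it over the constructed inventory produces the three-way mapping from the list above, and the flagged NVMe row is the kind of finding the audit in Step 1 should surface: a legacy procedure that looked compliant on paper but never reached all of the flash.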

Step 3: Update Internal Documentation

Replace every reference to DoD 5220.22-M with NIST SP 800-88 Rev. 2. Include the specific sanitization levels (Clear, Purge, Destroy) and the criteria for when each applies. Document the rationale for the change — cite the DoD's own transition to NIST via 32 CFR Part 117 and the DCSA directive.

Step 4: Update Tooling

Ensure your erasure software supports NIST 800-88 sanitization levels and generates compliant certificates. Professional tools like BitRaser support both NIST Clear and Purge methods, issue firmware-level commands for SSDs, and produce detailed certificates of erasure with drive serial numbers, timestamps, and verification results — exactly what you need for audit documentation.

Step 5: Communicate the Change

Brief your IT staff, compliance team, and any relevant stakeholders. The key message is simple: the DoD itself moved to NIST 800-88, and your organization is following suit. This is not a downgrade in security — it is an upgrade to a current standard that saves time and covers modern storage technologies.

Step 6: Address External Contracts

For contracts that specify DoD 5220.22-M, contact the contracting officer or client to discuss updating the requirement. Present NIST 800-88 as the standard the federal government now follows. Most parties will agree to the update once they understand the DoD's own position. Get any changes documented in writing.

When You Might Still Encounter DoD 5220.22-M

Despite being obsolete, DoD 5220.22-M will not disappear overnight. Here are the situations where you might still run into it.

Legacy contracts: Agreements written before 2021 that explicitly name DoD 5220.22-M and have not been amended. You must comply with the contract as written until it is modified, even if the standard is outdated.

Older audit checklists: Some audit firms and internal audit templates still include DoD 5220.22-M as a checkbox. These are typically updated on a rolling basis, but the transition is not complete everywhere.

Software feature lists: Virtually every data erasure product still lists DoD 5220.22-M support. This is a marketing decision, not a technical endorsement. If you select a DoD method in your erasure tool, it will work on an HDD — it just takes longer than a single-pass NIST method.

International organizations: Some non-U.S. organizations and standards bodies still reference DoD 5220.22-M by name, particularly those that adopted it before NIST 800-88 gained international recognition. As awareness of NIST 800-88 Rev. 2 grows, these references are being updated.

In all of these cases, the appropriate response is the same: comply with whatever is currently required, then work to update the requirement to NIST 800-88.

Frequently Asked Questions

Which is better, DoD 5220.22-M or NIST 800-88?

NIST 800-88 is the superior standard by every measure. It is current, covers modern storage technologies like SSDs and NVMe drives, uses a risk-based approach with three sanitization levels, and is endorsed by the DoD itself. DoD 5220.22-M is obsolete — the Department of Defense no longer references it for data sanitization.

Does the DoD still use DoD 5220.22-M for wiping drives?

No. The DoD replaced the original NISPOM (DoD 5220.22-M) with 32 CFR Part 117 in February 2021. The Defense Counterintelligence and Security Agency now directs organizations to follow NIST SP 800-88 for media sanitization. The DoD has formally abandoned its own former standard.

Is DoD 5220.22-M more secure than NIST 800-88?

No. The DoD 3-pass or 7-pass overwrite does not provide any additional security over a single-pass NIST 800-88 Clear overwrite on modern hard drives. Peer-reviewed research confirms that data cannot be recovered after a single overwrite pass. The extra passes in DoD 5220.22-M simply waste time without improving the outcome.

Can I use NIST 800-88 to satisfy a contract that specifies DoD 5220.22-M?

In many cases, yes. Since the DoD itself now follows NIST 800-88, contracting officers will typically accept it as a superior replacement. However, you should get written approval before deviating from a contractual requirement. Present NIST 800-88 as the standard the DoD currently endorses and request a contract modification.

Why do software vendors still advertise DoD 5220.22-M support?

Market demand and brand recognition. The "Department of Defense" label sounds authoritative, thousands of legacy policies still reference the standard, and vendors do not want to appear to have fewer features than competitors. The method still works on HDDs — it just takes longer than necessary. Removing the option could cost sales.

Does either standard work for SSDs?

NIST 800-88 provides specific guidance for SSDs, recommending firmware-level commands like ATA Secure Erase, NVMe Sanitize, or cryptographic erase at the Purge level. DoD 5220.22-M has no SSD guidance — it was designed exclusively for magnetic hard drives. Applying DoD overwrite methods to an SSD does not reliably erase all data due to wear leveling and over-provisioning.

How do I update my data destruction policy from DoD to NIST?

Replace every reference to DoD 5220.22-M with NIST SP 800-88 Rev. 2. Map your current procedures to NIST sanitization levels: if you were doing a 3-pass overwrite for reuse within your organization, NIST Clear (single pass with verification) is the equivalent. For drives leaving your control, use NIST Purge. Document the change, cite the DoD transition to NIST, and get stakeholder sign-off.

Will auditors accept NIST 800-88 instead of DoD 5220.22-M?

Yes. Auditors across HIPAA, PCI DSS, CMMC, and other frameworks accept NIST 800-88 — most already prefer or require it. Since NIST 800-88 is the current standard endorsed by the federal government, an auditor would have no grounds to reject it in favor of an obsolete standard. Ensure you have proper erasure certificates documenting the method, results, and drive details.

How many overwrite passes does each standard require?

DoD 5220.22-M specifies either 3 or 7 overwrite passes depending on the variant. NIST 800-88 requires only a single overwrite pass for Clear-level sanitization on HDDs, with verification. Research shows one pass is sufficient for modern drives, making the additional DoD passes an unnecessary expenditure of time.

What is the main difference between DoD 5220.22-M and NIST 800-88?

The core difference is approach. DoD 5220.22-M prescribes a fixed overwrite recipe — always 3 or 7 passes, always the same method. NIST 800-88 takes a risk-based approach, matching the sanitization method to the media type, data sensitivity, and future disposition of the device. NIST also addresses modern technologies like SSDs and NVMe that DoD 5220.22-M does not cover at all.

The Bottom Line

NIST 800-88 Rev. 2 is the only data erasure standard you should follow in 2026. The DoD itself abandoned DoD 5220.22-M and now defers to NIST. If your policies still reference the old standard, the transition process is straightforward — map your existing procedures to NIST levels, update your documentation, and start saving hours on every batch of drives you sanitize.


Last updated: February 2026. We regularly review and update our guides to ensure accuracy.

Sources: