When you ask an ITAD provider how they destroy data, one of two standard names will almost certainly come up: NIST 800-88 or DoD 5220.22-M. Both are legitimate data destruction frameworks. But they are not equally current, equally applicable, or equally effective for modern storage media.
Here's what you actually need to know about each one — and how to decide what your organization should require.
What Is DoD 5220.22-M?
DoD 5220.22-M is a section of the National Industrial Security Program Operating Manual, a publication from the US Department of Defense that governs the handling of classified information by contractors. The data sanitization guidance within it — originally specifying a 3-pass or 7-pass overwrite procedure — became widely referenced in the commercial ITAD space through the 1990s and 2000s.
The appeal was simple: it came from the Department of Defense, which lent it an air of rigor and authority that resonated with corporate security and compliance teams.
There is, however, a problem: the DoD no longer officially references 5220.22-M as its standard for data sanitization. The DoD updated its media sanitization guidance to align with NIST 800-88 over a decade ago. Many ITAD providers continue to advertise "DoD 5220.22-M wiping" because customers recognize the name — not because it represents current best practice.
What Is NIST 800-88?
NIST Special Publication 800-88, Guidelines for Media Sanitization, is published by the National Institute of Standards and Technology. It is the primary media sanitization standard referenced by US federal agencies, and it forms the basis of data destruction requirements in HIPAA, FISMA, PCI DSS, and many other compliance frameworks.
Rather than prescribing a single overwrite method, NIST 800-88 establishes a three-tier sanitization model based on the sensitivity of the data and the intended disposition of the media:
- Clear: Software-based overwrite of user-addressable storage space. Appropriate for lower-sensitivity data on reusable media.
- Purge: More thorough sanitization using degaussing, cryptographic erasure, or advanced overwrite techniques. Protects against laboratory-level recovery attempts. Appropriate for sensitive data.
- Destroy: Physical destruction — shredding, disintegration, incineration, or pulverizing — that renders the media completely unusable. Required for the highest-sensitivity data or for media being permanently retired.
This tiered model is more nuanced and more practically useful than a blanket multi-pass overwrite requirement.
The Critical Difference: Solid-State Drives
The most important practical distinction between these standards is how they handle solid-state drives (SSDs).
Multi-pass overwriting — the core method behind DoD 5220.22-M — was designed for traditional spinning hard drives (HDDs). On an HDD, overwriting every sector multiple times effectively renders data unrecoverable.
SSDs work differently. Because of a technology called wear leveling, an SSD's controller deliberately distributes writes across available storage cells to extend drive lifespan. This means software overwrite commands issued through the drive's logical block interface do not necessarily reach every physical storage location where your data may reside. A multi-pass overwrite on an SSD may leave data fragments in cells the overwrite never reached, and a read-back through that same interface will not reveal them.
An ITAD provider offering only "DoD 5220.22-M" wiping may be applying an HDD-era overwrite process to your SSDs — which is not adequate for secure data destruction.
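As an added illustration (not code from the original post or from any ITAD tool), the toy flash translation layer below models the wear-leveling behaviour described above: after a software overwrite of every logical block, read-back verification through the host interface passes, while a raw inspection of the physical pages still finds the original data. Page size, block counts and the sample payload are all constructed.

```python
# Added illustration (not from the original post): a toy flash translation
# layer showing why a software overwrite of every logical block (NIST 800-88
# "Clear") can pass read-back verification yet leave stale copies of data in
# physical pages the overwrite never touched. All sizes and data are constructed.
PAGE = 16  # bytes per physical flash page (tiny, for illustration)

class ToySSD:
    """Wear leveling model: writes never land in place; each write goes to a
    fresh physical page and the previous page for that LBA is left stale."""

    def __init__(self, logical_blocks: int, physical_pages: int) -> None:
        self.logical_blocks = logical_blocks
        self.flash = [bytes(PAGE)] * physical_pages   # raw physical pages
        self.l2p: dict[int, int] = {}                 # LBA -> physical page
        self.next_free = 0

    def write(self, lba: int, data: bytes) -> None:
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages (toy model has no garbage collection)")
        self.flash[self.next_free] = data.ljust(PAGE, b"\0")[:PAGE]
        self.l2p[lba] = self.next_free                # old page stays stale
        self.next_free += 1

    def read(self, lba: int) -> bytes:
        """What the host sees through the normal block interface."""
        return self.flash[self.l2p[lba]] if lba in self.l2p else bytes(PAGE)

def clear_overwrite(ssd: ToySSD) -> None:
    """Software overwrite of every user-addressable block."""
    for lba in range(ssd.logical_blocks):
        ssd.write(lba, bytes(PAGE))

def verify_via_host(ssd: ToySSD) -> bool:
    """Read-back verification through the LBA interface only."""
    return all(ssd.read(lba) == bytes(PAGE) for lba in range(ssd.logical_blocks))

def stale_copies(ssd: ToySSD, needle: bytes) -> int:
    """Pages still holding the needle, as a lab-level chip read would find."""
    return sum(needle in page for page in ssd.flash)

def demo() -> tuple[bool, int]:
    ssd = ToySSD(logical_blocks=4, physical_pages=12)  # over-provisioned
    secret = b"PHI:SSN=000-00"                          # constructed sample
    for lba in range(ssd.logical_blocks):
        ssd.write(lba, secret)
    clear_overwrite(ssd)
    return verify_via_host(ssd), stale_copies(ssd, secret)  # (True, 4)
```

The host-side check reports success while four stale pages still hold the payload, which is why NIST 800-88 points to cryptographic erase, firmware-level sanitize or physical destruction for SSDs rather than overwrite alone.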
What Compliance Frameworks Actually Require
If you operate in a regulated industry, here is how the major frameworks align:
- HIPAA: Requires that ePHI be rendered "unreadable, indecipherable, and otherwise cannot be reconstructed." NIST 800-88 is the recognized standard for meeting this requirement.
- FISMA / FedRAMP: Explicitly references NIST 800-88.
- PCI DSS: Requires that cardholder data be rendered "unrecoverable." NIST 800-88 is the accepted benchmark.
- SOX: No specific sanitization standard, but NIST 800-88 satisfies due diligence requirements for financial records protection.
None of these frameworks require DoD 5220.22-M specifically. Most have adopted or aligned with NIST 800-88 because it is more technically current and media-agnostic.
When Does DoD 5220.22-M Still Matter?
There are still scenarios where specifying DoD 5220.22-M is appropriate:
- Your organization is a DoD contractor with a contract that explicitly references the standard by name
- A specific government agency you work with has not updated its sanitization requirements and still references it in its policies
- You are dealing exclusively with traditional HDDs in a non-SSD environment
Outside of these situations, defaulting to NIST 800-88 is the correct choice — and any modern ITAD provider should be familiar with both.
What to Ask Your ITAD Provider
When evaluating an ITAD provider's data destruction practices, ask these questions:
- Do you follow NIST 800-88 for media sanitization?
- How do you handle SSDs — do you perform cryptographic erasure or physical destruction?
- Do you issue per-device certificates of destruction that specify the sanitization method used?
- Are your data destruction technicians NAID AAA certified?
If a provider responds with "we do DoD 7-pass wiping on everything" and cannot speak to SSD-specific handling or NIST 800-88 compliance, that is a signal that their processes have not kept pace with how modern storage media actually works.