Where did the so-called 7-pass DoD 5220.22-M Wipe Standard originate?
Technically, DoD 5220.22-M, the NISP (National Industrial Security
Program) Operating Manual (or NISPOM), never addressed any specific
overwriting procedures itself; it merely mentions the clearing and sanitization
of media in section 8-301 (see below) without any examples of how to carry
out those guidelines. However, the 1995 and 1997 editions of NISPOM did include
a table from the Defense Security Service (DSS) titled Clearing
and Sanitization Matrix (C&SM)[1] which did specify
various methods for handling all sorts of media, including hard disks. But,
as of the June 28, 2007 edition, "Overwriting is no longer acceptable
for sanitization of magnetic media; only degaussing or physical destruction."[2]
While researching this material, we came across an old paper from the National
Computer Security Center at the Federation of American Scientists (FAS) archive
of the "NSA Rainbow Series and Related Documents" which mentions
an overwrite process in A Guide to Understanding Data Remanence in Automated
Information Systems.[3] Similar language
is also found in the ODAA Process Guide's Appendix O[4], in the section Overwriting;
though it presently "refers to sanitization procedures not associated
with fixed/rigid media to render such media unclassified." In part, it
states: "the contractor must develop an alternative procedure, such as
a three-time overwrite, for the media. The passes that are
developed must be a character, its complement, and then a third pass with
random characters."[5] But even here the
guide now adds, "This process will only be utilized as a clearing action
and the media must be safeguarded at the TOP SECRET level. When the media
is no longer needed, it must be destroyed."
An Important Clue?
When reading about Symantec Corporation's GDisk (which may be included
with present-day Symantec Ghost products), we discovered this utility has
a switch called "/dod"
which performs a hard disk wiping action as described in their document,
GDisk Disk Wipe Specifications.[6]
While reading this document, you can see its author(s) present the contents
of the Clearing and Sanitization Matrix table found in the January
1995 edition of NISPOM (where it was inserted between sections
"8-306. Maintenance" and "8-400. Networks" of that edition;
note that, contrary to some popular comments on the web, it had nothing
to do with section 8-306, having merely been placed there out of convenience
for page layout) as pertaining only to magnetic disks; there are many
other media present in the original table. They very clearly show that apart
from degaussing, the action for clearing a disk is stated in note
"c: Overwrite all addressable locations with a single character,"
and the sanitization of a disk can be carried out using either note
"d: Overwrite all addressable locations with a character, its
complement, then a random character and verify [Note: This method is
not approved for sanitizing media that contains top secret information.]"
or note "m: Destroy (disintegrate, incinerate, pulverize, shred,
or melt)." Yet on page 3, after appearing to indicate that GDisk follows
the DSS Matrix note d. (it states, "GDisk performs a sanitize operation,
as defined by action d, when performing a disk wipe operation with the /dod
command modifier."), this document then makes a fantastic leap
into the next phrase which says, "The
following cycle occurs six times:" Where in any of the
DoD or DSS literature did that come from!? And if you took that phrase
logically, after examining the next four points in the document, you'd have
to conclude that the GDisk utility performs a ridiculous number of wipe
passes! (Six times the four items would equal twenty-four;
6 x 4 = 24, for 24 passes.) The items in the list are:
- All addressable locations are overwritten with 0x35.
- All addressable locations are overwritten with 0xCA.
- All addressable locations are overwritten with a pseudo-random character.
- All addressable locations are verified in hardware using the Verify Sectors
command to the disk.
Note that last item. It is a verification that carrying out the first three
items does indeed end up writing a "pseudo-random character" everywhere
on the disk. If we suppose that the first three items must be done six times,
then perhaps you might want to verify that each cycle was performed correctly.
But our reading of the original DSS document says that only three passes followed
by a verification are necessary! We are going to examine this utility in detail
and report back here as to the exact nature of its actions for a /dod wipe,
so keep asking us for it if you don't see this soon.
With GDisk's very odd six-cycle interpretation of the DSS's straightforward
description of three overwrite passes plus a verification pass, is it any
wonder that other companies decided to come up with their own interpretations
of what a "DoD Wipe" consists of? The most prevalent description we've
seen in a cursory survey of wiping software and hardware available on the
Net is that a 'DoD wipe' consists of three cycles of alternating patterns of
0x00 and 0xFF, followed by a 0xF6 byte pattern, for a total of seven passes.
But, as the DSS and other security organizations have pointed out, such tools rarely
include a verification pass!
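To make the schedules discussed above concrete, here is an added example (not code from the page, from GDisk, or from any DSS or NCSC document) that runs the DSS character/complement/random passes with a verification read-back, GDisk's six-fold repetition of that cycle, and the common 0x00/0xFF/0xF6 seven-pass over a constructed simulated drive. The SimulatedDisk class, the SECTOR size and the bad-sector behaviour are assumptions for the simulation; the handling of a sector that cannot be overwritten follows the NCSC caveat quoted in the references: an unverifiable sector means overwriting has failed and the media must be degaussed or destroyed.

```python
import os

SECTOR = 512  # constructed sector size for the simulated drive

def complement(byte):
    """Bitwise complement of a byte pattern, e.g. 0x35 -> 0xCA."""
    return byte ^ 0xFF

# Pass schedules as the article describes them. A byte value means "overwrite
# every addressable location with that character"; None means a pseudo-random
# character. Verification is a separate read-back step, not an overwrite pass.
DSS_THREE_PASS = [0x35, complement(0x35), None]  # DSS note d; GDisk's one cycle
GDISK_SIX_CYCLES = DSS_THREE_PASS * 6            # "the following cycle occurs six times"
SEVEN_PASS = [0x00, 0xFF] * 3 + [0xF6]           # the common 7-pass "DoD wipe"

class SimulatedDisk:
    """Constructed stand-in for a drive: sectors holding 'sensitive' random data,
    plus a set of bad sectors that are not receptive to an overwrite."""
    def __init__(self, sectors, bad=()):
        self.data = [bytearray(os.urandom(SECTOR)) for _ in range(sectors)]
        self.bad = set(bad)

    def write(self, index, buf):
        if index in self.bad:
            return False  # write is lost, as on an unusable track
        self.data[index][:] = buf
        return True

    def read(self, index):
        return bytes(self.data[index])

def overwrite(disk, schedule, verify=True):
    """Apply each pass in `schedule` to every sector, then (if `verify`) read each
    sector back and compare it with the last pattern written there. A sector that
    could not be written or does not verify leaves the media unsanitized; per the
    NCSC guidance quoted in the references it must then be degaussed or destroyed."""
    expected = [None] * len(disk.data)
    failed = set()
    for pattern in schedule:
        for i in range(len(disk.data)):
            buf = os.urandom(SECTOR) if pattern is None else bytes([pattern]) * SECTOR
            if disk.write(i, buf):
                expected[i] = buf
            else:
                failed.add(i)
    if verify:
        failed |= {i for i, buf in enumerate(expected) if buf != disk.read(i)}
    return {"passes": len(schedule), "verified": verify,
            "failed_sectors": sorted(failed), "sanitized": verify and not failed}
```

Without the verification step the result is never reported as sanitized, which mirrors the article's point that a pass count alone says nothing about whether every addressable location actually took the overwrite.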
CAN YOU ANSWER THE QUESTION? Where did the 7-pass overwrite come from?
The NISP Operating Manual (the real DoD 5220.22-M Specifications)
The NISPOM[7] establishes the standard procedures and requirements for
all government contractors with regard to classified information. As of
July 2008, the current NISPOM is still dated 28 Feb 2006. Although the following
list does contain all of the chapter headings, only some of the chapter sections
from this edition have been selected for the purpose of this paper, which
is to show in detail the only sub-section paragraphs (in full, or just their
titles) that could possibly contain any information
related to the wiping or destruction of a hard disk. In particular,
note Section 8-301 (page 8-3-1):
- Chapter 1 - General Provisions and Requirements
- Chapter 2 - Security Clearances
  - Section 1 - Facility Clearances
  - Section 2 - Personnel Security Clearances
  - Section 3 - Foreign Ownership, Control, or Influence (FOCI)
- Chapter 3 - Security Training and Briefings
- Chapter 4 - Classification and Marking
- Chapter 5 - Safeguarding Classified Information
  - Section 1. General Safeguarding Requirements
  - Section 2. Control and Accountability
  - Section 3. Storage and Storage Equipment
  - Section 4. Transmission
  - Section 5. Disclosure
  - Section 6. Reproduction
  - Section 7. Disposition and Retention
    - 5-700. General
    - 5-701. Retention of Classified Material
    - 5-702. Termination of Security Agreement
    - 5-703. Disposition of Classified Material Not Received Under a Specific Contract
    - 5-704. Destruction
    - 5-705. Methods of Destruction
    - 5-706. Witness to Destruction
    - 5-707. Destruction Records
    - 5-708. Classified Waste
  - Section 8. Construction Requirements
  - Section 9. Intrusion Detection Systems
- Chapter 6 - Visits and Meetings
- Chapter 7 - Subcontracting
- Chapter 8 - Information System Security
  - Section 1. Responsibilities and Duties
  - Section 2. Certification and Accreditation
  - Section 3. Common Requirements
    - 8-300. Introduction
    - 8-301. Clearing and Sanitization. Instructions on clearing, sanitization and release of IS media shall be issued by the accrediting CSA.
      [Editor's note: CSA is the "Cognizant Security Agency (CSA). Agencies of the Executive Branch that have been authorized by reference (a) to establish an industrial security program to safeguard classified information under the jurisdiction of those agencies when disclosed or released to U.S. Industry. These agencies are: The Department of Defense, DOE, CIA, and NRC." (NISPOM, February 28, 2006 Edition, Appendix C, Definitions, Page C-2.)]
      a. Clearing. Clearing is the process of eradicating the data on media before reusing the media in an environment that provides an acceptable level of protection for the data that was on the media before clearing. All internal memory, buffer, or other reusable memory shall be cleared to effectively deny access to previously stored information.
      b. Sanitization. Sanitization is the process of removing the data from media before reusing the media in an environment that does not provide an acceptable level of protection for the data that was in the media before sanitizing. IS resources shall be sanitized before they are released from classified information controls or released for use at a lower classification level.
      [Editor's Note: The words Sanitization and sanitize as used by the DSS and other government agencies have effectively become synonyms for "destruction" and "destroy" since the DSS no longer approves any overwriting procedures for the downgrading of classified material.]
    - 8-302. Examination of Hardware and Software
    - 8-303. Identification and Authentication Management
    - 8-304. Maintenance
    - 8-305. Malicious Code
    - 8-306. Marking Hardware, Output, and Media
    - 8-307. Personnel Security
    - 8-308. Physical Security
    - 8-309. Protection of Media
    - 8-310. Review of Output and Media
    - 8-311. Configuration Management
  - Section 4 - Protection Measures
  - Section 5 - Special Categories
  - Section 6 - Protection Requirements
  - Section 7 - Interconnected Systems
- Chapter 9 - Special Requirements
  - Section 1 - RD and FRD
  - Section 2 - DoD Critical Nuclear Weapon Design Information (CNWDI)
  - Section 3 - Intelligence Information
  - Section 4 - Communication Security (COMSEC)
- Chapter 10 - International Security Requirements
- Chapter 11 - Miscellaneous Information
  - Section 1 - TEMPEST
  - Section 2 - Defense Technical Information Center (DTIC)
  - Section 3 - Independent Research and Development (IR&D) Efforts
- Appendices
References
- [1] DSS Clearing & Sanitization Matrix, June 28, 2007 edition (retrieved on 2008-06-14; size: 90,386 bytes).
- [2] The DSS Clearing and Sanitization Matrix (updated June 28, 2007), end of second paragraph, states:
  "Effective immediately, DSS will no longer approve overwriting procedures for the sanitization or downgrading (e.g. release to lower level classified information controls) of IS storage devices (e.g., hard drives) used for classified processing."
- [3] A Guide to Understanding Data Remanence in Automated Information Systems, Revision 2, September 1991. National Computer Security Center (retrieved from the Federation of American Scientists (FAS) web site on 2008-06-15). We quote the relevant section in full:
  "5.1.1 OVERWRITING
  Overwriting is a process whereby unclassified data are written to storage locations that previously held sensitive data. To satisfy the DoD clearing requirement, it is sufficient to write any character to all data locations in question. To purge the AIS storage media, the DoD requires overwriting with a pattern, then its complement, and finally with another pattern; e.g., overwrite first with 0011 0101 [35h], followed by 1100 1010 [CBh], then 1001 0111 [97h]. The number of times an overwrite must be accomplished depends on the storage media, sometimes on its sensitivity, and sometimes on differing DoD component requirements. In any case, a purge is not complete until a final overwrite is made using unclassified data."
  Note that the hexadecimal byte patterns in the quote above were merely given as an example by the NCSC; yet these same exact bit patterns were used by Symantec for their GDisk utility (see text in body of article).
- [4] Quote from: Office of the Designated Approving Authority (ODAA) Process Guide For Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM), Revised May, 2008; Revision 2008.1, Appendix O, page O-5, first paragraph. DSS. May, 2008 (retrieved on 2008-06-14; size: 2,021,899 bytes).
- [5] Quote from: Office of the Designated Approving Authority (ODAA) Process Guide For Certification and Accreditation Of Classified Systems under the National Industrial Security Program Operating Manual (NISPOM), Appendix O, page O-5, last sentence.
  [Note: For the NSA, this has always been the case. Even the National Computer Security Center's almost 20-year-old paper cited as [3] above, A Guide to Understanding Data Remanence in Automated Information Systems, Revision 2 (1991), already stated in section 4.6 (OVERWRITE SOFTWARE AND PURGING): "If any errors occur while overwriting or if any unusable sector could not be overwritten, then degaussing is required." The reasoning is that no matter how slight the chance may be, if that data cannot be verifiably overwritten, then it could still possibly be read by unauthorized parties. Section 4.4 (STORAGE DEVICE SEGMENTS NOT RECEPTIVE TO OVERWRITE) of the same paper elaborates on this: "A compromise of sensitive data may occur if media is released when an addressable segment of a storage device (such as unusable or 'bad' tracks in a disk drive or inter-record gaps in tapes) is not receptive to an overwrite. As an example, a disk platter may develop unusable tracks or sectors; however, sensitive data may have been previously recorded in these areas. It may be difficult to overwrite these unusable tracks. Before sensitive information is written to a disk, all unusable tracks, sectors, or blocks should be identified (mapped). During the life cycle of a disk, additional unusable areas may be identified. If this occurs and these tracks cannot be overwritten, then sensitive information may remain on these tracks. In this case, overwriting is not an acceptable purging method and the media should be degaussed or destroyed."]
- [6] GDisk disk wipe specifications, Symantec Corporation (retrieved on 2008-07-13; size: 101,827 bytes).
- [7] NISPOM, current 28 Feb 2006 edition (retrieved as a PDF document on 2008-06-14; size: 2,014,780 bytes, from the DSS).