Choosing Data Destruction Guidelines
Choosing the right data destruction guideline to abide by can be difficult. The three main ITAD guidelines currently in use are DoD 5220.22-M, NIST 800-88 and IEEE 2883-2022. DoD 5220.22-M and NIST 800-88 were created by the government, for the government, before being picked up by the private sector; IEEE, the newest guideline, was created for the private sector alone. This blog post is an excerpt of our e-book and will cover the process, limitations and environmental effects of these methods.
Process
The way organizations destroy hardware is governed by the guidelines set by the DoD, NIST and IEEE, but the processes and methods vary depending on which is used.
DoD 5220.22-M/NISPOM
The NISPOM standard, like DoD 5220.22, does not lay out detailed guidelines for the data destruction process, saying only that classified information shall be destroyed completely in a way that prevents recognition or reconstruction in accordance with methods prescribed, including burning, cross-cut shredding, wet-pulping, melting, mutilation, chemical decomposition or pulverizing. For more detailed instructions, it refers readers to other government organizations.
NIST 800-88
Unlike NISPOM, NIST 800-88 gives more detailed instructions, providing guidance for different types of devices as well as providing a philosophy on data destruction. It establishes a framework of Clear, Purge and Destroy and provides a range of methods depending on the classification of the data. For data that is not sensitive, clearing the device with a factory reset is fine. Purging is more intense, using cryptographic erasure methods or degaussing, but it usually allows the device to be reused. Destroying the device typically involves shredding, disintegration, pulverizing or incineration.
IEEE 2883-2022
Like NIST 800-88, IEEE 2883-2022 provides a framework of Clear, Purge and Destruct which, while similar, has several key differences. Clearing is pretty much the same, but purging techniques must leave the device in a state where it can be reused. Destruction also differs from NIST, only accepting the methods of melting, incineration and degaussing. IEEE provides media- and interface-specific techniques, providing more comprehensive instructions than NISPOM, and it also includes instructions for data-bearing devices that were not covered under NIST.
Sustainability
Reuse is greener than recycling, and for those who value their sustainability initiatives—and who plan to remarket their used hardware—having a sustainable ITAD process is important.
DoD 5220.22-M/NISPOM
NISPOM, like DoD 5220.22-M before it, does not take a stance on sustainability initiatives. Its guidance for more passes during wipes wears out the storage devices more quickly, but its policies often allow for equipment reuse.
NIST 800-88
NIST 800-88 also has no statement on sustainability, but clearing and purging often allow for equipment reuse. Clear and purge methods may be more appropriate than destroying data-bearing devices when factoring in environmental concerns, the desire to reuse the media (either within the organization or by selling or donating the media), or the cost of media devices.
IEEE 2883-2022
IEEE 2883-2022 is clear about its intentions regarding sustainability, preferring equipment to be kept in a reusable state whenever possible. However, its destruction methods exclude shredding and crushing, popular methods for data destruction that allow for material recovery. Instead, IEEE 2883-2022 calls for melting and incineration which require more energy and do not allow for any material recovery.
Limitations
The trend in hardware disposal and data sanitization is toward risk-based security rather than compliance-based security. This philosophy helps to keep data secure, no matter where it is housed. However, each guideline is limited by the time in which it was written, and it may not advise how to sanitize equipment produced after its publication.
DoD 5220.22-M/NISPOM
NISPOM, for example, does not give clear instructions about data destruction and pushes users to look at other government sites. It does not mention devices in particular or give examples of effective methods.
NIST 800-88
NIST 800-88 gives clearer data about hardware, providing helpful charts about what methods should be used for different types of equipment. It is also clear about providing verification that equipment has been sanitized. However, its specificity causes problems with equipment that is not mentioned. For certain types of equipment, it gives no middle option between clearing and destroying, which some may find confusing or limiting.
IEEE 2883-2022
IEEE 2883-2022 is the only standard discussed that is not government-sponsored. It aims to be even more specific than NIST 800-88, and while this is helpful now, it may cause it to age more quickly. It considers crushing and shredding to be ineffective forms of data destruction, preferring the more expensive and wasteful melting and incineration. Though documentation is encouraged, IEEE 2883-2022 does not require documentation, which may cause inefficiencies in verification. Quality ITAD providers will generate these documents for you anyway upon request.
Summary
Sorting through the different guidelines governing data destruction can be difficult. Below is a chart summarizing the sections above.
Making the Right Decisions
NISPOM, NIST and IEEE guidelines all offer guidance for organizations looking to safely dispose of data. To ensure alignment with data sanitization best practices, many organizations turn to ITAD providers. ITAD providers provide data sanitization, destruction, e-waste management, and equipment and materials recovery for businesses across all industries.
CentricsIT has more than 17 years of global ITAD experience, offering sustainable and secure ITAD services. Our team prioritizes customer service and making the ITAD process as simple—and secure—as possible. We maintain multiple certifications, including ISO 9001, ISO 14001, ISO 45001 and R2v3 to demonstrate our commitment to our clients, our employees and the environment.
For more information about ITAD standards and services, download the e-book or contact our team.