What Is DoD 5220.22-M?
DoD 5220.22-M was the DoD document number of the National Industrial Security Program Operating Manual (NISPOM), the manual governing security requirements for defense contractors handling classified information. The “data sanitization” procedure commonly associated with the name refers to a three-pass overwrite method from the Clearing and Sanitization Matrix in the 1995 edition of the NISPOM, which became widely cited as the standard for hard drive wiping.
Full name: National Industrial Security Program Operating Manual (NISPOM)
Published by: Defense Counterintelligence and Security Agency (DCSA), U.S. Department of Defense
Current edition: 32 CFR Part 117 (published December 2020, effective February 24, 2021; supersedes the DoD 5220.22-M editions)
Status of the 3-pass overwrite method: Removed from the NISPOM and not required by current federal standards. NIST SP 800-88 r2 is the current standard.
Official resource: dcsa.mil/nispom
The “DoD 5220.22-M wipe” acquired its reputation in the 1990s, when magnetic hard drives were the dominant storage medium and multi-pass overwrite was considered the state of the art. The matrix entry specified writing a character to every addressable location, then its complement, then a random character, followed by verification; the 0x00 / 0xFF / random sequence usually quoted is the conventional instantiation of that wording.
The Three-Pass Overwrite: What It Was
The overwrite entry in the 1995 NISPOM matrix specified a sequential multi-pass write over every addressable location of the drive. The 2006 reissue of DoD 5220.22-M dropped the matrix and deferred sanitization methods to the cognizant security agency, so even the last document that carried this number no longer contained the three-pass procedure.
Standard three-pass method (DoD 5220.22-M):
- Pass 1: Write all zeros (0x00) to every sector
- Pass 2: Write all ones (0xFF) to every sector
- Pass 3: Write random data to every sector, then verify
Extended seven-pass method (DoD 5220.22-M-ECE): Some vendors also list a seven-pass “ECE” variant, usually described as the three-pass method run twice around a single random-character pass (3 + 1 + 3). Neither the letters nor the seven passes appear in any DoD or NIST requirement. Both the three-pass and the seven-pass methods are legacy references.
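The procedure described above as an added worked example (this is the editor's illustration, not code from DCSA, NIST or Data Destruction Inc.): a small Python tool that applies the three-pass schedule (a character, its complement, random data) to a file or a raw block device, fsyncs after each pass and reads every pass back for verification. The names `random_stream`, `three_pass_schedule`, `overwrite` and `wipe_demo` are the editor's. The random pass uses a keyed BLAKE2b counter-mode stream seeded with a per-wipe secret so that the verify step can regenerate it exactly instead of storing a second copy of the drive; that design choice is the editor's, not something the NISPOM specified. The demo runs against a temporary file; pointed at /dev/sdX as root it does the same thing to a magnetic drive, and for the reason the next section explains it proves nothing about an SSD.

```python
"""Legacy DoD 5220.22-M style three-pass overwrite with read-back verification.
Added example, not DCSA's or Data Destruction Inc.'s code: a character, its
complement, then random data, each pass fsynced and verified. Works on a regular
file (the demo) or, on Linux as root, a raw block device such as /dev/sdX.
HDD-era technique: it says nothing about the unmapped cells of an SSD."""
import hashlib
import os
import tempfile

CHUNK = 1 << 20  # 1 MiB per write; a multiple of the 64-byte stream block


def random_stream(seed: bytes, offset: int, length: int) -> bytes:
    """Keyed BLAKE2b in counter mode (64-byte blocks): a deterministic random
    pass, so verification can regenerate exactly what was written instead of
    keeping a drive-sized copy. 'seed' is a per-wipe secret."""
    if offset % 64:
        raise ValueError("offset must be 64-byte aligned")
    out, block = bytearray(), offset // 64
    while len(out) < length:
        out += hashlib.blake2b(block.to_bytes(8, "big"), key=seed,
                               digest_size=64).digest()
        block += 1
    return bytes(out[:length])


def three_pass_schedule(seed: bytes, char: int = 0x00):
    """Pass patterns as (offset, length) -> bytes callables."""
    return [
        lambda off, n: bytes([char]) * n,            # pass 1: a character
        lambda off, n: bytes([char ^ 0xFF]) * n,     # pass 2: its complement
        lambda off, n: random_stream(seed, off, n),  # pass 3: random data
    ]


def _write_all(fd, data):
    view = memoryview(data)
    while view:
        view = view[os.write(fd, view):]  # os.write may return a short count


def _verify(fd, size, pattern) -> bool:
    if hasattr(os, "posix_fadvise"):  # Linux: drop the page cache so that the
        os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)  # read hits the device
    os.lseek(fd, 0, os.SEEK_SET)
    off = 0
    while off < size:
        n = min(CHUNK, size - off)
        # a read below EOF on a file or block device returns the full count
        if os.read(fd, n) != pattern(off, n):
            return False
        off += n
    return True


def overwrite(path, schedule):
    """Apply each pass over the whole device, fsync, read back and compare.
    Returns (bytes per pass, passes verified); raises on the first mismatch."""
    fd = os.open(path, os.O_RDWR)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)  # works for files and block devices
        verified = 0
        for pass_no, pattern in enumerate(schedule, 1):
            os.lseek(fd, 0, os.SEEK_SET)
            off = 0
            while off < size:
                n = min(CHUNK, size - off)
                _write_all(fd, pattern(off, n))
                off += n
            os.fsync(fd)  # count a pass only once the device has acknowledged it
            if not _verify(fd, size, pattern):
                raise RuntimeError(f"pass {pass_no}: read-back mismatch")
            verified += 1
        return size, verified
    finally:
        os.close(fd)


def wipe_demo(payload: bytes, seed: bytes) -> dict:
    """Constructed demo: a temp file stands in for a disk holding 'payload'."""
    fd, path = tempfile.mkstemp()
    try:
        _write_all(fd, payload)
        os.close(fd)
        size, passes = overwrite(path, three_pass_schedule(seed))
        with open(path, "rb") as f:
            after = f.read()
        return {"size": size, "passes_verified": passes,
                "payload_residue": payload[:16] in after,
                "final_pass_matches": after == random_stream(seed, 0, size)}
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(wipe_demo(b"SECRET RECORD 0042\n" * 60000, seed=os.urandom(32)))
```

The read-back only proves something if it really comes from the platter, which is why the verify step drops the page cache before reading; on a production wipe you would also log the device serial, the size reported by the device and the per-pass result, since that is what a Certificate of Destruction later has to reference.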
Why DoD 5220.22-M Was Replaced
The DoD 5220.22-M three-pass overwrite was designed for magnetic hard disk drives in an era when laboratory magnetic force microscopy (MFM) was argued, most influentially by Gutmann in 1996, to be capable of recovering data from overwritten tracks. Research and technology changes in the late 2000s led the DoD and NIST to revise their approach.
Reason 1: Research Showed One Pass Is Sufficient for Modern HDDs
The original NIST SP 800-88 (2006) concluded that a single overwrite pass is sufficient to render data unrecoverable from modern magnetic hard drives, citing ATA drives manufactured after 2001 (over 15 GB) as the point where track density had made clearing and purging by overwrite converge. Independent work such as Wright, Kleiman and Sundhar (2008), who tested MFM-style recovery against overwritten drives, reached the same conclusion: additional passes provide no measurable security benefit on modern drive geometries.
Reason 2: Multi-Pass Overwrite Does Not Work on SSDs and Flash Storage
The three-pass overwrite model assumes that writing to a logical block address rewrites the physical location that held the old data, which is true of a magnetic platter. SSDs, NVMe drives, eMMC and UFS flash storage sit behind a flash translation layer: wear leveling never programs a page in place but redirects each write to a fresh physical page, leaving the old copy intact until the controller erases it, and over-provisioned, spare and retired blocks are not addressable from the host at all. A host-side overwrite, however many passes, therefore cannot guarantee that every cell holding data has been erased. NIST SP 800-88 r2 addresses this with Purge methods executed by the drive's own controller, notably Cryptographic Erase (Section 3.1.2 + Section 3.2), or with physical Destroy (Section 3.1.3). In practice these are invoked through the drive's sanitize command set (ATA SANITIZE DEVICE or SECURITY ERASE UNIT, NVMe Sanitize or Format NVM with secure erase), not by a wiping tool writing patterns through the block layer. DoD 5220.22-M provides no guidance on SSDs.
Reason 3: The NISPOM Was Codified as 32 CFR Part 117 in 2021
When the NISPOM was recodified as 32 CFR Part 117 (published December 2020, effective February 2021), the media sanitization requirements were aligned with NIST guidance. The three-pass overwrite from earlier NISPOM editions was not carried forward; Part 117 does not reproduce a wipe procedure, and the operative technical reference for contractors is now NIST SP 800-88 r2.
What Replaced DoD 5220.22-M
NIST SP 800-88 r2 (Guidelines for Media Sanitization, September 2025) is the current federal standard for media sanitization and the replacement for the DoD 5220.22-M approach.
| Old approach (DoD 5220.22-M) | Current standard (NIST SP 800-88 r2) |
|---|---|
| Three-pass overwrite for all media | Method selected by media type and security category |
| No SSD guidance | Specific Section 3.2 guidance for Cryptographic Erase on SSDs |
| Overwrite-focused | Three categories: Clear, Purge, Destroy — each with specific methods |
| No CE conditions | Cryptographic Erase conditions defined in Section 3.2 (algorithm, key destruction, validation) |
| No program structure | Formal Media Sanitization Program required (Section 4) |
For organizations still referencing DoD 5220.22-M: Any organization whose contracts, policies, or security plans reference DoD 5220.22-M as their sanitization standard should update those documents to reference NIST SP 800-88 r2. Auditors and assessors from DoD, CMMC, FISMA, and DCSA evaluations recognize NIST SP 800-88 r2 as the valid reference; DoD 5220.22-M references in current documentation may generate audit findings.
How Data Destruction Inc. Handles Defense Contractor Media
Data Destruction Inc. provides defense contractor data destruction services aligned with NIST SP 800-88 r2 rather than the deprecated DoD 5220.22-M methodology. All Certificates of Destruction reference NIST SP 800-88 r2 category and section.
| Service | NIST r2 Category | Documentation for NISPOM/CMMC |
|---|---|---|
| Hard drive shredding | Destroy (§3.1.3) | Certificate of Destruction with r2 section + serialized inventory |
| Hard drive crushing | Destroy (§3.1.3) | Certificate of Destruction with r2 section + serialized inventory |
| Data wiping | Clear/Purge (§3.1.1/§3.1.2) | Certificate of Destruction + wipe report with method detail |
| Witnessed destruction | All categories | CoD + signed witness page + chain-of-custody log |
For classified media: Media classified at confidential, secret, or top secret levels requires NSA-approved sanitization or destruction methods specified in NSA/CSS Policy Manual 9-12. Physical destruction to NSA-specified particle sizes, using equipment on the NSA Evaluated Products Lists, is the standard method. Data Destruction Inc. can discuss classified media requirements on a contract-specific basis.
Who Still References DoD 5220.22-M?
Despite being deprecated, DoD 5220.22-M three-pass wipe references persist in several contexts.
Commercial data destruction software: Many commercial hard drive wiping tools still list “DoD 5220.22-M” as a wipe standard option, alongside NIST 800-88 and others. This is a legacy marketing label. On a magnetic drive the extra passes provide no security advantage over a single-pass overwrite; on an SSD they consume write endurance without reaching the cells the controller has unmapped.
Organizational IT security policies: Many organizations have security policies written in the 2000s or early 2010s that reference DoD 5220.22-M as their wipe standard. These policies should be updated to reference NIST SP 800-88 r2.
Vendor proposals and marketing: Some destruction vendors still cite DoD 5220.22-M compliance in their marketing materials. Auditors for CMMC, FISMA, and HIPAA recognize NIST SP 800-88 r2 as the current standard.
When a contract references DoD 5220.22-M explicitly: If a specific DoD contract or statement of work explicitly requires DoD 5220.22-M procedures, those procedures govern for that contract. Contract requirements supersede general guidance. However, new DoD contracts reference NIST SP 800-88 r2.
DoD 5220.22-M vs. NIST SP 800-88 r2: Method Comparison
Organizations whose policies or contracts still reference DoD 5220.22-M need to understand what the deprecated method was, what it covered, and why NIST SP 800-88 r2 is the replacement for every media type. This matrix compares the two approaches side by side.
| Media Type | DoD 5220.22-M Method (Deprecated) | NIST SP 800-88 r2 Method (Current) | DDI Method |
|---|---|---|---|
| Hard drive (HDD) | 3-pass overwrite (0x00, 0xFF, random) | Clear: overwrite; Purge: degauss; Destroy: shred/crush | Shredding or crushing (Destroy) |
| Solid-state drive (SSD) | Not addressed — no SSD guidance | Purge: Crypto Erase per §3.2; Destroy: shred | Shredding (Destroy) — CE requires §3.2 verification |
| NVMe drive | Not addressed — no NVMe guidance | Purge: Crypto Erase per §3.2; Destroy: shred | Shredding (Destroy) |
| Magnetic tape | 3-pass overwrite (limited applicability to tape) | Purge: degauss; Destroy: shred/disintegrate | Tape shredding (Destroy) |
| USB / flash drives | Not addressed — no flash guidance | Purge: Crypto Erase per §3.2; Destroy: shred | Shredding (Destroy) |
| Classified media | NISPOM methods (now 32 CFR Part 117) | NIST 800-88 r2 + NSA/CSS PM 9-12 for classified | Contract-specific — consult DDI for classified requirements |
Standards That Replace or Reference DoD 5220.22-M
If your organization’s policies, contracts, or security plans still reference DoD 5220.22-M, these are the current standards that replace it. CMMC, FISMA, and DCSA auditors all recognize NIST SP 800-88 r2 as the valid reference; legacy DoD 5220.22-M citations in current documentation may generate audit findings.
NIST SP 800-88 r2
The direct technical replacement for DoD 5220.22-M — current federal media sanitization standard
CMMC 2.0
MP.L2-3.8.3 (sanitize or destroy system media containing CUI before disposal or release for reuse) is assessed against NIST SP 800-88; citing DoD 5220.22-M instead leaves the method ambiguous in CMMC assessments
FISMA
NIST SP 800-53 MP-6 (Media Sanitization), implemented through NIST SP 800-88 r2: the same requirement with updated methodology
HIPAA Disposal Rule
Defense healthcare contractors face both DoD/CMMC and HIPAA disposal standards simultaneously
ISO 27001 / 27040
ISO/IEC 27040:2024 (storage security) takes the same media-type-driven approach to sanitization as NIST SP 800-88; neither treats a fixed multi-pass overwrite as the benchmark
Authoritative Source and Official Documents
32 CFR Part 117: National Industrial Security Program Operating Manual (published December 2020, effective February 24, 2021)
NIST SP 800-88 r2 (September 2025) — the replacement for DoD 5220.22-M overwrite method
Update all security policies and system security plans that reference DoD 5220.22-M to cite NIST SP 800-88 r2 instead. Retain 32 CFR Part 117 reference for overall NISPOM compliance.
Frequently Asked Questions
Is DoD 5220.22-M still required by the DoD?
No. The three-pass overwrite methodology associated with DoD 5220.22-M is not required by current DoD policy. The NISPOM was recodified as 32 CFR Part 117 (effective February 2021), and the current edition does not require three-pass overwrite. DoD contracts and CMMC requirements reference NIST SP 800-88 r2 as the operative sanitization standard. If a specific existing contract references DoD 5220.22-M, that contract requirement governs, but new contracts use NIST SP 800-88 r2.
Does a DoD 5220.22-M wipe satisfy CMMC 2.0 media sanitization requirements?
CMMC 2.0 Practice MP.L2-3.8.3 requires that system media containing CUI be sanitized or destroyed before disposal or release for reuse, and assessors use NIST SP 800-88 (now r2) as the reference for what counts as sanitization. A three-pass DoD 5220.22-M overwrite of a magnetic hard drive is a host-side overwrite and therefore at most a NIST Clear technique; Purge on a hard drive means degaussing or the drive's own sanitize command set, and whether Clear is enough depends on the drive's disposition and the data's sensitivity. In any case, citing “DoD 5220.22-M” rather than “NIST SP 800-88 r2” in CMMC assessment documentation creates ambiguity that may generate a finding. Use NIST SP 800-88 r2 references for all CMMC documentation.
Can I use DoD 5220.22-M to wipe an SSD?
No. A host-side multi-pass overwrite does not reliably sanitize an SSD: the flash translation layer redirects each write to a fresh physical page, so the cells holding the old copy, and any over-provisioned or retired blocks, are never touched by the tool. The DoD 5220.22-M three-pass overwrite was designed for magnetic hard drives and has no effective application to solid-state storage; extra passes only consume the drive's write endurance. For SSD sanitization, the current standard is NIST SP 800-88 r2 Purge via Cryptographic Erase (Section 3.1.2 + Section 3.2), issued through the drive's sanitize commands, or Destroy via physical shredding (Section 3.1.3).
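The Reason 2 section above and this answer rest on the same mechanism, so one added worked example serves both (the editor's constructed model, not vendor firmware or Data Destruction Inc.'s tooling): a deliberately small flash translation layer in Python with a spare pool, wear leveling that never programs a page in place, garbage collection only when the pool runs dry, and blocks that are retired with their contents frozen once they reach an erase limit. One page is pre-worn so the retired-block case shows up within three passes; that, the 8 + 4 page geometry and the class and function names (`Flash`, `SelfEncryptingFlash`, `host_overwrite`, `residue`, `experiment`) are the editor's assumptions. The same FTL is then wrapped as a self-encrypting drive, where a keyed BLAKE2b stream with a per-write nonce stands in for AES-XTS, to show why discarding the media key sanitizes every page, mapped, stale or retired, including the ones the host could never reach.

```python
"""Why a host-side overwrite does not sanitize flash and why Cryptographic Erase
does. Added example: a small constructed FTL model, not vendor firmware or Data
Destruction Inc.'s tooling. Assumptions: one page per LBA, a spare pool for wear
leveling, garbage collection only when the pool is empty, pages retired with
contents frozen at an erase limit, and one pre-worn page (see experiment())."""
import hashlib
import os

MARKER = b"SECRET-"  # prefix of the constructed 16-byte secret records


class Flash:
    """Minimal flash translation layer over a list of physical pages."""
    def __init__(self, logical, spare, erase_limit=3):
        self.logical, self.erase_limit = logical, erase_limit
        self.pages = [None] * (logical + spare)  # raw bytes of each physical page
        self.erases = [0] * (logical + spare)
        self.free = list(range(logical + spare))
        self.stale = []       # unmapped, not yet erased: the data is still there
        self.retired = set()  # worn out: frozen with whatever they last held
        self.map = {}         # lba -> physical page

    def _gc(self):
        for p in self.stale:
            self.erases[p] += 1
            if self.erases[p] >= self.erase_limit:
                self.retired.add(p)  # can no longer be erased; contents stay
            else:
                self.pages[p] = None
                self.free.append(p)
        self.stale = []

    def write(self, lba, data):
        if not self.free:
            self._gc()
        if not self.free:
            raise RuntimeError("no usable pages left")
        p = self.free.pop(0)  # wear leveling: never program a page in place
        self.pages[p] = data
        if lba in self.map:
            self.stale.append(self.map[lba])  # the old copy is NOT overwritten
        self.map[lba] = p

    def read(self, lba):
        return self.pages[self.map[lba]]


class SelfEncryptingFlash(Flash):
    """Same FTL with every page stored under a media encryption key (MEK). A
    keyed BLAKE2b stream with a per-write nonce stands in for AES-XTS."""
    def __init__(self, *args, **kwargs):
        super().__init__(*args, **kwargs)
        self.mek = os.urandom(32)

    def _xor(self, nonce, lba, data):  # data is at most 64 bytes here
        ks = hashlib.blake2b(nonce + lba.to_bytes(8, "big"), key=self.mek,
                             digest_size=len(data)).digest()
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, lba, data):
        nonce = os.urandom(8)
        super().write(lba, nonce + self._xor(nonce, lba, data))

    def read(self, lba):
        page = super().read(lba)
        return self._xor(page[:8], lba, page[8:])

    def crypto_erase(self):
        """CE: drop the MEK. Every page, mapped, stale or retired, is now
        ciphertext under a key that exists nowhere."""
        self.mek = os.urandom(32)


def residue(flash):
    """Chip-off view: physical pages, host-reachable or not, holding plaintext."""
    return sum(p is not None and MARKER in p for p in flash.pages)


def host_overwrite(flash, pattern):
    """What a “DoD 5220.22-M” tool does: rewrite every LBA through the host."""
    for lba in range(flash.logical):
        flash.write(lba, pattern())


def experiment():
    secrets = [f"SECRET-{i:08d}\n".encode() for i in range(8)]  # constructed
    ssd, out = Flash(logical=8, spare=4), {}
    ssd.erases[5] = 2  # constructed: this page is one erase from retirement
    for lba, s in enumerate(secrets):
        ssd.write(lba, s)
    host_overwrite(ssd, lambda: bytes(16))       # pass 1: 0x00
    out["residue_after_pass1"] = residue(ssd)
    host_overwrite(ssd, lambda: b"\xff" * 16)    # pass 2: 0xFF
    host_overwrite(ssd, lambda: os.urandom(16))  # pass 3: random
    out["residue_after_pass3"] = residue(ssd)
    out["retired_pages"] = sorted(ssd.retired)
    out["host_sees_secret"] = any(MARKER in ssd.read(i) for i in range(8))
    sed = SelfEncryptingFlash(logical=8, spare=4)
    for lba, s in enumerate(secrets):
        sed.write(lba, s)
    out["sed_plaintext_residue"] = residue(sed)
    out["sed_readable_before_ce"] = sed.read(3) == secrets[3]
    sed.crypto_erase()
    out["sed_readable_after_ce"] = sed.read(3) == secrets[3]
    return out


if __name__ == "__main__":
    for k, v in experiment().items():
        print(f"{k}: {v}")
```

Running `experiment()` shows four of the eight secret pages still present in raw flash after a full zero pass and one still present after all three passes (in the retired page), while the host reads back nothing but pattern data; on the self-encrypting variant no physical page ever holds plaintext, and after the key is replaced the host cannot read the data either. The exact counts depend on the toy geometry; the shape of the result does not, which is why NIST puts SSD Purge in the controller (Cryptographic Erase, block erase via the sanitize commands) rather than in a host-side tool.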
What is the current NISPOM, and where does it address media sanitization?
The current NISPOM is 32 CFR Part 117, published December 2020 and effective February 24, 2021. It governs the National Industrial Security Program and applies to defense contractors handling classified information. Part 117 does not itself reproduce sanitization procedures; its information system security requirements defer to the cognizant security agency's guidance, and the technical reference for media sanitization is NIST SP 800-88 (now r2). For classified media, NSA/CSS Policy Manual 9-12 provides additional requirements beyond NIST 800-88 r2.
What is the difference between DoD 5220.22-M and NIST SP 800-88 r2?
DoD 5220.22-M’s three-pass overwrite was a single-method approach applied uniformly to magnetic hard drives. NIST SP 800-88 r2 provides a framework of three categories (Clear, Purge, Destroy) with methods matched to media type, data sensitivity, and end-use disposition. NIST SP 800-88 r2 explicitly addresses SSDs, NVMe, flash storage, and self-encrypting drives. DoD 5220.22-M does not. NIST SP 800-88 r2 is current and recognized by every federal and industry compliance framework. DoD 5220.22-M is a historical reference.
