Putting the "NSA Data Overwrite Standard" Legend to Death... Feb 04 2003 04:57PM
Jonathan G. Lampe (jonathan stdnet com)
OK, I'm sure this one will start a flame war, but...I work for a vendor
whose products overwrite files when "deleting" them as a way of protecting
old data. Lately several customers have been asking for "NSA" or "DoD"
standard overwrites, usually with a value of 3, 7 or 9. (Our response to
the feature was to more or less let the owner of the product pick the
number of overwrites; the obvious tradeoff is morewrites=slowerdisk.)

Anyway, while researching how we wanted to document recommended values for
the overwrite feature, I looked into the "DoD" and "NSA" standards.

I was not surprised to see that a "DoD standard" DOES exist:
Government name: DoD 5220.22-M
A nice summary: http://www.zdelete.com/dod.htm (not my product)
Some original documents: http://www.dss.mil/isec/nispom.htm
Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED
(non-removable rigid disk)

I was surprised, however, to learn that a "NSA standard" DOES NOT exist.

I did the usual Google searches and came up with nothing but various sites
and postings claiming the standard was anything from 5 to 20
overwrites. Then I called the NSA (1-800-688-6115
- http://www.nsa.gov/isso). The first person I chatted with passed on the
question, but the second answered the question in no uncertain terms - NSA
is aware of DoD 5220.22-M and DOES NOT have a separate recommendation.

So...could this finally be the end of IT employees casually tossing around
the "NSA overwrite standard" - or is there something I'm missing?

Second, where did the number 7 really come from? (It seems to be the
leading recommendation out there right now for number of overwrites and is
frequently attributed to the NSA.)

- Jonathan Lampe, GCIA, GSNA
- jonathan.lampe (at) stdnet (dot) com [email concealed]

[ reply ]


Privacy Statement
Copyright 2010, SecurityFocus