Putting the "NSA Data Overwrite Standard" Legend to Death... (fwd)

Thomas Shaddack shaddack at ns.arachne.cz
Tue Feb 4 11:40:20 PST 2003

---------- Forwarded message ----------
Date: Tue, 04 Feb 2003 10:57:09 -0600
Subject: Putting the "NSA Data Overwrite Standard" Legend to Death...
From: Jonathan G. Lampe <jonathan at stdnet.com>
To: bugtraq at securityfocus.net

OK, I'm sure this one will start a flame war, but...I work for a vendor
whose products overwrite files when "deleting" them as a way of protecting
old data.  Lately several customers have been asking for "NSA" or "DoD"
standard overwrites, usually with a value of 3, 7 or 9.  (Our response to
the feature was to more or less let the owner of the product pick the
number of overwrites; the obvious tradeoff is morewrites=slowerdisk.)

Anyway, while researching how we wanted to document recommended values for
the overwrite feature, I looked into the "DoD" and "NSA" standards.

I was not surprised to see that a "DoD standard" DOES exist:
   Government name: DoD 5220.22-M
   A nice summary: http://www.zdelete.com/dod.htm (not my product)
   Some original documents: http://www.dss.mil/isec/nispom.htm
   Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED
(non-removable rigid disk)

I was surprised, however, to learn that a "NSA standard" DOES NOT exist.

I did the usual Google searches and came up with nothing but various sites
and postings claiming the standard was anything from 5 to 20
overwrites.  Then I called the NSA (1-800-688-6115
-  http://www.nsa.gov/isso).  The first person I chatted with passed on the
question, but the second answered the question in no uncertain terms - NSA
is aware of DoD 5220.22-M and DOES NOT have a separate recommendation.

So...could this finally be the end of IT employees casually tossing around
the "NSA overwrite standard" - or is there something I'm missing?

Second, where did the number 7 really come from?  (It seems to be the
leading recommendation out there right now for number of overwrites and is
frequently attributed to the NSA.)

- Jonathan Lampe, GCIA, GSNA
- jonathan.lampe at stdnet.com

More information about the cypherpunks-legacy mailing list