Putting the "NSA Data Overwrite Standard" Legend to Death...

["Jonathan G. Lampe" <jonathan () stdnet com>]

OK, I'm sure this one will start a flame war, but...I work for a vendor 
whose products overwrite files when "deleting" them as a way of protecting 
old data.  Lately several customers have been asking for "NSA" or "DoD" 
standard overwrites, usually with a value of 3, 7 or 9.  (Our response to 
the feature was to more or less let the owner of the product pick the 
number of overwrites; the obvious tradeoff is morewrites=slowerdisk.)

Anyway, while researching how we wanted to document recommended values for 
the overwrite feature, I looked into the "DoD" and "NSA" standards.

I was not surprised to see that a "DoD standard" DOES exist:
  Government name: DoD 5220.22-M
  A nice summary: http://www.zdelete.com/dod.htm (not my product)
  Some original documents: http://www.dss.mil/isec/nispom.htm
  Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED 
(non-removable rigid disk)

I was surprised, however, to learn that a "NSA standard" DOES NOT exist.

I did the usual Google searches and came up with nothing but various sites 
and postings claiming the standard was anything from 5 to 20 
overwrites.  Then I called the NSA (1-800-688-6115 
-  http://www.nsa.gov/isso).  The first person I chatted with passed on the 
question, but the second answered the question in no uncertain terms - NSA 
is aware of DoD 5220.22-M and DOES NOT have a separate recommendation.

So...could this finally be the end of IT employees casually tossing around 
the "NSA overwrite standard" - or is there something I'm missing?

Second, where did the number 7 really come from?  (It seems to be the 
leading recommendation out there right now for number of overwrites and is 
frequently attributed to the NSA.)

- Jonathan Lampe, GCIA, GSNA
- jonathan.lampe () stdnet com