Bugtraq mailing list archives

Re: Putting the "NSA Data Overwrite Standard" Legend to Death...


From: wolt () igd fhg de (Stephen D. B. Wolthusen)
Date: 04 Feb 2003 19:40:01 +0100


Hi,

"Jonathan G. Lampe" <jonathan () stdnet com> writes:

> OK, I'm sure this one will start a flame war, but...I work for a vendor
> whose products overwrite files when "deleting" them as a way of
> protecting old data.  Lately several customers have been asking for "NSA"
> or "DoD" standard overwrites, usually with a value of 3, 7 or 9.  (Our
> response to the feature was to more or less let the owner of the product
> pick the number of overwrites; the obvious tradeoff is
> more writes = slower disk.)

This is rather beside the point in modern disk drives anyway. Physical
sectors can get remapped on the fly (which would become only more likely at
the end of media service life) and are no longer guaranteed to map to
physical sectors. As a result, data can be moved out to spare sectors which
may still be perfectly readable afterwards. In addition, remanence can
still be exploited after multiple overwrites in a suitable lab environment
(and while magnetic domains have gotten *a lot* smaller, coercivity has
gone up to match, and sensors have more than kept up with this march down
the scale -- atomic force microscopes can be bought off the shelf).
 
> Anyway, while researching how we wanted to document recommended values for
> the overwrite feature, I looked into the "DoD" and "NSA" standards.

> I was not surprised to see that a "DoD standard" DOES exist:
>    Government name: DoD 5220.22-M
>    A nice summary: http://www.zdelete.com/dod.htm (not my product)
>    Some original documents: http://www.dss.mil/isec/nispom.htm
>    Long story short: 1 overwrite = CLEAR, 3 overwrites = SANITIZED
> (non-removable rigid disk)

For secret and below.
 
> I was surprised, however, to learn that a "NSA standard" DOES NOT exist.

Not too surprising, because NSA is the entity that creates such documents
in its assigned role within DoD. These become binding within DoD once they
get promulgated at the appropriate level and are also used elsewhere in US
government, typically by simple reference (e.g. in the case of DoE). 

DSS have relevant information for industrial applications on their web site
at http://www.dss.mil/infoas/. 

> So...could this finally be the end of IT employees casually tossing around
> the "NSA overwrite standard" - or is there something I'm missing?

Individual services can and do, of course, further specify the general
guidance. NAVSO P-5239-26 is one example of a service (Navy) guideline. 

> Second, where did the number 7 really come from?  (It seems to be the
> leading recommendation out there right now for number of overwrites and is
> frequently attributed to the NSA.)

Urban legend. And silly, too. For most magnetic media and especially
commodity PCs, the labor cost and downtime for overwriting isn't worth the
bother. Destruction will usually be more efficient anyway. And if for some
reason there are no facilities or procedures for this at a given site, I
believe the media can even be shipped to NSA for proper processing.

-- 
        later,
        Stephen

Fraunhofer-IGD                 | mailto:
Stephen Wolthusen              | wolt () igd fhg de
Fraunhoferstr. 5               | swolthusen () acm org
64283 Darmstadt                | swolthusen () ieee org
GERMANY                        | 
                               | 
Tel +49 (0) 6151 155 539       | Fax: +49 (0) 6151 155 499 
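As an added example, not part of either Jonathan's or Stephen's posts, the
following Python script implements the kind of user-selectable multi-pass
file overwrite Jonathan describes, with a read-back verify after every pass.
The pass schedule (a fixed byte, its complement, then keyed pseudo-random
data, cycling for larger pass counts) is my own assumption of what a
"3 overwrites = SANITIZED" product would do; the page does not spell out
the pattern. The function and file names are hypothetical, and the sample
file content is constructed for the demo. It also shows the limit Stephen
points out: the script can only reach the logical blocks the filesystem
currently assigns to the file, so a sector the drive has already remapped
to a spare, or a stale copy left behind by a journaling or copy-on-write
filesystem, is never touched no matter how many passes are chosen.

```python
import hashlib
import os
import secrets
import tempfile

CHUNK = 64 * 1024  # bytes per write/read call; a multiple of 32 keeps keyed blocks aligned


def fill_fixed(byte):
    """Pass generator: every byte of the file becomes `byte`."""
    def gen(offset, n):
        return bytes([byte]) * n
    return gen


def fill_keyed(key):
    """Pass generator: SHA-256 counter stream under a fresh 32-byte secret.
    Unpredictable without the key, yet any slice can be regenerated by offset,
    so the verify step never has to buffer the whole file."""
    def gen(offset, n):
        out = bytearray()
        block, skip = divmod(offset, 32)  # skip handles unaligned offsets
        while len(out) < skip + n:
            out += hashlib.sha256(key + block.to_bytes(8, "big")).digest()
            block += 1
        return bytes(out[skip:skip + n])
    return gen


def _write_pass(fd, size, gen):
    os.lseek(fd, 0, os.SEEK_SET)
    offset = 0
    while offset < size:
        view = memoryview(gen(offset, min(CHUNK, size - offset)))
        offset += len(view)
        while view:  # os.write may accept fewer bytes than offered
            view = view[os.write(fd, view):]
    os.fsync(fd)  # flush this pass to the device before the next one starts


def _read_exact(fd, n):
    parts = []
    while n:
        part = os.read(fd, n)
        if not part:
            raise EOFError("file shrank during verify")
        parts.append(part)
        n -= len(part)
    return b"".join(parts)


def _verify_pass(fd, size, gen):
    os.lseek(fd, 0, os.SEEK_SET)
    offset = 0
    while offset < size:
        n = min(CHUNK, size - offset)
        if _read_exact(fd, n) != gen(offset, n):
            return False
        offset += n
    return True


def overwrite_file(path, passes=3):
    """Overwrite `path` in place `passes` times, verifying each pass by read-back.
    Assumed schedule, cycling: fixed 0x00, complement 0xFF, keyed random.
    Only the file's currently mapped logical blocks are reached (hypothetical API)."""
    size = os.path.getsize(path)
    fd = os.open(path, os.O_RDWR)
    try:
        for i in range(passes):
            kind = i % 3
            if kind == 2:
                gen = fill_keyed(secrets.token_bytes(32))
            else:
                gen = fill_fixed(0x00 if kind == 0 else 0xFF)
            _write_pass(fd, size, gen)
            if not _verify_pass(fd, size, gen):
                raise RuntimeError(f"pass {i + 1} did not verify")
    finally:
        os.close(fd)
    return {"size": size, "passes": passes, "verified": True}


def secure_delete(path, passes=3):
    """Overwrite, shrink to zero length, sync, then unlink (hypothetical API)."""
    summary = overwrite_file(path, passes)
    with open(path, "r+b") as f:
        f.truncate(0)
        f.flush()
        os.fsync(f.fileno())
    os.remove(path)
    return summary


if __name__ == "__main__":
    with tempfile.NamedTemporaryFile(delete=False) as f:
        # constructed sample content, not real data
        f.write(b"CONSTRUCTED SAMPLE: customer record 4711\n" * 5000)
    print(secure_delete(f.name, passes=7))
```

The per-pass fsync matters: without it a 7-pass run can collapse into one
write at the device because the page cache absorbs the earlier passes, which
is a second reason the pass count says little about what reaches the platter.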

