Federal Standard

NIST SP 800-88 Rev. 2: Guidelines for Media Sanitization

NIST Special Publication 800-88 Revision 2, published September 2025, is the United States federal standard for media sanitization. Federal agencies follow it under FISMA, and HIPAA, PCI DSS, GLBA, and FACTA reference it as the benchmark for lawful disposal. All Green Recycling's data destruction processes are operationally aligned to the NIST SP 800-88 Rev. 2 Clear, Purge, and Destroy categories.

  • NIST, U.S. Department of Commerce
  • Current: Revision 2, September 2025
  • Jurisdiction: Federal
  • Mandatory for federal agencies under FISMA; referenced by HIPAA, PCI DSS v4.0.1, GLBA, FACTA, and CMMC 2.0

What Is NIST SP 800-88 Rev. 2?

NIST Special Publication 800-88 Revision 2 is the federal guideline for media sanitization, published by the National Institute of Standards and Technology in September 2025. It defines three sanitization categories: Clear, Purge, and Destroy. Federal agencies follow it under FISMA. Private-sector organizations use it as the benchmark cited across HIPAA, PCI DSS, GLBA, and FACTA enforcement guidance.

Publisher: National Institute of Standards and Technology (NIST), U.S. Department of Commerce
Current version: Revision 2, September 2025, superseding Revision 1 (December 2014)
Official URL: doi.org/10.6028/NIST.SP.800-88r2
Legal force: Mandatory for federal agencies under FISMA; de facto benchmark for private-sector compliance audits

Revision 2 updates the 2014 standard to address storage technologies that became dominant after Revision 1: NVMe solid-state drives, eMMC and UFS flash storage, and self-encrypting drives. It aligns with IEEE 2883-2022, strengthens Cryptographic Erase guidance, and restructures the standard around a formal Media Sanitization Program. The three core categories remain; the methods inside them are updated for flash media.


What Does NIST SP 800-88 Rev. 2 Require?

NIST SP 800-88 Rev. 2 requires organizations to categorize media by data sensitivity, select a sanitization category that matches that sensitivity, execute the method, verify the result, document every step, and retain the records. The standard mandates a formal, ongoing Media Sanitization Program rather than ad-hoc disposal decisions.

Category 1: Clear

Definition: Logical techniques that sanitize data in all user-addressable storage locations, protecting against simple non-invasive recovery.

In practice: Software overwrite. Data is not retrievable through the operating system or standard file-recovery tools. A laboratory attacker retains some recovery probability.

When to apply it: Media reused inside the same security boundary; lower-sensitivity data; warranty returns.

Methods: Software overwrite (single or multi-pass); ATA Secure Erase on compatible HDDs; documented factory reset on consumer devices.

Category 2: Purge

Definition: Techniques that render data recovery infeasible using state-of-the-art laboratory methods.

In practice: Data is unrecoverable even under laboratory analysis. The media may stay functional.

When to apply it: Any media leaving the organization’s control; moderate- or high-sensitivity data; media transferred to recyclers or disposal vendors.

Methods: Cryptographic Erase on self-encrypting drives that meet the standard’s conditions (validated encryption plus verifiable key destruction); block erase on flash media; degauss for magnetic media only.

Category 3: Destroy

Definition: Techniques that make data recovery infeasible and render the media permanently non-functional.

In practice: Physical elimination of the media. No recovery is possible by any method. The media cannot be reused.

When to apply it: Highest-sensitivity data (PHI, CUI, cardholder data); end-of-life media with no reuse requirement; any case where Purge cannot be verified.

Methods: Shredding; disintegration; crushing; incineration; degaussing for magnetic media only.

SSD and flash note: Degaussing does not sanitize SSDs, NVMe drives, eMMC, or UFS flash. These store data as electrical charge in NAND cells, not magnetic orientation. Flash devices require Purge via Cryptographic Erase or Destroy via physical shredding.

Verification and documentation

NIST SP 800-88 Rev. 2 treats verification as a required step, not an optional one. After sanitization the organization confirms the action succeeded, either by full verification of every device or by a representative sampling approach for large lots, and records the result. The standard also calls for a documented record that names the media, the category and method applied, the verification outcome, and the personnel involved, so that disposal decisions can be reconstructed during an audit.
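The verify-and-record step described above, as an added illustration (this is example code written for this page, not NIST's text or All Green Recycling's tooling). The "media" is a constructed in-memory byte array standing in for a drive's user-addressable blocks; the 512-byte block size, the sampling approach, and the record field names are this example's assumptions. It performs a Clear-category overwrite, then verifies either every block or a random sample of blocks, and produces the kind of record an auditor would expect to see retained.

```python
"""Clear-by-overwrite with verification and an audit record (added example)."""
import random
from datetime import datetime, timezone
from typing import Optional

BLOCK_SIZE = 512  # assumed sector size for the constructed media


def make_sample_media(num_blocks: int, seed: int = 1) -> bytearray:
    """Constructed stand-in for a drive: pseudo-random bytes playing the role of user data."""
    rng = random.Random(seed)
    return bytearray(rng.getrandbits(8) for _ in range(num_blocks * BLOCK_SIZE))


def _fill(pattern: bytes) -> bytes:
    """Expand a short pattern to exactly one block."""
    return (pattern * (BLOCK_SIZE // len(pattern) + 1))[:BLOCK_SIZE]


def overwrite(media: bytearray, pattern: bytes = b"\x00", passes: int = 1) -> int:
    """Clear-category overwrite of every user-addressable block; returns blocks written."""
    fill = _fill(pattern)
    n_blocks = len(media) // BLOCK_SIZE
    for _ in range(passes):
        for b in range(n_blocks):
            media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = fill
    return n_blocks * passes


def verify(media: bytearray, pattern: bytes = b"\x00",
           sample: Optional[int] = None, seed: int = 0) -> dict:
    """Confirm the overwrite took effect.

    sample=None reads back every block (full verification); an integer reads back
    that many randomly chosen blocks (representative sampling for large lots).
    """
    fill = _fill(pattern)
    n_blocks = len(media) // BLOCK_SIZE
    if sample is None:
        blocks = list(range(n_blocks))
    else:
        blocks = sorted(random.Random(seed).sample(range(n_blocks), min(sample, n_blocks)))
    failed = [b for b in blocks
              if bytes(media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) != fill]
    return {
        "mode": "full" if sample is None else "sample",
        "blocks_checked": len(blocks),
        "failed_blocks": failed,
        "passed": not failed,
    }


def sanitization_record(asset_id: str, media_type: str, category: str, method: str,
                        verification: dict, operator: str) -> dict:
    """Record naming the media, category, method, verification outcome and personnel
    (field names are this example's assumptions, not the standard's)."""
    return {
        "asset_id": asset_id,
        "media_type": media_type,
        "category": category,
        "method": method,
        "verification_mode": verification["mode"],
        "blocks_checked": verification["blocks_checked"],
        "verification_passed": verification["passed"],
        "operator": operator,
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }


if __name__ == "__main__":
    disk = make_sample_media(num_blocks=64)
    overwrite(disk, passes=1)
    result = verify(disk, sample=16)
    print(sanitization_record("ASSET-0001", "hdd", "Clear",
                              "Overwrite (1 pass)", result, "tech-01"))
```

The read-back is what turns a wipe into evidence: a block that still differs from the pattern is a verification failure, and the record carries that outcome rather than the operator's assertion. Note that an overwrite issued through the operating system only reaches user-addressable blocks, which is the wear-leveling caveat the method table attaches to SSD Clear; on flash media it is not a substitute for Cryptographic Erase or destruction.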

The Media Sanitization Program

Revision 2 frames sanitization as an ongoing program rather than a series of one-off events. The program assigns roles, defines how media are categorized by sensitivity, sets the decision logic for choosing Clear, Purge, or Destroy, and governs how records are retained. This program orientation is the structural change that lets an organization show an auditor a repeatable process instead of isolated destruction tickets.


How All Green Recycling Aligns to NIST SP 800-88 Rev. 2

All Green Recycling’s data destruction processes are operationally aligned to NIST SP 800-88 Rev. 2. Each Data Destruction service maps to a specific NIST category, and every Certificate of Destruction names the category and the method used.

All Green Recycling Service | NIST Rev. 2 Category | Media Types
--------------------------- | -------------------- | -----------------------------------------------
Hard drive shredding        | Destroy              | HDD, SSD, NVMe, optical, tape
Hard drive crushing         | Destroy              | HDD, SSD, NVMe
Hard drive degaussing       | Purge                | Magnetic HDD and tape only
Cryptographic Erase         | Purge                | Self-encrypting drives meeting NIST conditions
SSD Secure Erase            | Clear or Purge       | SSD, NVMe (where firmware supports it)
Witnessed Destruction       | All categories       | Chain-of-custody layer over any method

NIST does not certify vendors. NIST SP 800-88 Rev. 2 is a guideline, not a certification scheme, so no company is “NIST certified.” What matters for an audit is whether the destruction method matches the correct category and whether the Certificate of Destruction documents that method by category and section. All Green Recycling states its alignment as process-conformance, never as a certification claim.


Who Must Follow NIST SP 800-88 Rev. 2?

Federal agencies must follow NIST SP 800-88 Rev. 2 under FISMA (44 U.S.C. §3551 et seq.). Every federal agency operating an information system must run a media sanitization program aligned with the standard. Federal contractors handling federal information systems inherit the same requirement through their contracts.

Private-sector organizations are not directly required by law to follow it. In practice, compliance auditors across major frameworks treat it as the default benchmark:

Healthcare: HIPAA Disposal Rule requires “reasonable and appropriate” disposal under 45 CFR §164.310(d)(2). HHS OCR guidance cites NIST Destroy-level destruction as satisfying it.

Financial services: GLBA Safeguards Rule (16 CFR Part 314) requires proper disposal of customer financial information.

Retail and payments: PCI DSS Media Disposal Requirement 9.4.6 requires destruction meeting accepted industry standards.

Defense contractors: CMMC Media Sanitization requires media sanitization per NIST SP 800-88 for all Controlled Unclassified Information (CUI) media.


Enforcement and Consequences

NIST SP 800-88 Rev. 2 is a guideline, not a law with direct penalties. Failing to follow it triggers enforcement under the regulations that reference it.

HIPAA/HITECH (HHS OCR): OCR fines for improper PHI disposal range from $141 to $2,134,831 per violation category under the inflation-adjusted 2024 tiers. OCR guidance names NIST SP 800-88 as the destruction benchmark.

PCI DSS (card brands): Non-conformant media disposal is a documented audit failure under Requirement 9.4.6. Card-brand fines range from $5,000 to $100,000 per month, plus breach liability.

CMMC (DoD): A contractor that fails a CMMC Level 2 media sanitization assessment cannot hold DoD contracts containing CUI. Contract loss is the direct consequence.

Federal agencies (FISMA): An Inspector General finding that an agency failed to follow NIST SP 800-88 results in a Material Weakness reported to Congress in the annual FISMA report.


Method Selection: Which Sanitization Category Applies?

Match the media type to the NIST SP 800-88 Rev. 2 category that fits the data sensitivity: Clear for reuse inside the same security boundary, Purge for media leaving the organization, Destroy for highest-sensitivity or end-of-life disposal.

Media Type               | Clear                                   | Purge                             | Destroy
------------------------ | --------------------------------------- | --------------------------------- | ------------------------------
Hard drive (HDD)         | Overwrite (single/multi-pass)           | ATA Secure Erase; degauss         | Shred / crush / disintegrate
Solid-state drive (SSD)  | ATA Secure Erase (wear-leveling caveat) | Cryptographic Erase per conditions | Shred (if CE not verifiable)
NVMe drive               | Not recommended                         | Cryptographic Erase per conditions | Shred
Magnetic tape (LTO)      | Overwrite                               | Degauss                           | Shred / disintegrate
Optical media (CD/DVD)   | Not applicable                          | Not applicable                    | Shred / disintegrate
USB / flash drive        | Not recommended                         | Cryptographic Erase per conditions | Shred
Mobile device            | Documented factory reset                | Cryptographic Erase per conditions | Shred
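The selection rule and the media-type matrix above, together with the Cryptographic Erase conditions from the Purge category (validated encryption plus verifiable key destruction) and the flash note that degaussing does not sanitize NAND, encoded as a decision function. This is an added example, not NIST's text or All Green Recycling's process tooling. The four sensitivity levels (low, moderate, high, highest), the media keys, and the rule that a table cell marked "not applicable" or "not recommended" escalates to the next stronger category are this example's assumptions; the table contents are transcribed from the page.

```python
"""Category and method selection following the page's media-type matrix (added example)."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class Category(IntEnum):
    CLEAR = 1
    PURGE = 2
    DESTROY = 3


MAGNETIC_MEDIA = {"hdd", "tape"}  # the only media degaussing sanitizes

# Transcription of the Media Type table; None = not applicable / not recommended.
MATRIX = {
    "hdd":     {Category.CLEAR: "Overwrite (single/multi-pass)",
                Category.PURGE: "ATA Secure Erase; degauss",
                Category.DESTROY: "Shred / crush / disintegrate"},
    "ssd":     {Category.CLEAR: "ATA Secure Erase (wear-leveling caveat)",
                Category.PURGE: "Cryptographic Erase",
                Category.DESTROY: "Shred"},
    "nvme":    {Category.CLEAR: None,
                Category.PURGE: "Cryptographic Erase",
                Category.DESTROY: "Shred"},
    "tape":    {Category.CLEAR: "Overwrite",
                Category.PURGE: "Degauss",
                Category.DESTROY: "Shred / disintegrate"},
    "optical": {Category.CLEAR: None,
                Category.PURGE: None,
                Category.DESTROY: "Shred / disintegrate"},
    "usb":     {Category.CLEAR: None,
                Category.PURGE: "Cryptographic Erase",
                Category.DESTROY: "Shred"},
    "mobile":  {Category.CLEAR: "Documented factory reset",
                Category.PURGE: "Cryptographic Erase",
                Category.DESTROY: "Shred"},
}


@dataclass(frozen=True)
class CeConditions:
    """The conditions under which Cryptographic Erase counts as Purge."""
    encrypted_since_first_use: bool   # no plaintext ever stored before encryption was on
    validated_implementation: bool    # validated encryption implementation
    key_destruction_verifiable: bool  # key destruction can be confirmed

    def satisfied(self) -> bool:
        return (self.encrypted_since_first_use
                and self.validated_implementation
                and self.key_destruction_verifiable)


def select_category(sensitivity: str, leaving_org: bool, end_of_life: bool) -> Category:
    """Clear for reuse inside the boundary, Purge when media leaves, Destroy for highest/end-of-life."""
    if sensitivity == "highest" or end_of_life:
        return Category.DESTROY
    if leaving_org or sensitivity in ("moderate", "high"):
        return Category.PURGE
    return Category.CLEAR


def method_is_valid(media: str, method: str) -> bool:
    """Reject degaussing for anything that is not magnetic media (the SSD and flash note)."""
    return "degauss" not in method.lower() or media.lower() in MAGNETIC_MEDIA


def select_method(media: str, sensitivity: str, leaving_org: bool = False,
                  end_of_life: bool = False,
                  ce: Optional[CeConditions] = None) -> Tuple[str, str]:
    """Return (category name, method) for a device, escalating where the table has no entry."""
    media = media.lower()
    if media not in MATRIX:
        raise ValueError(f"unknown media type: {media}")
    category = select_category(sensitivity, leaving_org, end_of_life)
    while True:
        method = MATRIX[media][category]
        if method is None:
            # Cell is not applicable / not recommended: step up one category (assumption).
            category = Category(category + 1)
            continue
        if method == "Cryptographic Erase" and (ce is None or not ce.satisfied()):
            # Purge cannot be verified, so the device is routed to Destroy instead.
            category = Category.DESTROY
            continue
        if not method_is_valid(media, method):
            raise RuntimeError(f"{method} cannot sanitize {media}")
        return category.name.title(), method


if __name__ == "__main__":
    print(select_method("hdd", "low"))
    print(select_method("ssd", "moderate", ce=CeConditions(True, True, True)))
    print(select_method("ssd", "moderate", ce=CeConditions(False, True, True)))
    print(select_method("nvme", "low"))
```

The two checks worth noticing are the ones that refuse to weaken the outcome: a self-encrypting drive whose key destruction cannot be confirmed, or that held plaintext before encryption was enabled, falls through to Destroy rather than being logged as Purge, and a degauss request against flash is rejected outright rather than silently recorded.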

Authoritative Source and Official Document

NIST SP 800-88 Rev. 2: Guidelines for Media Sanitization

doi.org/10.6028/NIST.SP.800-88r2

Publisher · NIST, U.S. Department of Commerce

Current Version: Revision 2, September 2025


Frequently Asked Questions

What changed between NIST SP 800-88 Revision 1 and Revision 2?

NIST SP 800-88 Revision 2, published September 2025, supersedes Revision 1 from December 2014. Revision 2 adds explicit guidance for NVMe SSDs, eMMC, UFS flash storage, and self-encrypting drives that Revision 1 did not adequately cover. It strengthens Cryptographic Erase conditions, aligns with IEEE 2883-2022, and restructures the standard around a formal Media Sanitization Program. The three categories, Clear, Purge, and Destroy, remain the framework. The methods inside each category are updated for modern flash media.

Is NIST SP 800-88 Rev. 2 mandatory or voluntary?

NIST SP 800-88 Rev. 2 is mandatory for federal agencies under FISMA. For private-sector organizations it is not a direct legal requirement. HIPAA, PCI DSS v4.0.1, GLBA, FACTA, and CMMC 2.0 all reference it as the benchmark for adequate disposal. If your organization handles patient records, cardholder data, financial information, or federal contracts, auditors expect NIST-conformant destruction documentation.

Can degaussing satisfy NIST SP 800-88 Rev. 2 for SSD destruction?

No. Degaussing is listed under Purge and Destroy for magnetic media only. SSDs, NVMe drives, eMMC, and UFS flash store data as electrical charge in NAND cells, not magnetic orientation, so degaussing has no effect on the data. SSDs require Purge via Cryptographic Erase where the drive meets the standard’s conditions, or Destroy via physical shredding when erase cannot be verified.

How does All Green Recycling satisfy NIST SP 800-88 Rev. 2 requirements?

All Green Recycling’s data destruction processes are operationally aligned to NIST SP 800-88 Rev. 2. Shredding and crushing map to Destroy, Cryptographic Erase and degaussing map to Purge, and software wiping maps to Clear. Every Certificate of Destruction names the NIST category and the method applied to each serialized device. All Green Recycling states this alignment as process-conformance, not as a NIST certification, because NIST does not certify vendors.

What documentation does an auditor expect for NIST-aligned destruction?

Auditors expect a Certificate of Destruction that records the date and location, the NIST SP 800-88 Rev. 2 category, the destruction method, and a serialized asset inventory with one line per device. The Certificate of Destruction issued by All Green Recycling includes these fields plus technician and witness signatures where witnessed destruction was requested, which supports HIPAA, CMMC, FISMA, and PCI DSS audits.

What NIST category applies to end-of-life media leaving the organization?

For media leaving the organization permanently, NIST SP 800-88 Rev. 2 recommends Purge or Destroy based on data sensitivity. For high-sensitivity data including PHI, CUI, and cardholder data, Destroy via physical shredding is the standard choice. Shredding eliminates the media entirely and leaves no recovery pathway regardless of storage technology or encryption status.

When does Cryptographic Erase qualify as Purge under Revision 2?

Cryptographic Erase qualifies as Purge only when specific conditions are met. The drive must have encrypted all stored data with a validated encryption implementation from the moment it was first used, and the sanitization must verifiably destroy the encryption keys so the ciphertext cannot be decrypted. If data existed on the drive before encryption was enabled, or if key destruction cannot be confirmed, Cryptographic Erase does not meet the Purge bar and the device should be destroyed instead. All Green Recycling applies Cryptographic Erase only where these conditions hold and routes everything else to physical destruction.

Need media sanitization and destruction services that satisfy NIST SP 800-88 Rev. 2?

Bonded · Insured · Certificate of Destruction · Methods follow NIST SP 800-88 Rev. 2