NIST SP 800‑88 Media Sanitization Guidelines: Revision 2 (2026)
NIST SP 800‑88, Guidelines for Media Sanitization, is the United States standard for permanently destroying data on storage media before disposal, resale, or reuse. The National Institute of Standards and Technology published Revision 2 on September 26, 2025, the first update since 2014, and withdrew Revision 1 the same day. The three sanitization methods, Clear, Purge, and Destroy, remain; how organizations select, execute, verify, and document them changed substantially.
This page explains the NIST 800‑88 Revision 2 changes in plain English: the Revision 1 versus Revision 2 differences, the new rules for each sanitization method and media type, and the policy updates auditors will expect. A free 10-page policy guide packages all of it for your team.
Start Here
Which NIST 800‑88 Sanitization Method Does Your Media Need?
Pick the media type you are retiring. Each panel summarizes what NIST SP 800‑88 Revision 2 and IEEE 2883 say for typical commercial scenarios; your data sensitivity and policy make the final call.
Hard drives (HDD)
Hard drives store data as magnetic domains on spinning platters. The right method comes down to one question: does the drive ever leave your control?
A single overwrite pass or the drive’s built-in sanitize command.
Dedicated sanitize command or cryptographic erase (IEEE 2883), when drives leave your control.
Shred to NSA and IEEE 2883 particle specifications.
No longer an approved destroy technique under Revision 2.
Degaussing is out as a destroy method, and physical destruction now has to meet IEEE 2883 and NSA particle sizes, not just “shredded.”
Watch out: many degaussers lack the field strength for modern high-coercivity drives.
Solid-state drives & NVMe
SSDs and NVMe store data as electrical charge inside flash cells, not magnetism. That is why overwriting is unreliable and a degausser does nothing at all.
The device’s dedicated sanitize command.
Block erase or cryptographic erase.
Shred only to a fine particle size; loose specs can fail on dense flash.
Leaves SSD data fully intact.
Multi-pass overwriting is retired. On flash it adds no security, burns write endurance, and misses over-provisioned regions a wipe never reaches.
Watch out: high-density flash is exactly where Revision 2 warns that loose shred specs fail.
Phones & tablets
Modern phones and tablets keep their storage encrypted by default, so a reset is only as trustworthy as the encryption sitting behind it.
A factory reset, only when the interface cannot retrieve the original data.
Built-in encrypted erase: encryption paired with key destruction.
Physically destroy the device for the most sensitive data.
A manufacturer reset counts as Clear only when the interface cannot recover the original data; for sensitive data, rely on the encrypted-erase path.
Watch out: confirm encryption was enabled before trusting a reset as anything more than Clear.
Magnetic tape
Tape is magnetic, so degaussing can still purge it, but only when the degausser’s field strength matches the tape’s coercivity.
Degauss only with a field strength matched to the tape’s coercivity.
Incinerate, shred, or pulverize to specification.
A degaussed tape is not a destroyed tape. Destruction means incineration, shredding, or pulverizing to specification.
Watch out: verify your degausser against the highest-coercivity media you handle, not the oldest.
Cloud & virtual storage
You never touch the physical drive, so cryptographic erase is usually the only path, and it lives or dies on who controls the keys.
Cryptographic erase with customer-controlled, verifiably destroyed keys, often the only option.
You do not control the hardware, so physical destruction is off the table.
Cryptographic erase may be the only viable purge, and it requires customer-controlled keys with verifiable key destruction. No key control can mean no compliant path on the platform.
Watch out: for decades-long confidentiality, do not rely on CE alone: future cryptographic breaks could expose today’s ciphertext.
Paper & other hard copy
Paper has no logical erase. You cannot Clear or Purge it, so physical destruction is the only path.
There is no logical erase for hard copy.
Disintegrate, incinerate, pulverize, or cross-cut shred to a particle size that matches sensitivity.
Destruction is the only path, and cross-cut particle sizes have to match the sensitivity of the material.
Watch out: strip-cut shredding of sensitive documents is a recovery risk, not a destruction method.
Method states summarize NIST SP 800-88r2 and IEEE 2883 guidance for typical commercial scenarios. Data sensitivity and your own policy decide the final call; the policy guide walks through the decision.
The Standard, Explained
What Is NIST SP 800‑88?
NIST Special Publication 800‑88, Guidelines for Media Sanitization, defines how organizations render data unrecoverable before storage media is reused, resold, or recycled. It groups every technique under three methods: Clear, Purge, and Destroy. Federal agencies must follow the NIST 800‑88 standard under FISMA; for everyone else it is the de facto benchmark, because when a customer, auditor, or regulator asks how data was destroyed, “sanitized in accordance with NIST SP 800‑88” is the answer they are looking for.
Revision 2 is the current version of the media sanitization guidelines. NIST published it as final on September 26, 2025 and withdrew Revision 1 the same day, so any policy, contract, or RFP that still cites Revision 1, or buys certified data destruction services against it, now references a withdrawn document. The sections below walk through exactly what changed.
Side by Side
NIST 800‑88 Revision 1 vs. Revision 2: What Changed at a Glance
Revision 2 of NIST SP 800‑88, published September 26, 2025, changes the identity of the federal media sanitization guidelines. Revision 1 (2014) was a hands-on technical manual; its nine per-device sanitization tables in Appendix A were the most-used pages in the document. Revision 2 removes them, defers technique detail to IEEE 2883 and NSA guidance, and defines a Media Sanitization Program instead: policies, scope, decision frameworks, roles, assurance, and documentation.
| Dimension | Revision 1 (Dec 2014) | Revision 2 (Sept 2025) |
|---|---|---|
| Document philosophy | Hands-on technical manual with per-device instructions | Program-level governance framework; technical detail deferred to IEEE 2883 and NSA guidance |
| Core terminology | “Media” / “electronic media” | “Information Storage Media” (ISM), covering cloud, virtual, and emerging media |
| Per-device sanitization tables | Nine detailed tables (Appendix A) | Removed; deferred to IEEE 2883 |
| Multi-pass overwriting | Not required, but legacy DoD language persisted in practice | Explicitly retired; a single pass suffices for Clear |
| Cryptographic Erase (CE) | One section plus an appendix | Substantially expanded: key taxonomy, zeroization, cloud guidance, long-horizon risk caveats |
| Verification model | One “Verify” step with a prescriptive sampling regime | Split into Verification and Validation; sampling regime removed |
| Degaussing | Standard option for magnetic media | Significantly restricted; no longer an approved destroy technique |
| Cryptographic baseline | FIPS 140-2 | FIPS 140-3 |
| Statutory authority | FISMA 2002 | FISMA 2014 |
Last reviewed: June 2026
Sources: NIST SP 800-88r2 (DOI: 10.6028/NIST.SP.800-88r2), NIST SP 800-88r1 (withdrawn), IEEE 2883-2022, NSA/CSS Policy Manual 9-12. Comparison prepared by ITAMG from a side-by-side reading of both revisions.
If You Read Nothing Else
The Seven Changes in NIST 800‑88 Revision 2 That Matter Most
Of everything NIST changed in Special Publication 800‑88 Revision 2, these seven updates are the most likely to touch your data destruction policies, your vendor contracts, and your day-to-day IT operations.
“Information Storage Media” replaces “electronic media”
The new term covers logical and virtual storage, including cloud and object storage, not just devices you can hold. It even leaves the door open for emerging media like DNA storage.
The multi-pass overwrite era is officially over
Revision 2 states that multi-pass overwriting is not needed. A single pass, or a device’s dedicated sanitize command, satisfies Clear. On SSDs, extra passes add no security and burn write endurance.
Cryptographic Erase gets real criteria
CE now carries testable requirements: at least 128 bits of security strength, explicit key-generation entropy, a four-type key taxonomy, and key destruction via zeroization aligned with FIPS 140-3.
Verification splits into two decisions
One “verify” step becomes two: Verification asks whether the technique completed; Validation makes a risk-based call on whether the target data was effectively sanitized. The old statistical sampling regime is retired.
Degaussing gets demoted
It is ineffective on SSDs and flash, many degaussers lack the field strength for modern high-coercivity drives, and it is no longer an approved destroy technique even when it bricks the device.
Shredding alone may not be enough
As data density rises and materials harden, pulverize and shred techniques can fail at the wrong particle size. IEEE 2883 and NSA specifications now define what acceptable looks like.
IEEE 2883 becomes the primary technical reference
With the device tables gone, IEEE 2883 carries the technique detail, NSA/CSS Policy Manual 9-12 anchors destruction, and FIPS 140-3 plus ISO/IEC 27040 and 19790 govern the cryptography. Unlike NIST publications, IEEE 2883 is a paid standard.
The Three Methods
Clear, Purge, Destroy: What Changed Under Each Sanitization Method
NIST 800‑88 Revision 2 keeps the three-method framework intact. What changed is the guidance under each method, including one instruction now stated outright: when possible, use Purge instead of Clear.
Clear
Protects against simple, software-based recovery. One overwrite pass or a dedicated sanitize command is now explicitly sufficient. Manufacturer resets count for devices that cannot be rewritten. Never appropriate for hard copy.
Purge
Defeats laboratory-grade recovery. Now preferred over Clear when possible. Technique selection (overwrite, block erase, cryptographic erase) defers to IEEE 2883. For cloud and virtual storage, cryptographic erase may be the only viable option.
Destroy
Five techniques are formally defined: disintegrate, incinerate, melt, pulverize, shred. Bending, cutting, drilling, and shooting are demoted to partial damage. Degaussing no longer qualifies, and Revision 2 cautions that particle size matters for high-density media.
Why It Reaches You
The Compliance Frameworks That Point to NIST 800‑88
Federal agencies must follow NIST 800‑88 under FISMA. Private organizations inherit it through the regulations, assessors, and client contracts that treat its media sanitization guidance as the benchmark for lawful data disposal.
HIPAA
HHS guidance points covered entities to NIST 800‑88 for rendering PHI unrecoverable before media disposal or reuse.
GLBA Safeguards
The FTC Safeguards Rule requires secure disposal of customer information; 800‑88 sanitization is the accepted route.
PCI DSS
Cardholder data must be rendered unrecoverable when no longer needed; assessors expect 800‑88 aligned methods.
CMMC & State Privacy Laws
Defense contractors and organizations under state privacy statutes inherit 800‑88 through control mappings and client addenda.
Don’t Overlook the Paperwork
Revision 2 Redesigns the Certificate of Sanitization
Sanitization that is not documented might as well not have happened. NIST SP 800‑88 Revision 2 redesigns the Certificate of Sanitization form, and four field-level changes deserve attention from anyone who maintains a CoS template or audits the certificates an ITAD or data destruction vendor sends back.
Method and Technique are now separate fields
For example: Purge via cryptographic erase. The certificate mirrors the standard’s method-and-technique structure.
A new, explicit Validation field
Your certificate should show that the accept-or-reject decision actually happened, separately from technique completion.
A Concurrence block and required signature
A second signatory formally concurs with the result. Unsigned certificates no longer pass the form’s own bar.
Expanded traceability for Cryptographic Erase
On the certificate, CE is recorded under Sanitization Technique plus Notes. Beyond the form, Revision 2 expects a separate assurance record: the algorithms and key strengths, the key types in the chain, escrow or injection history, and how key copies outside the device were addressed.
Compare the certificates you receive from your ITAD or destruction vendor today against the Revision 2 form. Gaps in vendor documentation become your gaps the moment an auditor or regulator asks for them.
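The field-level comparison described above can be automated once certificates are captured as structured records. The following is an added example, not code from NIST or ITAMG: the dictionary keys, status values, and sample records are assumptions made for illustration, and the checks encode only the changes listed on this page.

```python
"""Gap check for a Certificate of Sanitization against the Revision 2 changes
listed on this page. Dict keys are hypothetical, not the NIST form's labels."""

METHODS = {"clear", "purge", "destroy"}
DESTROY_STEMS = ("disintegrat", "incinerat", "melt", "pulveriz", "shred")
MIN_CE_STRENGTH_BITS = 128
CE_ASSURANCE_KEYS = ("algorithms", "key_strength_bits", "key_types",
                     "escrow_or_injection_history", "external_key_copies")

# Constructed sample records, not real certificates.
LEGACY_CERT = {"method": "Purge - degauss", "sanitized_by": "A. Tech",
               "verified": True}
REV2_CERT = {
    "method": "Purge", "technique": "Cryptographic erase",
    "verification": "completed", "validation": "accepted",
    "sanitized_by": "A. Tech",
    "concurrence": {"name": "B. Lead", "signature": "signed 2026-01-15"},
    "notes": "CE via drive sanitize command; assurance record CE-EXAMPLE-1",
}
REV2_CE_RECORD = {
    "algorithms": ["AES-256-XTS"], "key_strength_bits": 256,
    "key_types": ["media encryption key", "key encryption key"],
    "escrow_or_injection_history": "none",
    "external_key_copies": "none outside the device",
}


def review_certificate(cert, ce_assurance=None):
    """Return a list of gap strings; an empty list means none were found."""
    gaps = []
    method = str(cert.get("method") or "").strip().lower()
    technique = str(cert.get("technique") or "").strip().lower()

    if method not in METHODS:
        gaps.append("method: expected Clear, Purge or Destroy in its own field")
    if not technique:
        gaps.append("technique: missing; it is a separate field from method")
    if method == "destroy" and technique:
        if "degauss" in technique:
            gaps.append("technique: degaussing is not an approved destroy technique")
        elif not any(stem in technique for stem in DESTROY_STEMS):
            gaps.append("technique: not one of the five defined destroy techniques")

    # Verification (did the technique complete?) and Validation (accept or
    # reject the result) are two recorded decisions, not one "verified" flag.
    if cert.get("verification") not in ("completed", "failed"):
        gaps.append("verification: no record that the technique completed or failed")
    if cert.get("validation") not in ("accepted", "rejected"):
        gaps.append("validation: no explicit accept-or-reject decision")

    concur = cert.get("concurrence") or {}
    if not concur.get("signature"):
        gaps.append("concurrence: unsigned")
    elif concur.get("name") == cert.get("sanitized_by"):
        gaps.append("concurrence: signatory is not a second person")

    if "cryptographic erase" in technique:
        if not str(cert.get("notes") or "").strip():
            gaps.append("notes: CE is recorded under technique plus notes")
        record = ce_assurance or {}
        missing = [k for k in CE_ASSURANCE_KEYS if record.get(k) in (None, "", [])]
        if missing:
            gaps.append("ce_assurance: missing " + ", ".join(missing))
        bits = record.get("key_strength_bits")
        if isinstance(bits, int) and bits < MIN_CE_STRENGTH_BITS:
            gaps.append("ce_assurance: security strength below 128 bits")
    return gaps
```

Run it over every certificate a vendor returns and treat a non-empty list as a documentation gap to resolve before the asset record is closed.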
Role by Role
What NIST 800‑88 Revision 2 Means for Each Role
The updated media sanitization guidelines speak to the entire organization, not just the server room. From the boardroom to the facilities closet, here is what Revision 2 changes for each seat.
| If you are... | Revision 2 means... |
|---|---|
| CEO / COO / Board | Media sanitization is now an enterprise governance program with named roles and documented accountability. Disposal is a lifecycle decision, not a facilities afterthought. |
| CISO / CIO / Security | Policy references need updating: 800-88r2, FIPS 140-3, FISMA 2014, IEEE 2883. Reflect the Verification and Validation split in your assurance workflow, and put a CE-versus-destroy decision on the record for long-retention data. |
| IT Managers / Directors | Retire multi-pass wipe requirements, re-evaluate any degaussing dependency, and confirm sanitization tools and vendors map to IEEE 2883 techniques. Update SOPs that quoted Revision 1’s device tables. |
| Procurement / Vendor Management | Specify Revision 2 in RFPs and contracts, ask vendors how they satisfy IEEE 2883, and require Revision 2-aligned Certificates of Sanitization. For cloud contracts, ask about customer-controlled keys. |
| Compliance / Legal / Privacy | Frameworks that incorporate 800‑88 by reference now point to a changed target. Map where the old revision is cited and prioritize data with decades-long confidentiality obligations. |
| Office / Facilities Managers | The closet of retired laptops needs a documented chain of custody and a proper certificate. “We wiped them three times” is no longer the right answer. |
Do This Next
NIST 800‑88 Revision 2 Compliance Checklist: 8 Updates to Make
Walk your data destruction policy, SOPs, and vendor contracts through these eight updates from the Revision 2 media sanitization guidelines. Most organizations find at least two or three that apply.
Update citations
Reference 800-88r2 and FIPS 140-3 anywhere your policies, SOPs, or contracts cite the old versions.
Retire legacy wipe requirements
Remove every 3-pass, 7-pass, or 35-pass overwriting mandate. It is officially unnecessary.
Replace device-table references
Re-anchor procedures that quote Appendix A to IEEE 2883 or to your vendor’s documented, standards-aligned process.
Re-evaluate degaussing
Match field strength to drive coercivity, never rely on it for flash, and stop classifying it as destruction.
Review destruction specifications
Confirm particle sizes and techniques align with IEEE 2883 and NSA specifications, neither looser nor needlessly tighter.
Split your sign-off workflow
Build the Verification then Validation distinction into your process and your certificates.
Flag long-retention data
Document a cryptographic-erase-versus-destruction decision for data that must stay confidential for decades.
Audit your vendor’s paperwork
Compare the Certificates of Sanitization you receive today against the Revision 2 form, field by field.
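Several of these updates come down to finding stale wording in policies, SOPs, and contracts. The following added example (not part of the original page or any NIST tooling) scans text for the legacy language the checklist names; the regular expressions and the sample SOP are this example's own heuristics and constructed input, and the degaussing rule is only a prompt for human review.

```python
import re

# Heuristic patterns for the stale language named in the checklist above.
# They are assumptions of this example; tune them to your own documents.
RULES = [
    ("stale-citation",
     re.compile(r"800[-\u2011]88\s*,?\s*(?:r1\b|rev(?:ision|\.)?\s*1\b)", re.I),
     "cite SP 800-88r2; Revision 1 is withdrawn"),
    ("stale-citation", re.compile(r"FIPS\s*(?:PUB\s*)?140-2\b", re.I),
     "cite FIPS 140-3"),
    ("stale-citation", re.compile(r"FISMA\s*(?:of\s*)?2002\b", re.I),
     "cite FISMA 2014"),
    ("multi-pass",
     re.compile(r"\b(?:[2-9]|\d{2,}|three|seven)[-\s]pass(?:es)?\b", re.I),
     "remove the multi-pass mandate; a single pass satisfies Clear"),
    ("device-tables", re.compile(r"Appendix\s+A\b", re.I),
     "re-anchor to IEEE 2883 or a documented, standards-aligned process"),
    # Same-sentence co-occurrence only; a person decides whether the text
    # actually classifies degaussing as destruction.
    ("degauss-as-destroy",
     re.compile(r"degauss\w*[^.]*\bdestr\w+|destr\w+[^.]*\bdegauss\w*", re.I),
     "review: degaussing is no longer an approved destroy technique"),
]

# Constructed sample SOP excerpt, not taken from any real policy.
SAMPLE_SOP = """\
4.1 Media shall be sanitized per NIST SP 800-88 Rev. 1, Appendix A.
4.2 Hard drives receive a 3-pass overwrite before resale.
4.3 Encryption modules must be validated to FIPS 140-2.
4.4 Failed drives are destroyed by degaussing.
4.5 SSDs are purged with the device sanitize command per IEEE 2883.
"""


def lint_policy(text):
    """Return (line_number, rule_id, matched_text, advice) for each hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule_id, pattern, advice in RULES:
            for match in pattern.finditer(line):
                findings.append((lineno, rule_id, match.group(0), advice))
    return findings


if __name__ == "__main__":
    for lineno, rule_id, matched, advice in lint_policy(SAMPLE_SOP):
        print(f"line {lineno}: [{rule_id}] {matched!r} -> {advice}")
```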
Free Policy Guide
Download the NIST SP 800‑88 Revision 2 Policy Guide
The whole update in a 10-page PDF your team can circulate. Written for IT, security, and business leaders, in plain English, with the side-by-side reading of both revisions already done for you.
10-Page PDF
- Revision 1 vs. Revision 2 comparison table
- The seven changes that matter most, in plain English
- What changed under Clear, Purge, and Destroy
- Certificate of Sanitization updates, field by field
- Role-by-role impact and an 8-point action checklist
FAQ
NIST 800‑88 Frequently Asked Questions
The questions IT, security, and compliance teams ask most often about the media sanitization guidelines and the 2025 update.
What is NIST SP 800‑88?
NIST Special Publication 800‑88, Guidelines for Media Sanitization, is the United States government standard for permanently removing data from storage media before disposal or reuse. It defines three sanitization methods, Clear, Purge, and Destroy, and it is the benchmark auditors, regulators, and client contracts expect data destruction to follow.
What changed in NIST SP 800‑88 Revision 2?
Revision 2, published September 26, 2025, turns the standard from a hands-on technical manual into a program-level governance framework. Device-by-device instructions moved to IEEE 2883, multi-pass overwriting was retired, cryptographic erase gained testable criteria, verification was split into Verification and Validation, and degaussing is no longer an approved destroy technique.
Is NIST SP 800‑88 Revision 1 still valid?
No. NIST withdrew Revision 1 on September 26, 2025, the day Revision 2 was published. Policies, contracts, and RFP specifications that cite Revision 1 or its Appendix A device tables now reference a withdrawn document, which is exactly the kind of gap auditors flag.
Does NIST 800‑88 require a 3-pass wipe?
No, and it never did. The 3-pass wipe comes from retired Department of Defense language. Revision 2 states plainly that multi-pass overwriting is not needed: a single pass, or a device’s dedicated sanitize command, satisfies Clear. On SSDs, extra passes add no security and consume drive endurance.
What is the difference between Clear, Purge, and Destroy?
Clear protects against simple, software-based recovery using a single overwrite pass or a sanitize command. Purge defeats laboratory-grade recovery using techniques like block erase or cryptographic erase. Destroy makes the media itself unusable through shredding, disintegration, incineration, melting, or pulverizing. Revision 2 keeps all three and now says to prefer Purge over Clear when possible.
Can you degauss an SSD?
No. Degaussing removes magnetic fields, and SSDs store data as electrical charge in flash cells, so a degausser leaves SSD data fully intact. Revision 2 also restricts degaussing for magnetic drives: it is no longer an approved destroy technique, and many degaussers lack the field strength for modern high-coercivity drives.
Is NIST 800‑88 mandatory for private companies?
Federal agencies must follow it under FISMA. For private organizations it is technically voluntary, but HIPAA guidance, the GLBA Safeguards Rule, PCI DSS, and CMMC all point to it, and auditors and client contracts routinely require sanitization in accordance with NIST SP 800‑88. In practice it functions as the commercial standard.
How do I know if my ITAD vendor follows Revision 2?
Ask three things: how their techniques map to IEEE 2883, whether their Certificates of Sanitization show the new method and technique fields plus a separate validation decision, and whether they hold NAID AAA certification. A vendor aligned to Revision 2 can answer all three without hesitation.
Have a question not covered here? Call ITAMG at +1 877.625.4872 to talk through how Revision 2 affects your organization.
Data Destruction Aligned to NIST SP 800‑88, Documented to Survive an Audit
ITAMG has performed secure IT asset disposition since 1999 and operates under NAID AAA, R2v3, and RIOS certification. Every engagement runs on a documented chain of custody, NIST SP 800‑88 aligned sanitization or physical destruction, and serialized Certificates of Sanitization. Revision 2 codifies the program-level discipline serious ITAD providers have practiced for years, and we welcome it.