NIST SP 800-88 Guidelines for Media Sanitization Explained
18 Jan 2021 | Michael WaksmanThe NIST SP 800-88 Guidelines for Media Sanitization provide instructions to organizations on how to effectively sanitize hard drives and other electronic media. Released by the National Institute of Standards and Technology, the guidelines are widely followed by the U.S. government and private companies.
Here we will provide an overview of NIST SP 800-88 and the concept of media sanitization. We will then take a closer look at NIST’s 3 ways of dealing with end-of-life data, and finally explain why verifying your sanitization results is essential to following the guidelines.
NIST SP 800-88 Guidelines in a Nutshell
-
When?
The NIST SP 800-88 Guidelines for Media Sanitization were first published in 2006. The guidelines were then updated in December 2014, and this first revision (Rev 1) remains the most current version of the guidelines. -
What?
The NIST publication is a U.S. government document that provides clear methods of how to delete data from electronic media in a secure and permanent way. By following the guidelines, organizations can feel confident they have taken the necessary steps to minimize the chances of their data being recovered by third parties. -
Who?
The NIST SP 800-88 Guidelines for Media Sanitization were originally meant for government use, but are now commonly implemented by many private companies and organizations. While it’s not compulsory to comply with the guidelines, it’s advisable for companies to adopt them in order to ensure their sensitive data is unrecoverable.
What Is Media Sanitization?
Media sanitization is the process of removing data stored on an electronic media device in a way that ensures it cannot be easily retrieved by third parties. After correctly sanitizing a device, the data that has been removed should be unrecoverable even with the assistance of advanced forensic tools. In addition to removing the files and folders from your electronic media device, the sanitization process will securely remove all Data Remanence.
Clear, Purge, Destroy
The NIST SP 800-88 Guidelines for Media Sanitization recommends that you remove your data in one of 3 ways: Clearing, Purging, or Destroying.
- Clear
Clearing is a sanitization method that involves using software or hardware products to overwrite all user-addressable storage space. The goal of clearing is to replace written data and potentially sensitive information with random data.
Clearing can be applied by using the standard Read and Write commands on your device, and can involve rewriting data with a new value or resetting the device to its factory settings. While your information most likely can’t be retrieved by basic recovery utilities, this sanitization method only provides an intermediate level of protection. - Purge
Purging provides more comprehensive sanitization than clearing, as purging protects information against laboratory attacks that use advanced methods and tools to recover data.
Some methods of purging include overwriting, block erasing, and cryptographic erasure. In order to use this sanitization method, you first have to remove Host Protected Areas (HPAs) or Device Configuration Overlays (DCOs) if they exist on your device. Purging can then be applied through the use of dedicated device sanitization commands. - Destroy
Destroying, like purging, protects data from being recovered by state-of-the-art laboratory techniques. A key difference, however, is that after destroying media the device is no longer able to store data.
There are many physical techniques for destroying media, such as disintegrating, incinerating, melting, and shredding. While destruction can be useful for hardware that cannot possibly be reused, in most cases you should alternatively consider purging your media instead. Not only does purging allow you to reuse or donate your devices, this also means you can reduce the amount of harmful electronic waste you produce. Find out more about the benefits of erasing and repurposing your devices.
And Don’t Forget to Verify
Once you have removed the data from your device with your chosen sanitization method, there’s still one last important step: Verify your results.
Verifying your sanitization results is an essential step to maintain confidentiality and should never be skipped. As the NIST guidelines state, there are 2 types of verification methods:
- Verification for every sanitized piece of electronic media
- Verification of a representative sampling of media after sanitization has been completed
In order to prove you have met the NIST SP 800-88 Guidelines for Media Sanitization, you can complete a certificate of media disposition for each piece of media that has been sanitized and verified. To find out more about the process of verification, please consult the NIST guidelines.
About BCWipe Total WipeOut
BCWipe Total WipeOut is a data wiping solution that securely erases entire drives beyond forensic recovery. If you are looking to follow the NIST guidelines for purging your data, BCWipe Total WipeOut makes it simple with a media sanitization solution that allows you to meet the NIST 800-88 Rev 1 standard in just a click. Verifying your sanitization results and completing the necessary certificates can be easily done with the customizable wiping reports feature of BCWipe Total WipeOut - Enterprise Edition.
To get started with Jetico’s secure data wiping solution, begin your free trial of BCWipe Total WipeOut today.
Related Articles
Data Sanitization 5 Common Myths
Hardware Decommissioning Process: A 5-Step Checklist
The Ultimate Guide to Deleting Files Permanently
IEEE 2883-2022 Standard for Sanitizing Storage
CMMC 2.0 Levels, Controls & Framework for Media Sanitization Requirements
IRS Publication 4812 & How to Comply with Wiping Standards
How to Securely Wipe Your Windows 11 Computer Clean
How to Wipe a Hard Drive on a Dead Computer
How to Wipe an NVMe Drive
How to Delete Files on SSD
How to Obtain a Certificate of Destruction
Michael Waksman has been serving as CEO of Jetico since 2011, more than doubling the size of the company during his tenure. He brings more than 20 years of communications, technology and leadership experience.
At Jetico, Waksman has lead creation of the corporate identity, raising global brand awareness, building a more commercially-driven team and initiating enterprise customer relations. Jetico has maintained a wide user base throughout the U.S. Defense community, in the global compliance market and for personal privacy.
Waksman served as vice-chairman of the Cyber Group for the Association of Finnish Defense and Aerospace Industries. Recognized as a security and privacy advocate, he is a frequent speaker at international events, occasionally on behalf of the Finnish cyber security industry. In 2012, Waksman was honored with The Security Network's Chairman's Award for fostering collaboration between the United States and Finland. As dual citizen, he is a native New Yorker and has been living in the Helsinki region for over 15 years.