Federal Standard

NIST SP 800-88 r2: Guidelines for Media Sanitization

NIST Special Publication 800-88 Revision 2, published September 2025, is the United States federal standard for media sanitization. Federal agencies follow it under FISMA. HIPAA, PCI DSS v4.0.1, GLBA, FACTA, and CMMC 2.0 all point to it, directly or through their enforcement and assessment guidance, as the benchmark for lawful disposal. Every Certificate of Destruction issued by Data Destruction Inc. names the NIST SP 800-88 r2 category and section.

  • NIST, U.S. Department of Commerce
  • Current: Revision 2, September 2025
  • Jurisdiction: Federal
  • Required for federal agencies under FISMA; referenced by HIPAA, PCI DSS v4.0.1, GLBA, FACTA, and CMMC 2.0

What Is NIST SP 800-88 r2?

NIST Special Publication 800-88 Revision 2 is the federal guideline for media sanitization, published by the National Institute of Standards and Technology in September 2025. It defines three sanitization categories: Clear, Purge, and Destroy. Federal agencies must follow it under FISMA. Private-sector organizations use it as the industry benchmark cited by HIPAA, PCI DSS v4.0.1, GLBA, and FACTA enforcement guidance.

Publisher: National Institute of Standards and Technology (NIST), U.S. Department of Commerce
Current version: Revision 2, September 2025 — supersedes Revision 1 (December 2014)
Official URL: doi.org/10.6028/NIST.SP.800-88r2
Legal force: Mandatory for federal agencies under FISMA; de facto standard for private-sector compliance audits

Revision 2 updates the 2014 standard to address storage technologies that have become dominant since then: NVMe SSDs, eMMC and UFS flash storage, and self-encrypting drives. It aligns with IEEE 2883-2022, strengthens Cryptographic Erase guidance, and restructures the standard around a formal Media Sanitization Program concept (Section 4). The three core categories remain unchanged. The methods within them are significantly updated.


What Does NIST SP 800-88 r2 Require?

NIST SP 800-88 r2 requires organizations to categorize media by data sensitivity, select a sanitization category matching that sensitivity, execute the method, verify the result, document every step, and retain records. The standard mandates a formal, ongoing Media Sanitization Program rather than ad-hoc disposal decisions.

Category 1: Clear (Section 3.1.1)

Definition: Sanitization techniques that apply logical techniques to sanitize data in all user-addressable storage locations, protecting against simple non-invasive data recovery.

What it means in practice: Logical overwrite using software. Data is not accessible through normal operating system interfaces or standard file-recovery tools, but a sophisticated attacker with laboratory equipment retains some probability of recovery. Clear only reaches user-addressable locations: spare blocks, remapped sectors and over-provisioned flash are not touched.

When to apply it: Media scheduled for reuse within the same security boundary. Lower-sensitivity data. Drives under active manufacturer warranty that must be returned.

Methods: Software overwrite (single-pass or multi-pass); ATA Secure Erase on HDDs with compatible firmware; factory reset on consumer SSDs where the vendor documents its sanitization behavior.

Category 2: Purge (Section 3.1.2)

Definition: Sanitization techniques that render target data recovery infeasible using state-of-the-art laboratory techniques.

What it means in practice: The drive’s data is unrecoverable even under laboratory analysis. Media may remain functional depending on the method.

When to apply it: Any media leaving the organization’s control. Media containing moderate- or high-sensitivity data. Media transferred to third parties, recyclers, or disposal vendors.

Methods: Cryptographic Erase (CE) on self-encrypting drives meeting the conditions in Section 3.2 (NIST-approved encryption plus verifiable key destruction per Section 3.2.3); block erase through the device's sanitize command (ATA or NVMe Sanitize) on flash-based media where the vendor documents that it reaches all storage locations; degaussing of magnetic HDDs and tape with a degausser rated for the media's coercivity (the NSA/CSS Evaluated Products List is the usual reference); approved sanitize or overwrite commands for legacy magnetic media.

Cryptographic Erase conditions (Section 3.2): The encryption algorithm must meet NIST-approved cryptographic standards. The encryption key must be destroyed so it is unrecoverable (Section 3.2.3). The implementation must be validated per ISO/IEC 19790 (Section 3.2.4). CE operations must be traceable (Section 3.2.5).
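The two points above that trip up audits, that CE works only if the old key is really gone and that the result must be verified by reading the media back, are easier to see in code. The following simulation is an added example; it is not code from the standard or from Data Destruction Inc. It assumes a toy self-encrypting drive (the class names and the HMAC-SHA256 counter-mode keystream standing in for the drive's AES-XTS engine are inventions for the example, chosen so it runs on the Python standard library alone) and contrasts a correct CE with a vendor "erase" that only resets the password and leaves the media encryption key in place.

```python
"""Toy self-encrypting drive (SED) showing why Cryptographic Erase (CE)
satisfies Purge only when the media encryption key (MEK) is destroyed,
and why a read-back verification step is required afterwards.

Assumptions (example model, not a real drive or vendor firmware):
- HMAC-SHA256 in counter mode stands in for the drive's AES-XTS engine.
- A sector is 512 bytes; the MEK never leaves the drive's key store.
"""
import hashlib
import hmac
import os

SECTOR_BYTES = 512


def _keystream(key: bytes, lba: int, length: int) -> bytes:
    # Deterministic per-sector keystream: HMAC-SHA256 over (LBA, counter).
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = lba.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SelfEncryptingDrive:
    """Every sector is encrypted under a MEK generated inside the drive.
    The NAND array holds only ciphertext."""

    def __init__(self, sectors: int = 64) -> None:
        self._mek = os.urandom(32)                    # generated in the drive
        self._nand = [bytes(SECTOR_BYTES)] * sectors  # physical cells

    def write(self, lba: int, data: bytes) -> None:
        assert len(data) == SECTOR_BYTES
        self._nand[lba] = _xor(data, _keystream(self._mek, lba, SECTOR_BYTES))

    def read(self, lba: int) -> bytes:
        # Host-visible interface: decrypts with whatever MEK is current.
        return _xor(self._nand[lba], _keystream(self._mek, lba, SECTOR_BYTES))

    def raw_cells(self, lba: int) -> bytes:
        # What a chip-off lab read obtains: the ciphertext, regardless of MEK.
        return self._nand[lba]

    def crypto_erase(self) -> None:
        # CE: discard the old MEK and generate a fresh one. The NAND is not
        # rewritten; without the key its contents are indistinguishable from noise.
        self._mek = os.urandom(32)


class PasswordResetOnlyDrive(SelfEncryptingDrive):
    """Failure mode: an 'erase' that clears the user password but keeps the
    MEK. Data is readable again as soon as the drive is unlocked."""

    def crypto_erase(self) -> None:
        self._password = None  # MEK untouched, so nothing was sanitized


def verify_sanitized(drive, known: dict, sample_lbas) -> bool:
    """Verification step: read sample locations back through the normal
    interface and confirm none still returns its pre-sanitization content."""
    return all(drive.read(lba) != known[lba] for lba in sample_lbas)


def _load_markers(drive) -> dict:
    # Constructed sample data: a recognisable record in every eighth sector.
    markers = {lba: (b"PHI record %04d " % lba) * 32 for lba in range(0, 64, 8)}
    for lba, data in markers.items():
        drive.write(lba, data)
    return markers


def demo_crypto_erase():
    """Returns (readable_before, nand_unchanged_by_ce, verified_after)."""
    drive = SelfEncryptingDrive()
    markers = _load_markers(drive)
    readable_before = all(drive.read(lba) == markers[lba] for lba in markers)
    cells_before = [drive.raw_cells(lba) for lba in markers]
    drive.crypto_erase()
    nand_unchanged = [drive.raw_cells(lba) for lba in markers] == cells_before
    verified_after = verify_sanitized(drive, markers, markers)
    return readable_before, nand_unchanged, verified_after


def demo_password_reset_only() -> bool:
    """Same procedure against a drive whose 'erase' never destroys the key:
    the read-back verification fails, which is why the step exists."""
    drive = PasswordResetOnlyDrive()
    markers = _load_markers(drive)
    drive.crypto_erase()
    return verify_sanitized(drive, markers, markers)


if __name__ == "__main__":
    print("proper CE:", demo_crypto_erase())                      # (True, True, True)
    print("password-reset-only verified:", demo_password_reset_only())  # False
```

The middle value of the first result is the point of CE: the physical cells are byte-for-byte unchanged after the erase, so a lab read gets exactly what it got before, ciphertext under a key that no longer exists. The second result is the audit caveat: a drive that reports success but only reset its password passes every "did the command complete" check and fails the read-back, so verification has to sample the media, not the command's return code.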

Category 3: Destroy (Section 3.1.3)

Definition: Sanitization techniques that make target data recovery infeasible and render the media permanently non-functional.

What it means in practice: Physical elimination of the media. No data recovery is possible by any method. The media cannot be reused.

When to apply it: Highest-sensitivity data (PHI, CUI, cardholder data). End-of-life media with no reuse requirement. Any situation where Purge cannot be verified. Classified media is governed by NSA/CSS policy rather than SP 800-88, but physical destruction is the norm there as well.

Methods: Physical shredding; disintegration; pulverizing; incineration; crushing. Degaussing is a Purge method (Section 3.1.2), not a Destroy method: it applies to magnetic media only, and leaving the drive non-functional is a side effect rather than the goal.

SSD and flash critical note: Degaussing does not sanitize SSDs, NVMe drives, eMMC, or UFS flash storage. These media store data as electrical charge in NAND cells, not as magnetic orientation, so a degausser has no effect on the stored data and the device may remain fully readable. Any SSD or flash device requires Purge, via Cryptographic Erase (Section 3.1.2 with the Section 3.2 conditions) or a block erase through the device's sanitize command, or Destroy via physical shredding (Section 3.1.3).


How Data Destruction Inc. Satisfies NIST SP 800-88 r2

Data Destruction Inc. maps every service to a specific NIST SP 800-88 r2 category and section. Every Certificate of Destruction issued names the category, the section reference, and the destruction method used.

Service                    | NIST r2 category | Section                | Media types
Hard drive shredding       | Destroy          | 3.1.3                  | HDD, SSD, NVMe, hybrid, optical, tape
Hard drive crushing        | Destroy          | 3.1.3                  | HDD, SSD, NVMe, hybrid drives
Degaussing (magnetic only) | Purge            | 3.1.2                  | Magnetic HDD, magnetic tape only
Data wiping (software)     | Clear or Purge   | 3.1.1 / 3.1.2          | HDD, SSD (CE where applicable)
Witnessed destruction      | All categories   | Chain-of-custody layer | All media types

NIST does not certify vendors. NIST SP 800-88 r2 is a guideline, not a certification scheme. No company can be “NIST certified.” What matters for audit purposes is whether the destruction method matches the appropriate category and whether the Certificate of Destruction documents that method by section reference.


Who Must Follow NIST SP 800-88 r2?

Federal agencies are required to follow NIST SP 800-88 r2 under FISMA (44 U.S.C. §3551 et seq.). Every federal agency operating an information system must implement a media sanitization program aligned with this standard. Federal contractors handling federal information systems are subject to the same requirement through their agency contracts.

Private-sector organizations are not directly required by law to follow NIST SP 800-88 r2. In practice, compliance auditors across the major regulatory frameworks below treat it as the default benchmark:

Healthcare: HIPAA Data Disposal requires “reasonable and appropriate” disposal under 45 CFR §164.310(d)(2). HHS OCR enforcement guidance cites NIST SP 800-88 Destroy-level destruction as satisfying this requirement.

Financial services: GLBA Safeguards Rule (16 CFR Part 314) requires proper disposal of customer financial information. The FTC interprets NIST-conformant destruction as satisfying “proper disposal.”

Retail and payments: PCI DSS v4.0.1 Requirement 9.4.7 requires electronic media holding cardholder data to be destroyed when no longer needed, either by a secure wipe in line with industry-accepted standards for secure deletion or by physical destruction (Requirement 9.4.6 covers hard-copy materials). NIST SP 800-88 r2 is the accepted standard for that wipe.

Consumer data: FACTA Disposal Rule (16 CFR Part 682) requires “reasonable measures.” NIST Destroy-level shredding satisfies this standard.

Defense contractors: CMMC 2.0 explicitly requires media sanitization per NIST SP 800-88 r2 for all Controlled Unclassified Information (CUI) media.


Enforcement and Consequences

NIST SP 800-88 r2 is a guideline, not a law with direct penalties. However, failing to follow it triggers enforcement actions under the regulations that reference it.

HIPAA/HITECH (HHS OCR): Civil penalties for improper PHI disposal follow statutory tiers of $100 to $50,000 per violation (inflation-adjusted amounts are higher), with an annual cap per provision. OCR settlements involving unencrypted or improperly handled devices have reached $5.55M (Advocate Health Care, 2016). OCR enforcement guidance names NIST SP 800-88 as the destruction benchmark.

PCI DSS (card brands): Non-conformant electronic media disposal is a documented audit failure under Requirement 9.4.7. Fines from Visa, Mastercard, and Amex range from $5,000 to $100,000 per month, plus liability for breach costs and potential loss of card processing privileges.

CMMC (DoD): A defense contractor that fails a CMMC Level 2 or Level 3 media sanitization assessment cannot qualify for DoD contracts containing CUI. Contract loss is the direct consequence for non-conformant disposal.

Federal agencies (FISMA): An Inspector General finding that an agency failed to follow NIST SP 800-88 r2 can be reported as a significant deficiency or material weakness in the agency's annual FISMA reporting to OMB and Congress.


Method Selection: Which Destruction Level Applies?

Use this quick-reference matrix to match your media type to the correct NIST SP 800-88 r2 sanitization category. Apply the level that matches the data sensitivity: Clear for reuse within the same security boundary, Purge for media leaving the organization, Destroy for highest-sensitivity or end-of-life disposal.

Media type               | Clear (§3.1.1)                                      | Purge (§3.1.2)                                              | Destroy (§3.1.3)
Hard drive (HDD)         | Overwrite, single or multi-pass                     | ATA Secure Erase / Sanitize; degauss                        | Shred / crush / disintegrate
Solid-state drive (SSD)  | ATA Secure Erase or overwrite (limited; wear-leveling caveat) | Cryptographic Erase per §3.2, or block erase via Sanitize | Shred (required if CE cannot be verified)
NVMe drive               | Not recommended (wear-leveling)                     | Cryptographic Erase per §3.2, or NVMe Sanitize block erase  | Shred
Magnetic tape (LTO)      | Overwrite                                           | Degauss                                                     | Shred / disintegrate
Optical media (CD / DVD) | Not applicable                                      | Not applicable                                              | Shred / disintegrate
USB / flash drives       | Not recommended (wear-leveling)                     | Cryptographic Erase per §3.2 conditions                     | Shred
Mobile devices           | Factory reset (where vendor documents sanitization) | Cryptographic Erase per §3.2 conditions                     | Shred

Regulations and Standards That Reference NIST SP 800-88 r2

NIST SP 800-88 r2 is the backbone standard cited by every major US compliance framework. If your organization falls under any of the regulations listed in the previous section, NIST SP 800-88 r2 is the technical benchmark your auditors expect.


Authoritative Source and Official Document

Authoritative Source · csrc.nist.gov

NIST SP 800-88 r2 · Guidelines for Media Sanitization (September 2025)


Publisher · NIST, U.S. Department of Commerce

Current Version: Revision 2, September 2025



Frequently Asked Questions

What changed between NIST SP 800-88 r1 and r2?

NIST SP 800-88 r2, published September 2025, supersedes r1 from December 2014. Revision 2 adds specific guidance for NVMe SSDs, eMMC, UFS flash storage, and self-encrypting drives that were not adequately covered in r1. It strengthens Cryptographic Erase conditions (Section 3.2), aligns with IEEE 2883-2022, incorporates ISO/IEC 19790 zeroization requirements, and restructures the standard around a formal Media Sanitization Program (Section 4). The three core categories, Clear, Purge, and Destroy, remain the framework. The methods within each category are updated.

Does NIST SP 800-88 r2 apply to private-sector businesses?

NIST SP 800-88 r2 is mandatory for federal agencies under FISMA. For private-sector organizations, it is not a direct legal requirement. However, HIPAA, PCI DSS v4.0.1, GLBA, FACTA, and CMMC 2.0 all reference it as the benchmark for adequate disposal. If your organization handles patient records, cardholder data, financial information, or federal contracts, auditors expect NIST-conformant destruction documentation.

Can degaussing satisfy NIST SP 800-88 r2 for SSD destruction?

No. Degaussing is a Purge method (Section 3.1.2) for magnetic media only. SSDs, NVMe drives, eMMC, and UFS flash storage store data as electrical charge in NAND cells, not as magnetic orientation, so degaussing has no effect on the data in these devices. SSDs require Purge via Cryptographic Erase (Section 3.1.2 with the conditions in Section 3.2) or a block erase through the device's sanitize command, or Destroy via physical shredding (Section 3.1.3).

What does the Certificate of Destruction from Data Destruction Inc. include?

The Certificate of Destruction includes: the date and location of destruction; the NIST SP 800-88 r2 sanitization category and section; a serialized asset inventory with one line per destroyed device; the destruction method; the technician’s name and signature; and a witness signature where witnessed destruction was requested. These certificates are accepted by HIPAA, CMMC, FISMA, PCI DSS, and SOX auditors.

Is NIST SP 800-88 r2 a certification that vendors can earn?

No. NIST SP 800-88 r2 is a guideline. NIST does not operate a certification program under this standard. No vendor can be “NIST 800-88 certified.” What matters for audit purposes is whether the Certificate of Destruction documents the correct NIST category and section reference for the media type and data sensitivity level involved.

What NIST category applies to end-of-life media leaving the organization?

For media leaving the organization permanently, NIST SP 800-88 r2 recommends Purge or Destroy based on data sensitivity. For high-sensitivity data, including PHI, CUI, cardholder data, and classified information, Destroy via physical shredding (Section 3.1.3) is the standard choice. Shredding eliminates the media entirely, leaving no pathway for data recovery regardless of media type, storage technology, or encryption status.

Need media sanitization and destruction services that satisfy NIST SP 800-88 r2?

Bonded · Insured · 24-Hour Certificate of Destruction · Methods follow NIST SP 800-88 r2