
NIST 800-88 Rev.2: What the Updated Media Sanitization Standard Means for Your Organization

NIST Special Publication 800-88 has long been a benchmark standard for media sanitization. Originally published in 2006, it has shaped how organizations approach the secure disposal and reuse of data-bearing assets. In September 2025, the first update since 2014 was published: NIST 800-88 Rev.2. 

For organizations aligning with NIST 800-88, this article will help you consider what the 2025 changes mean for your sanitization policy. 

Stephen Connolly
As a content writer for Blancco, Stephen uses his 10+ years of experience researching and writing about technology to explain how data sanitization is the secure, compliant, efficient, and sustainable choice for end-of-life data management.

What is NIST 800-88? 

NIST 800-88 (Guidelines for Media Sanitization) is a U.S. government document containing guidance on how organizations should handle data-bearing media when it reaches the end of a period of use (e.g., when an employee laptop is decommissioned). While the guidance also covers hard copy media, such as paper printouts, this article focuses on information storage media (ISM), such as HDDs, SSDs, and other IT assets. 

Why does the standard matter? 

Because the risks it addresses are real. As the 2025 update (Rev.2) states, attackers who fail to gain access to your organization’s data because of access controls and encryption “may focus their efforts on alternative access means, such as retrieving residual data on ISM that has left an organization without being sufficiently sanitized.” 

And there are many examples of security breaches that have happened because of incomplete data sanitization. Lost, stolen, or insufficiently wiped drives and devices have ended up at auctions, swap meets, and in dumpsters, resulting in preventable data loss and significant compliance fines. Ultimately, preventing bad actors from getting in through the front door should not be at the expense of watching what’s leaving via the back door just as closely.

NIST 800-88 provides guidance so organizations can avoid these preventable lapses.


The Blancco 2026 State of Data Sanitization Report found that over 30% of enterprises experienced a data leak in the previous year, and that a third of those leaks resulted from the redeployment of drives or devices still containing data.


Clear, purge & destroy: The three sanitization methods 

NIST 800-88 defines three sanitization methods, each appropriate to different levels of data sensitivity and different intended outcomes for the media itself. 

Clear

Clear applies logical techniques—including overwriting—to sanitize data in all user-addressable storage locations. It protects against simple, non-invasive recovery attempts using the same interface available to a standard user. 

Clear is appropriate for lower-sensitivity data and leaves media in a usable state for redeployment within the same organization. NIST 800-88 Rev.2 explicitly clarifies that for some ISM, multiple overwrite passes are not necessary for clear, and that purge or destroy should be used if additional assurance is required. This change counters legacy overwriting practices based on the DoD 5220.22-M standard, which specified a set number of passes and patterns.

Purge

Purge applies physical or logical sanitization techniques that make data recovery infeasible even against state-of-the-art laboratory methods, while still preserving the media for potential reuse. 

Rev.2 says that “When possible, the purge sanitization method should be used instead of the clear sanitization method.” Purge is advised for assets containing data of low, moderate, or high sensitivity when the assets will be reused internally. Purge may also be applicable to assets that contain low- or moderate-sensitivity data and are leaving your organization. For high-security assets leaving the organization, NIST 800-88 advises the use of destroy. Purge techniques vary by media type, and organizations should consult the IEEE 2883-2022 standard for specific technique guidance.

Destroy

Destroy renders media permanently unusable and makes data recovery infeasible by any means. It is appropriate when other methods cannot be applied, when media is damaged or obsolete, or when data sensitivity demands the highest level of assurance. Physical destruction techniques include shredding, pulverizing, incinerating, disintegrating, and melting. However, Rev.2 notes an important limitation. As data density and component hardness increase in modern media, some destructive techniques become less effective. Shredding and pulverizing, in particular, should be avoided for anything above the lowest security categories of data. 

A significant update in NIST 800-88 Rev.2 concerns degaussing. Previously treated as a viable purge or destroy technique for magnetic media, degaussing has been substantially downgraded. Rev.2 states that degaussing “does not currently constitute a destroy sanitization technique”. Organizations still relying on degaussing as a primary method should review their approach against current guidance. 

Figure (flowchart illustrating NIST 800-88 Rev.2 recommendations on data disposal): NIST 800-88 offers guidance on when to use different sanitization methods based on data sensitivity and the intended onward journey of IT assets.

What’s new in NIST 800-88 Rev.2? 

Governance takes center stage 

The most significant change in Rev.2 is the shift from hands-on sanitization guidance to a greater focus on governance. Where Rev.1 (2014) provided detailed, device-specific sanitization instructions, Rev.2 steps back from that level of prescription. As the document’s own change log indicates, “the document’s focus has shifted from providing guidelines for hands-on sanitization decisions to maintaining confidentiality of sensitive information by establishing an agency or enterprise media sanitization program as part of media disposal or reuse.” 

As part of this, Rev.2 removes the appendices from Rev.1 that specified device-by-device sanitization techniques. Instead, it directs organizations to consult current standards for technique selection, such as IEEE 2883 or NSA/CSS policies, with the observation that “As storage technology evolves, these sanitization techniques need to be updated on a regular basis, so the latest version of standards (e.g., IEEE 2883) should be consulted.” 

Scope expands to include logical storage 

Rev.2 replaces the term “electronic media” with “information storage media,” an expansion that explicitly brings cloud storage and other logical storage environments within scope. The sanitization challenges posed by virtual storage differ from those posed by physical assets, making software-based erasure across the full storage environment a critical part of compliance.

Blancco’s erasure solutions cover logical storage environments as well as physical media, addressing the full scope that NIST 800-88 Rev.2 defines. 

Assurance receives additional focus 

Rev.2 introduces a clearer distinction between verification (confirming that a sanitization operation completed successfully) and validation (confirming that the target data was effectively sanitized). Both are expected as part of a compliant program. 

The updated certificate of sanitization in Rev.2 also reaffirms the importance of documenting the sanitization of each ISM. As in the 2014 update, key pieces of information that a certificate should record include manufacturer, model, serial number, sanitization method (i.e., clear, purge, destroy), sanitization technique (e.g., overwrite, block erase, or crypto erase), and more.

One change to the certificate requirements in Rev.2 is a newly included mention of “validation,” which is now assumed to be occurring after sanitization. 
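As an added illustration (not part of NIST 800-88 or of any Blancco product), the following Python checks certificate records against the points this article summarizes: the named certificate fields, the degaussing and shredding limits, and the method expected for assets leaving the organization. The field names, the `sensitivity` and `destination` fields, and the sample records are assumptions constructed for the example.

```python
# Added example: lint certificate-of-sanitization records against the rules
# this article summarizes. Field names and sample records are constructed.
REQUIRED = ("manufacturer", "model", "serial_number", "method", "technique", "validation")
METHODS = {"clear", "purge", "destroy"}


def lint_certificate(rec):
    """Return a list of findings for one certificate record (a dict)."""
    findings = [f"missing field: {f}" for f in REQUIRED if not rec.get(f)]
    method = str(rec.get("method", "")).lower()
    technique = str(rec.get("technique", "")).lower()
    sensitivity = str(rec.get("sensitivity", "")).lower()   # assumed field
    leaving = rec.get("destination") == "external"          # assumed field

    if method and method not in METHODS:
        findings.append(f"unknown method: {method}")
    # Rev.2: degaussing does not currently constitute a destroy technique.
    if method == "destroy" and "degauss" in technique:
        findings.append("degaussing recorded as destroy")
    # Shredding/pulverizing should be avoided above the lowest categories.
    if technique in {"shred", "pulverize"} and sensitivity in {"moderate", "high"}:
        findings.append(f"{technique} used for {sensitivity}-sensitivity data")
    # High-sensitivity assets leaving the organization call for destroy.
    if leaving and sensitivity == "high" and method in {"clear", "purge"}:
        findings.append("high-sensitivity asset leaving organization without destroy")
    # Clear is described only for reuse inside the organization.
    if leaving and method == "clear":
        findings.append("clear used for asset leaving organization")
    return findings


# Constructed sample records (not real assets).
SAMPLES = [
    {"manufacturer": "ExampleCo", "model": "SSD-1", "serial_number": "SN-0001",
     "method": "purge", "technique": "crypto erase", "validation": "sampled read-back",
     "sensitivity": "moderate", "destination": "internal"},
    {"manufacturer": "ExampleCo", "model": "HDD-2", "serial_number": "SN-0002",
     "method": "destroy", "technique": "degauss", "validation": "",
     "sensitivity": "high", "destination": "external"},
    {"manufacturer": "ExampleCo", "model": "HDD-3", "serial_number": "",
     "method": "clear", "technique": "overwrite", "validation": "read-back",
     "sensitivity": "high", "destination": "external"},
]

if __name__ == "__main__":
    for rec in SAMPLES:
        print(rec["model"], lint_certificate(rec) or "ok")
```

A check like this fits at the point where certificates are filed, so that a record with no validation entry or a degauss-as-destroy claim is caught before the asset leaves custody.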

Crypto erase in the spotlight   

Rev.2 also updates and consolidates its guidance on the cryptographic erase (CE) sanitization technique. The changes reflect how important CE has become to modern sanitization, particularly for cloud and virtual storage environments.

The updated guidance recommends a move from FIPS 140-2 to FIPS 140-3 for encryption and explicitly recommends that key sanitization be performed through zeroization.

Rev.2 also introduces a note of caution for long-lived sensitive data, as future advances in computing, including quantum computing, could make CE an insufficient technique in some scenarios. 

What this means for your organization 

NIST 800-88 Rev.2 is your prompt to check whether your data lifecycle governance is keeping pace with a changing world. 

While the expectation of a documented program has long been a feature of the standard, Rev.2 makes program governance an explicit organizing principle rather than a supporting chapter alongside device-specific instructions. For any organization that has focused on the mechanics of erasure without building the program around it, that reemphasis is worth taking seriously. 

For organizations that use third-party vendors, the update creates a straightforward question: Is your vendor certified to current technical best practices, such as IEEE 2883?

And if you are evaluating data sanitization providers, whether that’s a data erasure solution or an ITAD vendor, to match NIST 800-88 Rev.2 requirements, there are a few practical criteria worth applying:

NIST 800-88 remains one of the leading standards for secure data sanitization. Make sure you’re up to date with the most recent changes, and that your vendors and partners are, too.

Data Erasure Tools Built for Compliance

Blancco Drive Eraser is product-certified by ADISA for both NIST 800-88 Rev.2 and IEEE 2883 erasure.

What is NIST SP 800-88 Rev.2?

The most recent update to NIST’s media sanitization guidelines, released in 2025. Rev.2 shifts focus toward program governance, expands scope to include cloud and logical storage, and updates guidance on techniques like crypto erase and degaussing.

What is the difference between NIST 800-88 R1 and R2?

Rev.1 (2014) focused on detailed, device-specific sanitization instructions. Rev.2 removes those device-by-device appendices and instead emphasizes building a formal media sanitization program, expands scope to logical/cloud storage, updates crypto erase guidance, and downgrades degaussing as a viable technique.

What is the NIST 800-88 form?

It refers to the certificate of sanitization—a document that records key details about each sanitized asset, including manufacturer, model, serial number, sanitization method, and technique used. Rev.2 also now requires “validation” to be noted on the certificate.