Summary: The NIST SP 800-88 guidelines are a set of directives from the National Institute of Standards and Technology (NIST) that act as a benchmark for enterprises to effectively sanitize storage devices and other electronic media. The article discusses the core concerns of media sanitization, NIST 800-88 best practices, and the scope of media sanitization, and it also stresses the need for media sanitization. It outlines the commonly used media sanitization methods and techniques.
The NIST SP 800-88 Guidelines for Media Sanitization, released by the National Institute of Standards and Technology (NIST), are a set of instructions for effectively sanitizing storage devices and other electronic media. Widely adhered to by the U.S. government and corporations, these guidelines act as the benchmark for enterprises to drive their 'media sanitization programs', with defined techniques and control over sanitization and disposal decisions. NIST 800-88 supports any enterprise that needs guidance on decisions about the sanitization, disposal, reuse, or migration of media and information.
“The information security concern regarding information disposal & media sanitization resides not in the media but in the recorded information. The issue of media disposal & sanitization is driven by the information placed intentionally or unintentionally on the media. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure.”
- NIST SP 800-88 Revision 1
The National Institute of Standards and Technology (NIST), which provides technical leadership for the United States' measurement and standards infrastructure, defines media sanitization as:
"The general process of removing data from storage media, such that there is reasonable assurance that data may not be easily retrieved and reconstructed."
During the transfer or disposal of storage media, it is imperative that data deleted from the media (whether residual magnetic, optical, electrical, or any other form) is not recoverable. Storage media sanitization is the process of removing data with the assurance that it cannot be retrieved or reconstructed. Media sanitization is crucial to maintaining data privacy standards and to exercising privacy controls smoothly. There have to be defined means and mechanisms to prevent sensitive information leakage across the IT asset lifecycle.
What is the Need for Media Sanitization?
As per NIST 800-88 guidelines, media sanitization is a critical element in maintaining data confidentiality. Organizations need to exercise proper control over 'confidential information' to avoid data leakage due to improper disposal of storage media or improperly wiped refurbished media. This practice is essential to protect against leakage of Personally Identifiable Information (PII), as per Section 2.3 of the NIST guidelines. Organizations are required to follow data protection laws, regulations, and mandates governing the management of PII. They may also have obligations to protect PII under their own policies, standards, or management directives. Violation of data protection laws can result in penalties or civil/criminal proceedings for organizations.
What is the Scope of Media Sanitization?
NIST 800-88 guidelines for media sanitization and data protection state that the sanitization operation is to be performed on all data stored on the media, because it may be difficult for the person sanitizing it to single out the sensitive data. Partial data sanitization is risky and is not approved under the NIST 800-88 guidelines. For flash media (SSDs, memory cards, and USB drives), the recommendation is to overwrite the data with agency-approved and certified data erasure techniques, methods, and software. Alternative data sanitization methods listed in table 5-1 of the NIST guideline include incineration, shredding, disintegration, degaussing, and pulverizing. NIST 800-88 also states that solid-state drives (SSDs) cannot be purged by degaussing, as they do not store data magnetically. Once the sanitization method, the type of media, and the environmental impact have been weighed, the remaining question is who should be the decision-maker: who determines what is to be sanitized, when, and how?
Who is Responsible For Secure Data Disposal?
The NIST 800-88 data security standard helps categorize and assign media sanitization roles and responsibilities as follows:
- The team of professionals – Chief Information Officer, Information System Owner, Information Owner, System Security Manager, Privacy Officer, & Users
- Defining information decision guidelines, as in PSUs, government organizations, and IT Asset Disposition companies (ITADs)
- Determining and categorizing security as per compliance mandates such as SOX, HIPAA, PCI DSS, EU GDPR, etc.
In the decision process for media sanitization, the confidentiality of the information plays the key role, whereas the type of media plays a secondary role. Decision-makers choose the kind of sanitization on the basis of their individual requirements. The decision on the safe disposal of leased or end-of-lifecycle IT assets is made to prevent data breach situations and to meet legal compliance requirements. Physical destruction methods are ruled out as they are not environment-friendly. Instead, media sanitization using data erasure software is preferred by decision-makers.
Control & Reuse of Media
NIST 800-88 Guidelines for media sanitization state that the IT asset should be disposed of via a process flow with appropriate roles and responsibilities, and that the organization must maintain different levels of security based on the data confidentiality level. Along with the risk-based decision to sanitize media, the organization should also consider the following:
- Consequences of information retrieval from sanitized media
- Costs involved in sanitization and its efficacy
- Risk factor for the duration for which the data remains sensitive
Media Sanitization Techniques & Methods
Commonly used media sanitization methods are data erasure, degaussing, shredding, factory resets, data deletion, reformatting, and physical destruction.
- Techniques like shredding, factory resets, data deletion, and reformatting are incomplete methods of media sanitization and can leave traces of data behind.
- Degaussing eliminates the magnetic field from the storage devices, thus rendering the data on these devices unrecoverable.
- Data erasure overwrites the media with patterns of zeroes and ones to destroy the data it holds, leaving the media usable for future use.
Media Sanitization Methods as per NIST 800-88 Guidelines
NIST guidelines specify sanitization techniques for each type of data storage media, including magnetic storage, flash memory-based media, RAM and ROM-based storage devices, etc. The table below summarizes the recommended "minimum sanitization" for different storage media types against the specific techniques (or methods):

| Media type | Clear | Purge | Destroy |
|---|---|---|---|
| Floppy Disks, Disk Drives | Overwrite using agency-approved software | Degauss in an NSA/CSS-approved degausser | |
| ATA Hard Drives, SCSI Drives | Overwrite using agency-approved software | Secure Erase, Degauss, or disassemble and degauss the enclosed platters | Incinerate, Shred, Pulverize, Disintegrate |
| Optical Discs | | | Remove information using an optical disc grinding device; Incinerate using a licensed facility; Use an optical disc media shredder |
| Flash Media (USBs, Memory Cards, SSDs) | Overwrite using agency-approved software | Secure data erasure | Incinerate, Shred, Pulverize, Disintegrate |
NIST SP 800-88 Best Practices for Media Sanitization
This section outlines the media sanitization best practices based on NIST SP 800-88 recommendations, as follows:
1. Consider the risks of partial media sanitization [Section 2.8]
Typically, organizations sanitize all the data stored on a medium, i.e., perform full sanitization. However, some situations might require only partial media sanitization. For example, adherence to modern data privacy regulations might require an organization to retain the data of its new customers while being mandated to erase the data of its churned customers. The NIST SP 800-88 guideline cautions about the potential risks of partial media sanitization due to its technical challenges and risks, such as spillover of sensitive data onto the drive's unwiped sectors.
2. Identify media sanitization needs and methods in advance [Section 4.1]
The guide states that media sanitization needs and media types should be identified before reaching the disposal phase in the IT asset management lifecycle. The type of storage media is a fundamental factor in determining the right data destruction method and the overall sanitization duration. The guide recommends taking the help of storage hardware vendors to identify the storage media, typically documented in a “statement of volatility.” However, organizations need to exercise due diligence while reading the statements considering the vendor-specific variances in the provided details.
3. Identify the data confidentiality levels [Section 4]
NIST guideline mentions “data confidentiality level” as a crucial factor in supporting effective data destruction and decision-making. Further, it recommends maintaining a mapping of the type of data, based on its confidentiality level, stored on the devices to facilitate effective and efficient media sanitization. NIST emphasizes using the procedures described in Federal Information Processing Standard (FIPS) Publication 199 to determine the data confidentiality level.
4. Determine the security categorization [Section 4.2]
Security categorization is essentially a way to classify a system's confidentiality based on the FIPS 199 definition, as applied in NIST SP 800-60 Rev. 1. Security categorization provides a crucial input to the system owner for designing a media sanitization process that meets the organization's needs and standards for data protection. NIST guidelines mention the need to revisit the security categorization, stating that "security categorization is revisited at least every three years (or when a significant change occurs within the system) and revalidated throughout the system's life."
5. Consider the media control and access aspect [Section 4.4]
The media sanitization decision is also influenced by which entity has control over the outgoing storage media. The device ownership might change or remain the same depending on the circumstances, which should be considered while choosing a sanitization method. For example, media being sent out to a service provider or AMC for maintenance and upgrade is still owned and controlled by the organization under the contract. So, the organization should consider the "chain of custody" risks and wipe the storage device before handing it over to a third party. In contrast, media that is exchanged or resold passes ownership and control to the new owner, such as a reseller. So, the organization should consider choosing a sanitization method like erasure to preserve the residual hardware value (reuse) while ensuring data destruction.
6. Verify the media sanitization and disposal process [Section 4.7]
NIST SP 800-88 guidelines recommend a stringent verification process for media sanitization. They describe two types of process verification:
a) Whenever a device is sanitized and where the method allows verification
b) Representative sample verification on a subset of the media, ideally by people who were not part of the original sanitization program
The guidelines recommend verifying the equipment, personnel, and sanitization results for failsafe assurance.
7. Maintain a certificate of media disposition [Section 4.8]
The guideline emphasizes maintaining a documented certification for every unit of sanitized electronic media, particularly those containing sensitive and confidential data. It categorically mentions the importance of automatic documentation for facilitating access to the certifications (audit trails) for physical media. As per NIST media sanitization guidelines, the certificate should include hardware and process details such as Manufacturer, Model, Serial Number, Media Type, Source, Sanitization Method, Tool Used and Version, Verification Details, etc.
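The following is an added example, not code from NIST or from any vendor tool, showing how an ITAD or compliance team might check a certificate of media disposition against the points above: the required fields from item 7, the accepted methods per media type from the table (including the rule that SSDs cannot be degaussed), and the independent representative-sample verification from item 6. The media-type keys, method names, and the every-n-th sampling rule are this example's own assumptions.

```python
from dataclasses import dataclass

# Fields the article lists for a certificate of media disposition (item 7).
REQUIRED_FIELDS = ("manufacturer", "model", "serial_number", "media_type", "source",
                   "sanitization_method", "tool_used", "tool_version", "verification")

# Methods this example accepts per media type, taken from the table above and the
# note that SSDs cannot be degaussed. Media keys and method names are assumptions.
ACCEPTED_METHODS = {
    "floppy": {"overwrite", "degauss"},
    "hdd": {"overwrite", "secure_erase", "degauss", "destroy"},
    "flash": {"overwrite", "secure_erase", "destroy"},  # no degauss: no magnetic field
}

@dataclass
class SanitizationRecord:
    fields: dict        # certificate fields, keyed by the names in REQUIRED_FIELDS
    operator: str       # person who performed the sanitization
    verifier: str = ""  # person who verified the result; empty means unverified

def record_problems(rec: SanitizationRecord) -> list:
    """Return every reason the certificate would fail an audit; [] means it passes."""
    problems = [f"missing field: {f}" for f in REQUIRED_FIELDS if not rec.fields.get(f)]
    media = rec.fields.get("media_type")
    method = rec.fields.get("sanitization_method")
    if media not in ACCEPTED_METHODS:
        problems.append(f"unknown media type: {media!r}")
    elif method not in ACCEPTED_METHODS[media]:
        problems.append(f"{method!r} is not an accepted method for {media!r}")
    if not rec.verifier:
        problems.append("no verification recorded")
    return problems

def non_independent_in_sample(records: list, every_n: int = 5) -> list:
    """Select every n-th record as the representative sample (item 6b) and return
    those whose verifier is the same person who ran the sanitization."""
    return [r for r in records[::every_n] if r.verifier and r.verifier == r.operator]

def make_record(operator="alice", verifier="bob", **overrides) -> SanitizationRecord:
    """Constructed sample certificate; all hardware and tool values are made up."""
    fields = {"manufacturer": "ExampleCorp", "model": "X1", "serial_number": "SN-000001",
              "media_type": "flash", "source": "laptop pool",
              "sanitization_method": "secure_erase", "tool_used": "erase-tool",
              "tool_version": "1.0", "verification": "full read-back"}
    fields.update(overrides)
    return SanitizationRecord(fields, operator, verifier)

if __name__ == "__main__":
    print(record_problems(make_record()))
    print(record_problems(make_record(verifier="", sanitization_method="degauss")))
```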
Prominent Concerns of NIST 800-88: Environmental, Confidentiality, and Compliance
NIST 800-88 guidelines define the processes that guide organizations to keep adequate control over the information they possess and to safeguard it through proper disposal of used and retired media. Though various techniques are employed to sanitize media, the two factors NIST 800-88 emphasizes most are data confidentiality and environmental impact. Data sanitization techniques based on asset destruction are costly, generate massive e-waste, and are not suitable for all storage media types. In contrast, data erasure software guarantees media sanitization across all IT assets, including HDDs, SSDs, servers, and more, and also retains the hardware for refurbished use.