NIST SP 800-88 Guidelines for Media Sanitization

Written by Abhishek Jain
Updated on July 22, 2022
3 min read

The NIST SP 800-88 Guidelines for Media Sanitization, published by the National Institute of Standards and Technology (NIST), are a set of recommendations for sanitizing storage devices and other electronic media so that the data they held cannot be recovered. Widely followed by the U.S. federal government and by private organizations, the guidelines serve as the benchmark for enterprise media sanitization programs, with defined techniques and a structured approach to sanitization and disposal decisions. NIST SP 800-88 supports any organization that needs to decide how to sanitize, dispose of, reuse or migrate media and the information stored on it.

“The information security concern regarding information disposal & media sanitization resides not in the media but in the recorded information. The issue of media disposal & sanitization is driven by the information placed intentionally or unintentionally on the media. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure.”
-NIST SP 800-88 Revision 1

In this article, we explore the NIST SP 800-88 guidelines, explain the core concerns behind media sanitization, and summarize the NIST SP 800-88 best practices.

The National Institute of Standards and Technology (NIST), which provides technical leadership for the United States' measurement and standards infrastructure, defines media sanitization as:

"The general process of removing data from storage media, such that there is reasonable assurance that data may not be easily retrieved and reconstructed."

When storage media is transferred or disposed of, it is imperative that the data it held (whether as residual magnetic, optical, electrical or other traces) is not recoverable. Media sanitization is the process of removing that data with assurance that it cannot be retrieved or reconstructed. It is essential for upholding data privacy standards and for exercising privacy controls, and it requires defined mechanisms to prevent sensitive information from leaking at every stage of the IT asset lifecycle.

What is the Need for Media Sanitization?

NIST SP 800-88 treats media sanitization as a critical element of maintaining data confidentiality. Organizations need to control confidential information so that it does not leak through improperly disposed storage media or through refurbished media that was never properly wiped. The guidelines (Section 2.3, as referenced by the article) single out Personally Identifiable Information (PII) as a category that requires this protection. Organizations are required to follow the data protection laws, regulations and mandates that govern the handling of PII, and may have further obligations under their own policies, standards or management directives. Violating data protection laws can result in penalties or in civil or criminal proceedings.

What is the Scope of Media Sanitization?

NIST SP 800-88 states that sanitization should be applied to all of the data stored on the media, because the person performing the sanitization usually cannot reliably tell which data is sensitive. Partial sanitization is treated as a risky practice and is not endorsed by the guidelines. For flash-based media such as SSDs, memory cards and USB drives, the recommended Clear method is to overwrite the data with organization-approved and validated erasure software. Note, however, that an overwrite only counts as a Clear on flash media: wear-levelling and over-provisioned blocks can hold copies of data that host-side writes never reach, so a Purge of flash media has to rely on the device's own sanitize or secure-erase commands, or on cryptographic erase. Other sanitization methods listed in the guidelines (Table 5-1) include incineration, shredding, disintegration, degaussing and pulverizing. The guidelines also state that solid-state drives cannot be purged by degaussing, since they do not store data magnetically. Once the sanitization method has been chosen on the basis of the media type and environmental considerations, the next question is who the decision-maker should be: who determines what is sanitized, when, and how?

Who is Responsible For Secure Data Disposal?

NIST SP 800-88 helps organizations categorize and assign media sanitization roles and responsibilities along the following lines:

  1. The team of professionals involved: Chief Information Officer, Information System Owner, Information Owner, System Security Manager, Privacy Officer and Users
  2. Information disposition decision guidelines, as used by public sector enterprises, government organizations and IT Asset Disposition companies (ITADs)
  3. Security categorization in line with the applicable compliance regimes, such as SOX, HIPAA, PCI DSS and the EU GDPR

In the sanitization decision, the confidentiality of the information plays the primary role; the type of media plays a secondary role. Decision-makers choose the kind of sanitization on the basis of their specific requirements. The decision about safe disposal of leased or end-of-life IT assets is made to prevent data breaches and to meet legal obligations. Physical destruction is costly, generates e-waste and forfeits the reuse value of the hardware, so where the media can be sanitized in place, decision-makers generally prefer software-based data erasure and reserve destruction for cases where the required assurance cannot be achieved otherwise.

Control & Reuse of Media

NIST SP 800-88 states that IT assets should be disposed of through a defined process flow with appropriate roles and responsibilities, and that the organization must maintain different levels of protection according to the confidentiality level of the data. Alongside the risk-based decision on how to sanitize the media, the organization should also consider the following:

  •  The consequences if information were retrieved from the sanitized media
  •  The cost of sanitization and how effective the chosen method is
  •  How long the data remains sensitive

Media Sanitization Techniques & Methods

Commonly used media sanitization methods are data erasure (overwriting), degaussing, shredding, factory resets, data deletion, reformatting and physical destruction.

  • Factory resets, file deletion and reformatting are incomplete methods of sanitization: they remove references to the data rather than the data itself, and leave recoverable traces behind.
  • Degaussing exposes magnetic media to a strong magnetic field that scrambles the recorded data, rendering it unrecoverable. It applies only to magnetic media, and on modern hard drives it also destroys the servo tracks, so the drive cannot be reused afterwards.
  • Data erasure overwrites the media with patterns of zeroes, ones or pseudo-random data to destroy the stored data while keeping the media usable for reuse.

Media Sanitization Methods as per NIST 800-88 Guidelines

NIST SP 800-88 specifies sanitization techniques per type of storage media, including magnetic media, flash memory-based media, RAM- and ROM-based devices and others. The table below summarizes the recommended minimum sanitization for common media types against the three sanitization categories (Clear, Purge and Destroy); Appendix A of Revision 1 gives the full per-media-type detail.

| Media Type | Clear | Purge | Destroy |
|---|---|---|---|
| Floppy disks, magnetic disk drives | Overwrite using agency-approved software | Degauss in an NSA/CSS-approved degausser | Incinerate, shred |
| ATA hard drives, SCSI drives | Overwrite using agency-approved software | Secure Erase, degauss, or disassemble and degauss the enclosed platters | Incinerate, shred, pulverize, disintegrate |
| CDs/DVDs | N/A | N/A | Remove information using an optical disc grinding device; incinerate in a licensed facility; use an optical disc media shredder |
| Flash media (USB drives, memory cards, SSDs) | Overwrite using agency-approved software | Secure data erasure via the device's sanitize or secure-erase commands, or cryptographic erase (not a host-side overwrite) | Incinerate, shred, pulverize, disintegrate |


NIST SP 800-88 Best Practices for Media Sanitization

This section outlines the media sanitization best practices based on NIST SP 800-88 recommendations, as follows:

1. Consider the risks of partial media sanitization [Section 2.8]

Typically, organizations sanitize all of the data stored on a medium, i.e., they perform full sanitization. Some situations, however, call for partial sanitization; for example, a data privacy regulation might require an organization to erase the records of churned customers while retaining those of its current customers. NIST SP 800-88 cautions about the risks of partial sanitization: it is technically difficult, and sensitive data can persist in copies, caches or unwiped sectors of the drive that the targeted erasure never touched.

2. Identify media sanitization needs and methods in advance [Section 4.1]

The guide states that sanitization needs and media types should be identified well before the disposal phase of the IT asset lifecycle. The type of storage media is a fundamental factor in choosing the right sanitization method and in estimating how long sanitization will take. The guide recommends using the storage hardware vendor's documentation, typically a "statement of volatility", to identify what the device contains; organizations should still read such statements carefully, since the level of detail varies from vendor to vendor.

3. Identify the data confidentiality levels [Section 4]

The guideline names the "data confidentiality level" as a crucial input to effective sanitization decisions. It recommends maintaining a mapping of the types of data stored on devices, by confidentiality level, so that sanitization can be both effective and efficient. NIST points to the procedures in Federal Information Processing Standard (FIPS) Publication 199 for determining the confidentiality level.

4. Determine the security categorization [Section 4.2]

Security categorization is the process of classifying a system's impact level, for confidentiality in particular, using the FIPS 199 definitions, with NIST SP 800-60 Rev. 1 providing guidance on mapping information types to those levels. The categorization is a crucial input for the system owner when designing a media sanitization process that meets the organization's data protection needs and standards. NIST notes that the categorization must be kept current, stating that "security categorization is revisited at least every three years (or when a significant change occurs within the system) and revalidated throughout the system's life."

5. Consider the media control and access aspect [Section 4.4]

The sanitization decision is also influenced by which entity has control over the outgoing storage media. Depending on the circumstances, ownership of the device may change or stay the same, and that should be taken into account when choosing a sanitization method. For example, media sent to a service provider or maintenance contractor for repair or upgrade is still owned and controlled by the organization under the contract, but it leaves the organization's physical custody; the organization should therefore consider the chain-of-custody risk and wipe the device before handing it to the third party. In contrast, media that is exchanged or resold passes into the ownership and control of the new owner, such as a reseller. In that case the organization should choose a method, such as software-based erasure, that preserves the residual hardware value for reuse while still ensuring the data is destroyed.

6. Verify the media sanitization and disposal process [Section 4.7]

NIST SP 800-88 recommends a rigorous verification process for media sanitization. It describes two levels of verification of the results:

a) Full verification after every sanitization, wherever the method allows it (for an overwrite, this means reading the media back and confirming that the expected pattern is present in every sector)

b) Representative-sample verification on a subset of the media, ideally performed by people who were not part of the original sanitization work

The guidelines also call for verifying the sanitization equipment itself and the competence of the personnel, not only the results, so that the overall assurance does not rest on a single control.
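The two result-verification modes above, as an added example that is not BitRaser's or NIST's code. A bytearray stands in for the drive so the script runs offline; on a real system the same checks would read from the block device. The 512-byte sector size, the image size, the embedded sample "secret" and the deliberately skipped sector are all constructed for the demonstration.

```python
"""Verification of an overwrite-based sanitization: full read-back and sampling.

Added illustrative example, not vendor or NIST code. A bytearray models the
drive; sector size, image size, the sample secret and the faulty sector are
assumptions made for the demo.
"""
import random

SECTOR = 512  # assumed logical sector size


def build_image(n_sectors: int, secret: bytes, secret_sector: int, seed: int = 1) -> bytearray:
    """Constructed 'used drive': pseudo-random contents with a known secret at one sector."""
    rng = random.Random(seed)
    image = bytearray(rng.getrandbits(8) for _ in range(n_sectors * SECTOR))
    start = secret_sector * SECTOR
    image[start:start + len(secret)] = secret
    return image


def overwrite_pass(image: bytearray, pattern: int = 0x00, skip_sectors=frozenset()) -> bytearray:
    """One overwrite pass. `skip_sectors` models sectors the tool failed to write
    (a bad block, an unreported I/O error, or a partial sanitization)."""
    out = bytearray(image)
    fill = bytes([pattern]) * SECTOR
    for s in range(len(out) // SECTOR):
        if s not in skip_sectors:
            out[s * SECTOR:(s + 1) * SECTOR] = fill
    return out


def _residual_sectors(image: bytes, sectors, pattern: int) -> list:
    """Return the indexes among `sectors` whose contents differ from `pattern`."""
    expected = bytes([pattern]) * SECTOR
    bad = []
    for s in sectors:
        chunk = image[s * SECTOR:(s + 1) * SECTOR]
        if chunk != expected[:len(chunk)]:
            bad.append(s)
    return bad


def full_verify(image: bytes, pattern: int = 0x00) -> list:
    """Full verification (after every sanitization where the method allows it):
    read back every sector and return those that do not hold `pattern`."""
    n = (len(image) + SECTOR - 1) // SECTOR
    return _residual_sectors(image, range(n), pattern)


def sample_verify(image: bytes, samples: int, pattern: int = 0x00, seed=None) -> tuple:
    """Representative-sample verification: check a random subset of sectors.
    Returns (number_checked, residual_sector_indexes). A small sample can miss a
    single bad sector, which is why full verification is preferred where possible."""
    n = (len(image) + SECTOR - 1) // SECTOR
    rng = random.Random(seed)
    picked = sorted(rng.sample(range(n), min(samples, n)))
    return len(picked), _residual_sectors(image, picked, pattern)


if __name__ == "__main__":
    secret = b"ACCT 4111-1111-1111-1111 EXP 12/29"  # constructed sample PII
    drive = build_image(1024, secret, secret_sector=37)
    partial = overwrite_pass(drive, skip_sectors={37})  # tool silently missed one sector
    print("full verify after faulty pass:", full_verify(partial))  # [37]
    print("32-sector sample, seed 7:", sample_verify(partial, 32, seed=7))
    clean = overwrite_pass(drive)
    print("full verify after good pass:", full_verify(clean))  # []
```

Run the script and compare the two verifications of the faulty pass: the full read-back always reports sector 37, while a 32-of-1024 sample usually reports nothing. That gap is the reason the guideline pairs sampling with independent personnel and reserves it for cases where a full read-back is impractical.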

7. Maintain a certificate of media disposition [Section 4.8]

The guideline emphasizes keeping a documented certificate for every unit of sanitized media, particularly media that held sensitive or confidential data, and notes the value of automatic documentation in making those records (the audit trail) readily available. According to the guidelines, the certificate should record hardware and process details such as manufacturer, model, serial number, media type and source, sanitization method, the tool used and its version, verification details, and the name, signature and date of the person who performed the sanitization.
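A minimal tamper-evident certificate record built from the fields just listed, as an added example that is not BitRaser's report format or NIST's code. The field names, the HMAC key, the sample drive details and the technician name are all constructed for the demo; in production the key would be held by the erasure server in an HSM or key management service.

```python
"""Certificate of media disposition with a keyed integrity check.

Added example (not a vendor report format or NIST code). Field names follow
the items NIST SP 800-88 Rev. 1 Section 4.8 asks a record to carry; the key,
drive details and signer are constructed for the demonstration.
"""
import hashlib
import hmac
import json

SANITIZATION_TYPES = ("Clear", "Purge", "Destroy")

REQUIRED_FIELDS = (
    "manufacturer", "model", "serial_number", "media_type", "media_source",
    "sanitization_type", "method", "tool", "tool_version",
    "verification_method", "performed_by", "date",
)


def build_certificate(**fields) -> dict:
    """Check that every required field is present and that the sanitization
    type is one of Clear/Purge/Destroy; return the record as a plain dict."""
    missing = [f for f in REQUIRED_FIELDS if f not in fields]
    if missing:
        raise ValueError(f"missing certificate fields: {missing}")
    if fields["sanitization_type"] not in SANITIZATION_TYPES:
        raise ValueError(f"sanitization_type must be one of {SANITIZATION_TYPES}")
    return dict(fields)


def canonical_bytes(cert: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes
    regardless of key order or whitespace."""
    return json.dumps(cert, sort_keys=True, separators=(",", ":"), ensure_ascii=True).encode()


def sign_certificate(cert: dict, key: bytes) -> dict:
    """Attach an HMAC-SHA256 tag computed over the canonical form of the record."""
    tag = hmac.new(key, canonical_bytes(cert), hashlib.sha256).hexdigest()
    return {"certificate": cert, "hmac_sha256": tag}


def verify_certificate(signed: dict, key: bytes) -> bool:
    """Recompute the tag and compare in constant time. Any edit to the record
    (a changed serial number, a 'Clear' upgraded to 'Purge') fails the check."""
    expected = hmac.new(key, canonical_bytes(signed["certificate"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed.get("hmac_sha256", ""))


# Constructed sample data for the demo.
DEMO_KEY = b"demo-only-key-replace-with-managed-secret"
DEMO_FIELDS = dict(
    manufacturer="ExampleDisk", model="ED-2000", serial_number="S1234567",
    media_type="ATA HDD", media_source="Laptop asset 00421",
    sanitization_type="Clear", method="Single-pass overwrite, zeros",
    tool="example-eraser", tool_version="1.0", verification_method="Full read-back",
    performed_by="A. Technician", date="2022-07-22",
)


def demo() -> tuple:
    """Sign a record, then show that a tampered copy fails. Returns (ok_original, ok_tampered)."""
    signed = sign_certificate(build_certificate(**DEMO_FIELDS), DEMO_KEY)
    tampered = json.loads(json.dumps(signed))  # deep copy
    tampered["certificate"]["sanitization_type"] = "Purge"
    return verify_certificate(signed, DEMO_KEY), verify_certificate(tampered, DEMO_KEY)


if __name__ == "__main__":
    print(demo())  # (True, False)
```

An HMAC proves integrity only to a party that holds the key, which suits an internal audit trail. For certificates that customers or external auditors must check on their own, sign the same canonical bytes with an asymmetric key (for example Ed25519 or RSA) so the verifier needs only the public key.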

Conclusion:

Prominent Concern of NIST 800-88: Environmental, Confidentiality, and Compliance

NIST SP 800-88 defines the processes that give organizations adequate control over the information they hold and safeguard it through proper disposal of used and retired media. Although many techniques can be used to sanitize media, two factors the guidelines emphasize are data confidentiality and environmental impact. Sanitization by physical destruction is costly, generates large amounts of e-waste and is not suitable for every media type. In contrast, software-based data erasure sanitizes HDDs, SSDs, servers and other IT assets while preserving the hardware for reuse, provided the method chosen matches the media (an overwrite for magnetic disks, the device's own sanitize or cryptographic erase for flash) and the result is verified.

FAQs

What is the NIST 800-88 standard?
The NIST SP 800-88 standard is a set of guidelines for sanitizing storage devices and other electronic media so that the data they held cannot be recovered. It is published by the National Institute of Standards and Technology (NIST).
What is the Need for Media Sanitization?
Media sanitization is a critical element in maintaining data confidentiality. Organizations are required to perform media sanitization in order to adhere to data protection laws, regulations, and mandates governing the management of PII to avoid data leakage.
What are the media sanitization methods prescribed by NIST?
NIST defines three sanitization categories, Clear, Purge and Destroy, and recommends the appropriate technique for each category based on the media type.
What are the best practices for media sanitization?
The media sanitization best practices based on NIST SP 800-88 recommendations are as follows:
  • Consider the risks of partial media sanitization
  • Identify media sanitization needs and methods in advance
  • Identify the data confidentiality levels
  • Determine the security categorization
  • Consider the media control and access aspect
  • Verify the media sanitization and disposal process
  • Maintain a certificate of media disposition
As per NIST, who is responsible for secure data disposal in any organization?
NIST recommends defining roles and responsibilities for secure data disposal in every organization. The Chief Information Officer, Information System Owner, Information Owner, System Security Manager, Privacy Officer and Users all share responsibility for secure data disposal at their respective levels.

BitRaser® & Stellar Data Recovery are Registered Trademarks of Stellar Information Technology Pvt. Ltd. © Copyright 2023 Stellar Information Technology Pvt. Ltd. All Trademarks Acknowledged.
