Standards | February 2026 | 9 min read

NIST 800-88 Got Updated and Nobody Told You

The 2025 revision, explained for people who'd rather test hardware than read standards.

If you're reading this, there's a reasonable chance that your data sanitisation process is based on a version of NIST 800-88 that was written when most laptops still had spinning hard drives. That's not an insult — it's a statement about how fast storage technology moves and how slowly compliance processes update.

The 2025 revision to NIST SP 800-88 (Guidelines for Media Sanitization) didn't change the fundamental framework. Clear, Purge, and Destroy are still the three categories. The hierarchy is the same. The logic is the same. What changed is the detail — and in compliance, the detail is where you either pass or fail.

What Actually Changed

Modern storage media guidance: The original standard was written for HDDs. The revision acknowledges that SSDs, NVMe drives, embedded storage, and controller-based architectures don't respond to the same sanitisation methods. An SSD that's been "overwritten" using HDD techniques may still retain data in over-provisioned cells. The revision addresses this explicitly.

Verification requirements: "We wiped it" is not enough. The revision strengthens the expectation that sanitisation is verified — that after the purge or clear operation completes, a verification step confirms the data is actually gone. This sounds obvious. In practice, many operations skip verification because the erasure software says "complete" and everyone assumes that means "verified." It doesn't. Completion and verification are different steps.

Per-media documentation: The emphasis on per-device documentation has been refined to per-media documentation. A device with two storage devices needs two sanitisation records. This aligns with IEEE 2883-2022 and addresses the "laptop with two SSDs" problem that many operations haven't solved (see: earlier article, uncomfortable silences).

Audit trail requirements: The revision places greater emphasis on auditability. Verifiable logs, automation, documented controls. The expectation is that you can demonstrate not just that sanitisation happened, but that it happened according to your defined process, by an authorised person, using an approved method, with verified results.
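The three points above (verify after the purge, one record per storage medium, an auditable trail) can be tied together in a small read-back verifier. This is an added example written for this article, not code from NIST, IEEE or any erasure product; the serials, asset ids and image files are constructed, and the "sanitize log" caveat in the comments is the point the revision makes about over-provisioned cells.

```python
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK = 4096

def verify_sanitised(path, samples=64, fills=(b"\x00", b"\xff"), seed=0):
    """Read-back check of a sanitised device or image file.
    Reads the first block, the last block and `samples` random blocks and
    accepts a block only if every byte is one fill value (all 0x00 or all
    0xFF, the usual read-back after a purge). Returns (ok, bad_offsets).
    Caveat: the host only sees exported LBAs; over-provisioned cells are
    not reachable this way, so pair this with the drive's own sanitize log."""
    patterns = {b * BLOCK for b in fills}
    bad = []
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        nblocks = f.tell() // BLOCK            # also works on block devices
        rng = random.Random(seed)
        offsets = {0, (nblocks - 1) * BLOCK}   # always check both ends
        offsets.update(rng.randrange(nblocks) * BLOCK for _ in range(samples))
        for off in sorted(offsets):
            f.seek(off)
            if f.read(BLOCK) not in patterns:
                bad.append(off)
    return not bad, bad

def sanitisation_record(media_serial, host_asset, method, operator, ok, bad):
    """One record per storage medium (not per machine): method, operator,
    completion and the independent verification result for the audit trail."""
    return {"media_serial": media_serial, "host_asset": host_asset,
            "method": method, "operator": operator,
            "completed": True, "verified": ok,
            "verification": {"technique": "read-back sampling",
                             "nonconforming_offsets": bad},
            "timestamp": datetime.now(timezone.utc).isoformat()}

def make_image(nblocks=256, residual_block=None):
    """Constructed test image: zero-filled, optionally with leftover data in
    one block to simulate an overwrite that reported 'complete' but was not."""
    fd, path = tempfile.mkstemp(suffix=".img")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * BLOCK * nblocks)
        if residual_block is not None:
            f.seek(residual_block * BLOCK)
            f.write(b"customer-record-fragment")
    return path

if __name__ == "__main__":
    for serial, path in (("SN-CLEAN-0001", make_image()),
                         ("SN-DIRTY-0002", make_image(residual_block=255))):
        ok, bad = verify_sanitised(path)
        print(sanitisation_record(serial, "ASSET-42", "nvme-sanitize", "tech01", ok, bad))
```

Run against a real device the same function reads `/dev/nvmeXnY` directly; the record for the second constructed image shows `verified: False` even though the erasure step itself "completed".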

The 2025 NIST revision doesn't change what you should be doing. It changes what you have to prove you're doing. And for many operations, that's a bigger shift than it sounds.

IEEE 2883-2022: The Standard Nobody Talks About

While everyone is focused on NIST 800-88, there's a companion standard that deserves attention: IEEE 2883-2022 (Standard for Sanitizing Storage). This standard refines and extends the NIST model specifically for modern storage devices.

What IEEE 2883 adds:

Technology-specific methods. NIST gives you categories (Clear, Purge, Destroy). IEEE 2883 gives you specific methods for specific media types. NVMe drives get their own sanitisation commands. SATA SSDs get theirs. Embedded storage gets separate treatment. The days of "one method fits all" are over.

Manufacturer-supported commands. The standard emphasises using the storage device's own sanitisation commands rather than software-based overwrite methods. For NVMe drives, this means using the Format NVM or Sanitize command rather than writing zeros. This is important because software-based methods can miss over-provisioned areas that the drive's firmware knows about but the host system doesn't.

Sustainable outcomes. IEEE 2883 explicitly encourages reuse and recycling when consistent with security requirements. Destroy is the last resort, not the default. This aligns with the circular economy push in ITAD and means that properly purged devices can re-enter the market with confidence.

What This Means for Your Process

If your sanitisation process looks like "run the erasure software, check the box, move on," you have gaps. Not necessarily big ones. But the kind that show up in audits and cost time to remediate.

Start with the basics. Can you answer these questions for every data-bearing device you process?

What sanitisation method was used?
Was it appropriate for the media type?
Was the result verified independently?
Is the verification documented?
Can you trace it per storage device, not just per machine?
Is the process documented and auditable?
Is the person who performed it trained and authorised?

If you answered "yes" to all of them with confidence, you're ahead of the curve. If you answered "probably" or "I think so" to any of them, the 2025 revision just moved the bar to where your current process has cracks.


NIST 800-88 got updated. IEEE 2883 exists. The standards are catching up to the technology. The question is whether your process is catching up to the standards. Because your auditor is definitely reading the new revision. Probably has been since it was published. And they have questions.
