Skip to main content
MAXICOM Malaysia · Since 2026 Sell IT
Home · Standards · IEEE 2883-2022
Standard · IEEE 2883

IEEE 2883-2022

IEEE Standard 2883-2022, published in 2022, is the current authoritative standard for sanitising solid-state storage — SSDs, NVMe drives, and self-encrypting drives based on NAND flash. It supersedes the older NIST SP 800-88 SSD guidance and corrects the longstanding error of treating solid-state media as if it were spinning disk. Maxicom applies IEEE 2883-2022 to every retiring SSD/NVMe drive in our pipeline; the firmware Sanitize command and its verification response are documented on every per-asset certificate.

Request a Quote Contact

Why SSDs cannot be reliably overwritten

SSDs use wear-levelling, over-provisioning, and bad-block remapping. A logical overwrite written to a particular Logical Block Address (LBA) does not necessarily overwrite the underlying flash cell — the controller may write to a fresh cell while the original retains the data. Multi-pass overwrite (DoD 5220.22-M, Gutmann) is therefore not appropriate for SSDs. The amount of "hidden" capacity in over-provisioning on enterprise SSDs is typically 7-28% of advertised capacity; data sitting in those reserved cells is invisible to logical-level overwrite. IEEE 2883-2022 was published specifically to address this.

The two Sanitize commands defined by IEEE 2883-2022

BLOCK ERASE — issues an erase to every flash cell on the drive, including over-provisioned regions. Returns the drive to factory state. Time-to-completion varies by capacity and controller: typically 30 seconds to several minutes for an enterprise SSD. The certificate captures the start and completion timestamps. CRYPTO ERASE — destroys the internal Media Encryption Key (MEK) used by the drive's self-encryption layer. Once the MEK is gone, all the encrypted ciphertext on the flash cells is unrecoverable in cryptographically-meaningful timescales (i.e. forever, for AES-256). Time-to-completion: microseconds. The certificate captures the encryption algorithm (typically AES-256-XTS for SED SSDs), the key destruction method, and the verification response.

Protocol-level Sanitize implementation

NVMe → NVMe Sanitize command (specification revision 1.3 onward). SAS SSD → SCSI Sanitize command. SATA SSD → ATA Sanitize command. Maxicom executes the protocol-appropriate command via vendor-supplied tooling (Dell, HPE, Samsung, Micron, Intel/Solidigm, Kioxia, WD, Seagate management utilities) and via vendor-neutral tooling (Parted Magic, hdparm with sanitize support, nvme-cli). The certificate names the tool used and the protocol command issued.

Verification per IEEE 2883-2022

IEEE 2883-2022 requires verification of Sanitize completion. Verification is the read-back of representative blocks confirming the original data is no longer present, plus capture of the controller-reported Sanitize status code confirming completion without errors. Maxicom captures both: the controller status response and a verification-block read-back. The certificate names both verification steps.

Where IEEE 2883-2022 fits relative to NIST 800-88 Rev. 1

NIST 800-88 Rev. 1 (2014) is the universal sanitisation framework; it directs to firmware-based methods for SSDs but predates the formal IEEE 2883 specification. IEEE 2883-2022 is the SSD-specific specification that formalises what NIST 800-88 Rev. 1 directed to. The two standards are compatible and complementary — NIST 800-88 Rev. 1 establishes the framework; IEEE 2883-2022 establishes the SSD-specific method. Maxicom certificates name both standards where applicable.

Regulator stack matrix: NIST, IEEE, NAID-grade, plus local privacy and sector regulators. Regulator stack — by region Every Maxicom certificate is admissible against the full stack simultaneously UNIVERSAL NIST SP 800-88 Rev. 1 · IEEE 2883-2022 · DoD 5220.22-M · NAID-grade Protocol 🇮🇳 INDIA INR · IST PRIVACY DPDPA 2023 BFSI RBI IT-Risk SECTOR-SPECIFIC SEBI · IRDAI · CERT-In · CPCB 🇨🇦 CANADA CAD · EST PRIVACY PIPEDA · Quebec Law 25 BFSI OSFI Guideline B-13 SECTOR-SPECIFIC PIPA (AB/BC) · PHIPA · ITSG-33 🇸🇬 SINGAPORE SGD · SGT PRIVACY PDPA Section 24 BFSI MAS TRM SECTOR-SPECIFIC IMDA · NEA Resource Sustainability Act 🇦🇪 UAE AED · GST PRIVACY UAE PDPL Article 21 BFSI Central Bank UAE SECTOR-SPECIFIC TDRA · DIFC DPL · ADGM · NESA
Reviewed by the Maxicom compliance desk. Last updated April 2026.
Operates to NIST 800-88 · PDPA Malaysia · BNM RMiT · NACSA · IEEE 2883-2022 · NAID-grade
References

مراجع موثوقة

Primary sources for the standards and frameworks referenced on this page. Maxicom maps every engagement to these recognised authorities.

Frequently asked questions

Frequently asked questions

What is the difference between Block Erase and Crypto Erase under IEEE 2883?

Block Erase issues an erase command to every flash cell — the data is physically erased. Time-to-completion: 30 seconds to several minutes. Crypto Erase destroys the Media Encryption Key — the data on flash is still there but encrypted under a destroyed key, so unrecoverable. Time-to-completion: microseconds. For drives that were operating with self-encryption enabled, both achieve the same end state; Crypto Erase is faster.

Is IEEE 2883-2022 mandatory, or just recommended?

It is the current authoritative standard for SSD sanitisation and is referenced by NIST 800-88 Rev. 1 as the firmware-based method. Most regulators in our markets accept IEEE 2883-2022 Sanitize as compliant under their SSD-specific rules. Where a contract specifies an older standard (DoD 5220 multi-pass overwrite for SSDs) we issue an exception note documenting why IEEE 2883 is being applied instead, with the data owner's acknowledgement.

Does IEEE 2883-2022 apply to memory-class devices like Optane PMem?

For Intel Optane Persistent Memory (3D XPoint based) operating in App Direct mode (data-bearing), the analogous Sanitize is via the Intel ipmctl tool. Optane PMem is not flash; technically outside IEEE 2883 scope but the principle is the same. We document on per-DIMM certificate.

What about USB flash drives and SD cards?

IEEE 2883-2022 applies in principle but consumer-grade flash storage frequently does not implement the firmware Sanitize command. For these devices NIST 800-88 Rev. 1 explicitly recommends Destroy rather than attempt Purge. Maxicom routes consumer flash to physical destruction.

How do I verify the Sanitize actually completed?

The drive controller returns a status code on Sanitize completion (NVMe: SANITIZE STATUS; SCSI: REQUEST SENSE; ATA: SANITIZE STATUS). Maxicom captures the status code on every certificate. Plus a representative-block read-back as a verification step.

What about emerging storage classes — CXL memory, computational storage drives?

IEEE 2883-2022 covers solid-state storage broadly; emerging classes are accommodated as the controller exposes Sanitize. For CSDs and CXL-attached storage we work to the device-specific firmware command set; the certificate names the device class and the sanitise method.

Explore further

Related practices, regulators & markets

Service

IT Asset Disposal (ITAD)

ITAD
Service

Data Destruction

Data destruction
Buyback

Dell Server Buyback

Dell server buyback
Buyback

HPE Server Buyback

HPE server buyback
Industry

Banking & Finance

Banking
Industry

Government & Public Sector

Government
Standard

NIST SP 800-88 Rev. 1

NIST 800-88
Standard

Certificates of Destruction

Certificates
Location

IT disposal in Kuala Lumpur

Kuala Lumpur

When you are ready

Send the asset list. We will send the number.

A photograph of the rack works. A spreadsheet works better. MYR settlement, against PO.

Sell IT — Start an RFQ — 90 seconds → Request a service WhatsApp [+60 phone TBD]
purchase@maxicomglobal.com · per engagement SLA