NIST SP 800-88 Rev. 1

The three sanitisation levels

CLEAR — applies logical techniques (typically a single-pass overwrite of all addressable storage locations) to defeat keyboard- and software-recovery attacks. Acceptable for low-classification data being redeployed within the same security boundary. Limitations: does not defeat laboratory-level recovery; not appropriate for SSDs with over-provisioned cells. PURGE — applies physical or logical techniques that defeat state-of-the-art laboratory attacks. For HDDs, this is multi-pass firmware-verified overwrite with cryptographic verification. For SSDs and NVMe, Purge is achieved via the IEEE 2883 firmware Sanitize command (Block Erase or Crypto Erase). For self-encrypting drives, Cryptographic Erase qualifies. Purge is the default level for retired enterprise media being remarketed under Reuse-First. DESTROY — physically destroys the storage medium so that data recovery is technically impossible. Methods: shredding to 6mm / 2mm / 0.5mm particle size, disintegration, incineration (where licensed), pulverisation. Reserved for top-classified data, non-functional media that cannot be Purged, encryption key stores, and where the data owner or regulator mandates it.

Method-by-media decision matrix

HDD (working) → Purge via multi-pass overwrite, firmware-verified, cryptographic verification. HDD (top-classified or non-functional) → Destroy via 6mm or 2mm shred. SSD/NVMe (working) → Purge via IEEE 2883-2022 firmware Sanitize (Block Erase or Crypto Erase). SSD/NVMe (top-classified or failed) → Destroy via 0.5mm disintegration or 2mm shred. Self-encrypting drive (SED) → Purge via Cryptographic Erase (key destruction). LTO/DLT magnetic tape → Purge via degaussing at ≥1.4 Tesla, then physical deformation. Optical media → Destroy via shredding or pulverisation (degaussing is not effective). Smartphone/tablet → Cryptographic Erase via factory reset on hardware-encrypted devices. AI accelerator on-board memory → Cryptographic Erase via management software stack. USB flash, SD card → Destroy (NIST notes consumer flash cannot be reliably Purged).

Verification — the often-missed requirement

NIST 800-88 Rev. 1 requires verification of sanitisation, not just execution. Verification is the post-sanitisation step that confirms the method achieved the intended outcome — for Purge, this is typically a read-back of representative storage locations confirming the original data is no longer present; for Destroy, it is photographic and documentary evidence of the residual particle size or post-degauss state. Maxicom captures verification responses on every per-asset certificate. Vendors that skip verification produce certificates that fail audit on the verification field.

How the Maxicom certificate maps to NIST 800-88 Rev. 1

Per asset, the certificate names: (1) the sanitisation level applied (Clear / Purge / Destroy); (2) the specific technique within that level (multi-pass overwrite / IEEE 2883 Sanitize / 6mm shred / etc.); (3) the tool name and version (or the standard the operator followed); (4) the verification step performed; (5) the operator name and ID; (6) the UTC timestamp; (7) the witness signature where applicable. This structure is admissible against NIST 800-88 Rev. 1 audit in every market we serve.

Where NIST 800-88 Rev. 1 sits relative to other standards

Above DoD 5220.22-M (which NIST superseded for civilian use in 2006) — though DoD 5220 remains contractually required in some U.S. federal procurement. Above the older NIST SP 800-88 (2006 original) — Revision 1 (2014) clarified the SSD guidance and is the version auditors expect today. Compatible with — and referenced by — IEEE 2883-2022 (which extends the SSD-specific guidance). Compatible with NAID-grade Protocol for the operational-discipline layer. Mapped against ISO/IEC 27040 (storage security) for international parity.