Understanding NIST 800-88: Clear, Purge, and Destroy Explained

With data breaches averaging US$4.4million in 2025, according to IBM’s Cost of a Data Breach Report, organizations continue to face escalating risks as storage technologies evolve and attack surfaces expand. This makes it more critical than ever to implement a watertight strategy for the safe handling and sanitization of your business’s data.

NIST SP 800-88 Revision 2 (r2), the latest update to the U.S. government’s media sanitization guidelines, introduces a modern, program-focused framework to ensure sensitive information is removed safely and consistently from information storage media (ISM) before reuse, resale, redeployment, or disposal. The updated standard, focused on enterprise program governance rather than standalone wipe actions, helps organizations meet legal, regulatory, and cybersecurity obligations while reducing the risk of residual data exposure.

It’s also business-critical to ensure that your assets are handled by a third party that adheres to a strict set of standards and has a process that ensures confidential information doesn’t reach unintended or inappropriate parties. Additional challenges to consider regarding data protection include country-specific requirements, economic viability, and your own legal requirements. NIST 800-88 is one of several sets of guidelines for the sanitization of data-bearing technology assets.

SK Tes supports organizations worldwide by delivering secure, standards-aligned media sanitization, wherever assets are located. SK Tes has been recognized by Gartner as the largest global ITAD vendor in the world, allowing us to deliver this service at unmatched levels of consistency. Contact us to discuss your requirements today.

Contents 

• What is media sanitization?
• What is NIST? 
• What is NIST 800-88? 
• What is meant by Clear, Purge, and Destroy? 
  • NIST Clear 
  • NIST Purge 
  • NIST Destroy 
• NIST 800-88 revision
  • Why were the guidelines updated? 
• Conclusion 

What is media sanitization?

Media sanitization is defined by NIST as:

“a process that renders access to target data on information storage media (ISM) infeasible for a given level of effort.”NIST SP 800-88 R2.

Under NIST SP 800-88 Revision 2 the focus shifts away from device-specific wipe techniques and toward a broader, program-driven, risk-based approach that ensures data confidentiality across all stages of the sanitization process. The new standard replaces all specific instructions with: ‘Refer to IEEE 2883 for technique selection.” Click here to find out more about the IEEE 2883-2022 data destruction standard.

Organizations generate vast amounts of data, including personal and sensitive data, standard business data (phone lists, marketing information, supplier data, etc.), confidential business data (business reports, financial and accounting documents, balance sheets, and annual financial statements), top secret business data (research and development of business enterprises), and banking information. This data may reside across a wide range of ISM types: HDDS, SSDs, flash media, mobile devices, servers, memory components, networking equipment, and even cloud or virtualized environments.  

Therefore, sanitization decisions must consider:

• What will the media be used for in the future? For example, a shredded device is permanently unusable, whereas Clear or Purge may allow reuse.

• How confidential is the data? Higher sensitivity typically requires Purge or Destroy.

• What storage medium is being sanitized? Device behaviour varies widely, particularly between magnetic and flash-based media.

NIST r2 reinforces that the security concern lies in the formation stored on the information storage media – not the device itself:

The information security concern surrounding media sanitization arises from the information stored on the ISM. Improper handling or disposal can lead to unauthorized disclosure. – NIST SP 800-88r2

What is NIST? 

The National Institute of Standards and Technology (NIST) is a physical science laboratory and a nonregulatory agency of the United States Department of Commerce. Founded in 1901, it has a long history of developing measurements, metrics, and standards that can be applied to the science and technology industries. This makes NIST the ideal institution for offering guidance on how organizations and their employees can properly handle confidential data stored on electronic devices. 

What is NIST 800-88?

NIST 800-88, also called NIST Special Publication 800-88 (NIST SP 800-88), Guidelines for Media Sanitization, is a U.S. government document providing robust methodological guidance for erasing data from storage media (media sanitization). Its objective is to ensure that any data found on storage media is irretrievable.  

Originally established for government use, NIST 800-88 guidelines are now widely adopted and recognized by governments and corporations alike as the best-in-class method for ensuring effective media sanitization.  

The NIST guidelines cover all types of storage media, including magnetic, flash-based, and other technologies, using the media sanitization techniques of Clear, Purge, and Destroy.  

Department of Defense (DoD) 5220.22

Prior to the publication of the NIST 800-88 guidelines, organizations typically used the U.S. Department of Defense (DoD) 5220m standard. This standard was originally created for the military and was later adopted by the public sector. Although it was considered a benchmark for many years and is still occasionally used worldwide, this standard has now been succeeded by NIST 800-88, as it was not designed to erase data from chip-based storage media like solid-state drives (SSDs), which are now so common. 

What is meant by Clear, Purge, and Destroy in electronic media sanitization? 

NIST uses the terms “Clear,” “Purge,” and “Destroy” as the three overarching sanitization methods. Under r2 these remain, but their definitions and expectations are updated, and the specific ‘techniques’ previously provided have been removed.

NIST Clear

Clear uses logical techniques to sanitize data found in all user-accessible storage locations, protecting against non-specialized attempts to recover data

• Level of data protection: Suitable against simple, non-invasive recovery techniques · Pros: The storage media can be reused, reducing e-waste, and many devices support some level of Clear sanitization.

• Cons: It does not address data found in hidden or inaccessible areas.

• Sustainability: Favorable outcomes, as assets can be reused (internally or externally, depending on the classification level of the overwritten data).

NIST Purge

Purge uses logical or physical processes (e.g. cryptographic erase or block erase per the guidance in the IEEE 2883 Standard) to protect against laboratory-level data recovery techniques, and is the preferred method where feasible.

• Level of data protection: Greater protection than Clear

• Pros: Supports reuse while providing robust sanitization

• Guidance: Under NIST 800-88 r2 Purge should be used instead of Clear whenever feasible

• Sustainability: Favorable outcomes, as assets can be reused, extending their lifespan.

NIST Destroy 

Destroy renders data bearing media unusable and makes data recovery infeasible. Physical destruction is still valid but must be appropriate to the ISM type, which is now defined in IEEE 2883, not NIST.

• Level of data protection: Prevents all data recovery

• Pros: It can be used when a medium is beyond overwriting methods due to its physical condition or when it contains highly confidential data.

• Cons: The media cannot be reused, may increase e-waste

• Sustainability: Limited (though materials may be recoverable through recycling)

• Important r2 update:

  • Degaussing is no longer recognized in NIST 800-88 r2 guidance

  • Shredding and pulverizing may not provide sufficient sanitization for modern information storage media such as SSDs unless particle size standards defined in IEEE 2883 are met

Download our guide below for more information and the recommended media sanitization process below. 

Download NIST 800-88 Guide

NIST Clear, Purge & Destroy compared and explained. Get access to  SK Tes recommended data sanitization process. 

Download the Guide

NIST 800-88 revision

The NIST 800-88 guidelines were originally published in 2006. The December 2014 update became NIST Special Publication 800-88 Revision 1 (NIST SP 800-88 Rev. 1) – long considered the industry gold standard.

In September 2025, NIST released Revision 2 (r2), modernizing the guidance for today’s distributed, virtual, encrypted, and cloud-enabled environments.

Why were the guidelines updated?

The Revision 2 update was driven by several factors:

• The widespread use of SSDs and non-magnetic ISM

• Increased adoption of encryption and cryptographic erase capabilities

• Growth of cloud and virtual storage environments

• Need for alignment with frameworks such as NIST SP 800-53 and ISO/IEC 27040

• A shift from device-specific instructions to a programmatic, verifiable sanitization model

• Recognition that many old techniques (e.g. degaussing) no longer apply to modern media

NIST SP 800-88r2 removes all sanitization techniques and instructs organizations to use IEEE 2883-2022 for approved sanitization processes.

Conclusion 

As NIST itself notes, improperly sanitized media can provide a rich illicit source of information. Organizations must ensure that when devices leave their control – whether for reuse, resale, or destruction – they do not jeopardize data privacy, security, or regulatory compliance.

Getting it wrong is not only financially costly but also harmful to your brand’s most important asset: its reputation.

SK Tes is also uniquely positioned to offer a full suite of services encompassing the entire lifecycle of technology assets, including managed deployment, IT asset disposition, data center decommissioning, and electronics recycling. These services are delivered through our own infrastructure and operated by our own staff, offering a secure chain of custody and peace of mind for your organization.