1.1 Purpose and Scope
The information security concern regarding information disposal and media sanitization resides not in the media but in the recorded information. The issue of media disposal and sanitization is driven by the information placed intentionally or unintentionally on the media. Electronic media used on a system should be assumed to contain information commensurate with the security categorization of the system’s confidentiality. If not handled properly, release of these media could lead to an occurrence of unauthorized disclosure of information. Categorization of an information technology (IT) system in accordance with Federal Information Processing Standard
(FIPS) 199, Standards for Security Categorization of Federal Information and Information
Systems1
, is the critical first step in understanding and managing system information and media.
Based on the results of categorization, the system owner should refer to NIST Special
Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information
Systems and Organizations2
, which specifies that “the organization sanitizes information system digital media using approved equipment, techniques, and procedures. The organization tracks, documents, and verifies media sanitization and destruction actions and periodically tests sanitization equipment/procedures to ensure correct performance. The organization sanitizes or destroys information system digital media before its disposal or release for reuse outside the organization, to prevent unauthorized individuals from gaining access to and using the information contained on the media.”
This document will assist organizations in implementing a media sanitization program with proper and applicable techniques and controls for sanitization and disposal decisions, considering the security categorization of the associated system’s confidentiality.
The objective of this special publication is to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information.
The information in this guide is best applied in the context of current technology and applications. It also provides guidance for information disposition, sanitization, and control decisions to be made throughout the system life cycle. Forms of media exist that are not addressed by this guide, and media are yet to be developed and deployed that are not covered by this guide. In those cases, the intent of this guide outlined in the procedures section applies to all forms of media based on the evaluated security categorization of the system’s confidentiality according to FIPS 199.
1 Federal Information Processing Standards (FIPS) Publication 199 Standards for Security Categorization of Federal
Information and Information Systems, February 2004, 13 pp. http://csrc.nist.gov/publications/PubsFIPS.html#199.
2 NIST Special Publication (SP) 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and
Organizations, April 2013 (includes updates as of January 15, 2014), 460 pp. http://dx.doi.org/10.6028/NIST.SP.800-53r4.
1

NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
Before any media are sanitized, system owners are strongly advised to consult with designated officials with privacy responsibilities (e.g., Privacy Officers), Freedom of Information Act
(FOIA) officers, and the local records retention office. This consultation is to ensure compliance with record retention regulations and requirements in the Federal Records Act. In addition, organizational management should also be consulted to ensure that historical information is captured and maintained where required by business needs. This should be ongoing, as controls may have to be adjusted as the system and its environment changes.
1.2 Audience
Protecting the confidentiality of information should be a concern for everyone, from federal agencies and businesses to home users. Recognizing that interconnections and information exchange are critical in the delivery of government services, this guide can be used to assist in deciding what processes to use for sanitization or disposal.
1.3 Assumptions
The premise of this guide is that organizations are able to correctly identify the appropriate information categories, confidentiality impact levels, and location of the information. Ideally, this activity is accomplished in the earliest phase of the system life cycle.3 This critical initial step is outside the scope of this document, but without this identification, the organization will, in all likelihood, lose control of some media containing sensitive information.
This guide does not claim to cover all possible media that an organization could use to store information, nor does it attempt to forecast the future media that may be developed during the effective life of this guide. Users are expected to make sanitization and disposal decisions based on the security categorization of the information contained on the media.
1.4 Relationship to Other NIST Documents
The following NIST documents, including FIPS and Special Publications, are directly related to this document:
 FIPS 199 and NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and
Information Systems to Security Categories4
, provide guidance for establishing the security categorization for a system’s confidentiality. This categorization will impact the level of assurance an organization should require in making sanitization decisions.
3 NIST SP 800-64 Revision 2, Security Considerations in the Systems Development Life Cycle, October 2008, 67 pp. http://csrc.nist.gov/publications/PubsSPs.html#800-64. 4 NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories,
August 2008, 2 vols. http://csrc.nist.gov/publications/PubsSPs.html#800-60.
2

NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
 FIPS 200, Minimum Security Requirements for Federal Information and Information
Systems5
, sets a base of security requirements that requires organizations to have a media sanitization program.
 FIPS 140-2, Security Requirements for Cryptographic Modules6
, establishes a standard for cryptographic modules used by the U.S. Government.
 NIST SP 800-53 Revision 4 provides minimum recommended security controls, including sanitization, for Federal systems based on their overall system security categorization.  NIST SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal
Information Systems and Organizations: Building Effective Security Assessment Plans7
,
provides guidance for assessing security controls, including sanitization, for federal systems based on their overall system security categorization.
 NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices8
,
provides guidance for selecting and using storage encryption technologies.
 NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable
Information (PII)9
, provides guidance for protecting the confidentiality of personally identifiable information in information systems.
1.5 Document Structure
The guide is divided into the following sections and appendices:
 Section 1 (this section) explains the authority, purpose and scope, audience, assumptions of the document, relationships to other documents, and outlines its structure.
 Section 2 presents an overview of the need for sanitization and the basic types of information, sanitization, and media.
5 FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, March 2006, 17 pp. http://csrc.nist.gov/publications/PubsFIPS.html#200. 6 FIPS 140-2, Security Requirements for Cryptographic Modules, May 25, 2001 (includes change notices through December 3,
2002), 69 pp. http://csrc.nist.gov/publications/PubsFIPS.html#140-2.
7 NIST SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations:
Building Effective Security Assessment Plans, June 2010, 399 pp. http://csrc.nist.gov/publications/PubsSPs.html#800-53A.
8 NIST SP 800-111, Guide to Storage Encryption Technologies for End User Devices, November 2007, 40 pp. http://csrc.nist.gov/publications/PubsSPs.html#800-111. 9 NIST SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII), April 2010, 59 pp. http://csrc.nist.gov/publications/PubsSPs.html#800-122. 3 NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
 Section 3 provides an overview of relevant roles and responsibilities for the management of data throughout its lifecycle.
 Section 4 provides the user with a process flow to assist with sanitization decision making.  Section 5 summarizes some general sanitization techniques.
 Appendix A specifies the minimum recommended sanitization techniques to Clear,
Purge, or Destroy various media. This appendix is used with the decision flow chart provided in Section 4.
 Appendix B defines terms used in this guide.
 Appendix C lists tools and external resources that can assist with media sanitization.
 Appendix D contains considerations for selecting a storage device implementing
Cryptographic Erase.
 Appendix E identifies a set of device-specific characteristics of interest that users should request from storage device vendors.
 Appendix F contains a bibliography of sources and correspondence that was essential in developing this guide.
 Appendix G provides a sample certificate of sanitization form for documenting an organization’s sanitization activities.
4
NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
2 Background
Information disposition and sanitization decisions occur throughout the information system life cycle. Critical factors affecting information disposition and media sanitization are decided at the start of a system’s development. The initial system requirements should include hardware and software specifications as well as interconnections and data flow documents that will assist the system owner in identifying the types of media used in the system. Some storage devices support enhanced commands for sanitization, which may make sanitization easier, faster, and/or more effective. The decision may be even more fundamental, because effective sanitization procedures may not yet have been determined for emerging media types. Without an effective command or interface-based sanitization technique, the only option left may be to destroy the media. In that event, the media cannot be reused by other organizations that might otherwise have been able to benefit from receiving the repurposed storage device.
A determination should be made during the requirements phase about what other types of media will be used to create, capture, or transfer information used by the system. This analysis, balancing business needs and risk to confidentiality, will formalize the media that will be considered for the system to conform to FIPS 200.
Media sanitization and information disposition activity is usually most intense during the disposal phase of the system life cycle. However, throughout the life of an information system, many types of media, containing data, will be transferred outside the positive control of the organization. This activity may be for maintenance reasons, system upgrades, or during a configuration update.
2.1 Need for Proper Media Sanitization and Information Disposition
Media sanitization is one key element in assuring confidentiality. Confidentiality is defined as
“preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…”10 Additionally, “a loss of confidentiality is the unauthorized disclosure of information.”11
In order for organizations to have appropriate controls on the information they are responsible for safeguarding, they must properly safeguard used media. An often rich source of illicit information collection is either through dumpster diving for improperly disposed hard copy media, acquisition of improperly sanitized electronic media, or through keyboard and laboratory reconstruction of media sanitized in a manner not commensurate with the confidentiality of its information. Media flows in and out of organizational control through recycle bins in paper form, out to vendors for equipment repairs, and hot swapped into other systems in response to hardware or software failures. This potential vulnerability can be mitigated through proper understanding of where information is located, what that information is, and how to protect it.
10 “Definitions,” Title 44 U.S.Code, Sec. 3542. 2006 ed. Supp. 5. Available: http://www.gpo.gov/; accessed 7/21/2014.
11 FIPS 199, p.2.
5

NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
2.2 Types of Media
There are two primary types of media in common use:
 Hard Copy. Hard copy media are physical representations of information, most often associated with paper printouts. However, printer and facsimile ribbons, drums, and platens are all examples of hard copy media. The supplies associated with producing paper printouts are often the most uncontrolled. Hard copy materials containing sensitive data that leave an organization without effective sanitization expose a significant vulnerability to “dumpster divers” and overcurious employees, risking unwanted information disclosures.
 Electronic (i.e., “soft copy”). Electronic media are devices containing bits and bytes such as hard drives, random access memory (RAM), read-only memory (ROM), disks, flash memory, memory devices, phones, mobile computing devices, networking devices, office equipment, and many other types listed in Appendix A.
In the future, organizations will be using media types not specifically addressed by this guide.
The processes described in this document should guide media sanitization decision making regardless of the type of media in use. To effectively use this guide for all media types, organizations and individuals should focus on the information that could possibly have been recorded on the media, rather than on the media itself.
2.3 Trends in Data Storage Media
Historical efforts to sanitize magnetic media have benefitted from the wide use of a single common type of storage medium implemented relatively similarly across vendors and models.
The storage capacity of magnetic media has increased at a relatively constant rate and vendors have modified the technology as necessary to achieve higher capacities. As the technology approaches the superparamagnetic limit, or the limit at which magnetic state can be changed with existing media and recording approaches, additional new approaches and technologies will be necessary in order for storage vendors to produce higher capacity devices.
Alternative technologies such as flash memory-based storage devices, or Solid State Drives
(SSDs), have also become prevalent due to falling costs, higher performance, and shock resistance. SSDs have already begun changing the norm in storage technology, and—at least from a sanitization perspective—the change is revolutionary (as opposed to evolutionary).
Degaussing, a fundamental way to sanitize magnetic media, no longer applies in most cases for flash memory-based devices. Evolutionary changes in magnetic media will also have potential impacts on sanitization. New storage technologies, and even variations of magnetic storage, that are dramatically different from legacy magnetic media will clearly require sanitization research and require a reinvestigation of sanitization procedures to ensure efficacy.
Both revolutionary and evolutionary changes make sanitization decisions more difficult, as the storage device may not clearly indicate what type of media is used for data storage. The burden falls on the user to accurately determine the media type and apply the associated sanitization procedure. 6
NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
2.4 Trends in Sanitization
For storage devices containing magnetic media, a single overwrite pass with a fixed pattern such as binary zeros typically hinders recovery of data even if state of the art laboratory techniques are applied to attempt to retrieve the data. One major drawback of relying solely upon the native
Read and Write interface for performing the overwrite procedure is that areas not currently mapped to active Logical Block Addressing (LBA) addresses (e.g., defect areas and currently unallocated space) are not addressed. Dedicated sanitize commands support addressing these areas more effectively. The use of such commands results in a tradeoff because although they should more thoroughly address all areas of the media, using these commands also requires trust and assurance from the vendor that the commands have been implemented as expected.
Users who have become accustomed to relying upon overwrite techniques on magnetic media and who have continued to apply these techniques as media types evolved (such as to flash memory-based devices) may be exposing their data to increased risk of unintentional disclosure.
Although the host interface (e.g. Advanced Technology Attachment (ATA) or Small Computer
System Interface (SCSI)) may be the same (or very similar) across devices with varying underlying media types, it is critical that the sanitization techniques are carefully matched to the media. Destructive techniques for some media types may become more difficult or impossible to apply in the future. Traditional techniques such as degaussing (for magnetic media) become more complicated as magnetic media evolves, because some emerging variations of magnetic recording technologies incorporate media with higher coercivity (magnetic force). As a result, existing degaussers may not have sufficient force to effectively degauss such media.
Applying destructive techniques to electronic storage media (e.g., flash memory) is also becoming more challenging, as the necessary particle size for commonly applied grinding techniques goes down proportionally to any increases in flash memory storage density. Flash memory chips already present challenges with occasional damage to grinders due to the hardness of the component materials, and this problem will get worse as grinders attempt to grind the chips into even smaller pieces.
Cryptographic Erase (CE), as described in Section 2.6, is an emerging sanitization technique that can be used in some situations when data is encrypted as it is stored on media. With CE, media sanitization is performed by sanitizing the cryptographic keys used to encrypt the data, as opposed to sanitizing the storage locations on media containing the encrypted data itself. CE techniques are typically capable of sanitizing media very quickly and could support partial sanitization, a technique where a subset of storage media is sanitization. Partial sanitization, sometimes referred to as selective sanitization, has potential applications in cloud computing and mobile devices. However, operational use of CE today presents some challenges. In some cases, it may be difficult to verify that CE has effectively sanitized media. This challenge, and possible approaches, is described in Section 4.7.3. If verification cannot be performed, organizations should use alternative sanitization methods that can be verified, or use CE in combination with a sanitization technique that can be verified.
A list of device-specific characteristics of interest for the application of sanitization techniques is
7
NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization included in Appendix E. These characteristics can be used to drive the types of questions that media users should ask vendors, but ideally this information would be made readily available by vendors so that it can be easily retrieved by users to facilitate informed risk based sanitization decisions. For example, knowing the coercivity of the media can help a user decide whether or not the available degausser(s) can effectively degauss the media.
2.5 Types of Sanitization
Regarding sanitization, the principal concern is ensuring that data is not unintentionally released.
Data is stored on media, which is connected to a system. This guidance focuses on the media sanitization component, which is simply data sanitization applied to a representation of the data as stored on a specific media type. Other potential concern areas exist as part of the system, such as for monitors, which may have sensitive data burned into the screen. Sensitive data stored in areas of the system other than storage media (such as on monitor screens) are not addressed by this document.
When media is repurposed or reaches end of life, the organization executes the system life cycle sanitization decision for the information on the media. For example, a mass-produced commercial software program contained on a DVD in an unopened package is unlikely to contain confidential data. Therefore, the decision may be made to simply dispose of the media without applying any sanitization technique. Alternatively, an organization is substantially more likely to decide that a hard drive from a system that processed PII needs sanitization prior to
Disposal.
Disposal without sanitization should be considered only if information disclosure would have no impact on organizational mission, would not result in damage to organizational assets, and would not result in financial loss or harm to any individuals.
The security categorization of the information, along with internal environmental factors, should drive the decisions on how to deal with the media. The key is to first think in terms of information confidentiality, then apply considerations based on media type.
In organizations, information exists that is not associated with any categorized system. This information is often hard copy internal communications such as memoranda, white papers, and presentations. Sometimes this information may be considered sensitive. Examples may include internal disciplinary letters, financial or salary negotiations, or strategy meeting minutes.
Organizations should label these media with their internal operating confidentiality levels and associate a type of sanitization described in this publication.
Sanitization is a process to render access to target data (the data subject to the sanitization technique) on the media infeasible for a given level of recovery effort. The level of effort applied when attempting to retrieve data may range widely. For example, a party may attempt simple keyboard attacks without the use of specialized tools, skills, or knowledge of the media characteristics. On the other end of the spectrum, a party may have extensive capabilities and be able to apply state of the art laboratory techniques.
8
NIST SP 800-88 Rev. 1 Guidelines for Media Sanitization
Clear, Purge, and Destroy are actions that can be taken to sanitize media. The categories of sanitization are defined as follows:
 Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state
(where rewriting is not supported).
 Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
 Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.
A more detailed summary of sanitization techniques is provided in Section 5. Sanitization requirements for specific media/device types are provided in Appendix A.
It is suggested that the user of this guide categorize the information, assess the nature of the medium on which it is recorded, assess the risk to confidentiality, and determine the future plans for the media. Then, the organization can choose the appropriate type(s) of sanitization. The selected type(s) should be assessed as to cost, environmental impact, etc., and a decision should be made that best mitigates the risk to confidentiality and best satisfies other constraints imposed on the process.