NIST 800-88: Meeting the Standard


Unfortunately, like a recurring nightmare, it has happened one too many times: sensitive data remains on devices thought to be discarded or repurposed.  To tackle this issue, the National Institute of Standards and Technology (NIST) developed guidelines in 2006, revised in 2012, to maintain data confidentiality and guarantee the secure and irreversible removal of data from storage devices.  In today’s blog, we’ll take a look at the NIST 800-88 guidelines and highlight the importance of data destruction.  We’ll also explore the three primary data destruction methods outlined by the NIST guidelines and share best practices for their implementation.


Understanding the NIST 800-88 Standard


The NIST 800-88 standards were established in 2006 and revised in 2012 to provide a comprehensive approach to data destruction techniques.  They are specifically tailored to various storage devices and are a key component of handling sensitive information.  In a world evolving as rapidly as ours is technologically, it’s not difficult to see why a standard should come about to clearly and effectively define data security procedures.


What is Data Destruction?




Data destruction involves permanently removing data from the devices that store it, ensuring that confidential information cannot be accessed without authorization.  The primary purpose is to prevent data breaches or leaks (a la Morgan Stanley) when retiring, recycling or disposing of any and all electronic media or devices.


Addressing Data Destruction Challenges


By embracing data destruction practices, organizations can protect their sensitive information and mitigate the risk of data breaches while complying with NIST 800-88 guidelines.  If media sanitization isn’t available, alternative data protection measures can and should be explored.


Adhering to NIST 800-88 standards empowers organizations to select data destruction methods suited to their storage media and data confidentiality needs, reducing the risk of unauthorized access and upholding compliance with data protection regulations.


Things to Consider


Several factors are worth considering when implementing media sanitization techniques; understanding them will help you choose the most suitable data destruction method and ensure complete data sanitization.  Let’s take a look!


Types of Media Storage


Different storage media require specific sanitization techniques for effective data destruction.  For instance, degaussing is very effective for sanitizing magnetic storage devices like magnetic tapes and hard disk drives, but it isn’t suitable for flash-based devices like SSDs.  For such cases, the NIST 800-88 guidelines recommend that agencies use approved software and specifically advocate the practice of overwriting.


Security Levels



Based on security levels and requirements, organizations can choose the most effective sanitization method to erase data and comply with NIST guidelines.


The Clear method, for instance, may be sufficient for storage devices bearing low-sensitivity information, while the Purge method, involving encryption techniques, overwriting and block erasure, is recommended for highly confidential data.


To Clear, Purge or Destroy?



NIST 800-88 standards outline three primary data destruction techniques, and they sound like battle commands: Clear, Purge and Destroy.  Each of these methods offers a different degree of data destruction and applies to different storage media types.


NIST Clear Method



Effective for various storage devices, such as HDDs, SSDs, USB flash drives and other types of non-volatile memory storage, the Clear method overwrites data with nonsensitive information.  As a result, this method is a favorite for ensuring data protection while allowing reuse, which promotes a circular economy.  By defeating basic, nonintrusive data recovery techniques and the tools used for scavenging data, the Clear method helps ensure that recovering the target data remains a challenging obstacle.


That being said, it does not address data located in concealed or unreachable sectors, and so it is not ideal for devices bearing highly sensitive information.  In these instances, organizations may need to explore alternative sanitization methods like Purge or Destroy to guarantee the absolute and irreversible destruction of sensitive data.
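As an added illustration of the overwrite-and-verify idea behind Clear (example code written for this post, not eAsset Solutions’ or NIST’s), the following Python overwrites a constructed file standing in for a block device with a fixed pattern and then reads the whole image back to confirm the overwrite took effect; the pattern value and chunk size are assumptions.

```python
import os
import tempfile

PATTERN = b"\x00"   # assumed nonsensitive overwrite value
CHUNK = 64 * 1024   # assumed I/O chunk size in bytes


def _block(pattern: bytes, size: int) -> bytes:
    """Expand `pattern` to exactly `size` bytes."""
    return (pattern * (size // len(pattern) + 1))[:size]


def overwrite_image(path, pattern=PATTERN, chunk=CHUNK) -> int:
    """Overwrite every addressable byte of `path` with `pattern`; return bytes written.

    Like any logical Clear, this only reaches sectors the OS can address;
    remapped or over-provisioned flash blocks are untouched (the caveat above).
    """
    size = os.path.getsize(path)
    block = _block(pattern, chunk)
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(chunk, size - written)
            f.write(block[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())  # commit to storage before verifying
    return written


def verify_overwrite(path, pattern=PATTERN, chunk=CHUNK) -> bool:
    """Full read-back check: every chunk must equal the expanded pattern."""
    block = _block(pattern, chunk)
    with open(path, "rb") as f:
        while data := f.read(chunk):
            if data != block[:len(data)]:
                return False
    return True


def demo():
    """Constructed 'device' image holding a marker record; clear it; verify.

    Returns (bytes_written, marker_gone, verification_passed).
    """
    marker = b"CONSTRUCTED-SENSITIVE-RECORD"
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(150_000) + marker + os.urandom(4_321))
        path = tmp.name
    try:
        written = overwrite_image(path)
        with open(path, "rb") as f:
            gone = marker not in f.read()
        return written, gone, verify_overwrite(path)
    finally:
        os.unlink(path)
```

Running `demo()` on a real device would need the device node in place of the temporary file and enough privilege to open it read-write; the read-back step is what turns an overwrite into evidence that the Clear actually completed.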


NIST Purge Method


The Purge method may share its name with a horror movie, but it also stands as a highly effective safeguard for confidential data, employing techniques like overwriting, block erasing and encryption to make data recovery virtually impossible.  It’s especially effective for storage devices housing sensitive information and uses both physical and logical measures to thwart advanced laboratory-based data recovery techniques.


NIST 800-88 standards prescribe particular techniques for the Purge method, including degaussing, overwriting, block erasure and cryptographic deletion.  Together these techniques make up a comprehensive and rigorous process for rendering data irretrievable, and thus align with the high-security requirements of sensitive data storage.


NIST Destroy Method



The Destroy method involves physically destroying the storage media, ensuring maximum data protection for highly sensitive information or unrecoverable devices.  By rendering the storage media entirely unusable, this method is an effective way to eliminate any unauthorized access to sensitive data.


There is a rather important caveat, however: the environmental harm and financial expense linked to destroying storage devices.  Organizations are therefore strongly encouraged to carefully assess the pros and cons of this approach and to consider the alternative sanitization techniques (NIST Clear or NIST Purge), which may better align with global and local needs regarding conservation and the environment.


eAsset Solutions and Compliance



Understanding the requirements of our clients is essential to what we do, and we tailor our services accordingly.  We not only adhere to the NIST 800-88 standard; our data destruction processes are also in accordance with:


R2v3 (Responsible Recycling)


RIOS (Recycling Industry Operating Standard)


NIST 800-88 Guidelines


HIPAA (Health Insurance Portability and Accountability Act)


SOX (Sarbanes-Oxley Act)


GLB (Gramm-Leach-Bliley Act)


FACTA (Fair and Accurate Credit Transactions Act)


COPPA (Children’s Online Privacy Protection Act)


FISMA (Federal Information Security Management Act)


When you recycle with us, whether it’s a personal laptop or retiring IT assets, we will effectively and efficiently meet your data destruction requirements.


Final Thoughts




Because we believe in providing the utmost in responsible recycling and promoting a circular economy, as a company we continue to do our due diligence to not only meet the standard but to exceed it at every level.  In addition to offering hard drive shredding and degaussing, we utilize specialized and agency-approved third-party software (such as Blancco, ZipErase, and Extreme Protocol Systems) that strictly adheres to the NIST 800-88 standard and guidelines.


Prioritizing data security has become more critical for organizations than ever before.  Investing in strong media sanitization processes is imperative.  By adopting a proactive approach and deploying solutions in accordance with NIST 800-88 standards, organizations can confidently ensure the complete and irretrievable removal of sensitive data from their storage devices, thus safeguarding their invaluable assets against unauthorized access.


Call today and see how eAsset Solutions can help deliver on your data destruction needs.