NIST SP 800-88 Summarized

NIST SP 800-88 Rev. 1, Guidelines for Media Sanitization, can be summarized under four headings: 1) the purpose and scope of the document, 2) new trends in storage media, sanitization technology, and associated issues, 3) the three types of media sanitization, and 4) information sanitization and disposal decision making. This post omits the roles and responsibilities relating to media sanitization in an organization, which are covered in Chapter 3 of the document. It is a brief summary intended to give you a general understanding of the document; read the full guidelines if you want to understand them thoroughly.

What is NIST SP 800-88?

NIST (National Institute of Standards and Technology) released its Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization, as a revision of the original 2006 edition. The guideline has become the new standard for media sanitization in organizations, public and private, in the US and in other countries. It is also known as ‘NIST SP 800-88’ or ‘NIST 800-88.’

The objectives of the document: Guidelines, not a standard

Whereas the ‘DoD wipe standard’ is a standard method for wiping hard disk drives, NIST 800-88 is simply a set of guidelines for organizations. The guidelines cover media from paper to servers and sanitization methods from overwriting to shredding. The document states that the objective is “to assist with decision making when media require disposal, reuse, or will be leaving the effective control of an organization. Organizations should develop and use local policies and procedures in conjunction with this guide to make effective, risk-based decisions on the ultimate sanitization and/or disposition of media and information.”

New Trends of Media Sanitization

You can shred paper to sanitize it. However, the sanitization of electronic storage media is more complex. In particular, new technological methods are needed for sanitizing emerging storage media.

1) The emergence of flash memory-based storage media: With the advent of flash memory-based storage media with higher capacity than conventional magnetic storage, overwrite is not sufficient for sanitizing them. Thus, the old DoD Standard is no longer valid for all media. This is one of the main reasons why the media sanitization method is becoming more complex as well.

2) Dedicated Sanitize Commands: It is recommended to sanitize flash memory-based storage media with dedicated sanitize commands. You should use the correct commands for your particular media (consult your vendor to find the right commands).

3) The threat to degaussing: New magnetic storage also may have higher coercivity due to technological advances. Existing degaussers may not be suitable for them. Check with your degausser and storage media vendor to see if your current process is adequate.

4) The threat to physical destruction: The higher the density of flash memory, the smaller the shredded particles must be to physically destroy it. Additionally, the increased hardness of the media may cause inadvertent damage to the grinder.

5) Cryptographic Erase (CE): New media often support CE. CE is a very efficient way to prevent data recovery. It sanitizes only the encryption key, leaving the data encrypted in the storage. However, the disadvantage is that the sanitization is difficult to verify, so it must be applied carefully.

Three categories of Media Sanitization

This document defines three categories of media sanitization:

1) Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).

2) Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.

3) Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

Appendix A, Minimum Sanitization Recommendations for each media type, states that ‘clear’ can be accomplished by software wiping, ‘purge’ can be done by software wiping and degaussing, and ‘destroy’ can be physical destruction, for most magnetic media and flash memory-based storage devices.

Information Sanitization and Disposal Decision Making

The document offers suggestions for how to choose one of the above technique categories for sanitizing and disposing of media. (See the flow chart below.)

Figure: Sanitization and Disposition Decision Flow (Source: NIST SP 800-88, p.17)

1) Information Decisions in the System Life Cycle: You should consider how to sanitize data at the start of system development. The sanitization method depends on the type of storage device. The document recommends that organizations request a ‘statement of volatility’ for the device from the product vendor.

2) Determination of Security Categorization: Early in the system life cycle, you should determine the level of confidentiality of the information according to FIPS 199, NIST SP 800-60 Rev.1, or CNSSI 1253. This security categorization should be applied throughout the system’s life and updated regularly: every three years or any time a significant change occurs in the system.

3) Determination of Reuse of Media: The sanitization method may vary depending on whether the media is reused or recycled.

4) Determination of control of media: The method of sanitization depends on whether the media is still within the organization’s control or whether it has been donated, resold, or disposed of externally.

5) Data protection level: For example, even within an organization, if two departments have different access rights to the information, you might need to sanitize the device that stored the information when it moves from one department to another.

6) Verification: You must verify that the sanitization has been completed properly. Two approaches are available: full verification and verification of a representative sample. The verification method should be selected carefully according to the sanitization technique used and the type of media. Appendix A offers verification methods for some media.

7) Documentation: Detailed information about the sanitized media, the sanitization method, verification method, and worker information should be documented and stored.
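The steps above can be chained into one small workflow. The following Python sketch is an added example, not code from NIST or from this blog: it picks a category using the branches of the decision flow figure in SP 800-88 Rev. 1, verifies an overwritten image either in full or by pseudorandom sample, and builds a documentation record. The 4096-byte block size, the record field names, the media ID and the operator name are assumptions made for illustration.

```python
import hashlib, json, os, random, tempfile
BLOCK = 4096  # bytes compared per verification read (assumed size)

def choose_category(impact, reuse, leaving_control):
    """Clear/Purge/Destroy per the decision flow figure of SP 800-88 Rev. 1."""
    if impact not in ("low", "moderate", "high"):
        raise ValueError("impact must be low, moderate or high")
    if impact != "low" and not reuse:
        return "destroy"
    if impact == "high":
        return "destroy" if leaving_control else "purge"
    return "purge" if leaving_control else "clear"

def verify_overwrite(path, pattern=b"\x00", fraction=1.0, seed=None):
    """Return offsets of checked blocks that do not hold the overwrite byte.
    fraction=1.0 is full verification; lower values read a pseudorandom sample."""
    nblocks = -(-os.path.getsize(path) // BLOCK)  # ceiling division
    picks = range(nblocks)
    if fraction < 1.0:
        k = min(nblocks, max(1, int(nblocks * fraction)))
        picks = sorted(random.Random(seed).sample(range(nblocks), k))
    bad = []
    with open(path, "rb") as f:
        for i in picks:
            f.seek(i * BLOCK)
            data = f.read(BLOCK)
            if data != pattern * len(data):
                bad.append(i * BLOCK)
    return bad

def sanitization_record(media_id, category, method, verification, bad, operator):
    """Documentation entry (illustrative fields); unkeyed digest flags accidental edits."""
    rec = {"media_id": media_id, "category": category, "method": method,
           "verification": verification, "failed_offsets": bad,
           "verified": not bad, "operator": operator}
    rec["sha256"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec

if __name__ == "__main__":
    # Constructed sample: an 8-block zeroed image with residue left in block 5.
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "disk.img")
        with open(img, "wb") as f:
            f.write(b"\x00" * BLOCK * 5 + b"residue" + b"\x00" * (BLOCK * 3 - 7))
        cat = choose_category("moderate", reuse=True, leaving_control=True)
        bad = verify_overwrite(img)  # the full pass always reaches block 5
        sampled = verify_overwrite(img, fraction=0.25, seed=7)  # 2 of 8 blocks; may miss it
        rec = sanitization_record("SN-EXAMPLE-001", cat, "overwrite", "full", bad, "j.doe")
        print(cat, bad, sampled, json.dumps(rec, indent=2))
```

A sampled pass that returns no offsets only says the blocks it read were clean, which is why the choice between full and sample verification should follow the sanitization technique and media type.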

The appendices

The appendices of this document are full of practical information: 1) the minimum sanitization recommendations for each media type, 2) tools and resources relating to media sanitization, 3) cryptographic erase device guidelines, 4) device-specific characteristics of interest, and 5) a sample “certificate of sanitization” form.

Conclusion

In conclusion, the document is intended to help organizations make decisions and establish policies and procedures on how to sanitize media. It also provides detailed minimum requirements and checklists on how to achieve the three types of sanitization, namely clear, purge, and destroy, depending on the nature of the media. Organizations should therefore follow the guidelines presented in the document when creating media sanitization policies and procedures that comply with the specific data protection regulations that apply to them. However, it is challenging for general users to obtain all the characteristics of all storage media from vendors and to carry out verification as the guidelines suggest.

Sanitization software can automatically adopt suitable wiping methods for specific media as well as provide automatic verification methods. Secudrive Drive Eraser provides suitable sanitization and verification methods for a variety of media. It provides ATA commands for SSDs as well as overwrite for magnetic disks. The hexadecimal view verifies the data before and after wiping. Furthermore, after the deletion, logs recording the computer, the storage media, and the wiping information are automatically generated. The logs can then be output as tamper-resistant reports and stored in various file formats for easy integration with the organization’s IT asset management system. For more, see our blog post on how to use Secudrive Drive Eraser for HIPAA compliance.
