Guidelines for Media Sanitization: NIST Publishes SP 800-88r2

NIST has released Special Publication (SP) 800-88r2 (Revision 2), Guidelines for Media Sanitization.

Media sanitization is a process that renders access to the target data on media infeasible for a given level of effort. This guide will assist organizations and system owners in setting up a media sanitization program with proper and applicable methods and controls for sanitization and disposal based on the sensitivity of their information.

Important revisions in this version compared to SP 800-88r1 (2014) are as follows:

• The document’s focus has shifted from providing guidelines for hands-on sanitization decisions to maintaining the confidentiality of sensitive information by establishing an agency or enterprise media sanitization program as part of media disposal or reuse,
• Program-focused guidelines now improve the alignment of media sanitization with cybersecurity standards (e.g., SP 800-53, ISO/IEC 27040), update certain sanitization methods to be in tune with the state of practice, and address trust establishment in the vendor’s implementation of sanitization techniques for clear and purge sanitization methods.
• Apart from cryptographic erase (CE), which is commonly used across all encrypted media, all sanitization techniques and tool details have been replaced with recommendations to comply with IEEE 2883, NSA specifications, or an organizationally approved standard.
• A focused set of guidelines have been added to the CE technique to expand the types of cryptographic keys that may be used for CE, consolidate content from different parts of text to a dedicated section, provide guidelines for key sanitization using the state of practice ISO/IEC 19790 zeroization, and clarify when the use of externally managed keys is potentially acceptable.