NIST 800-88 Data Destruction Checklist
The end-to-end checklist auditors actually expect. Use it to run a destruction project in-house, or to qualify a vendor before you sign with them.
What NIST 800-88 actually is — in one paragraph
NIST Special Publication 800-88 Rev. 1, Guidelines for Media Sanitization, is the U.S. federal standard for making data on storage media unrecoverable. It is the de facto baseline cited in HIPAA guidance, PCI-DSS, GLBA examinations, and most enterprise procurement contracts. It splits sanitization into three categories — Clear, Purge, and Destroy — and tells you which one to use based on (a) the confidentiality of the data and (b) the type of media.
The decision matrix
- Clear (Low confidentiality): Logical techniques like overwrite, factory reset, or built-in secure erase. Reliable on HDDs. Unreliable on SSDs. Use Clear for media leaving the environment but staying inside the organization.
- Purge (Moderate confidentiality): Cryptographic erase (delete the encryption key), block erase (ATA/NVMe Sanitize command), or degaussing for magnetic media. Resists laboratory recovery. Required when devices change ownership.
- Destroy (High confidentiality): Shred to a defined particle size, disintegrate, incinerate, or melt. The device is no longer usable. Required for highly regulated data or whenever Purge is not technically feasible.
The 7-step checklist
- Inventory every device. Device type · manufacturer · model · serial number · capacity · encryption status · current physical location. Anything not on the list never gets sanitized — and almost every breach starts with "we didn't know that drive was there."
- Classify the data. Map each device to a confidentiality level: Low, Moderate, or High. Use your existing data classification policy if you have one; otherwise default to Moderate and step up for regulated workloads (PHI, PCI, ITAR, etc.).
- Select the method. Apply the Clear / Purge / Destroy matrix above. Always verify the method is actually supported by the device — many SSDs falsely report secure-erase success.
- Execute the sanitization. Use vendor-supported tools (manufacturer secure-erase utilities, ATA/NVMe Sanitize, hardware shredders). Capture tool logs and operator identity. Maintain chain of custody from removal to sanitization to disposal.
- Verify a sample. At minimum 10% of devices, plus 100% of devices holding High-confidentiality data. For logical methods, attempt recovery with a forensic tool. For physical destruction, verify shred particle size with calipers and photograph the output.
- Issue Certificates of Destruction. One certificate per device or per batch. Include: device serial number(s), sanitization method, NIST 800-88 category, operator name, witness name, date, location, and reference to the verification record. Sign and counter-sign.
- Update the asset register and retain records. Mark assets as sanitized and disposed in the CMDB / asset tracking system. Retain certificates and logs for the longest of: your retention policy, your regulator's requirement, or seven years.
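As an added example (not part of the checklist and not the page authors' tooling), the Python below encodes the Clear / Purge / Destroy matrix above together with steps 3, 5 and 6 of the checklist: method selection with the SSD caveat, the 10%-plus-all-High verification sample, and a certificate record that refuses to issue while any required field is blank. The two-type HDD/SSD media model and the inventory records are constructed assumptions.

```python
from dataclasses import dataclass
import math

@dataclass
class Device:
    serial: str
    media: str        # "HDD" or "SSD" (two-type model, an assumption)
    level: str        # "Low", "Moderate" or "High" confidentiality
    leaves_org: bool  # changes ownership / leaves the organization
    encrypted: bool   # encrypted at rest, so cryptographic erase is possible

INVENTORY = [  # constructed sample inventory (step 1); not real serials
    Device("SN-A001", "HDD", "Low", False, False),
    Device("SN-A002", "SSD", "Low", False, False),
    Device("SN-B003", "HDD", "Moderate", True, False),
    Device("SN-C004", "SSD", "High", True, True),
]

def select_method(d: Device) -> str:
    """Step 3: confidentiality sets the category; SSDs never get Clear (unreliable)."""
    if d.level == "High":
        return "Destroy: shred to defined particle size"
    if d.level == "Moderate" or d.leaves_org or d.media == "SSD":
        if d.media == "SSD":
            return ("Purge: cryptographic erase" if d.encrypted
                    else "Purge: ATA/NVMe Sanitize block erase")
        return "Purge: degauss"
    return "Clear: overwrite / built-in secure erase (stays in-house)"

def verification_sample(devices: list) -> list:
    """Step 5: at least 10% of devices plus every High device (filled in inventory order)."""
    high = [d for d in devices if d.level == "High"]
    quota = max(math.ceil(0.10 * len(devices)), len(high))
    sample = list(high)
    for d in devices:  # in a real project pick the extra devices at random
        if len(sample) < quota and d not in sample:
            sample.append(d)
    return sample

REQUIRED = ("serial", "method", "nist_category", "operator", "witness",
            "date", "location", "verification_ref")
def certificate(d: Device, **fields) -> dict:
    """Step 6: one record per serial; refuse to issue with any field blank."""
    method = select_method(d)
    rec = {"serial": d.serial, "method": method,
           "nist_category": method.split(":")[0], **fields}
    missing = [k for k in REQUIRED if not rec.get(k)]
    if missing:
        raise ValueError(f"certificate for {d.serial} missing {missing}")
    return rec
```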
Five mistakes we still see in 2026
- Treating SSDs like HDDs. A DBAN-style overwrite does not reliably sanitize an SSD. Use cryptographic erase or destroy.
- Trusting the device's "secure erase" report. Many consumer SSDs return success without actually sanitizing the over-provisioning area. Verify, or destroy.
- No serial-number-level certificate. A certificate that says "destroyed 47 drives" without serials is unusable in an audit. Every drive, every serial.
- Skipping the inventory step. If you don't have a list, you can't prove anything was sanitized — only that something was.
- Mixing destruction and resale streams. Once a device is on the "destroy" path, it cannot legally or ethically reappear on the resale market. Keep the streams physically separate.
FAQ
What is NIST SP 800-88?
NIST SP 800-88 Rev. 1 is the U.S. federal media sanitization standard. It defines Clear, Purge, and Destroy categories and is referenced by HIPAA, PCI-DSS, GLBA, and most enterprise contracts.
Is overwriting enough for SSDs?
Generally no — wear leveling and over-provisioning leave data behind. Use cryptographic erase, vendor block-erase, or physical destruction.
Do I need a Certificate of Destruction?
If you're subject to any data-handling regulation or contract, yes. It's the document you'll produce in an audit.
Can I do this in-house?
Yes — 800-88 doesn't require a third party. Most organizations outsource because of training, documentation, and equipment costs.
Get the printable PDF
Same content, formatted as a one-click checklist you can hand to a vendor, a board member, or your insurance carrier. No spam — we use your email only to send the PDF and (optionally) a one-time follow-up.
- Print-friendly, branded layout
- Auditor-ready format
- Updated for 2026 standards
Want us to run the destruction project for you?
We perform NIST 800-88 aligned destruction on-site or at our facility, with serial-number-level Certificates of Destruction for every device.