NIST SP 800-88 · Clear · Purge · Destroy · Verification

The Data Destruction Field Manual: What Actually Kills Data, Media by Media

Half the methods in circulation don't work on the media they're applied to — degaussed SSDs, overwritten flash, snapped DVDs, “wiped” copiers. This manual works through NIST SP 800-88 the way an operator does: media by media, with the valid purge methods, the destruction specs, the methods to never rely on, and the verification and records that turn the act into evidence.

Reading time: ~25 min Updated: June 12, 2026 Author: Brian Boynton Applies to: NIST SP 800-88 Rev. 1

TL;DR

Many common destruction methods do not work on the media they are applied to — degaussing does nothing to flash, overwriting misses SSD cells, and reformatting is not sanitization. NIST SP 800-88 defines what actually works, media by media.

  • Modern fleets are flash (SSD/NVMe): use cryptographic erase or physical destruction, never degaussing or simple overwrite.
  • "Deleted" and "reformatted" are not sanitization.
  • Every device needs method, then verification, then record — in that order, no exceptions.
  • Copiers, MFPs, and other hidden-drive devices are in scope.
Section 01

Deleted isn't destroyed

Every data-destruction failure traces back to one misunderstanding: that deletion removes data. It doesn't. Deletion removes the pointer to the data — the filesystem's map entry — and marks the territory as available. The data itself sits intact until something happens to overwrite it, which on a retired drive is never.

Off-the-shelf recovery tools read "deleted" files in minutes; a quick format typically just writes a fresh, empty map over the same territory. Emptying the recycle bin, reinstalling the operating system, deleting partitions — all variations on redrawing the map while leaving the land untouched. This is not an exotic forensic capability; it is a free download.

Real sanitization operates on the data, not the map: overwriting it, instructing the drive's own firmware to erase it, destroying the encryption key that makes it readable, or destroying the physical medium. Those four families, matched correctly to media types, are this entire manual. The rest is verification and paperwork — which, as Section 12 argues, is half the job.

Bottom line

If your disposal process includes the words "we deleted everything" or "we reformatted them," you don't have a disposal process. You have a map-redrawing ceremony.

Section 02

NIST SP 800-88: the standard everyone points to

NIST Special Publication 800-88 Revision 1, Guidelines for Media Sanitization, is the de facto U.S. reference for destroying data on every media type — cited by CMMC assessors, HHS guidance, state disposal laws, and virtually every security framework rather than each reinventing the wheel.

Its core contribution is a three-level taxonomy:

LevelDefinitionProtects againstTypical methods
ClearLogical techniques applied through standard interfacesSimple, non-invasive recovery (keyboard-and-software attacks)Overwriting with verification; factory resets on some devices
PurgePhysical or logical techniques that defeat laboratory recoveryState-of-the-art forensic attackFirmware Secure Erase / SANITIZE; cryptographic erase; degaussing (magnetic media)
DestroyRender media unusable and data infeasible to retrieveEverything; media cannot be reusedShredding, disintegration, incineration

Two framing points the standard insists on. First, sanitization decisions follow data sensitivity and media destination, not habit — the flowchart in Section 3 operationalizes this. Second, every sanitization is incomplete without verification and a record. A method without verification is a hope; a verified method without a record is an event no one can later prove happened.

One myth worth retiring here: the "DoD 5220.22-M three-pass wipe" that vendors still advertise. That document hasn't governed sanitization for many years; 800-88 superseded the multi-pass folklore, and for modern drives a single verified overwrite — or better, the firmware-based purge methods below — is the standard-aligned answer.

Section 03

Choosing the level: a two-question flowchart

For any device, two questions produce the answer.

Question 1 — Where is the asset going? If it stays under your control (internal redeployment), clear- or purge-level sanitization with a record is appropriate. If it leaves your control — resale, donation, lease return, RMA, trade-in — purge is the minimum, because you will never get another chance at it. If it's end-of-life, destruction is usually simplest, cheapest, and most defensible.

Question 2 — What would exposure cost? Regulated data (PHI, CUI, financial records), trade secrets, or anything whose breach triggers notification duties pushes the answer up one level. A drive of cafeteria menus and a drive of patient records can both technically take the same purge command; only one of them justifies betting on it. When the sensitivity analysis itself is uncertain, destroy — the price difference between purging and shredding a drive is trivial against the cost of being wrong.

Then one override: media type can veto the method. The chapters that follow exist because several methods that work perfectly on one medium do exactly nothing on another — and the most dangerous failures are the silent ones. The Method Picker encodes this whole section as a sixty-second tool.

Section 04

Magnetic hard drives

The medium 800-88's folklore was written for — and the one where most methods genuinely work, if verified.

Purge: the drive's own firmware commands — ATA Secure Erase or the SANITIZE command set — instruct the device to erase itself internally, reaching reallocated and spare sectors that host-side software can't see. Run with verification (a post-operation read sample or the tool's verification report). Cryptographic erase is valid where full-disk encryption was genuinely enforced from deployment and you can evidence it. Degaussing with an NSA/CSS-listed unit also purges — with the caveat that a degaussed drive is permanently dead, making it destruction-adjacent: never degauss a drive you intend to remarket.

Destroy: shredding and disintegration. Straightforward for magnetic platters at standard shred widths.

Never rely on: quick formats, partition deletion, OS reinstallation — Section 1's map-redrawing ceremonies. And single-sector "wipe" utilities that report success without verification.

Field note: failed drives that won't power on can't execute firmware purges — they go straight to the destroy column. Don't let a dead drive's unwipeability strand it in a drawer; its platters read fine in someone else's lab.

Section 05

SSDs, NVMe, and flash: where programs quietly fail

This is the most consequential chapter in the manual. Flash storage broke two beloved methods, and disposal SOPs written in the spinning-disk era prescribe them anyway.

Degaussing does nothing. Degaussers kill data by collapsing magnetic fields; flash stores charge in cells electrically. A degaussed SSD is a fully intact SSD. Any process — or vendor — running SSDs through a degausser and calling them sanitized is generating false confidence at industrial scale.

Overwrite software can't see the whole drive. SSD controllers practice wear leveling — distributing writes across cells and remapping constantly — and reserve overprovisioned capacity invisible to the operating system. Host-side overwrite tools scrub the addresses the controller chooses to show them, while copies of data persist in cells the software cannot reach. Overwrite-only sanitization on flash is structurally incomplete.

What works: the drive's own firmware — NVMe Format/Sanitize and ATA SANITIZE block-erase operations — executed and verified; these direct the controller to erase every cell it manages, including the ones the host never sees. Cryptographic erase works where hardware encryption was enforced and evidenced. Physical destruction works with one specification: particle size. Flash chips are small and dense; shred widths sized for hard-drive platters can pass intact chips through, and intact chips can be read off-board. Flash media demands flash-rated shred output.

Bottom line

If your fleet refreshed in the last five years, it's flash — and if your SOP predates the fleet, audit it this week. The two methods most likely to be written in it are the two that don't work.

Going deeper on flash: the mechanics of why overwrite and degaussing fail, cryptographic erase and self-encrypting drives, the native sanitize commands, and a media-to-method decision table are covered in the dedicated SSD, SED & NVMe Sanitization Field Guide.

Section 06

Backup tape

Tape's risk profile is inverted: the methods are easy, the inventory is the trap.

Purge/Destroy: degaussing with a unit rated for the tape's coercivity erases it thoroughly — and renders the cartridge unusable, so for tape, purge and destroy effectively converge. Shredding and incineration complete the destroy column. Overwriting is technically possible and practically unverifiable across an archive; don't build a program on it.

The real work is counting. Tape archives sprawl: off-site rotation sets, vault storage from retired backup regimes, migration leftovers, the box in the old server room. A sanitization program that processes the tapes you remember while the storage vendor holds four more boxes hasn't sanitized the archive — it's sampled it. Reconcile the vault inventory, the rotation schedule, and the physical count before declaring the medium handled.

Section 07

Copiers, printers, and MFPs

Virtually every networked copier and multifunction device of the last two decades contains a hard drive or flash module caching what crossed the glass — scans, prints, faxes — often for the unit's whole service life.

Purge: some manufacturers offer overwrite or security kits; they're valid where the kit produces verifiable results, which varies widely by vendor and generation. A menu option that says "data cleared" without verification output is a clear-level gesture at best.

Destroy: the dependable answer — pull the internal storage and shred it before the unit leaves your control. The chassis then recycles cleanly.

Never rely on: returning leased units as-is, or trusting a factory reset to purge the job cache. The lease return is this medium's signature failure mode: the unit disappears into a refurbishment chain with the cache aboard, and the breach surfaces at the next customer. The contractual fix — drive retention, certified sanitization at return, or third-party destruction rights written into the lease — costs one clause at signing; the Vault's lease clause pack has the language.

Section 08

Mobile devices

Phones and tablets are the one consumer category where the built-in method is genuinely strong — with two administrative traps in front of it.

Purge: modern iOS and Android devices encrypt storage by default with hardware-held keys, which makes a verified factory reset function as cryptographic erase: the reset destroys the keys, and the flash beneath holds only ciphertext. Conditions: confirm encryption was actually active (default on anything recent), and verify the reset completed to setup screen.

The traps are locks, not data. A device reset while still bound to activation lock (Find My / FRP) or MDM enrollment is sanitized and worthless — it can't be redeployed or remarketed, which quietly converts your recoverable fleet into scrap. Release MDM enrollment and activation locks before the reset, as a checklist step, not an afterthought.

Destroy: device or logic-board shredding for units whose condition or sensitivity warrants it. Never rely on: SIM removal as a "wipe," or resets on devices old enough that encryption wasn't enforced.

Section 09

Network equipment

Switches, routers, firewalls, and access points hold little user data — and a complete blueprint of your network. The risk isn't files; it's the map.

Configurations carry addressing schemes, VLAN topology, routing policy, VPN endpoints, SNMP strings, and — too often — embedded credentials and pre-shared keys. Gear resold or returned with configs intact hands a stranger your network diagram with annotations.

Purge: full configuration wipe and factory reset per vendor procedure, including startup and backup config stores; sanitize any internal flash or storage modules the platform documents. Don't forget the adjacent population: load balancers, WAN optimizers, VoIP appliances, and security appliances with logging storage that's effectively a data archive.

Destroy: remove and destroy internal storage where it exists; the chassis follows the recycling path. Never rely on: "it's just a switch" — the sentence that precedes most config-bearing resale incidents.

Section 10

USB flash, memory cards, and optical media

The small stuff — where the economics of verification flip the answer to destruction by default.

USB drives and memory cards are flash with all of Section 5's problems and almost none of its remedies: consumer controllers rarely implement trustworthy sanitize commands, and the per-unit value can't justify per-unit verification effort. The default disposition is shredding. The prior question is inventory: removable media is the least-tracked storage in any organization, and under frameworks like CMMC its control is a scored requirement before disposal even enters the picture.

Optical media (CD/DVD/Blu-ray) has no purge method at all once written. Destruction via an optical-rated shredder is the entire decision tree. Scratching, snapping by hand, and marker defacement are recoverable with patience — written optical media exits as confetti, full stop.

Section 11

Verification: the half everyone skips

800-88 treats verification as part of sanitization, not an optional follow-up — because an unverified method is indistinguishable from a failed one.

What verification looks like per family: for overwrites and firmware purges, a post-operation read sample or the tool's verification report confirming completion status (firmware commands return success/failure — capture it); for cryptographic erase, evidence the encryption was enforced pre-erase plus confirmation of key destruction; for degaussing, correct coercivity rating for the media plus periodic degausser field-strength testing; for physical destruction, confirmation of particle output and — operationally crucial — serial capture before the device enters the shredder, since afterward there's nothing left to identify.

At fleet scale, add process-level verification: sampled checks of completed batches, and the quarterly reconciliation habit — pull ten retired serials, trace each to its sanitization record. Programs that can pass that test on demand are audit-ready by construction; programs that can't usually discover it from an auditor.

Section 12

The record: turning an event into evidence

Months or years from now, someone — auditor, assessor, regulator, opposing counsel — will ask about a specific device. The sanitization happened or it didn't; what you'll actually be judged on is whether you can prove it.

The per-device record that survives that conversation captures: media identity (type, make/model, serial); method, named in 800-88 terms; tool or equipment used; verification performed and its result; operator; date; and for vendor-performed destruction, the chain of custody connecting your dock to the destruction event. Aggregate records — "one lot of drives, destroyed" — fail the only question that matters, because they can't speak to this device.

Institutionalize it in a written SOP: scope, roles, the method matrix from these chapters, procedure steps, verification requirements, record format, and the quarterly reconciliation test. The Vault's sanitization SOP template is that document with the blanks marked; the Readiness Scorer will tell you in two minutes which pieces your current program is missing.

Bottom line

Method, verification, record — in that order, every device, no exceptions small enough to skip. The method protects the data; the record protects you.

Section 13

Frequently asked questions

Is a multi-pass overwrite better than a single pass?

On modern drives, no — the multi-pass ritual descends from guidance written for long-obsolete media. NIST 800-88 recognizes a single verified overwrite at clear level, and firmware-based purge commands surpass host-side overwriting entirely. On flash, pass count is irrelevant because overwriting is the wrong tool regardless (see Section 5).

Can data really be recovered from a shredded drive?

From magnetic platters shredded at standard widths, recovery is not a realistic threat. The live concern is flash: chips that pass through an HDD-width shredder intact can be read off-board. The fix is specification, not anxiety — flash-rated particle size for flash media, and serial capture before destruction so the evidence survives even though the device doesn't.

Is BitLocker (or FileVault) alone enough to skip sanitization?

Encryption enables cryptographic erase — it doesn't replace it. You still need the erase event (key destruction), evidence the encryption was enforced for the device's whole data-bearing life, and a record. "It was encrypted, probably" is not a sanitization method; it's the precondition for one.

What do we do with drives that won't power on?

Destroy them. Dead drives can't execute firmware purges, but their platters and chips read fine in a recovery lab. A failed drive is a data-bearing asset with fewer options, not a sanitized one — straight to the shred queue, serial captured first.

Does formatting an SD card or USB stick before tossing it matter at all?

It removes the casual finder's easy access and nothing else — the data remains recoverable with free tools. For anything that ever held organizational data, removable flash gets shredded. The per-unit cost of destruction is lower than the per-unit cost of being wrong by orders of magnitude.

Who should perform sanitization — IT or a vendor?

Internal teams handle purge-for-redeployment well (firmware erases, mobile resets) when the SOP and records discipline exist. End-of-life destruction at volume favors certified vendors: rated equipment for every media type, serialized certificates as standard, and third-party evidence that carries more audit weight than self-attestation. Most mature programs run both lanes under one SOP.

Section 14

Where CyberCrunch fits

Every method in this manual is standard-driven — NIST SP 800-88's taxonomy, applied per media type with verification and records. The standard doesn't care who executes it; the evidence does. CyberCrunch built its operation around the chapters above.

CyberCrunch · Certified Data Destruction · All Media Types

Every method above, performed and proven.

CyberCrunch performs NIST 800-88-aligned sanitization and destruction across the full media map — hard drives, SSDs and flash at flash-rated particle sizes, tape, copier and MFP storage, mobile fleets, and network equipment — with verification on every operation, serialized certificates of destruction reconciled to your manifest, documented chain of custody, and witnessed destruction options. NAID AAA and R2v3 certified, headquartered in Greensburg, PA, serving all 50 states.

NAID AAAR2v3RIOSPA DEPALL 50 STATES

This manual summarizes NIST SP 800-88’s Clear/Purge/Destroy framework with per-media technique guidance, as of June 2026. NIST finalized Rev. 2 in September 2025, which keeps that framework but now defers technique selection to IEEE 2883-2022 — for current flash-specific detail see the SSD, SED & NVMe Sanitization Field Guide. It is not legal advice and does not substitute for the standard itself or for your organization's regulatory requirements. Validate methods against your specific media, tools, and compliance obligations.