Digital Media Destruction Guidelines

NIST defines media as “Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts onto which information is recorded, stored, or printed within a system.”

This applies to digital media specifically, which includes hard drives, SSDs, portable storage devices, and other such devices that store data. Two controls in particular in NIST 800-171 discuss sanitization and destruction of media as necessary. To comply with these controls, one must ensure that media is sanitized or destroyed based on the guidelines provided in NIST 800-88.

NIST has published an updated version of Special Publication (SP) 800-88, Guidelines for Media Sanitization. SP 800-88 Revision 1 provides guidance to assist organizations and system owners in making practical sanitization decisions based on the categorization of confidentiality of their information. Media sanitization refers to a process that renders access to target data on the media infeasible for a given level of effort. Information disposition and sanitization decisions occur throughout the information system life cycle.

Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple noninvasive data recovery techniques; it is typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).

Purge applies physical or logical techniques that render target data recovery infeasible using state-of-the art laboratory techniques.

Destroy renders target data recovery (using state-of-the-art laboratory techniques) infeasible and results in the subsequent inability to use the media for storage of data.