What's inside
A field reference for NIST SP 800-88 Revision 2, published 26 September 2025. The first major update in almost eleven years. Designed for CISOs, vCISOs, compliance leads, IT operations leads, and ITAD vendors who need to make sanitisation decisions defensibly and consistently. Built to be pinned next to a sanitisation workstation, kept in a project pack, or held next to an audit reviewer.
24 pages of operational content with the decision logic compressed for fast reference, not waded through:
- Section 2: What changed in Rev. 2 and what did not. Comparison table covering the structural shift toward IEEE 2883-2022 as the technique reference, the new author team, expanded SSD and NVMe coverage, explicit programme-governance framing, and the unchanged Clear/Purge/Destroy vocabulary
- Section 3: The Clear, Purge, Destroy decision on one page. Method definitions side by side with the decision matrix that maps data confidentiality, intended future media use, and risk tolerance to the appropriate sanitisation method
- Section 4: Per-media-type quick reference covering HDDs, SATA SSDs, NVMe drives, M.2 form factor, embedded flash (eMMC, UFS), USB removable media, magnetic tape, optical media, networking equipment, multifunction devices, RAM, AI accelerator HBM3, and hybrid drives. Cryptographic Erase availability flagged per media class
- Section 5: The IEEE 2883-2022 bridge explaining the most architectural change in Rev. 2 and the practical impact on policy, vendor contracts, certificates, and training
- Section 6: Cryptographic Erase operational guide. When CE is appropriate. When CE is not appropriate. The 'enabled before first write' rule that determines whether key destruction actually protects the data
- Section 7: Verification at device level, sample level, and programme level. What evidence an auditor expects to see
- Section 8: FISMA, FISCAM, CMMC 2.0, DFARS, NIST SP 800-171, FedRAMP and StateRAMP linkage matrix
- Section 9: Seven common misuses of NIST 800-88 including factory reset marketed as Clear, single-pass overwrite assumed to satisfy Purge, Cryptographic Erase used on media not encrypted from first write, Destroy claimed without verification, one-size-fits-all method application, Rev. 1 references retained after Rev. 2 publication, and HBM3 treated like standard SSD
- Appendix A: Single-page printable decision card with the five-step decision flow and color-coded decision matrix. Print, laminate, pin
- Appendix B: Crosswalk mapping NIST 800-88 Rev. 2 methods to ISO/IEC 21964 sanitisation categories and HMG IS5 lower-and-enhanced levels, plus the DIN 66399 per-media destruction class reference
Why this template
NIST SP 800-88 Rev. 2 was published on 26 September 2025. It superseded Rev. 1, which had stood for almost eleven years as the international reference standard. Most ITAD templates published online still cite Rev. 1 verbatim, sometimes without realising Rev. 2 exists. For US federal agencies, federal contractors under CMMC 2.0, and any organisation processing US federal data, Rev. 2 is now mandatory.
The biggest architectural change in Rev. 2 is the removal of all specific sanitisation technique instructions and the explicit reference to IEEE 2883-2022 for technique selection. Rev. 2 is governance and decision logic. IEEE 2883 is the technique reference. This separation is intentional and important. Most templates online have not yet adapted to this two-document model.
The Clear, Purge, and Destroy vocabulary remains. Documentation chains, vendor certificates, and policy references written under Rev. 1 do not need to be rewritten substantively. The reference layer is what shifted. This template is designed to make the transition obvious and the operational decisions defensible.
The color-coded decision matrix in Section 3 and the per-media-type matrix in Section 4 are the operational core. The single-page printable decision card in Appendix A is the format the template was designed around. Pin it to a wall and the sanitisation decision is no longer a research project.
The crosswalk to ISO/IEC 21964 and HMG IS5 in Appendix B makes this template useful for non-US audiences too. Organisations operating across multiple standards regimes can use this reference as the equivalence bridge.
Who it's for
CISOs, vCISOs, compliance leads, IT operations leads, internal auditors, ITAD vendors, federal compliance teams, defence industrial base contractors under CMMC 2.0, and any organisation needing a fast operational reference for media sanitisation decisions across HDDs, SSDs, NVMe, AI accelerators, mobile devices, and removable media.
Pairs with
All thirteen prior NanoSoft templates. NIST 800-88 Rev. 2 is the technical foundation underneath the operational templates: ITAD Policy (NS-TPL-001), Certificate of Data Destruction (NS-TPL-002), Pre-Disposition Audit (NS-TPL-007), UK GDPR (NS-TPL-008), NHS Quickstart with HMG IS5 alignment (NS-TPL-010), EU GDPR Erasure Guide (NS-TPL-012), and EMEA Decommissioning Plan (NS-TPL-013) which references this template for per-device sanitisation decisions on AI accelerator hardware.
Format: Microsoft Word (.docx) | 24 pages | Last updated: May 2026