Data sanitisation has moved well beyond basic “drive wiping.” With the publication of NIST SP 800-88 Revision 2, Guidelines for Media Sanitization, the focus has shifted firmly toward structured, risk-based decision making aligned to modern storage technologies.
Revision 2 recognises a reality many organisations are already facing: storage environments are more complex, more distributed, and more diverse than they were a decade ago. SSDs, self-encrypting drives, hybrid media, and cloud-based storage all introduce new considerations. A single, generic approach to erasure is no longer sufficient.
Understanding the three sanitisation methods
NIST continues to define three sanitisation methods: Clear, Purge, and Destroy. The distinction between them is not technical preference, but risk tolerance aligned to confidentiality impact.
Clear applies logical techniques to protect against simple, non-invasive recovery. It may be appropriate where media remains under organisational control and the data sensitivity is low. However, Revision 2 makes clear that legacy multi-pass overwrite approaches do not automatically provide higher assurance on modern SSD-based storage.
Purge is designed to protect against advanced laboratory techniques while preserving media for reuse. This includes device-specific sanitize commands and Cryptographic Erase. For many reuse scenarios, particularly where media is leaving organisational control, Purge represents the correct balance between security and sustainability.
Destroy renders data recovery infeasible and makes the media unusable. It remains appropriate for high confidentiality environments or where reuse is not required
Cryptographic Erase under closer scrutiny
One of the most significant areas of focus in Revision 2 is Cryptographic Erase. While it can provide rapid and high-assurance sanitisation, NIST is clear that it is only valid where data has been encrypted from the outset and where keys are properly managed and zeroised.
Key escrow, backups, weak entropy, or poor implementation can undermine its effectiveness. In other words, Cryptographic Erase is not a shortcut. It is a governed process that must be understood and documented.
Sanitisation as a programme, not a command
A strong theme throughout Revision 2 is that sanitisation is part of a wider media sanitisation programme. Decisions must consider confidentiality impact, whether media is being reused, and whether it is leaving organisational control. Documentation, validation, and clearly defined responsibilities are expected.
This is particularly important for ITAD providers, refurbishers, lease returns, warranty swaps, and cross-border asset movement. In many contexts, loss of control without appropriate sanitisation may constitute a data breach.
Technology-aware decision making
Revision 2 explicitly acknowledges that overwriting does not reliably address overprovisioned areas in SSDs, that hybrid media complicates legacy purge techniques, and that virtual storage may only support Cryptographic Erase. Sanitisation must therefore be matched to the underlying storage technology, not assumed to be universal.
How Genesis supports NIST-aligned workflows
NIST Revision 2 reinforces the need for policy-driven, repeatable sanitisation aligned to confidentiality risk. Genesis is designed to operationalise that structure.
Genesis enables organisations to apply consistent workflows aligned to Clear or Purge-level techniques, execute device-aware erase commands suited to the media, and log and verify each action. Detailed reporting and certificate-style outputs provide the audit trail required for compliance and customer scrutiny.
By reducing reliance on individual engineer judgement and embedding structured process into day-to-day operations, Genesis helps organisations align with NIST expectations while preserving the economic and sustainability benefits of secure reuse.
In short, Revision 2 makes it clear that sanitisation must be defensible, documented, and technology-aware. Genesis provides the framework to make that practical at scale.