NIST published SP 800-88 Revision 2 in September 2025, replacing Revision 1. The update moves the emphasis from a list of hands-on techniques toward an organization-wide media sanitization program. That distinction matters during data center decommissioning: removing hardware and protecting the information on that hardware are connected, but they are not the same task.
Start with policy, not the loading dock
Before a device is disconnected, the organization should know what it is, who owns it, whether it contains data and what its approved destination will be. Inventory quality drives every later decision.
Classify assets into operationally useful groups:
- Reuse or redeployment
- Lease return or vendor return
- Resale or donation
- Recycling
- Destruction
- Hold for investigation, legal or business reasons
Data sensitivity and the intended destination help determine the required sanitization outcome. A device approved for internal reuse may follow a different path from media leaving organizational control.
What Revision 2 changes
NIST SP 800-88 Rev. 2 focuses on establishing and maintaining a media sanitization program aligned with cybersecurity and storage-security practices. It updates guidance around cryptographic erase and points organizations toward relevant standards and approved methods rather than presenting one universal tool list.
For a decommissioning project, that means the statement “drives will be wiped” is not enough. The customer’s program should define:
- Authority and responsibility
- Approved sanitization standards and tools
- Validation requirements
- Evidence and record retention
- Handling of failed or inaccessible media
- Requirements for downstream vendors
The field team executes within that program; it should not invent policy during removal.
Separate physical work from data decisions
The physical scope can include tracing, shutdown verification, disconnection, unracking, serial capture, packing and staging. Media decisions require explicit authorization. Color-coded labels, locked containers and controlled staging can prevent assets from entering the wrong disposition stream.
Chain-of-custody records should identify who transferred what, when, where and for which destination. The required level of detail depends on the organization and risk, but it should be decided before trucks arrive.
Validate the empty space
Closeout is more than an asset list. Check racks, overhead pathways, underfloor areas, storage rooms and receiving spaces for overlooked equipment or media. Confirm what cabling, cabinets and facility components are meant to remain.
Reconcile planned quantities with removed quantities and exceptions. Preserve certificates or validation records from the party responsible for sanitization, destruction or recycling.
A better decommissioning question
Do not ask only, “How quickly can the room be cleared?” Ask whether each asset has an owner, approved state, data-handling path and evidence requirement. Speed follows a clear decision structure.
Data Infra provides data center decommissioning, equipment removal and documented handoff support under the customer’s approved media and disposition policy.