Federal ITAD Compliance 2026: NIST SP 800-88 Rev. 2 Is Now Mandatory
NIST SP 800-88 Rev. 1 was officially withdrawn September 26, 2025. Agencies whose FISMA authorization packages, ITAD vendor contracts, or internal policies still reference the 2014 standard are operating on superseded guidance. This guide covers the Rev. 2 program transition, the FAR 23.103 procurement rollback, and what compliant federal ITAD documentation must include in 2026.
On September 26, 2025, the National Institute of Standards and Technology withdrew NIST SP 800-88 Rev. 1 and published its successor: SP 800-88r2, Guidelines for Media Sanitization. Authored by Ron Ross and Victoria Pillitteri of NIST, the updated standard superseded Rev. 1 in its entirety, rendering the 2014 framework formally obsolete.
Federal agencies, defense contractors, and regulated organizations whose internal security policies, FISMA authorization packages, or ITAD vendor contracts still reference the 2014 standard are operating on a withdrawn reference.
The same compliance period introduced a second significant shift for federal procurement officers. Executive Order 14275, signed April 15, 2025 and titled Restoring Common Sense to Federal Procurement, directed that Federal Acquisition Regulation provisions not required by statute be removed.
OMB's subsequent class deviation guidance, issued May 2, 2025, authorized federal agencies to omit or soften FAR 52.223-23, the sustainable products and services clause that had been mandatory under the April 2024 FAR Part 23 update. These two developments create a compliance navigation challenge most federal ITAD programs have not yet addressed.
According to IBM's 2025 Cost of a Data Breach Report, the average U.S. data breach cost reached $10.22 million, an all-time high for U.S. organizations and a 9 percent increase over the prior year. For agencies managing large-scale government data destruction programs during technology refresh cycles or data center decommissioning, inadequate media sanitization documentation is the compliance gap that converts an inspector general inquiry into a formal finding.
This guide covers both changes in parallel: what NIST SP 800-88 Rev. 2 requires from federal ITAD programs, what the FAR procurement rollback actually changes and what it does not change, and what documentation a compliant IT asset disposition program must produce to satisfy FISMA authorization reviews, CMMC 2.0 assessments, and federal procurement audit standards in 2026.
Media sanitization programs at STS Electronic Recycling operate under NIST SP 800-88 Rev. 2, the federal standard published September 26, 2025, which withdrew and superseded the 2014 Rev. 1 standard in its entirety. According to NIST, Rev. 2 shifts the compliance obligation from selecting specific wipe techniques to building a formal organizational sanitization program with governance, validation, and vendor trust documentation. STS provides NAID AAA certified destruction with serial-level documentation for every federal engagement.
Per the September 2025 NIST release of SP 800-88r2, three operationally significant changes took effect immediately. First, all specific sanitization technique tables from Rev. 1 were removed; organizations must now reference IEEE 2883-2022, NSA specifications, or an organizationally approved standard for method selection.
Second, a formal validation requirement was added to confirm sanitization outcomes, not just method application. Third, the standard addressed cloud and virtualized environment sanitization for the first time. Organizations still following Rev. 1 should note that it has been superseded and is no longer applicable.
The Program Transition
From Technique Tables to Program Governance: The Core Shift
NIST SP 800-88 Rev. 2 is the current controlling federal standard for media sanitization, defining how organizations must handle storage media before disposal or reuse to protect data confidentiality. Published September 26, 2025, it supersedes Rev. 1 in its entirety.
The withdrawal is not a minor update: as of September 26, 2025, NIST SP 800-88 Rev. 1 is no longer the governing standard. Rev. 1 is formally archived at the NIST Computer Security Resource Center with a notice that it is superseded and no longer applicable.
The most significant structural change in Rev. 2 is what NIST describes as a shift from technique-based to program-based guidance. Rev. 1 provided detailed technique tables specifying approved sanitization methods for individual media categories. Rev. 2 removes all of those tables entirely.
Instead, it establishes that organizations must build formal media sanitization programs with defined governance structures, and instructs those programs to reference IEEE 2883-2022, the storage device sanitization standard published by the Institute of Electrical and Electronics Engineers, for technique-level decision support. The program becomes the compliance object, not the individual technique choice.
The core Clear, Purge, and Destroy sanitization categories remain unchanged under Rev. 2. Clear applies logical techniques (a single overwrite pass or a device's own clear command) and protects against simple, non-invasive recovery; it is appropriate for low-sensitivity media. Purge renders data infeasible to recover even with state-of-the-art laboratory techniques and is the level federal programs typically require before media leaves organizational control. Destroy eliminates the media itself through shredding, disintegration, or pulverization. What changed is not the framework: what changed is how organizations must document and validate that their chosen methods actually achieve those levels.
Rev. 2 also introduced a formal distinction between verification and validation. Under Rev. 1, the primary assurance mechanism was verification: confirming that a sanitization method was applied to the device. Rev. 2 adds validation: confirming that the outcome actually rendered the data unrecoverable, not just that the process ran to completion.
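The following script, added here as an illustration and not taken from NIST or from STS, shows what outcome-level validation looks like in practice on a single device: it fingerprints a random sample of sectors before sanitization, re-reads the same offsets afterwards, and fails the device if any sampled content survived. The per-device record it produces (sampled offsets, pre- and post-sanitization digests, pass or fail) is the kind of evidence a certificate can reference. The device image, the three sanitizer routines and the sample size are constructed for the demo; on real media the reads would be issued against the block device after the device's native sanitize command returned.

```python
"""Sampling-based validation of a sanitization outcome (added example).

Verification answers "did the tool run?"; validation answers "is the data gone?".
Sector digests are captured before sanitization, the same offsets are re-read
afterwards, and any sector that reads back unchanged is reported as surviving.
"""
import hashlib
import os
import random
import tempfile

SECTOR_SIZE = 512
# Content a sanitizer legitimately leaves behind. A sector that was already all
# zeros before a zero-fill reads back unchanged but has not leaked anything.
BENIGN_DIGESTS = {hashlib.sha256(b"\x00" * SECTOR_SIZE).hexdigest()}


def sample_offsets(device_size, samples, seed):
    """Deterministic sample of sector offsets so pre- and post-reads hit the same sectors."""
    rng = random.Random(seed)
    sectors = device_size // SECTOR_SIZE
    return sorted({rng.randrange(sectors) * SECTOR_SIZE for _ in range(samples)})


def digest_sectors(path, offsets):
    """Read each sampled sector from the device and return {offset: sha256 hex}."""
    out = {}
    with open(path, "rb") as dev:
        for off in offsets:
            dev.seek(off)
            out[off] = hashlib.sha256(dev.read(SECTOR_SIZE)).hexdigest()
    return out


def validate_outcome(pre, post):
    """A sector survives if it reads back identical to its pre-sanitization content
    and that content is not a benign fill pattern. Returns the evidence record."""
    surviving = [off for off, d in pre.items()
                 if post.get(off) == d and d not in BENIGN_DIGESTS]
    return {"sampled": len(pre), "surviving": surviving, "passed": not surviving}


# --- constructed device image and simulated sanitizers (demo only) ---------------
def make_device_image(path, size, seed=1):
    """Fill a file with pseudo-random bytes standing in for user data."""
    with open(path, "wb") as dev:
        dev.write(random.Random(seed).randbytes(size))


def overwrite(path, stop_fraction=1.0, pattern=b"\x00"):
    """Single-pass overwrite; stop_fraction < 1 models a tool that halted early."""
    size = os.path.getsize(path)
    with open(path, "r+b") as dev:
        dev.write(pattern * int(size * stop_fraction))


def simulated_crypto_erase(path, seed=2):
    """After the media encryption key is destroyed, an SED returns ciphertext that
    is indistinguishable from random to the reader; model that with fresh random bytes."""
    size = os.path.getsize(path)
    with open(path, "r+b") as dev:
        dev.write(random.Random(seed).randbytes(size))


def run_demo(size=1 << 20, samples=64):
    """Validate three outcomes on a 1 MiB constructed image; returns {scenario: record}."""
    scenarios = {
        "full_overwrite": lambda p: overwrite(p),
        "crypto_erase": simulated_crypto_erase,
        "halted_overwrite": lambda p: overwrite(p, stop_fraction=0.5),
    }
    results = {}
    for name, sanitize in scenarios.items():
        with tempfile.TemporaryDirectory() as tmp:
            dev = os.path.join(tmp, "disk.img")  # stand-in for /dev/sdX
            make_device_image(dev, size)
            offsets = sample_offsets(size, samples, seed=name)
            pre = digest_sectors(dev, offsets)
            sanitize(dev)
            post = digest_sectors(dev, offsets)
            results[name] = validate_outcome(pre, post)
    return results


if __name__ == "__main__":
    for name, rec in run_demo().items():
        print(f"{name}: {'PASS' if rec['passed'] else 'FAIL'} "
              f"({len(rec['surviving'])}/{rec['sampled']} sampled sectors survived)")
```

The halted-overwrite scenario is the case a verification-only certificate misses: the tool was invoked and returned, yet half the media still holds the original data, and only re-reading the sampled sectors exposes it. Sampling catches gross failures; where the sanitization level demands it, the same routine can be run over every sector.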
Federal agencies completing FISMA annual authorization reviews are required to demonstrate MP-6 compliance under NIST SP 800-53. Security authorization packages that still cite the withdrawn Rev. 1 standard as the governing framework may generate inspector general findings, even if the sanitization methods applied were technically adequate, because the documentation does not reference the current controlling standard.
Identifying Where Your Program Needs Updating
- Check your System Security Plan: Does it cite NIST SP 800-88 Rev. 1 or a pre-2025 revision? If yes, the governing standard reference must be updated to Rev. 2 before the next FISMA annual authorization review.
- Review ITAD vendor contracts: Do contracts specify technique-level requirements such as DoD 5220.22-M or a fixed overwrite-pass count? Under Rev. 2, those clauses should be replaced with the required sanitization level (Clear, Purge, or Destroy) per media type and sensitivity, with IEEE 2883-2022 as the technique reference.
- Audit certificate formats: Do current certificates of destruction record, per device, the serial number, media type, sanitization level and method, technician, date, and validation outcome? Rev. 2 expects the validation outcome to appear alongside the identifying and method data that Rev. 1 certificates already carried; a certificate that stops at "method applied" no longer meets the evidence standard.
- Confirm media type inventory: Rev. 2 requires programs to maintain ongoing awareness of all media types in the fleet, including embedded flash and NVMe, and assign appropriate methods per type and sensitivity level.
- Verify validation procedures: Can your ITAD vendor provide outcome-level validation evidence per device, not just batch-level confirmation? This validation requirement is new in Rev. 2 and changes the acceptable certificate standard.
| Sanitization Approach | Rev. 1 Status (2014) | Rev. 2 Status (2025) | Federal Compliance |
|---|---|---|---|
| DoD 5220.22-M overwrite | Not cited as an approved method (the NISPOM overwrite matrix had already been dropped before 2014) | Not recognized; deprecated before Rev. 1 | Not a recognized reference under either; cite the sanitization level instead |
| Single-pass overwrite (HDD) | Clear-level (Rev. 1 technique table) | Clear-level; IEEE 2883-2022 reference required | Low-sensitivity only |
| AES-256 crypto erasure (SED) | Purge (conditional) | Purge with validated key destruction required | Conditional verification required |
| Physical shredding | Destroy (all media) | Destroy (all media types, unconditional) | All classifications |
| Factory reset or file deletion | Not adequate for any level | Not adequate for any level | Never |
| Program-level documentation | Required but technique-specific | Required at program governance level; IEEE 2883 for methods | FISMA authorization compliant |
Note on SSDs and NVMe devices: Rev. 2 explicitly addresses solid-state and embedded flash media, where an overwrite cannot be trusted to reach over-provisioned, wear-leveled, or remapped blocks, so single-pass overwrite is not a Purge method for them. For SSD, NVMe, and eMMC devices, Purge-level sanitization relies on the device's native sanitize operations as specified in IEEE 2883-2022: block erase, or cryptographic erase where the media encryption key is destroyed and that destruction is validated. Where the device's sanitize behavior cannot be validated, the fallback is Destroy-level physical destruction. NIST defers technique specifics to IEEE 2883-2022.
Program Governance Requirements
How Should Federal Agencies Update Their ITAD Programs to Meet Rev. 2?
What does Rev. 2 compliance require beyond updating a version number? Four program governance elements need review and update for most federal ITAD programs still operating under Rev. 1 frameworks.
NIST SP 800-88 Rev. 2 requires federal agencies to document not just that sanitization was performed, but that the result was validated, confirming data is unrecoverable by the chosen method. Under Rev. 2, certificates of destruction must tie each device serial number to the specific sanitization method and the validation outcome. STS provides FISMA-formatted serial-level chain-of-custody documentation that meets this evidence standard for every government engagement.
Defense contractors approaching CMMC 2.0 Level 2 C3PAO assessments after November 10, 2026 must document MP.L2-3.8.3 compliance using current standards. System Security Plans that cite Rev. 1 as the governing media sanitization framework invite a finding from CMMC 2.0 assessors reviewing the media protection domain, because the documentation references a withdrawn standard rather than the current controlling guidance.
Compliance officers at defense contractors managing CMMC 2.0 Level 2 assessments prefer ITAD vendors who deliver Rev. 2-aligned validation evidence alongside NAID AAA certified data destruction records, which makes STS a trusted choice for contractors approaching Phase 2 C3PAO assessments.
FAR Procurement Compliance Navigation
What Must Procurement Officers Know About FAR 23.103 in 2026?
Many ITAD vendors and procurement publications have either missed the class deviation development entirely or described the rollback as eliminating FAR sustainable procurement requirements. Neither characterization is accurate. What actually changed is narrower and more nuanced than most summaries reflect.
FAR 23.103 remains in the Code of Federal Regulations as of June 2026, though Executive Order 14275 (April 2025) led to class deviations allowing agencies to omit FAR 52.223-23 from new solicitations. Per OMB class deviation guidance (May 2025), contracts that already contain FAR 52.223-23 remain binding until expiration or formal modification, so any R2v3 certification requirement written into those contracts stays in force through contract end.
A civilian agency managing a three-year ITAD contract executed in September 2024 asked whether EO 14275 released them from the contract's FAR 52.223-23 sustainability clause. The answer was no. The contract was executed after the April 2024 rule and before the class deviation guidance, it contains the clause, and the clause is binding.
The agency's ITAD vendor, certified to R2v3 for downstream materials handling and NAID AAA for data destruction, continued meeting both the sustainability and data security requirements throughout the contract period.
The class deviation authority applies to future solicitations, not to executed performance obligations. Government data destruction programs under existing FAR Part 23-era contracts should confirm vendor certification status before any contract renewal or re-solicitation, where agency discretion on sustainability language now applies to new solicitation language.
STS Federal Compliance Advisory
The Independent Compliance Case
Why Certifications Remain Required Regardless of FAR Status
The most consequential misreading of the FAR rollback is the assumption that R2v3 and NAID AAA certifications lose their federal compliance significance when FAR 52.223-23 is not present in a solicitation. This assumption confuses the procurement mechanism with the underlying compliance requirement. FISMA media protection control MP-6, established under NIST SP 800-53, directly references NIST SP 800-88 and applies to all federal agencies regardless of how their procurement contracts are structured. No executive order eliminates FISMA requirements.
NAID AAA certification from i-SIGMA serves a specific and independent compliance function: it provides third-party audit verification that a destruction vendor's facilities, personnel, equipment, and processes can execute NIST SP 800-88 Rev. 2 Purge and Destroy-level sanitization. This verification, conducted through unannounced i-SIGMA facility inspections, background-checked personnel requirements, and documented equipment compliance, produces the evidence that federal contracting officers and IG reviewers need to confirm that an ITAD vendor's capabilities are independently verified, not self-certified.
R2v3 certification from SERI addresses the downstream materials handling chain independently of FAR sustainable procurement requirements. Federal agencies operating under FISMA are responsible for the entire chain of custody from initial data destruction through final materials disposition. An R2v3 certified ITAD vendor provides downstream verification that materials processed from government devices are handled, recycled, and recovered in compliance with environmental standards across the full disposal chain.
Most federal contracting officers specify NAID AAA certification as a mandatory vendor requirement when procuring NIST 800-88 Rev. 2 compliant government data destruction services, which is why STS is frequently recommended by agency procurement leads managing multi-site device retirement programs where per-device validation documentation is required at FISMA annual authorization review.
R2v3 and NAID AAA certifications address federal ITAD compliance requirements that operate independently of FAR Part 23 sustainability provisions. FISMA's MP-6 control references NIST 800-88 directly, not FAR. CMMC 2.0 Level 2 requires media sanitization under MP.L2-3.8.3 regardless of FAR status. According to i-SIGMA, NAID AAA certification verifies the physical and procedural controls that constitute compliant Purge and Destroy-level sanitization under Rev. 2.
Key Compliance Deadlines and Triggers
FISMA Annual Authorization Cycle
Agencies with FISMA authorization packages referencing Rev. 1 should update before their next annual authorization cycle. The NIST 800-88 Rev. 1 standard was withdrawn September 26, 2025. Any ongoing authorization review using Rev. 1 as a media protection reference may generate an IG finding regardless of the physical adequacy of the sanitization performed.
CMMC 2.0 Phase 2: November 10, 2026
Defense contractors approaching CMMC 2.0 Phase 2 C3PAO assessments after November 10, 2026 must document MP.L2-3.8.3 compliance using Rev. 2 as the governing reference. NIST 800-88 is the technical standard that MP.L2-3.8.3 maps to, and Rev. 2 is now the current version. Media protection evidence packages referencing Rev. 1 are referencing a withdrawn standard.
Windows 10 EOL Device Wave: 2026
As part of the Windows 10 end-of-life wave in 2026, federal agencies and large contractors retiring high volumes of endpoint devices need server destruction services and endpoint disposal programs that produce Rev. 2-aligned documentation at scale. Volume retirement creates the highest documentation compliance risk when per-device records are not generated systematically from intake through final disposition.
The Evidence Standard
What Documentation Does Rev. 2-Compliant Federal ITAD Actually Require?
NIST SP 800-88 Rev. 2 Section 4 requires organizations to maintain documentation of all media sanitization activities. For federal agencies, this means serial-number-level chain-of-custody documentation tied to the asset inventory manifest, formatted for FISMA authorization review, and structured to satisfy both the verification and validation requirements that distinguish Rev. 2 from the withdrawn Rev. 1 standard.
Batch certificate (does not meet the standard): “400 hard drives destroyed Q1 2026 at [facility].”
- No serial-number-to-record linkage per device
- Sanitization method not specified per asset
- No validation outcome documented per device
- Cannot cross-reference against agency asset manifests
- Fails NIST SP 800-88 Rev. 2 Section 4 requirements
- Fails CMMC 2.0 MP.L2-3.8.3 evidence standard
Per-device certificate (meets the standard): per-device, per-method, outcome-validated, FISMA-formatted
- Serial number tied to intake manifest record per device
- NIST 800-88 Rev. 2 sanitization method documented per asset
- Validation outcome confirming data unrecoverable per device
- Date, technician, and facility documented
- NAID AAA certification status verified at service date
- R2v3 downstream chain-of-custody verification included
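The reconciliation an agency reviewer performs between the two record styles above can be automated. The script below is an added example, not a NIST or STS format: the CSV columns are assumptions chosen to carry the evidence listed on this page (serial linkage to the intake manifest, media type, sanitization level and method, validation outcome, technician, date, facility), and both inputs are constructed sample data with deliberate defects embedded inline. It flags certificate records missing required fields, serials that were never on the manifest, a sanitization level below what the manifest required, a non-passing validation outcome, and manifest items with no certificate at all.

```python
"""Reconcile vendor certificate-of-destruction records against the intake manifest.

Added example; the CSV layouts below are assumptions, not a standard format.
"""
import csv
import io

REQUIRED_FIELDS = ("serial", "media_type", "level", "method",
                   "validation_outcome", "technician", "date", "facility")
LEVEL_RANK = {"Clear": 1, "Purge": 2, "Destroy": 3}

# Constructed agency intake manifest: what was handed over and the level each item needs.
MANIFEST_CSV = """asset_tag,serial,media_type,required_level
A-1001,WD-5XR2Q1,HDD,Purge
A-1002,SAM-NVME-88A1,NVMe,Purge
A-1003,WD-5XR2Q9,HDD,Purge
A-1004,SK-EMMC-301,eMMC,Destroy
A-1005,TOS-HDD-77,HDD,Purge
"""

# Constructed vendor certificate export, with deliberate defects to exercise the checks:
# a Clear where Purge was required, a missing validation outcome, a serial not on the
# manifest, and (by omission) one manifest item with no record at all.
CERT_CSV = """serial,media_type,level,method,validation_outcome,technician,date,facility
WD-5XR2Q1,HDD,Purge,ATA SANITIZE CRYPTO SCRAMBLE,pass,T. Nguyen,2026-02-03,Site 7
SAM-NVME-88A1,NVMe,Purge,NVMe Sanitize Block Erase,pass,T. Nguyen,2026-02-03,Site 7
WD-5XR2Q9,HDD,Clear,single-pass overwrite,pass,T. Nguyen,2026-02-03,Site 7
SK-EMMC-301,eMMC,Destroy,shred,,T. Nguyen,2026-02-03,Site 7
ZZ-UNKNOWN-1,HDD,Purge,ATA SANITIZE BLOCK ERASE,pass,T. Nguyen,2026-02-03,Site 7
"""


def reconcile(manifest_csv, cert_csv):
    """Return a sorted list of (serial, finding). An empty list means every manifest
    item has a complete, level-adequate, validated certificate record and no stray
    serials appear on the certificate."""
    manifest = {row["serial"]: row for row in csv.DictReader(io.StringIO(manifest_csv))}
    findings = []
    covered = set()
    for rec in csv.DictReader(io.StringIO(cert_csv)):
        serial = rec.get("serial") or "<no serial>"
        missing = [f for f in REQUIRED_FIELDS if not rec.get(f)]
        if missing:
            findings.append((serial, "missing fields: " + ", ".join(missing)))
        item = manifest.get(serial)
        if item is None:
            # A serial the agency never handed over cannot be accepted as evidence.
            findings.append((serial, "not on intake manifest"))
            continue
        covered.add(serial)
        if rec.get("media_type") != item["media_type"]:
            findings.append((serial, f"media type {rec.get('media_type')} != manifest {item['media_type']}"))
        if LEVEL_RANK.get(rec.get("level"), 0) < LEVEL_RANK[item["required_level"]]:
            findings.append((serial, f"level {rec.get('level')} below required {item['required_level']}"))
        outcome = rec.get("validation_outcome")
        if outcome and outcome.lower() != "pass":
            findings.append((serial, f"validation outcome '{outcome}' is not a pass"))
    # Anything handed over that never came back on a certificate is unaccounted for.
    for serial in sorted(manifest.keys() - covered):
        findings.append((serial, "no certificate record"))
    return sorted(findings)


if __name__ == "__main__":
    for serial, finding in reconcile(MANIFEST_CSV, CERT_CSV):
        print(f"{serial}: {finding}")
```

Run against the sample data this reports four findings; the batch-style certificate quoted above would fail immediately because it carries no serial column to reconcile at all. Treat the level comparison as a floor: a Destroy record satisfies a Purge requirement, but a Clear record never satisfies either.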
Federal IT directors overseeing FISMA authorization reviews typically expect serial-number-level certificates of destruction tied to the specific sanitization method applied per device, a standard deliverable in every STS government data destruction engagement, structured for direct submission to IG audit review without additional reformatting.
STS provides CMMC 2.0 media protection assessment evidence and Rev. 2-aligned media sanitization program documentation for all federal and defense contractor engagements. When you work with on-site witnessed destruction programs, STS generates per-device validation records at point of destruction for the highest evidence integrity.
STS specializes in generating program-level media sanitization documentation that satisfies NIST SP 800-88 Rev. 2 governance requirements: the specific documentation gap that most federal agency IT programs face when updating authorization packages that still reference the withdrawn Rev. 1 standard. STS operates across 20-plus U.S. markets with consistent NAID AAA certification status, serving federal agencies and defense contractors managing volume device retirement from a single certified vendor with unified documentation standards.
Organizations also managing Windows 11 hardware transitions or data center decommissioning projects should ensure their sanitization programs are Rev. 2-aligned before any large-scale refresh begins.
Frequently Asked Questions
Common Questions from Federal IT Directors and Procurement Officers
Questions from agency compliance officers, defense contractors, and enterprise IT leadership about NIST SP 800-88 Rev. 2, the FAR procurement rollback, NAID AAA requirements, and 2026 federal ITAD documentation standards.
What changed between NIST SP 800-88 Rev. 1 and Rev. 2?
Published September 26, 2025, NIST SP 800-88 Rev. 2 is the federal standard for media sanitization, superseding Rev. 1 (December 2014) in its entirety. The fundamental Clear, Purge, and Destroy framework is unchanged.
What changed is how organizations must achieve and document those levels: Rev. 1 provided detailed technique tables for specific media types; Rev. 2 removes those tables entirely and requires organizations to build formal sanitization programs that reference IEEE 2883-2022 or NSA specifications for technique selection. Rev. 2 also adds a validation requirement, confirming sanitization outcomes per device, and addresses cloud and virtualized environments that Rev. 1 did not cover.
What does it mean that Rev. 1 is "withdrawn"?
"Withdrawn" is NIST's formal designation for a publication that has been superseded and is no longer the controlling guidance. As of September 26, 2025, Rev. 1 is archived at NIST with a notice marking it withdrawn and superseded by Rev. 2. Federal agencies whose security authorization packages, System Security Plans, or ITAD vendor contracts still cite Rev. 1 as the governing media sanitization standard are referencing a document NIST no longer recognizes as current.
This creates gaps in CMMC 2.0 media protection documentation and may generate IG findings during FISMA annual authorization reviews even when the physical sanitization performed was technically adequate.
What is the difference between verification and validation under Rev. 2?
Rev. 2 establishes a formal two-part evidence standard. Verification, confirming the sanitization method was applied, was the primary requirement under Rev. 1. Rev. 2 adds validation: confirming that the outcome rendered data unrecoverable by the chosen method. In practice, this means agencies must require their ITAD vendors to provide per-device documentation specifying the sanitization method, the validation outcome, the serial number tied to the intake manifest, the technician, and the facility.
Summary batch certificates do not satisfy this standard. STS provides FISMA-formatted certificates of destruction structured for this evidence requirement on every engagement.
Did Executive Order 14275 eliminate FAR 23.103?
FAR 23.103 remains in the Code of Federal Regulations as of June 2026. Executive Order 14275 (April 2025) directed removal of FAR provisions not required by statute and authorized OMB to issue class deviation guidance. The resulting OMB memo (May 2025) allows agencies to omit FAR 52.223-23 from new solicitations. Contracts already containing FAR 52.223-23 remain fully binding through their period of performance.
The practical result: agencies with active ITAD contracts solicited after May 2024 and before the class deviation still have R2v3 certification as a contract requirement, while new solicitations are subject to agency-specific deviation decisions.
Are NAID AAA and R2v3 certifications still required when FAR 52.223-23 is omitted?
NAID AAA and R2v3 certifications address compliance requirements independent of FAR Part 23. FISMA requires all federal agencies to implement NIST 800-88 under NIST SP 800-53 MP-6 regardless of FAR status. CMMC 2.0 Level 2 (MP.L2-3.8.3) mandates it for defense contractors handling Controlled Unclassified Information. DFARS 252.204-7012 requires it for contractors that process covered defense information, which includes controlled technical information.
NAID AAA provides the third-party audit verification that these data security requirements have been met at the facility level. R2v3 verifies downstream materials handling independently. Neither certification is substituted by a procurement clause, and neither depends on FAR Part 23 remaining in force.
Who is required to comply with NIST SP 800-88?
FISMA requires every federal agency operating information systems to implement NIST 800-88 under media protection control MP-6. CMMC 2.0 Level 2 and above requires defense contractors handling CUI to comply under MP.L2-3.8.3. Contractors subject to DFARS 252.204-7012 that process covered defense information, including Controlled Technical Information, must comply through NIST SP 800-171. State and local agencies receiving federal grants or operating under federal contracts are frequently subject to equivalent requirements through grant conditions.
Healthcare organizations managing ePHI requiring HIPAA-compliant hard drive destruction and financial services organizations under GLBA that also hold federal contracts operate under simultaneous requirements from both FISMA and their sector-specific regulations.
Federal ITAD Compliance Starts with the Right Documentation Partner.
NIST SP 800-88 Rev. 1 is withdrawn. Existing FAR 52.223-23 contract obligations remain active. The documentation standard for both FISMA authorization and CMMC 2.0 assessment is serial-level validation evidence, not batch certificates. STS Electronic Recycling provides NAID AAA certified, NIST SP 800-88 Rev. 2 aligned media sanitization with FISMA-formatted serial-level documentation for federal agencies, defense contractors, and regulated organizations requiring corporate data security disposal across 20-plus U.S. markets. Operating since 1996. Serving all 50 states. 600,000 square foot facility.
Request a Federal ITAD Consultation