
IEEE 2883-2022

IEEE Standard 2883-2022, published in 2022, is the current authoritative standard for sanitising solid-state storage — SSDs, NVMe drives, and self-encrypting drives based on NAND flash.

It supersedes the older NIST SP 800-88 SSD guidance and corrects the longstanding error of treating solid-state media as if it were spinning disk. Maxicom applies IEEE 2883-2022 to every retiring SSD/NVMe drive in our pipeline; the firmware Sanitize command and its verification response are documented on every per-asset certificate.

Why SSDs cannot be reliably overwritten

SSDs use wear-levelling, over-provisioning, and bad-block remapping. A logical overwrite written to a particular Logical Block Address (LBA) does not necessarily overwrite the underlying flash cell — the controller may write to a fresh cell while the original retains the data. Multi-pass overwrite (DoD 5220.22-M, Gutmann) is therefore not appropriate for SSDs. The amount of "hidden" capacity in over-provisioning on enterprise SSDs is typically 7-28% of advertised capacity; data sitting in those reserved cells is invisible to logical-level overwrite. IEEE 2883-2022 was published specifically to address this.

The two Sanitize commands defined by IEEE 2883-2022

BLOCK ERASE — issues an erase to every flash cell on the drive, including over-provisioned regions. Returns the drive to factory state. Time-to-completion varies by capacity and controller: typically 30 seconds to several minutes for an enterprise SSD. The certificate captures the start and completion timestamps.

CRYPTO ERASE — destroys the internal Media Encryption Key (MEK) used by the drive's self-encryption layer. Once the MEK is gone, all the encrypted ciphertext on the flash cells is unrecoverable in cryptographically meaningful timescales (i.e. forever, for AES-256). Time-to-completion: microseconds. The certificate captures the encryption algorithm (typically AES-256-XTS for SED SSDs), the key destruction method, and the verification response.

Protocol-level Sanitize implementation

NVMe → NVMe Sanitize command (specification revision 1.3 onward).

SAS SSD → SCSI Sanitize command.

SATA SSD → ATA Sanitize command.

Maxicom executes the protocol-appropriate command via vendor-supplied tooling (Dell, HPE, Samsung, Micron, Intel/Solidigm, Kioxia, WD, Seagate management utilities) and via vendor-neutral tooling (Parted Magic, hdparm with sanitize support, nvme-cli). The certificate names the tool used and the protocol command issued.

Verification per IEEE 2883-2022

IEEE 2883-2022 requires verification of Sanitize completion. Verification is the read-back of representative blocks confirming the original data is no longer present, plus capture of the controller-reported Sanitize status code confirming completion without errors. Maxicom captures both: the controller status response and a verification-block read-back. The certificate names both verification steps.

Where IEEE 2883-2022 fits relative to NIST 800-88 Rev. 1

NIST 800-88 Rev. 1 (2014) is the universal sanitisation framework; it points to firmware-based methods for SSDs but predates the formal IEEE 2883 specification. IEEE 2883-2022 is the SSD-specific specification that formalises the methods NIST 800-88 Rev. 1 pointed to. The two standards are compatible and complementary — NIST 800-88 Rev. 1 establishes the framework; IEEE 2883-2022 establishes the SSD-specific method. Maxicom certificates name both standards where applicable.

Regulator stack — by region

Regulator stack matrix: NIST, IEEE, NAID-grade, plus local privacy and sector regulators. Every Maxicom certificate is admissible against the full stack simultaneously.

UNIVERSAL: NIST SP 800-88 Rev. 1 · IEEE 2883-2022 · DoD 5220.22-M · NAID-grade Protocol

🇮🇳 INDIA (INR · IST). Privacy: DPDPA 2023. BFSI: RBI IT-Risk. Sector-specific: SEBI · IRDAI · CERT-In · CPCB

🇨🇦 CANADA (CAD · EST). Privacy: PIPEDA · Quebec Law 25. BFSI: OSFI Guideline B-13. Sector-specific: PIPA (AB/BC) · PHIPA · ITSG-33

🇸🇬 SINGAPORE (SGD · SGT). Privacy: PDPA Section 24. BFSI: MAS TRM. Sector-specific: IMDA · NEA Resource Sustainability Act

🇦🇪 UAE (AED · GST). Privacy: UAE PDPL Article 21. BFSI: Central Bank UAE. Sector-specific: TDRA · DIFC DPL · ADGM · NESA

Reviewed by the Maxicom compliance desk. Last updated April 2026.
Operates to NIST 800-88 · UU PDP · OJK · BSSN · Permen LHK 6/2021 · IEEE 2883-2022
Frequently asked questions

What is the difference between Block Erase and Crypto Erase under IEEE 2883?

Block Erase issues an erase command to every flash cell — the data is physically erased. Time-to-completion: 30 seconds to several minutes. Crypto Erase destroys the Media Encryption Key — the data on flash is still there but encrypted under a destroyed key, so unrecoverable. Time-to-completion: microseconds. For drives that were operating with self-encryption enabled, both achieve the same end state; Crypto Erase is faster.

Is IEEE 2883-2022 mandatory, or just recommended?

It is the current authoritative standard for SSD sanitisation and is referenced by NIST 800-88 Rev. 1 as the firmware-based method. Most regulators in our markets accept IEEE 2883-2022 Sanitize as compliant under their SSD-specific rules. Where a contract specifies an older standard (DoD 5220 multi-pass overwrite for SSDs) we issue an exception note documenting why IEEE 2883 is being applied instead, with the data owner's acknowledgement.

Does IEEE 2883-2022 apply to memory-class devices like Optane PMem?

For Intel Optane Persistent Memory (3D XPoint based) operating in App Direct mode (data-bearing), the analogous Sanitize is via the Intel ipmctl tool. Optane PMem is not flash, so it is technically outside IEEE 2883 scope, but the principle is the same. We document this on the per-DIMM certificate.

What about USB flash drives and SD cards?

IEEE 2883-2022 applies in principle but consumer-grade flash storage frequently does not implement the firmware Sanitize command. For these devices NIST 800-88 Rev. 1 explicitly recommends Destroy rather than attempt Purge. Maxicom routes consumer flash to physical destruction.

How do I verify the Sanitize actually completed?

The drive controller returns a status code on Sanitize completion (NVMe: SANITIZE STATUS; SCSI: REQUEST SENSE; ATA: SANITIZE STATUS). Maxicom captures the status code on every certificate, plus a representative-block read-back as a verification step.
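
The two checks described in this answer and in the "Verification per IEEE 2883-2022" section, sketched for NVMe as an added example (not Maxicom's tooling and not text from the standard): it decodes the controller's Sanitize Status log page (log identifier 81h, field layout per the NVMe base specification) and compares read-back blocks with digests recorded before sanitisation. The function names, the sample bytes and the pass/fail policy are assumptions.

```python
import hashlib
import struct

# SSTAT bits 2:0: status of the most recent sanitize operation
SSTAT_STATES = {0: "never sanitized", 1: "completed successfully", 2: "in progress",
                3: "failed", 4: "completed successfully (no deallocate)"}
# SCDW10 bits 2:0: sanitize action that was requested
SANACT = {1: "exit failure mode", 2: "block erase", 3: "overwrite", 4: "crypto erase"}


def parse_sanitize_status(log: bytes) -> dict:
    """Decode SPROG, SSTAT and SCDW10 from the first 8 bytes of log page 81h."""
    if len(log) < 8:
        raise ValueError("Sanitize Status log page is truncated")
    sprog, sstat, scdw10 = struct.unpack_from("<HHI", log, 0)
    return {
        "progress": sprog / 65536,  # fraction complete, only meaningful in progress
        "state": SSTAT_STATES.get(sstat & 0x7, "reserved"),
        "action": SANACT.get(scdw10 & 0x7, "reserved"),
    }


def verify_sanitize(log, expected_action, readback, pre_digests):
    """Return (ok, reasons). Policy here is an assumption, not text from the standard."""
    status = parse_sanitize_status(log)
    reasons = []
    if not status["state"].startswith("completed successfully"):
        reasons.append(f"controller reports: {status['state']}")
    if status["action"] != expected_action:
        reasons.append(f"last action was {status['action']}, expected {expected_action}")
    for lba, data in sorted(readback.items()):
        # A sampled block that still hashes to its pre-sanitize digest was not erased.
        if hashlib.sha256(data).hexdigest() == pre_digests.get(lba):
            reasons.append(f"LBA {lba}: original data still readable")
    return (not reasons, reasons)


# Constructed sample data (not captured from a real drive).
ORIGINAL = b"constructed customer record".ljust(512, b"\x00")
PRE = {0: hashlib.sha256(ORIGINAL).hexdigest()}
GOOD_LOG = struct.pack("<HHI", 0xFFFF, 0x0001, 0x4)    # completed, crypto erase
FAILED_LOG = struct.pack("<HHI", 0xFFFF, 0x0003, 0x2)  # failed, block erase

if __name__ == "__main__":
    print(verify_sanitize(GOOD_LOG, "crypto erase", {0: bytes(512)}, PRE))
    print(verify_sanitize(FAILED_LOG, "block erase", {0: ORIGINAL}, PRE))
```

Comparing against pre-sanitize digests rather than expecting zeros keeps the check valid after a Crypto Erase, where read-back may return undecryptable data instead of an erased pattern.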

What about emerging storage classes — CXL memory, computational storage drives?

IEEE 2883-2022 covers solid-state storage broadly; emerging classes are accommodated as the controller exposes Sanitize. For CSDs and CXL-attached storage we work to the device-specific firmware command set; the certificate names the device class and the sanitise method.

When you are ready

Send the asset list. We will send the number.

A photograph of the rack works. A spreadsheet works better. IDR settlement, against PO.

purchase@maxicomglobal.com · 1 business day