What a NIST 800-88 wipe certificate actually contains

Auditors love evidence; they tolerate explanations. So when a device leaves a fleet, the certificate of destruction is the artefact that closes the loop, and the artefact that gets opened first in the audit packet.

A NIST 800-88-aligned wipe certificate, in our format, contains: device serial, asset tag, sanitisation method (purge or clear), tooling and version, operator initials, date and time, and the result code. It is signed digitally and tied to a per-fleet evidence ledger so an auditor can pull a date range and see every offboarded unit.

What it does not contain — because the standard does not require it and pretending it does would be unhelpful — is a forensic-grade attestation of physical destruction. For that, the device routes through a certified facility and you get a separate physical-destruction certificate. We bill that as a passthrough; it is genuinely not where we want to make margin.

Most regulated KR customers we work with are satisfied with the digital certificate plus a quarterly export. Defense and a few national-financial use cases require both layers. Either is fine — what matters is that the choice is documented before the first unit ships, not negotiated during the audit.