MP-8: Media Downgrading

Control Family:

Media Protection

CSF v1.1 References:

CSF v2.0 References:

PF v1.0 References:

Threats Addressed:


  • Low


  • Moderate


  • High


  • Privacy


Previous Version:

Control Statement

  1. Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;
  2. Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
  3. Identify [Assignment: organization-defined system media requiring downgrading]; and
  4. Downgrade the identified system media using the established process.

Supplemental Guidance

Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information.

Control Enhancements

MP-8(2): Equipment Testing


(Not part of any baseline)

Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved.

MP-8(4): Classified Information


(Not part of any baseline)

Downgrade system media containing classified information prior to release to individuals without required access authorizations.