MP-8: Media Downgrading
Control Family:
Threats Addressed:
Baselines:
- Low
N/A
- Moderate
N/A
- High
N/A
- Privacy
N/A
Previous Version:
- NIST Special Publication 800-53 Revision 4:
- MP-8: Media Downgrading
Control Statement
- Establish [Assignment: organization-defined system media downgrading process] that includes employing downgrading mechanisms with strength and integrity commensurate with the security category or classification of the information;
- Verify that the system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
- Identify [Assignment: organization-defined system media requiring downgrading]; and
- Downgrade the identified system media using the established process.
Supplemental Guidance
Media downgrading applies to digital and non-digital media subject to release outside of the organization, whether the media is considered removable or not. When applied to system media, the downgrading process removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading ensures that empty space on the media is devoid of information.
Control Enhancements
MP-8(1): Documentation of Process
Baseline(s):
Document system media downgrading actions.
MP-8(2): Equipment Testing
Baseline(s):
Test downgrading equipment and procedures [Assignment: organization-defined frequency] to ensure that downgrading actions are being achieved.
MP-8(3): Controlled Unclassified Information
Baseline(s):
Downgrade system media containing controlled unclassified information prior to public release.
MP-8(4): Classified Information
Baseline(s):
Downgrade system media containing classified information prior to release to individuals without required access authorizations.