National Vulnerability Database

National Vulnerability Database

National Vulnerability
Database

NIST Special Publication 800-53 (Rev. 4)

Security Controls and Assessment Procedures for Federal Information Systems and Organizations

MP-8 MEDIA DOWNGRADING

Family:
MP - MEDIA PROTECTION
Class:
Priority:
P0 - Unspecified priority.
Baseline Allocation:
Low Moderate High
N/A N/A N/A

Control Description

The organization:

a. Establishes [Assignment: organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [Assignment: organization-defined strength and integrity];

b. Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;

c. Identifies [Assignment: organization-defined information system media requiring downgrading]; and

d. Downgrades the identified information system media using the established process.

Supplemental Guidance

This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information.

Related to:

Control Enhancements

MP-8(1) MEDIA DOWNGRADING | DOCUMENTATION OF PROCESS
The organization documents information system media downgrading actions.
Supplemental Guidance: Organizations can document the media downgrading process by providing information such as the downgrading technique employed, the identification number of the downgraded media, and the identity of the individual that authorized and/or performed the downgrading action.
MP-8(2) MEDIA DOWNGRADING | EQUIPMENT TESTING
The organization employs [Assignment: organization-defined tests] of downgrading equipment and procedures to verify correct performance [Assignment: organization-defined frequency].
MP-8(3) MEDIA DOWNGRADING | CONTROLLED UNCLASSIFIED INFORMATION
The organization downgrades information system media containing [Assignment: organization-defined Controlled Unclassified Information (CUI)] prior to public release in accordance with applicable federal and organizational standards and policies.
MP-8(4) MEDIA DOWNGRADING | CLASSIFIED INFORMATION
The organization downgrades information system media containing classified information prior to release to individuals without required access authorizations in accordance with NSA standards and policies.
Supplemental Guidance: Downgrading of classified information uses approved sanitization tools, techniques, and procedures to transfer information confirmed to be unclassified from classified information systems to unclassified media.

References

None.