The organization:
-
a: Establishes [organization-defined information system media downgrading process] that includes employing downgrading mechanisms with [organization-defined strength and integrity];
-
b: Ensures that the information system media downgrading process is commensurate with the security category and/or classification level of the information to be removed and the access authorizations of the potential recipients of the downgraded information;
-
c: Identifies [organization-defined information system media requiring downgrading]; and
-
d: Downgrades the identified information system media using the established process.
Supplemental
This control applies to all information system media, digital and non-digital, subject to release outside of the organization, whether or not the media is considered removable. The downgrading process, when applied to system media, removes information from the media, typically by security category or classification level, such that the information cannot be retrieved or reconstructed. Downgrading of media includes redacting information to enable wider release and distribution. Downgrading of media also ensures that empty space on the media (e.g., slack space within files) is devoid of information.