Guidance for NIST 800-171 Assessment & Compliance
Applicable (Y)es / (N)o |
(C)onfidentiality |
(I)ntegrity |
(A)vailability |
RPN (C+I+A) |
(S)atisfactory |
||||||
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
L1 |
M2 |
H3 |
(O)ther than satisfactory +## |
||
|
|
|
|
|
|
|
|
|
|
|
|
###
mp-8 |
media downgrading |
||
|
assessment objective: Determine if the organization: |
||
mp-8(a) |
mp-8(a)[1] |
defines the information system media downgrading process; |
|
mp-8(a)[2] |
defines the strength and integrity with which media downgrading mechanisms are to be employed; |
||
mp-8(a)[3] |
establishes an organization-defined information system media downgrading process that includes employing downgrading mechanisms with organization-defined strength and integrity; |
||
mp-8(b) |
ensures that the information system media downgrading process is commensurate with the: |
||
mp-8(b)[1] |
security category and/or classification level of the information to be removed; |
||
mp-8(b)[2] |
access authorizations of the potential recipients of the downgraded information; |
||
mp-8(c) |
identifies/defines information system media requiring downgrading; and |
||
mp-8(d) |
downgrades the identified information system media using the established process. |
||
potential assessment methods and objects: Examine: [select from: Information system media protection policy; procedures addressing media downgrading; system categorization documentation; list of media requiring downgrading; records of media downgrading; audit records; other relevant documents or records]. Interview: [select from: Organizational personnel with information system media downgrading responsibilities; organizational personnel with information security responsibilities; system/network administrators]. Test: [select from: Organizational processes for media downgrading; automated mechanisms supporting and/or implementing media downgrading]. |
|||
