3.8.9—Media Protection - Derived
Derived Requirement
Control Description
Protect the confidentiality of backup CUI at storage locations.
Discussion
Organizations can employ cryptographic mechanisms or alternative physical controls to protect the confidentiality of backup information at designated storage locations. Backed-up information containing CUI may include system-level information and user-level information. System-level information includes system-state information, operating system software, application software, and licenses. User-level information includes information other than system-level information.
Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern downgrading of media containing CUI?
- What procedures define media downgrading processes?
- Who has authority to approve media downgrading?
- How do you verify CUI is completely removed before downgrading?
- What governance ensures proper media classification changes?
Technical Implementation:
- What sanitization methods support media downgrading?
- How do you technically verify CUI removal from media?
- What forensic tools confirm complete data removal?
- What controls prevent premature media downgrading?
- How do you re-mark or re-label downgraded media?
Evidence & Documentation:
- Can you provide media downgrading procedures?
- What documentation shows downgrading approvals?
- Can you demonstrate CUI removal verification methods?
- What records track media downgrading activities?
- What audit evidence verifies proper media downgrading?