Check media containing diagnostic and test programs for malicious code before use
What This Means
This practice requires organizations to scan any media (such as USB drives, CDs, or external hard drives) that carries diagnostic or test programs for malicious code before that media is used on their systems. The point is that maintenance media is a direct path into otherwise protected machines: a technician's USB drive moves between many hosts, often including ones outside the organization, and anything on it runs with a privileged user sitting at the console. For example, if a technician uses a USB drive to run a diagnostic tool on a server, the drive must first be scanned for viruses or other malicious code. This is critical because malware introduced this way can spread quickly across networks, leading to data breaches or system downtime. Think of it as 'washing your hands before touching sensitive equipment': a simple step that prevents potential harm.
Why It Matters
Failing to scan media for malicious code can result in malware infections, data breaches, and operational disruptions. For instance, the 2017 NotPetya attack entered its victims through a compromised update of the M.E.Doc accounting software and went on to cause billions of dollars in damage globally; the lesson is that software arriving through a trusted, routine channel is an effective carrier for malware, and technician media is exactly such a channel. In a defense contracting context, introducing malware through unchecked media could expose Controlled Unclassified Information (CUI) or disrupt mission-critical systems. The DoD emphasizes this control because even unintentional lapses can compromise national security. The potential impact includes financial losses, reputational damage, and loss of contracts due to non-compliance.
How to Implement
- 1. Run endpoint protection with real-time scanning on every workstation and server where maintenance media may be inserted (for example Microsoft Defender Antivirus or your EDR agent), and keep signatures current. Cloud-hosted virtual machines normally have no physical media ports; there the same control applies to disk images and tool archives uploaded for maintenance, which must be scanned before they are attached or run.
- 2. Configure removable-drive scanning so that inserted media is scanned automatically (in Microsoft Defender Antivirus this is the "Scan removable drives" policy setting), and disable AutoRun/AutoPlay so nothing on the media executes before the scan completes.
- 3. Forward scan detections to the SIEM, alert on them, and quarantine infected files automatically; the alert and quarantine records are evidence the control is working.
- 4. Keep approved diagnostic tools in a secure, access-controlled repository with a recorded hash for each tool, so that media contents can be compared against the Approved Diagnostic Tools List rather than trusted by file name.
- 5. Where automatic scanning is not available (air-gapped systems, unsupported operating systems), train technicians and administrators to scan media manually before use and to record the result.
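The steps above can be exercised as an automated pre-use gate. The following is an added example written for this page, not code from the page or from any vendor: it inventories a mounted volume by SHA-256, compares every file to the Approved Diagnostic Tools List (so an unexpected autorun.inf or extra binary is enough to reject the media), runs the endpoint scanner's command line if one is installed, and appends a JSON record to the scan log. The clamscan command line and its exit-code convention, the sample tool files, and the technician and media identifiers are assumptions made for illustration.

```python
"""Pre-use check of maintenance media: hash allowlist + AV scan + audit log.

Added example (not from the page or any vendor): walks a mounted volume,
hashes every file, compares against the Approved Diagnostic Tools List,
runs the endpoint scanner if one is installed, and appends a scan-log record.
"""
import hashlib
import json
import shutil
import subprocess
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 1 << 20  # hash in 1 MiB chunks so large tool images don't load fully


def sha256_file(path):
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def inventory_media(mount):
    """{relative path: sha256} for every regular file, hidden files included;
    symlinks are skipped so a link cannot point the check outside the media."""
    mount = Path(mount)
    inv = {}
    for p in sorted(mount.rglob("*")):
        if not p.is_symlink() and p.is_file():
            inv[p.relative_to(mount).as_posix()] = sha256_file(p)
    return inv


def run_scanner(mount, scanner):
    """Run an AV command line (assumed: ["clamscan", "-r", "--infected"]) on the
    mount. clamscan convention: exit 0 clean, 1 infected, anything else error.
    Returns (status, tail of output); status is "not_run" if no scanner is present."""
    if not scanner or shutil.which(scanner[0]) is None:
        return "not_run", ""
    proc = subprocess.run(list(scanner) + [str(mount)], capture_output=True, text=True)
    return {0: "clean", 1: "infected"}.get(proc.returncode, "error"), proc.stdout[-2000:]


def check_media(mount, allowlist, scanner=None, technician="unknown", media_id="unknown"):
    """Verdict: REJECT if any file is not an approved tool (matched by content
    hash, not by name) or the scanner found malware; HOLD if hashes pass but no
    AV scan ran (manual scan required before use); APPROVE when both pass."""
    inv = inventory_media(mount)
    approved = set(allowlist.values())
    unapproved = sorted(rel for rel, digest in inv.items() if digest not in approved)
    status, output = run_scanner(mount, scanner)
    if unapproved or status in ("infected", "error"):
        verdict = "REJECT"
    elif status == "not_run":
        verdict = "HOLD"
    else:
        verdict = "APPROVE"
    return {
        "timestamp": datetime.now(timezone.utc).isoformat(),
        "media_id": media_id,
        "technician": technician,
        "files_checked": len(inv),
        "unapproved_files": unapproved,
        "scanner_status": status,
        "scanner_output": output,
        "verdict": verdict,
    }


def record_scan(log_path, result):
    """Append one JSON line per check; this file is the 'Scan Logs' evidence."""
    with Path(log_path).open("a", encoding="utf-8") as f:
        f.write(json.dumps(result, sort_keys=True) + "\n")


def read_scan_log(log_path):
    with Path(log_path).open(encoding="utf-8") as f:
        return [json.loads(line) for line in f if line.strip()]


def build_sample_media(include_unapproved):
    """Constructed sample: a temp directory standing in for a USB mount. Tool
    names and contents are made up for the example; the allowlist is derived
    from the two approved files."""
    mount = Path(tempfile.mkdtemp(prefix="media_"))
    (mount / "tools").mkdir()
    (mount / "tools" / "memtest.bin").write_bytes(b"\x7fELF fake memtest image")
    (mount / "tools" / "README.txt").write_text("vendor diagnostic notes\n")
    allowlist = {rel: sha256_file(mount / rel) for rel in ("tools/memtest.bin", "tools/README.txt")}
    if include_unapproved:
        (mount / "autorun.inf").write_text("[autorun]\nopen=tools/extra_util.exe\n")
        (mount / "tools" / "extra_util.exe").write_bytes(b"MZ not on the approved list")
    return str(mount), allowlist


if __name__ == "__main__":
    log = Path(tempfile.mkdtemp()) / "media_scan.log"
    for bad in (False, True):
        mount, allowlist = build_sample_media(bad)
        res = check_media(mount, allowlist, scanner=["clamscan", "-r", "--infected"],
                          technician="jdoe", media_id="USB-0042")
        record_scan(log, res)
        print(res["verdict"], res["unapproved_files"], res["scanner_status"])
```

Three outcomes matter for the control: REJECT (unapproved content or a detection), HOLD (hashes matched but no automatic scan ran, so the technician must scan manually and record it, as in step 5), and APPROVE. In production, load the allowlist from the approved-tools inventory rather than hard-coding it, and write the log to storage the SIEM ingests so the record survives the host being rebuilt.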
Evidence Examples
Media Scanning Policy
Scan Logs
Training Records
Approved Diagnostic Tools List
Incident Report
SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For MA.L2-3.7.4 ("Check media containing diagnostic and test programs for malicious code before use"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Describe how system maintenance is controlled, including scheduling, change management, tool approval, remote maintenance security, and personnel authorization. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"MA.L2-3.7.4 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to check media containing diagnostic and test programs for malicious code before use. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Defender for Endpoint scan report, SIEM alert records for scan detections']."
"MA.L2-3.7.4 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to check media containing diagnostic and test programs for malicious code before use. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export of the removable-drive scan setting, Microsoft Defender scan event logs']."
"MA.L2-3.7.4 is implemented across both cloud and on-premise environments. [Organization] uses [single endpoint protection platform/central antivirus management console] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- • Identify systems within the CUI boundary requiring maintenance
- • Document maintenance windows and change control process
- • Specify remote maintenance tools and access controls
- • Ensure this control covers every system within your defined CUI boundary on which diagnostic or test media is used
- • Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- Maintenance Policy
- Change management records
- Approved maintenance tool inventory
- Remote maintenance session logs
- Evidence artifacts specific to MA.L2-3.7.4
- POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will look for a defined process that checks media before use and for evidence that it is followed: the media scanning policy, scan logs or records tied to specific maintenance events, the approved diagnostic tools list, and training records. Expect interviews with the technicians who perform maintenance and, possibly, a request to demonstrate the check on a sample drive. Because this practice sits in the Maintenance domain, the assessor will also review the surrounding maintenance records for proper approval workflow, verify that remote maintenance uses MFA and is logged, and check that non-company maintenance personnel are supervised.
Self-Assessment Questions
Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.
Question 1: Do you have a policy requiring media to be scanned before use?
Question 2: Are all systems equipped with antivirus or endpoint protection software?
Question 3: Is media scanning configured to occur automatically?
Question 4: Are employees trained on media scanning procedures?
Question 5: Are scan logs maintained and reviewed regularly?
Common Mistakes (What Auditors Flag)
1. Failing to scan media manually when automatic scanning is disabled.
2. Not updating antivirus software regularly.
3. Missing logs or incomplete documentation.
4. Using unapproved diagnostic tools.
5. Not training new employees on media scanning procedures.
Parent Policy
This practice is governed by the Maintenance Policy