Maintenance 3.7.4 (3.7.4)
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
What Is This CMMC Control?
Before using any USB drives, CDs, external hard drives, or other media containing maintenance, diagnostic, or test programs on your systems, you must scan them for viruses and malware. This prevents infected tools from compromising your network during routine maintenance activities.
Control Intent
Prevent the introduction of malicious code into organizational systems through maintenance and diagnostic media that could compromise system integrity, confidentiality, or availability of CUI.
Who This Control Applies To
- Organizations that use physical media (USB drives, CDs, DVDs, external drives) for system maintenance
- Systems where vendors or technicians bring diagnostic tools on removable media
- Environments where maintenance personnel use portable diagnostic equipment
- Organizations that maintain libraries of diagnostic and test software on removable media
- Systems requiring offline or air-gapped maintenance procedures using physical media
Not Applicable When
- Organization exclusively uses cloud-based or network-delivered diagnostic tools with no physical media
- All maintenance is performed remotely without any media transfer
- Organization has no systems requiring diagnostic or test programs
- Maintenance is performed exclusively by cloud service providers with no customer-side media usage
Key Objectives
1. Verify that all media containing diagnostic and test programs are scanned for malicious code before use in systems processing CUI
2. Establish procedures to handle incidents when malicious code is discovered on maintenance media
3. Prevent malware introduction through trusted maintenance tools and vendor-provided diagnostic software
Sample Self-Assessment Questions (Partial)
Do your IT staff, vendors, or technicians ever use USB drives, CDs, or external hard drives to run diagnostic or maintenance programs on your systems?
What types of physical media do maintenance personnel bring into your environment?
Implementation Approaches (High-Level)
Dedicated Media Scanning Workstation
A standalone, isolated workstation used exclusively for scanning all maintenance media before allowing connection to production systems.
Endpoint Protection with Removable Media Scanning
Enterprise endpoint protection software configured to automatically scan all removable media upon insertion, blocking execution until the scan completes.
Vendor-Managed Media Validation
Requiring vendors to provide media validation certificates or using vendor-supplied checksums to verify media integrity before use.
Digital-Only Maintenance Tools Policy
Eliminating physical media by requiring all diagnostic and maintenance tools to be downloaded from verified sources and scanned before use.
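The removable-media scanning and vendor-checksum approaches above can be combined into one pre-use gate that records a logged, auditable decision per media use. The following is an added Python example, not code from the page or from ConformatIQ. It assumes ClamAV's `clamscan` as the scanner (exit code 0 means clean, 1 means a detection) and a vendor manifest in `sha256sum` format obtained out of band rather than from the media itself; the media directory, its files and the manifest are constructed sample data, and the demo substitutes a Python process for the scanner so it runs without ClamAV installed.

```python
"""Pre-use gate for maintenance media: vendor manifest check + malware scan + audit log.
Added example; assumes ClamAV `clamscan` and a sha256sum-style vendor manifest."""
import hashlib
import json
import shutil
import subprocess
import sys
import tempfile
import time
from pathlib import Path

# Assumed production scanner; clamscan exits 0 when clean, 1 on detection, 2 on error.
DEFAULT_SCANNER = ("clamscan", "-r", "--no-summary")
# Stand-ins so the demo runs without ClamAV: a Python process exiting 0 (clean) or 1 (detection).
CLEAN_SCANNER = (sys.executable, "-c", "raise SystemExit(0)")
DETECT_SCANNER = (sys.executable, "-c", "raise SystemExit(1)")


def sha256_file(path: Path) -> str:
    """Hash in chunks so large diagnostic images are not loaded into memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text: str) -> dict[str, str]:
    """Parse `sha256sum` output lines: '<64 hex chars>  <relative path>' (a leading '*' is binary mode)."""
    entries: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition("  ")
        if not sep or len(digest) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name.strip().lstrip("*")] = digest.lower()
    return entries


def verify_manifest(media_root: Path, manifest: dict[str, str]) -> dict:
    """Compare every file on the media against the vendor manifest.
    Files the vendor did not list are reported as a finding too, not silently accepted."""
    mismatched, missing = [], []
    for rel, expected in manifest.items():
        target = media_root / rel
        if not target.is_file():
            missing.append(rel)
        elif sha256_file(target) != expected:
            mismatched.append(rel)
    present = {p.relative_to(media_root).as_posix() for p in media_root.rglob("*") if p.is_file()}
    unlisted = sorted(present - set(manifest))
    return {"ok": not (mismatched or missing or unlisted),
            "mismatched": mismatched, "missing": missing, "unlisted": unlisted}


def scan_media(media_root: Path, scanner: tuple[str, ...]) -> dict:
    """Run the scanner over the media root. A missing scanner fails closed: the media is not approved."""
    if shutil.which(scanner[0]) is None:
        return {"ran": False, "clean": False, "detail": "scanner not installed; failing closed"}
    proc = subprocess.run([*scanner, str(media_root)], capture_output=True, text=True)
    return {"ran": True, "clean": proc.returncode == 0, "detail": (proc.stdout + proc.stderr)[-2000:]}


def gate_media(media_root, manifest_text: str, log_path, scanner=DEFAULT_SCANNER) -> dict:
    """Approve media only if integrity AND scan pass; append one JSON line to the audit log either way."""
    media_root = Path(media_root)
    integrity = verify_manifest(media_root, parse_manifest(manifest_text))
    scan = scan_media(media_root, scanner)
    record = {
        "time": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "media": str(media_root),
        "approved": integrity["ok"] and scan["clean"],
        "integrity": integrity,
        "scan": scan,
    }
    with Path(log_path).open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def build_demo_media() -> tuple[Path, str]:
    """Constructed sample: a temp directory standing in for a mounted vendor USB drive,
    plus the manifest the vendor would publish separately (sha256sum format)."""
    root = Path(tempfile.mkdtemp(prefix="maint-media-"))
    (root / "tools").mkdir()
    (root / "tools" / "diag.bin").write_bytes(b"\x7fELF demo diagnostic tool (constructed)")
    (root / "README.txt").write_text("vendor diagnostic kit 1.0 (constructed)\n")
    manifest = "\n".join(f"{sha256_file(p)}  {p.relative_to(root).as_posix()}"
                         for p in sorted(root.rglob("*")) if p.is_file())
    return root, manifest


if __name__ == "__main__":
    root, manifest = build_demo_media()
    log = root.with_name(root.name + ".log")   # keep the log off the media being checked
    print(json.dumps(gate_media(root, manifest, log, CLEAN_SCANNER), indent=2))  # approved
    (root / "tools" / "diag.bin").write_bytes(b"modified in transit")           # simulate a changed tool
    print(json.dumps(gate_media(root, manifest, log, CLEAN_SCANNER), indent=2))  # rejected: mismatch
    shutil.rmtree(root)
```

Two design choices matter for assessors: the gate fails closed when the scanner is absent, so a misconfigured workstation cannot silently approve media, and every decision is appended to a log line that can serve as the evidence this control expects.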
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If no media scanning process exists, prioritize implementing a dedicated scanning workstation or endpoint protection with removable media scanning as an immediate compensating control
- Document the current state, including types of media used, frequency of use, and current scanning practices (if any)
- Establish an interim procedure requiring manual scanning of all media using updated anti-malware software until an automated solution is implemented
- Set a milestone for deploying technical controls (dedicated workstation or endpoint protection) within 90 days
- Include a training milestone to ensure all maintenance personnel understand the new procedures
- Plan for logging and audit trail implementation to support ongoing compliance verification
- If vendor media is commonly used, prioritize establishing vendor validation requirements in contracts
- Consider a long-term strategy to eliminate physical media where feasible, reducing the ongoing compliance burden
Frequently Asked Questions
Does this control apply if we only download diagnostic tools from the internet instead of using physical media?
If you download diagnostic tools to removable media (USB drives, external drives) before using them on systems, then yes, that media must be scanned. However, if tools are downloaded directly to the target system or to a network location without using removable media as an intermediary, this specific control may not apply, though malware scanning requirements from 3.14.x controls would still apply to the downloaded files.
Do we need to scan vendor-provided diagnostic media even if the vendor says it's clean?
Yes. You must independently verify that media is free of malicious code regardless of vendor assurances. Vendor-provided media has been a common vector for malware introduction in real-world incidents. You should scan all media, including vendor-provided tools, before use on your systems.
What should we do if we find malicious code on maintenance media during scanning?
Follow your incident response procedures (controls 3.6.1 and 3.6.2). Do not use the infected media on any systems. Document the incident, notify the media source (vendor or employee), and determine if any systems may have been exposed before the malware was detected. Investigate whether the infection was targeted or accidental.
Can we use the same anti-malware software that's on our regular computers to scan maintenance media?
Yes, as long as the anti-malware software is updated with current definitions before scanning and the scanning process is documented and logged. However, using a dedicated scanning workstation isolated from your production network provides better security by preventing potential infection of production systems during the scanning process.
How often do we need to scan the same piece of maintenance media?
You must scan media each time before it is used on organizational systems, even if it was previously scanned. Media can become infected between uses, especially if used on multiple systems or taken off-site. The control requires checking media before use, not just once when first acquired.
What if we need to perform emergency maintenance and don't have time to scan the media first?
Emergency situations do not exempt you from security requirements. If you must proceed without scanning, document the emergency, implement compensating controls (such as network isolation during maintenance), scan the media as soon as possible, and monitor the system for signs of compromise after maintenance. Include this scenario in your incident response and risk management procedures.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.