Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - MA.L2-3.7.4 – Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Understanding the Requirement
This control requires that any media or files used for diagnostic or test purposes be checked for malicious code before they touch systems that process, store, or transmit Controlled Unclassified Information (CUI). The assessment objective is simple: media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that handle CUI. In practice this covers vendor-provided USB drives, emailed tool binaries, and downloaded diagnostic packages; each must be scanned and its integrity verified before use so that a vendor's troubleshooting tool does not become the delivery vehicle for malware on a production system. This guidance aligns with the NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2 expectations for protecting CUI.
Technical Implementation
- Define an approval and scanning workflow: Create a written procedure that specifies who may accept diagnostic media, where scanning is performed, and what outcomes permit use. For SMBs, assign this to a small set of trained staff (IT administrator plus security lead) rather than allowing ad-hoc acceptance by end users.
- Designate an isolated scanning workstation: Maintain one or two hardened systems (offline or segmented from production networks) used solely for scanning third-party media and files. Configure these systems with enterprise-grade AV/EDR, current signatures, and basic tools for examining suspicious files (hashing, static and dynamic analysis basics). Mount removable media read-only on this workstation where the operating system allows it.
- Apply multiple scanning techniques: Scan incoming media with the local AV/EDR, then submit unknown or high-risk files to a second engine or a multi-engine service (for example, VirusTotal) and compare results. Look the file up by hash first: uploading a file to a public multi-engine service shares it with the service and its partners, so do not upload vendor tools you are not licensed to redistribute or anything that might contain CUI. Record file hashes and scan reports for the audit trail. A clean result lowers risk but does not prove a file is benign, which is why the execution controls below still apply after scanning.
- Use secure transfer and integrity checks: Require vendors to deliver diagnostic tools over an authenticated channel (vendor portal, TLS download) and to provide code-signed binaries or SHA-256 checksums. Obtain the checksum through a channel separate from the media itself (a checksum file on the same USB drive proves nothing if the drive was tampered with), verify the code signature where one exists, and treat any mismatch as a rejection. If media must be shipped physically, write-protect removable drives where the hardware supports it and apply chain-of-custody labeling until scanning is complete.
- Harden host settings and controls: Disable autorun/autoplay on all endpoints, block execution from removable media by default, and use application allowlisting (for example, AppLocker or Windows Defender Application Control on Windows) so only approved diagnostic tools, identified by hash or publisher, can run even after a clean scan.
- Document exceptions and incident handling: If a scan or integrity check fails, have a clear escalation path: quarantine the media, isolate the scanning workstation, notify the security lead, and follow the incident response checklist. Keep logs of scans, hashes, approvals, and any remediation performed; they are the compliance evidence for this control and the starting point if a tool later turns out to have been malicious.
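The following Python script is an added illustration of the integrity-check and audit-trail steps in the list above; it is not part of the original guidance or any vendor's tooling. It parses a vendor-supplied checksum manifest (assumed here to use the sha256sum "hash  filename" format), hashes every file on the mounted media, rejects the drive on a hash mismatch, a missing file, or a file the vendor never listed, and emits a JSON audit line. The media ID, operator, and scanner names are placeholders, and the sample "drive" is constructed in a temporary directory. The malware scan itself is left to the AV/EDR product and is not reproduced here.

```python
"""Verify vendor diagnostic media against a SHA-256 manifest and log the result.

Added example for MA.L2-3.7.4. The manifest format (sha256sum-style
"hash  relative/path" lines) and every identifier below are assumptions
for illustration, not a vendor standard.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def parse_manifest(text: str) -> dict[str, str]:
    """Parse 'hash  relative/path' lines. A tampered manifest is part of the
    threat model, so entries that could escape the media root are refused."""
    entries: dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            raise ValueError(f"manifest line {lineno}: malformed entry")
        digest, name = parts[0].lower(), parts[1].lstrip("*")  # '*' is sha256sum's binary-mode marker
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"manifest line {lineno}: not a SHA-256 hex digest")
        rel = Path(name)
        if rel.is_absolute() or ".." in rel.parts:
            raise ValueError(f"manifest line {lineno}: path escapes media root")
        entries[rel.as_posix()] = digest
    return entries


def sha256_of(path: Path) -> str:
    """Stream the file so large diagnostic images do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def check_media(media_root: Path, manifest_text: str) -> dict:
    """Compare every file on the media with the manifest. Mismatched, missing,
    or unlisted files all reject the drive: an unexpected extra file is exactly
    what a tampered drive looks like."""
    expected = parse_manifest(manifest_text)
    actual = {p.relative_to(media_root).as_posix(): sha256_of(p)
              for p in media_root.rglob("*") if p.is_file()}
    findings = []
    for name, digest in expected.items():
        if name not in actual:
            findings.append(f"missing: {name}")
        elif actual[name] != digest:
            findings.append(f"hash mismatch: {name}")
    for name in sorted(set(actual) - set(expected)):
        findings.append(f"unlisted file on media: {name}")
    return {"decision": "approved" if not findings else "rejected",
            "findings": findings, "hashes": actual}


def audit_record(result: dict, *, media_id: str, operator: str, scanner: str) -> str:
    """One JSON line for the scan log; the recorded hashes let an auditor tie a
    binary that later runs on a server back to this approval."""
    rec = {"time": datetime.now(timezone.utc).isoformat(timespec="seconds"),
           "control": "MA.L2-3.7.4", "media_id": media_id,
           "operator": operator, "av_scanner": scanner, **result}
    return json.dumps(rec, sort_keys=True)


def demo() -> tuple[dict, dict]:
    """Constructed sample media: a clean drive, then the same drive with a
    modified binary and a stray autorun.inf (constructed data, not real malware)."""
    with tempfile.TemporaryDirectory() as d:
        media = Path(d) / "vendor_usb"
        media.mkdir()
        (media / "diag.bin").write_bytes(b"vendor diagnostic payload")
        (media / "README.txt").write_bytes(b"run diag.bin as admin")
        # Manifest obtained out of band from the vendor (here generated from the clean files).
        manifest = "\n".join(f"{sha256_of(p)}  {p.name}" for p in sorted(media.iterdir()))
        clean = check_media(media, manifest)
        (media / "diag.bin").write_bytes(b"vendor diagnostic payload\x00extra")
        (media / "autorun.inf").write_bytes(b"[autorun]\nopen=diag.bin\n")
        tampered = check_media(media, manifest)
        return clean, tampered


if __name__ == "__main__":
    for result in demo():
        print(audit_record(result, media_id="USB-0017", operator="it-admin",
                           scanner="placeholder-av"))
```

Run it on the scanning workstation with the media mounted read-only and append each JSON line to the scan log. A clean manifest match establishes only that the files are the ones the vendor published; it says nothing about whether the vendor's file is benign, which is why the AV/EDR scan remains a separate, mandatory step and why the approved tool still runs under allowlisting and a limited account.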
Example in a Small or Medium Business
A mid-sized engineering firm receives a USB drive from a hardware vendor containing firmware diagnostics after a local server exhibits hardware faults. The helpdesk receptionist does not plug the drive into the server; instead, they hand it to the IT administrator. The administrator brings the drive to the designated scanning workstation, where they run an up-to-date endpoint scanner and compute a SHA-256 hash of each file. The hash is also looked up in an independent multi-engine scanner for signs of malware. The results return clean and the vendor-supplied binary matches the checksum the vendor provided through its support portal. Before running the tool on the production server, the administrator takes a verified backup or snapshot of the server and ensures it is isolated from the rest of the network. The diagnostic tool is executed under a limited service account with logging enabled. All steps (receipt, scans, checksum validation, and execution context) are recorded in the firm's change log. If the scan had flagged anything suspicious, the administrator would have followed the incident response playbook, notified management, and refused execution until a secure, vendor-verified alternative could be provided.
Summary
Combining a clear policy, a designated scanning process, and technical controls (isolated scanning hosts, up-to-date AV/EDR, disabled autorun, application allowlisting, and integrity checks) ensures diagnostic and test media are vetted before they touch systems that handle sensitive information. For SMBs, keeping the workflow simple, assigning clear responsibilities, and documenting scans, hashes, and approvals provides both practical protection and the evidence needed for audits or incident response.