MA.L2-3.7.4 — Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
What this control requires
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Source: CMMC L2 v2.13 MA.L2-3.7.4 / NIST SP 800-171 R2 3.7.4 (official control text).
Why this matters
Diagnostic and test programs often run with elevated privileges and deep system access, which makes infected media a high-value attack vector. Malicious code embedded in vendor tools, firmware updates, or bootable diagnostics can bypass perimeter defenses and establish persistent footholds. This control prevents technicians from inadvertently introducing malware during routine maintenance activities. Organizations that skip media scanning before use risk supply chain compromise, ransomware deployment via USB drives, or rootkit installation through compromised vendor utilities. The requirement protects the integrity of systems during their most vulnerable state: when administrators are troubleshooting with direct hardware access.
What evidence assessors expect
Assessors typically look for evidence in the form of photos, screenshots, CSV exports, or PDFs. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
Related controls
See your live posture on MA.L2-3.7.4.
FORCE shows where you stand on this control and walks you through closing it.