
03.07.04

What this control requires

(a) Approve, control, and monitor the use of system maintenance tools.
(b) Check media with diagnostic and test programs for malicious code before it is used in the system.
(c) Prevent the removal of system maintenance equipment containing CUI by verifying that there is no CUI on the equipment, sanitizing or destroying the equipment, or retaining the equipment within the facility.

Source: NIST SP 800-171 R3 §03.07.04 (official control text).

Why this matters

Maintenance tools — whether USB drives, diagnostic software, or hardware analyzers — create a privileged pathway into systems that store or process CUI. Attackers exploit these pathways through pre-infected media, backdoored utilities, or by embedding malware in legitimate repair tools. Once inside, compromised maintenance tools can exfiltrate data, install persistent access, or destroy evidence. This control enforces vetting before use, monitoring during use, and sanitization after use to prevent maintenance activities from becoming an infiltration or data leakage vector. Without these safeguards, even well-intentioned technicians can inadvertently introduce threats or walk out with sensitive information on portable equipment.

What evidence assessors expect

Assessors typically look for: PDF, CSV export, photo, screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls

See your live posture on 03.07.04.

FORCE shows where you stand on this control and walks you through closing it.
