NIST 800-53 REV 5 • MAINTENANCE

MA-3(2) Inspect Media

Check media containing diagnostic and test programs for malicious code before the media are used in the system.

CMMC Practice Mapping

NIST 800-171 Mapping

Related Controls

Supplemental Guidance

If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.

Practitioner Notes

Diagnostic and test media, such as bootable USB drives or optical discs that a vendor or technician brings in for troubleshooting, must be checked for malicious code before they are connected to any system. The check is not only an antivirus scan: where the vendor publishes checksums or signs the image, verify them as well, because a tampered tool can carry code that no signature database recognises yet.

Example 1: Before any external media is used for maintenance, scan it with an endpoint protection tool (Microsoft Defender, CrowdStrike, SentinelOne). Do this on a dedicated inspection workstation that is isolated from the production network, has autorun and automount disabled so that inspecting the media cannot execute what is on it, and is reimaged on a schedule so a compromised medium cannot turn the inspection station into an initial foothold.

Example 2: Establish a policy that all maintenance media must be inspected at the quarantine workstation before use. Record each inspection in a media inspection register (date, media description, scan tool and signature version, results, inspector name, accept/reject decision). Reject any media that fails, and treat a positive finding as a security incident under your incident handling procedures, as the supplemental guidance requires, rather than simply discarding the media.
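The two practitioner examples above describe one procedure: verify the media, scan it, record the result, and fail closed. The script below is an added example written for this page; it is not part of the NIST control text or of any vendor's tooling. It goes slightly beyond the notes by also comparing every file on the mounted medium against a vendor-supplied `sha256sum`-style manifest (the manifest format, the `clamscan` command and its 0/1/other exit-code convention, and the JSON-lines register layout are assumptions), so that tampered, missing or added files are caught even when the scanner has no signature for them.

```python
# Added example (not NIST or vendor code). Inspect a mounted maintenance medium before use:
#   1. hash every file and compare against the vendor's sha256sum manifest,
#   2. run an external scanner (assumed: clamscan, exit 0 = clean, 1 = infected, other = error),
#   3. append a register entry (date, media, tool, results, inspector, decision).
# Any integrity finding, any detection, or an unusable scanner rejects the medium (fail closed).
import datetime
import hashlib
import json
import shutil
import subprocess
from pathlib import Path

CLAMSCAN = ("clamscan", "-r", "--infected", "--no-summary")  # assumed scanner command line


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large images need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def read_manifest(manifest_path: Path) -> dict:
    """Parse sha256sum-style lines: '<hex>  <relative path>' or '<hex> *<relative path>'."""
    expected = {}
    for line in manifest_path.read_text().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        expected[name.strip().lstrip("*")] = digest.lower()  # '*' marks binary mode in sha256sum
    return expected


def verify_manifest(mount: Path, expected: dict) -> dict:
    """Compare everything on the medium with the manifest and report all three failure kinds."""
    found = {p.relative_to(mount).as_posix(): sha256_file(p)
             for p in mount.rglob("*") if p.is_file()}
    return {
        "mismatched": sorted(n for n in expected if n in found and found[n] != expected[n]),
        "missing": sorted(n for n in expected if n not in found),
        "unexpected": sorted(n for n in found if n not in expected),  # files the vendor never shipped
    }


def run_scanner(mount: Path, cmd=CLAMSCAN) -> tuple:
    """Return (verdict, detail lines); verdict is clean / infected / error / unavailable."""
    if shutil.which(cmd[0]) is None:
        return "unavailable", [f"{cmd[0]} not installed"]
    proc = subprocess.run([*cmd, str(mount)], capture_output=True, text=True)
    lines = proc.stdout.strip().splitlines()
    if proc.returncode == 0:
        return "clean", lines
    if proc.returncode == 1:
        return "infected", lines
    return "error", lines + proc.stderr.strip().splitlines()


def inspect_media(mount, manifest_path, register_path, description, inspector,
                  scanner=run_scanner, tool="clamscan") -> dict:
    """Run both checks, decide accept/reject, append a JSON-lines register entry, return it."""
    mount, register_path = Path(mount), Path(register_path)
    integrity = verify_manifest(mount, read_manifest(Path(manifest_path)))
    verdict, detail = scanner(mount)
    accept = verdict == "clean" and not any(integrity.values())
    entry = {
        "date": datetime.datetime.now(datetime.timezone.utc).isoformat(timespec="seconds"),
        "media": description,
        "tool": tool,
        "integrity": integrity,
        "scan": {"verdict": verdict, "detail": detail},
        "inspector": inspector,
        "decision": "accept" if accept else "reject",
    }
    with register_path.open("a") as f:
        f.write(json.dumps(entry) + "\n")
    return entry


if __name__ == "__main__":
    import sys
    # usage: inspect_media.py <mount point> <manifest> <register.jsonl> "<description>" <inspector>
    result = inspect_media(*sys.argv[1:6])
    print(json.dumps(result, indent=2))
    sys.exit(0 if result["decision"] == "accept" else 1)
```

Two design points: the "unexpected" list is what catches an added autorun file or dropped implant that the vendor never shipped, so the manifest must cover the whole medium (or the script needs an explicit allowlist for filesystem metadata); and an absent or broken scanner is recorded as a rejection rather than silently passing, which is the behaviour the register should show an auditor.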