Back to Control Explorer



Control Acronym




CMMC Level


800-171 Control #


CMMC Description

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

CMMC Clarification

As part of troubleshooting a vendor may provide a diagnostic application to install on a system. The vendor is using the application to help identify the cause of issues on the system. As this is executable code there is a chance that the file is corrupt or infected with malicious code. Implement procedures to scan any files prior to installation. The same level of scrutiny must be made as with any file a staff member may download. Example You’ve recently been experiencing performance issues on one of your servers. After troubleshooting for much of the morning the vendor has asked to install a utility that will collect more data from the server. The file is stored on their FTP server. The support technician gives you the FTP site so you can anonymously download the utility file. You also ask him for a hash of the utility file. As you download the file to your local computer you realize it is compressed. While you have anti-virus on your server you don’t want to cause any issues that may further impact business operations. On your desktop you unzip the file. Once the file is unzipped you open your local anti-virus and perform a manual scan of the utility file. The scan reports no issues. To further verify the utility file has not been tampered you run an application to see that the hash from the vendor matches.

800-171 Description

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

800-171 Discussion

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.

Other Source Discussion


CIS Control References

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 MA-3(2)

CMMC Derived

NIST CSF Control References

NIST 800-171 References

NIST SP 800-171 Rev 1 3.7.4

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

MA.3.116.[a] media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15