3.7.4 — Scan Maintenance Media

The One-Liner

A vendor’s USB drive could carry malware. Scan it before it touches your CUI systems.

What It Says

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

What It Actually Means

Any media — USB drives, downloaded diagnostic tools, vendor-provided software — must be scanned for malware before connecting to or running on CUI systems. This applies to both internal and vendor-supplied media. The scan must use current AV/EDR signatures.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Is maintenance media scanned for malicious code before use?	Procedure documented; scan records showing media checked before connecting to CUI systems

---

What to Have Ready on Assessment Day

Documents they’ll review: Maintenance policy; procedures for scanning maintenance media; scan records showing clean results before CUI system use; hash verification records for vendor tools; system security plan

People they’ll talk to: Maintenance personnel; information security personnel

Live demos they’ll ask for: “Show me how you scan vendor media before use.” “Where do you scan — on the CUI system or a separate station?”

---

The Assessor’s Playbook

• “How do you scan maintenance media before use? Show me the procedure.”
• “Do you verify file hashes for vendor-provided tools?”
• “Are scan signatures current when you scan maintenance media?”

Real-World Example

A defense contractor maintains a standalone scanning workstation (not connected to CUI systems) with current Defender signatures. When a vendor provides a USB drive or downloadable diagnostic, the file is first scanned on this workstation. Hash values are verified against the vendor’s published checksums. Only after the scan shows clean and the hash matches is the tool transferred to the CUI system. The scan is logged in the maintenance ticket.

---

Where Companies Trip Up

No scanning. Media plugged directly into CUI systems without scanning. Always scan first — preferably on an isolated workstation.

Vendor media trusted implicitly. “It’s from our vendor so it’s safe.” Trust but verify — scan everything regardless of source.

Outdated scan signatures. Scanning with week-old definitions defeats the purpose. Update signatures before each scan session.

---

How to Talk About This

To a CEO or Board

All maintenance media is scanned for malware on an isolated workstation before touching our CUI systems. We verify vendor tools against published checksums.

To an Engineering Team

Isolated scanning workstation with current Defender. Vendor media: scan + hash verify before transfer to CUI systems. Downloaded tools: verify source, scan, check hash. Scan logged in maintenance ticket.

---

Connected Requirements

Requirement	Why it matters here
3.7.2 — Control Maintenance Tools	Media scanning is part of the broader maintenance tool control
3.14.2 — Deploy Anti-Malware	The AV/EDR used for scanning maintenance media
3.14.5 — Scan Regularly	Real-time scanning for files from external sources

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: MA.L2-3.7.4 | SPRS Weight: 3 points | POA&M Eligible: No