Media Inspection After Maintenance (NIST 800-171 3.7.4)
Maintenance activities introduce risk—diagnostic tools and test programs can harbor malicious code that compromises your systems. NIST 800-171 3.7.4 requires you to inspect all media used in maintenance workflows before deployment. This control closes a critical security gap that many SMBs overlook.
What this means
Before using any media containing diagnostic or test programs in organizational systems, you must verify the media for malicious code. This includes external drives, optical media, and vendor-supplied diagnostic tools. The inspection protects against supply-chain threats and insider risks that surface during system maintenance or troubleshooting activities.
How to comply
- 1.Catalog all diagnostic and test media used in your organization, including vendor tools and in-house utilities
- 2.Define malware scanning procedures—specify tools, frequency, and acceptable risk thresholds
- 3.Scan all media with up-to-date antivirus and endpoint detection solutions before first use
- 4.Document scan results and timestamps for each media inspection
- 5.Quarantine media until scans complete successfully
- 6.Re-scan media after extended storage or before reuse
- 7.Maintain an approved media inventory and verify source authenticity where possible
Evidence auditors look for
- Malware scan logs dated before media first-use in production systems
- Media inventory with source, date acquired, and inspection status
- Antivirus/EDR scan reports covering diagnostic tools and test programs
- Change logs showing quarantine procedures for suspicious or unverified media
- Policy documentation defining inspection frequency and scan standards
- Maintenance records linking media use to completed inspections
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates media inspection tracking by logging scans, flagging overdue re-scans, and generating audit-ready reports—eliminating manual spreadsheets and compliance gaps.
See how GRCWatch handles this control automatically
Start free trial