CMMC Practice MA.L2-3.7.4 – Media Inspection: Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Links to Publicly Available Resources
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
This is a sample removable storage policy for the Colorado Department of Education.
How to Write & Enforce a Removable Media Policy
Removable Media Policy is the policy for removable media (such as CD-ROM, USB flash drive, floppy disk, etc.) on your campus computer. It is included in the campus Technology Use and Security Policies.
When plugged in, these small devices can pose a major risk for industrials.
This article provides an overview of removable media including the risks associated with this technology and how to implement a control policy.
McAfee Total Protection to reduce the attack surface
Microsoft Defender for Endpoint device control protects against data loss by monitoring and controlling media use by devices in your organization, such as using removable storage devices and USB drives. With the device control report, you can view events that relate to media usage. Such events include audit events and policy events.
NIST resource that defines requirements for review, assessment, and approval of system maintenance tools.
NIST resource that defines the requirements for malicious code protection.
The USBGuard software framework provides system protection against intrusive USB devices by implementing basic whitelisting and blacklisting capabilities based on device attributes.
This sample policy provided by SANS discusses removable media.
This SANS whitepaper discusses a holistic approach to USB port-security.
This article provides an overview of the risks associated with removable media for industrial facilities based on a 2018 Honeywell report.
This paper focuses on the risks associated with simple media devices and smart media devices.
Discussion [NIST SP 800-171 R2]
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.
Further Discussion
As part of troubleshooting, a vendor may provide a diagnostic application to install on a system. Because this is executable code, there is a chance that the file is corrupt or infected with malicious code. Implement procedures to scan any files prior to installation. Apply the same level of scrutiny as for any file a staff member may download.
This practice, MA.L2-3.7.4, extends both SI.L1-3.14.2 and SI.L1-3.14.4. SI.L1-3.14.2 and SI.L1-3.14.4 require the implementation and updating of mechanisms to protect systems from malicious code, and MA.L2-3.7.4 extends this requirement to diagnostic and testing tools.
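One way to implement the "scan any files prior to installation" procedure, as an added example that is not part of the CMMC guidance: it hashes and scans every file on the media and approves use only when all files come back clean. Assumptions: ClamAV's clamscan is the installed scanner, and the function names, the marker string and the sample files are constructed for illustration.

```python
import hashlib
import subprocess
import tempfile
from pathlib import Path

def clamscan(path):
    """Scan one file with ClamAV (assumed installed): exit 0 = clean, 1 = infected."""
    try:
        rc = subprocess.run(["clamscan", "--no-summary", str(path)],
                            capture_output=True).returncode
    except OSError:
        return "error"          # scanner missing or not runnable
    return {0: "clean", 1: "infected"}.get(rc, "error")

def marker_scan(path):
    """Constructed stand-in scanner for the demo: flags a made-up marker string."""
    return "infected" if b"CONSTRUCTED-TEST-MARKER" in Path(path).read_bytes() else "clean"

def inspect_media(root, scan=clamscan):
    """Hash and scan every file under root; approve only if all are clean."""
    records = []
    for p in sorted(Path(root).rglob("*")):
        if p.is_symlink():
            # A link may point off the media, so it cannot be vouched for.
            records.append((str(p), None, "error"))
        elif p.is_file():
            digest = hashlib.sha256(p.read_bytes()).hexdigest()
            records.append((str(p), digest, scan(p)))
    # Fail closed: an empty tree (e.g. failed mount) or any non-clean verdict blocks use.
    approved = bool(records) and all(v == "clean" for _, _, v in records)
    return approved, records

def demo():
    """Scan two constructed media trees: one clean, one carrying the marker."""
    results = {}
    for name, payload in (("clean", b"vendor diagnostic (constructed)"),
                          ("flagged", b"xx CONSTRUCTED-TEST-MARKER xx")):
        with tempfile.TemporaryDirectory() as media:
            (Path(media) / "diag_tool.bin").write_bytes(payload)
            results[name] = inspect_media(media, scan=marker_scan)
    return results

if __name__ == "__main__":
    for name, (approved, records) in demo().items():
        print(name, "approved" if approved else "REJECTED", [r[2] for r in records])
```

The per-file SHA-256 records give the maintenance log a manifest of exactly what was inspected. A rejected result is the point at which the incident handling procedures named in the Discussion take over.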