NIST 800-171 - Sanitization of Maintenance Tools (3.7.4)

Overview:
Check media containing diagnostic and test programs for malicious code before the media are used in the information system.


Action Items:
3.7.4[a]
Determine if: media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI.


POTENTIAL ASSESSMENT METHODS AND OBJECTS


1) Examine: System maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records.

2) Interview: Personnel with system maintenance responsibilities; personnel with information security responsibilities.

3) Test: Organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance.


Related Documents (document name and content will vary by organization):
1) System maintenance policy
2) Procedures addressing system maintenance tools
3) System maintenance tools and associated documentation
4) Maintenance records
5) System security plan
6) Other relevant documents or records


Additional Guidance:
See discussion for 3.7.2.