Media Inspection
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
What an assessor scores, the objectives
MA.L2-3.7.4 is met only when every one of these 1 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.
- a.media containing diagnostic and test programs are checked for malicious code before being used in organizational systems that process, store, or transmit CUI
How a C3PAO checks it
NIST SP 800-171A defines three assessment methods. For MA.L2-3.7.4, an assessor uses these:
System maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records
Personnel with system maintenance responsibilities; personnel with information security responsibilities
Organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance
What it means, in context
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.
As part of troubleshooting , a vendor may provide a diagnostic application to install on a system. As this is executable code , there is a chance that the file is corrupt or infected with malicious code. Implement procedures to scan any files prior to installation. The same level of scrutiny must be made as with any file a staff member may download. This requirement, MA.L2-3.7.4, extends both SI.L2-3.14.2 and SI.L2-3.14.4. SI.L2-3.14.2 and SI.L2-3.14.4 require the implementation and updating of mechanisms to protect systems from malicious code, and MA.L2 -3.7.4 extends this requirement to diagnostic and testing tools. Example You have recently been experiencing performance issues on one of your servers. After troubleshooting for much of the morning , the vendor has asked to install a utility that will collect more data from the server. The file is stored on the vendor’s FTP server. The support technician gives you the FTP site so you can anonymously download the utility file. You also ask him for a hash of the utility file. As you download the file to your local computer , you realize it is compressed. You unzip the file and perform a manual antivirus scan, which reports no issues [a]. To verify the utility file has not been altered, you run an application to see that the hash from the vendor matches. Potential Assessment Considerations • Are media containing diagnostic and test programs (e.g., downloaded or copied utilities or tools from manufacturer, third -party, or in -house support teams) checked for malicious code (e.g., using antivirus or antimalware scans) before the media are used on organizational systems [a]?
What passing evidence looks like
The check step for maintenance media: diagnostic USBs and vendor tools are scanned for malware before touching CUI systems, written in the procedure with the scanning tool named.
Common ways contractors fail MA.L2-3.7.4
- !Three point requirement, one objective, easy to satisfy and easy to have never thought about. Add the scan step to the maintenance procedure and show Defender or your AV can scan removable media on insert.
The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.
Prove MA.L2-3.7.4, and the other 109
The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.
No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.
MA.L2-3.7.4 questions, answered
How many points is CMMC requirement MA.L2-3.7.4 worth?+
MA.L2-3.7.4 is worth 3 points in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 3 from your total of 110.
Can MA.L2-3.7.4 be placed on a POA&M?+
No. MA.L2-3.7.4 must be fully met before you can file. It cannot be deferred to a POA&M, so it is a gate on your assessment.
What family does MA.L2-3.7.4 belong to?+
MA.L2-3.7.4 is in the Maintenance (MA) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.
- NIST SP 800-171 Rev. 2 3.7.4