
3.7.4 Maintenance - Derived

Derived Requirement

>Control Description

Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

>Discussion

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.
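The control and its discussion describe two steps: check the media before any file on it is run on an organizational system, and route a positive finding into incident handling. The following is an added example of one way to implement that check; it is not code from the page or from NIST. It assumes two hash tables that the page does not mention: an allowlist of SHA-256 digests the tool vendor publishes for its diagnostic files, and a denylist of known-malicious digests from the organization's own threat intelligence. The sample media contents, both tables, and the tool names are constructed placeholders. The check fails closed: a file that matches neither list blocks use of the media just as a denylist hit does, but only a denylist hit produces an incident record.

```python
"""Pre-use check of maintenance/diagnostic media (added example, not from the page)."""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large tool images do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_media(mount_path: Path, approved: dict, denied: dict) -> dict:
    """Classify every file on the media as approved, denied, or unknown.

    approved: {sha256: label} from the vendor (assumed to be published by the vendor).
    denied:   {sha256: label} from organizational threat intelligence (assumed).
    Fails closed: any denied or unknown file blocks use; a denied file also
    requires incident handling per the 3.7.4 discussion.
    """
    report = {
        "media": str(mount_path),
        "checked_at": datetime.now(timezone.utc).isoformat(),
        "approved": [], "denied": [], "unknown": [],
    }
    for p in sorted(mount_path.rglob("*")):
        if not p.is_file():
            continue
        digest = sha256_file(p)
        rel = p.relative_to(mount_path).as_posix()
        if digest in denied:
            report["denied"].append({"file": rel, "sha256": digest, "name": denied[digest]})
        elif digest in approved:
            report["approved"].append({"file": rel, "sha256": digest, "name": approved[digest]})
        else:
            report["unknown"].append({"file": rel, "sha256": digest})
    blocked = bool(report["denied"] or report["unknown"])
    report["verdict"] = "blocked" if blocked else "cleared"
    report["incident_required"] = bool(report["denied"])
    return report


def incident_record(report: dict) -> dict:
    """Minimal record to hand to the incident handling process when a denylist hit occurs."""
    return {
        "type": "malicious-code-on-maintenance-media",
        "media": report["media"],
        "detected_at": report["checked_at"],
        "indicators": report["denied"],
        "action": "media quarantined; not connected to organizational systems",
    }


def build_sample_media(root: Path, include_bad: bool) -> tuple:
    """Write constructed sample files under root and return (approved, denied) tables.

    All contents are placeholders: no real tool binary and no real malware.
    """
    tool = root / "diag" / "memtest.bin"
    tool.parent.mkdir(parents=True, exist_ok=True)
    tool.write_bytes(b"VENDOR-DIAGNOSTIC-TOOL v1.2 (constructed placeholder)\n")
    approved = {sha256_file(tool): "memtest.bin 1.2 (vendor-published digest, assumed)"}
    denied = {}
    if include_bad:
        # Constructed: an autorun file on the denylist and an unlisted binary it points at.
        bad = root / "autorun.inf"
        bad.write_bytes(b"[autorun]\nopen=diag\\update.exe\n")
        denied[sha256_file(bad)] = "known-bad autorun entry (hypothetical intel entry)"
        (root / "diag" / "update.exe").write_bytes(b"UNLISTED-BINARY (constructed placeholder)\n")
    return approved, denied


def demo() -> tuple:
    """Run the check over a clean and a tampered sample media image; return both reports."""
    with tempfile.TemporaryDirectory() as d:
        clean = Path(d) / "clean"
        clean.mkdir()
        approved, denied = build_sample_media(clean, include_bad=False)
        clean_report = check_media(clean, approved, denied)

        dirty = Path(d) / "dirty"
        dirty.mkdir()
        approved, denied = build_sample_media(dirty, include_bad=True)
        dirty_report = check_media(dirty, approved, denied)
    return clean_report, dirty_report


if __name__ == "__main__":
    clean_r, dirty_r = demo()
    print(json.dumps({"clean": clean_r["verdict"], "dirty": dirty_r["verdict"]}, indent=2))
    if dirty_r["incident_required"]:
        print(json.dumps(incident_record(dirty_r), indent=2))
```

Run it from a system that is isolated from production so the media are never mounted on an organizational system before the verdict is known. The report, with its timestamp and per-file digests, is the kind of record an assessor will ask for as evidence that the check happened before use.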

>Cross-Framework Mappings

>Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What policy requires media containing diagnostic and test programs to be checked for malicious code before they are used on organizational systems?
  • What procedures define how the check is performed and who is authorized to approve media for use?
  • Who performs the check, and who verifies it was completed before the media are connected?
  • How are findings handled when malicious code is found on the media, and how does that tie into your incident handling policies and procedures?
  • How do you handle vendor- or technician-supplied media that cannot be checked?

Technical Implementation:

  • What tools perform the check (anti-malware scanning, hash verification against vendor-published values)?
  • Is the check performed on an isolated system before the media touch production systems?
  • How do you confirm the scanning tool's signatures or definitions are current at the time of the check?
  • How do you track which media were checked, when, by whom, and with what result?
  • What controls prevent unchecked media from being connected to organizational systems?

Evidence & Documentation:

  • Can you provide the procedure for checking maintenance media for malicious code?
  • What scan logs or check records exist for media used in recent maintenance activities?
  • Can you demonstrate the check on a sample media item?
  • What incident records exist for media found to contain malicious code?
  • What audit evidence proves the check occurs before every use of such media?
