Media Inspection: Scanning Diagnostic Media for CMMC Compliance
Diagnostic and test programs can introduce vulnerabilities if not properly vetted. CMMC Level 2 requires organizations to inspect all media containing diagnostic tools for malicious code before deployment. This control prevents supply chain attacks and insider threats from compromising your systems.
What this means
Media Inspection requires your organization to establish a process for scanning any removable media, installation discs, or external diagnostic tools for malicious code before they're used in your information systems. This includes vendor-supplied diagnostics, maintenance tools, and test programs that may contain backdoors, trojans, or other threats. The inspection must occur before the media touches your network or systems.
How to comply
- 1.Inventory all diagnostic and test media used across your organization
- 2.Establish a dedicated scanning environment (air-gapped or isolated system) for media inspection
- 3.Deploy updated antivirus and anti-malware tools with current threat definitions
- 4.Scan all diagnostic media before first use and after any updates or modifications
- 5.Document scanning results, including date, tool used, and outcome
- 6.Restrict access to scanning and deployment processes to authorized personnel
- 7.Maintain audit logs of all media inspection activities
- 8.Review and update your inspection procedures annually or when threats evolve
Evidence auditors look for
- Media scan logs showing antivirus/anti-malware results with timestamps
- Documented procedures for diagnostic media handling and inspection
- List of approved diagnostic tools with their last scan dates
- Change logs showing updates to threat definition files used in scanning
- Access control records limiting who can approve scanned media for use
- Incident reports documenting any malicious code detected during inspection
- Automated scan reports generated before media deployment
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates media inspection tracking by maintaining a centralized inventory of all diagnostic tools, logging scan dates and results, and alerting you when threat definitions need updates—eliminating manual spreadsheets and ensuring no diagnostic media enters your systems unvetted.
See how GRCWatch handles this control automatically
Start free trial