MA.L2-3.7.4: Media Inspection

Inspect media (drives, tapes, USB devices) used for maintenance or storage with diagnostic tools to detect malicious code.

A USB drive from the vendor. A recovery disk brought in by IT. A backup tape being restored. These items enter your environment during maintenance. If they’re compromised, they introduce malware to your systems. Scan them. Document it. Simple.

Family: Maintenance
Practice: MA.L2-3.7.4
Difficulty: Medium
Key evidence: Inspection procedure, scan records, maintenance logs

What the assessor is actually evaluating

The assessor checks: (1) Do you have a procedure that says media gets scanned? (2) Do you actually do it? (3) Can you show recent examples? You don’t need a sophisticated scanning protocol. Antivirus scanning is acceptable. What you need is a consistent practice and documentation.

Focus on media used for or brought into maintenance. External drives, backup media, recovery disks, vendor-supplied software. If it could introduce files to your systems, it should be scanned. Media inspection complements MA.L2-3.7.2 (maintenance tools) and links to broader media protection requirements under MP.L2-3.8.1.

What a realistic SSP definition looks like

MA.L2-3.7.4 Media Inspection

All media brought into [Company] for maintenance or system operations is scanned for malicious code using [antivirus tool] before use on CUI systems. Media includes external drives, USB devices, backup tapes, recovery disks, and vendor-supplied media.

Scans are performed and documented in the maintenance log. Media is scanned on an isolated system or with tools configured to quarantine threats. Results are recorded by date and media identifier.

Vendor media arriving with certification of cleanliness may be used without re-scanning if the certificate is recent (within [30] days).

How to present your evidence

Gather these items:
  • Media inspection procedure (what media, when to scan, what tools, documentation)
  • Recent maintenance logs or work orders showing media used and scanned
  • Antivirus scan reports or logs from media scans (include dates and results)
  • List of approved media or media inventory
  • If applicable, vendor certifications stating media is malware-free

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Q: "How do you handle media brought in for maintenance?" A: "All media gets scanned before we use it. We scan with [tool] and log the results." [Pull up procedure and recent scan logs]

Q: "Can you show me an example?" A: "[Date], we received a recovery disk from the vendor. We scanned it, it came back clean, and we used it for [system] recovery."

Q: "What if a scan finds malware?" A: "We don't use it. The media is quarantined and reported. We request clean media from the vendor."

Common failures

No scanning of media. Media arrives or is used without any scan. You might have a procedure, but it's not followed. Establish the practice and document it.

No records of scans. You scan, but you don't keep logs. A month later, you can't prove media was checked. Add a line to your maintenance log or work order: "Media scanned [date] [result]."

Overscanning unrelated media. You're treating casual USB devices the same as maintenance media. Focus on media used in or brought into maintenance activities. Not everything requires scanning.

You're good here. You have a procedure for scanning media used in maintenance. Your maintenance logs show scans completed with dates and results. You can show examples from the past 6 months. Assessors confirm the practice is in place and move on.

Practical implementation

Create a simple media inspection checklist or log:

  • Media identifier (media name, vendor, date received)
  • Scan date and tool used
  • Scan result (clean, threat detected, etc.)
  • Approval or quarantine decision

For most organizations, plugging media into an antivirus-protected PC and running a full scan is sufficient. Document it.

Vendor media often comes with “certified clean” statements. You can accept these without re-scanning if they’re recent.

For high-risk media (external drives, recovery media), always scan.
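The checklist above, turned into a small scanning helper. This is an added example, not part of the guide: it assumes ClamAV's clamscan (exit code 0 clean, 1 infected, 2 error) as the [antivirus tool], records one row per media item with the checklist fields, and quarantines on anything other than a clean result. The media identifiers, vendor name and mount paths in demo() are constructed.

```python
# Added example (not from the guide): scan media, log the MA.L2-3.7.4 evidence row.
import csv
import datetime as dt
import shutil
import subprocess
import tempfile

# Checklist fields from the guide, used as the CSV columns of the maintenance log.
LOG_FIELDS = ["media_id", "vendor", "date_received", "scan_date",
              "tool", "result", "decision"]

def run_clamscan(mount_path):
    """ClamAV exit codes: 0 clean, 1 infected file(s) found, 2 error."""
    if shutil.which("clamscan") is None:
        return 2  # a missing scanner is an error, never a clean result
    return subprocess.run(["clamscan", "-r", "--infected", mount_path],
                          capture_output=True).returncode

def decide(exit_code):
    """Map the scanner exit code to (result, decision); fail closed."""
    if exit_code == 0:
        return "clean", "approved"
    if exit_code == 1:
        return "threat detected", "quarantined"
    return "scan error", "quarantined"

def inspect_media(media_id, vendor, date_received, mount_path,
                  log_path=None, scanner=run_clamscan, tool="clamscan"):
    """Scan the media, then append one row to the maintenance log."""
    result, decision = decide(scanner(mount_path))
    record = {"media_id": media_id, "vendor": vendor,
              "date_received": date_received,
              "scan_date": dt.date.today().isoformat(),
              "tool": tool, "result": result, "decision": decision}
    if log_path is not None:
        with open(log_path, "a", newline="") as f:
            writer = csv.DictWriter(f, fieldnames=LOG_FIELDS)
            if f.tell() == 0:  # new log file: write the header first
                writer.writeheader()
            writer.writerow(record)
    return record

def demo():
    """Constructed run with fake scanners (no ClamAV needed); returns the rows."""
    log = tempfile.mkdtemp() + "/maintenance_log.csv"
    inspect_media("VENDOR-RECOVERY-01", "ExampleVendor", "2026-03-02",
                  "/media/usb0", log, scanner=lambda p: 0, tool="fake-av")
    inspect_media("USB-TECH-07", "ExampleVendor", "2026-03-02",
                  "/media/usb1", log, scanner=lambda p: 1, tool="fake-av")
    with open(log, newline="") as f:
        return list(csv.DictReader(f))
```

The resulting CSV is the "Media scanned [date] [result]" record the assessor asks for, one line per media item.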

If you use an MSP/MSSP

If your MSP brings media or uses media during maintenance, require them to scan it or provide scan certificates. Document this in the maintenance log. Include the requirement in the MSP contract: all media must be scanned before use on your systems.

This guide reflects CMMC Level 2 requirements as of March 2026. CMMC and NIST standards evolve. Verify current requirements with official CMMC materials and your assessor.