NIST Special Publication 800-171 Revision 2

Date Published: January 28th, 2021

Withdrawn on May 14, 2024. Superseded by SP 800-171 Rev. 3

Author(s): Ron Ross (NIST), Victoria Pillitteri (NIST), Kelley Dempsey (NIST), Mark Riddle (NARA), Gary Guissanie (IDA)

Note: A Class Deviation is in effect as of May 2, 2024 (DEVIATION 2024O0013). The deviation clause requires contractors, who are subject to 252.204-7012, to comply with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 2, instead of the version of NIST SP 800-171 in effect at the time the solicitation is issued or as authorized by the contracting officer. Click Here

3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.

Control Family: Maintenance

Control Type: Basic

SPRS Value: 3

SPRS Supplemental Guidance: N/A

CMMC Level(s): MA.L2-3.7.1

Top Ten Failed Requirement: No

Referenced in:

DFARS 252.204-7012

Derived From: NIST SP 800-53r4

  • MA-3(2)

NIST Supplemental Guidance:

N/A

Discussion:

If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.

Upon assessment, assessors must determine if-

Determine if media containing diagnostic and test programs are checked for malicious
code before being used in organizational systems that process, store, or transmit CUI.

Assessors are instructed to-

Examine: [SELECT FROM: System maintenance policy; procedures addressing system maintenance tools; system maintenance tools and associated documentation; maintenance records; system security plan; other relevant documents or records].

Interview: [SELECT FROM: Personnel with system maintenance responsibilities; personnel with information security responsibilities].

Test: [SELECT FROM: Organizational process for inspecting media for malicious code; mechanisms supporting or implementing inspection of media used for maintenance].

FURTHER DISCUSSION

As part of troubleshooting, a vendor may provide a diagnostic application to install on a system. As this is executable code, there is a chance that the file is corrupt or infected with malicious code. Implement procedures to scan any files prior to installation. The same level of scrutiny must be made as with any file a staff member may download. This requirement, MA.L2-3.7.4, extends both SI.L2-3.14.2 and SI.L2-3.14.4. SI.L2-3.14.2 and SI.L2-3.14.4 require the implementation and updating of mechanisms to protect systems from malicious code, and MA.L2-3.7.4 extends this requirement to diagnostic and testing tools.

Example

You have recently been experiencing performance issues on one of your servers. After troubleshooting for much of the morning, the vendor has asked to install a utility that will collect more data from the server. The file is stored on the vendor’s FTP server. The support technician gives you the FTP site so you can anonymously download the utility file. You also ask him for a hash of the utility file. As you download the file to your local computer, you realize it is compressed. You unzip the file and perform a manual antivirus scan, which reports no issues [a]. To verify the utility file has not been altered, you run an application to see that the hash from the vendor matches.

Potential Assessment Considerations

  • Are media containing diagnostic and test programs (e.g., downloaded or copied utilities or tools from manufacturer, third-party, or in-house support teams) checked for malicious code (e.g., using antivirus or antimalware scans) before the media are used on organizational systems [a]?