CCI-000870

The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.

Implementation Guidance

The organization being inspected/assessed: 1. documents and implements procedures to check all media containing diagnostic and test programs for malicious code before the media are used in the information system; and 2. Runs an automated tool set to check all media containing diagnostic and test programs for malicious code before the media are used in the information system. The organization must maintain configuration files for the automated tool set and audit logs of the tool set used to check media.

Validation Procedures

The organization conducting the inspection/assessment obtains and examines the procedures for checking all diagnostic and test media for malicious code, and a sampling of configuration files and audit logs of the tool set used to check media. The purpose of the review is to ensure the organization being inspected/assessed checks all media containing diagnostic and test programs for malicious code before the media are used in the information system.

Compelling Evidence

1.) Policy that details how test digital media is verified to be free of malicious code prior to use on an information system

The controls below (if any) were marked by NIST as being related to CCI-000870.