This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization checks media containing diagnostic and test programs for malicious code before the media are used in the information system.
NIST 800-53 (r4) Supplemental Guidance:
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with organizational incident handling policies and procedures. Related control: SI-3.
References: NIST Special Publication 800-88.
NIST 800-53 (r5) Discussion:
If, upon inspection of media containing maintenance, diagnostic, and test programs, organizations determine that the media contains malicious code, the incident is handled consistent with organizational incident handling policies and procedures.
38North Guidance:
Meets Minimum Requirement:
There are procedures in place to check media containing diagnostic and test programs for malicious code before the media are used
There are procedures in place for handling the incident if malicious code is detected
There is evidence showing that the procedures have been consistently followed and identifying who is responsible for checking media
Best Practice:
TBD
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Procedures for checking media containing diagnostic and test programs for malicious code before the media are used
Artifacts/evidence showing that the procedures have been followed in the past, with relevant information (e.g., the determination made and the actions taken if malicious code was detected)
CSP Implementation Tips:
Amazon Web Services (AWS): Fully Inherited
Microsoft Azure: Fully Inherited
Google Cloud Platform: Fully Inherited