CMMC Practice MA.3.116
Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems.
Bold Coast Security Guidance
For Level 1 compliance there must be a practice in place to scan diagnostic and testing software prior to use. For Level 2, a formal written policy must require the practice.
Diagnostic and security or performance testing software should be stored securely and require some authorization to use. Dual control is a concept that can be applied. It means that no one person has the authority or ability to unilaterally check out diagnostic and/or security software for use. At least two people must be involved in the process of using these applications, and both sign off on their use.
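As an added illustration (not part of the Bold Coast guidance or of CMMC/NIST text), the following Python gate shows one concrete way to implement the practice: every program on the media is hashed and compared against an approved manifest kept off the media, any match against a known-malicious hash list is refused, and the checkout is only allowed when two distinct approvers have signed off (dual control). The file names, hashes, and approver identifiers are constructed sample data; the manifest and the known-bad list would in practice come from the organization's own records and threat intelligence feed.

```python
"""Pre-use gate for media carrying diagnostic/test programs (added example).

Order of checks:
  1. Known-malicious hash match  -> refuse, treat as an incident.
  2. File not in approved manifest, or hash differs -> refuse.
  3. Fewer than two distinct approvers            -> refuse (dual control).
All file contents, names and approver ids here are constructed samples.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class GateResult:
    allowed: bool
    reasons: list = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_media(files, approved_manifest, known_bad, approvers):
    """files: {filename: bytes} as read from the media.
    approved_manifest: {filename: expected sha256 hex}, stored apart from the media.
    known_bad: set of sha256 hex digests of known malicious code.
    approvers: user ids that signed off on this checkout."""
    result = GateResult(allowed=True)
    for name, data in files.items():
        digest = sha256_hex(data)
        if digest in known_bad:
            result.allowed = False
            result.reasons.append(
                f"{name}: matches known-malicious hash; handle per incident procedures")
            continue
        expected = approved_manifest.get(name)
        if expected is None:
            result.allowed = False
            result.reasons.append(f"{name}: not in approved manifest")
        elif expected != digest:
            result.allowed = False
            result.reasons.append(f"{name}: hash mismatch (modified or wrong version)")
    if len(set(approvers)) < 2:
        result.allowed = False
        result.reasons.append("dual control not satisfied: two distinct approvers required")
    return result


# --- constructed sample data (not real tools or real malware) ---
GOOD_TOOL = b"diagtool v1.0 (constructed sample binary)"
TAMPERED_TOOL = b"diagtool v1.0 (constructed sample binary) + unexpected bytes"
BAD_SAMPLE = b"constructed stand-in for a known malicious file"

APPROVED_MANIFEST = {"diagtool.bin": sha256_hex(GOOD_TOOL)}
KNOWN_BAD = {sha256_hex(BAD_SAMPLE)}


def demo_clean_checkout():
    return check_media({"diagtool.bin": GOOD_TOOL}, APPROVED_MANIFEST, KNOWN_BAD,
                       ["tech.a", "tech.b"])


def demo_single_approver():
    return check_media({"diagtool.bin": GOOD_TOOL}, APPROVED_MANIFEST, KNOWN_BAD,
                       ["tech.a", "tech.a"])


def demo_tampered_tool():
    return check_media({"diagtool.bin": TAMPERED_TOOL}, APPROVED_MANIFEST, KNOWN_BAD,
                       ["tech.a", "tech.b"])


def demo_known_bad_on_media():
    return check_media({"diagtool.bin": GOOD_TOOL, "extra.exe": BAD_SAMPLE},
                       APPROVED_MANIFEST, KNOWN_BAD, ["tech.a", "tech.b"])


if __name__ == "__main__":
    for label, fn in [("clean", demo_clean_checkout), ("single approver", demo_single_approver),
                      ("tampered", demo_tampered_tool), ("known bad", demo_known_bad_on_media)]:
        r = fn()
        print(f"{label}: allowed={r.allowed} {r.reasons}")
```

The manifest is deliberately an input rather than something read from the media, because a manifest that travels with the media can be rewritten along with the tools it is supposed to vouch for. The dual-control check counts distinct identities, so one person submitting their own id twice does not pass.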
DRAFT NIST SP 800-171 R2
If, upon inspection of media containing maintenance diagnostic and test programs, organizations determine that the media contain malicious code, the incident is handled consistent with incident handling policies and procedures.