SI.L1-b.1.xiii  

Reference: CMMC v2.13

Family: SI

Level Introduced: 1

Title: Malicious Code Protection [FCI Data]

Practice:
Provide protection from malicious code at appropriate locations within organizational information systems.

Further Discussion:
Malicious code purposely performs unauthorized activity that undermines the security of an information system. A designated location may be a network device such as a firewall or an end user’s computer.

Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following:
• Virus – program designed to cause damage, steal information, change data, send email, show messages, or any combination of these things;
• Spyware – program designed to secretly gather information about a person’s activity;
• Trojan Horse – type of malware made to look like legitimate software and used by cyber criminals to get access to a company’s systems; and
• Ransomware – type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.

Consider use of anti-malware tools to stop or lessen the impact of malicious code.

Example
Your company’s IT team is buying new computers and wants to protect your company’s information from viruses and spyware. The computers will be used to process, store, and transmit FCI. They research anti-malware products, select an appropriate solution, and deploy antivirus software on all hosts for which satisfactory antivirus software is available [a,b].

Potential Assessment Considerations
• Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented [a]?

Source: CMMC v2.13