CMMC v2.11 Practices

SI.L2-3.14.2  

Reference: CMMC v2.11

Family: SI

Level Introduced: 2

Title: Malicious Code Protection [CUI Data]

Practice:
Provide protection from malicious code at designated locations within organizational systems.

Further Discussion:
A designated location may be a network device such as a firewall or an end user’s computer.

Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following:
• virus – program designed to damage, steal information, change data, send email, show messages, or any combination of these things;
• spyware – program designed to gather information about a person’s activity in secret when they click on a link, usually installed without the person knowing;
• trojan horse – type of malware made to look like legitimate software and used by cyber criminals to get access to a company’s systems; and
• ransomware – type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.

Use anti-malware tools to stop or lessen the impact of malicious code.

Example
You are buying a new computer and want to protect your company’s information from viruses, spyware, etc. You buy and install anti-malware software [a,b].

Potential Assessment Considerations
• Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented [a]?

Source: CMMC v2.11