Reference: CMMC v2.13
Family: SI
Level Introduced: 2
Title: Malicious Code Protection [CUI Data]
Practice:
Provide protection from malicious code at designated locations within organizational systems.
Further Discussion:
A designated location may be a network device such as a firewall or an end user’s computer.
Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following:
• virus – program designed to damage, steal information, change data, send email, show messages, or any combination of these things;
• spyware – program designed to gather information about a person’s activity in secret when they click on a link, usually installed without the person knowing;
• trojan horse – type of malware made to look like legitimate software and used by cyber criminals to get access to a company’s systems; and
• ransomware – type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
Use anti-malware tools to stop or lessen the impact of malicious code.
Example
You are buying a new computer and want to protect your company’s information from viruses, spyware, etc. You buy and install anti-malware software [a,b].
Potential Assessment Considerations
• Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented [a]?