Skip to content
CMMC 2.13
CMMC · Rev 2.132FAMILY SI

SI.L2-3.14.2

Malicious Code Protection [CUI Data]

Requirement

Provide protection from malicious code at designated locations within organizational systems.

Further discussion

A designated location may be a network device such as a firewall or an end user’s computer. Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following: • virus – program designed to damage, steal information, change data, send email, show messages, or any combination of these things; • spyware – program designed to gather information about a person’s activity in secret when they click on a link, usually installed without the person knowing ; • trojan horse – type of malware made to look like legitimate software and used by cyber criminals to get access to a company’s systems; and • ransomware – type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid. Use anti-malware tools to stop or lessen the impact of malicious code. Example You are buying a new computer and want to protect your company’s information from viruses, spyware, etc. You buy and install anti-malware software [a,b]. Potential Assessment Considerations • Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented [a]?

Supporting controls

NIST 800-171 · Rev 21 mapped

Create a free account or log in to view the cross-referenced controls.

Implementation strategies

10 recommended strategies for this practice.

Create a free account or log in to view the implementation strategies.

Source: DoD CIO · https://dodcio.defense.gov/CMMC/