CMMC 2.13
CMMC · Rev 2.132FAMILY SI
SI.L2-3.14.2
Malicious Code Protection [CUI Data]
Requirement
Provide protection from malicious code at designated locations within organizational systems.
Further discussion
A designated location may be a network device such as a firewall or an end user’s computer.
Malicious code, which can be delivered by a range of means (e.g., email, removable media, or websites), includes the following:
• virus – program designed to damage, steal information, change data, send email, show messages, or any combination of these things;
• spyware – program designed to gather information about a person’s activity in secret when they click on a link, usually installed without the person knowing ;
• trojan horse – type of malware made to look like legitimate software and used by cyber criminals to get access to a company’s systems; and
• ransomware – type of malware that threatens to publish the victim’s data or perpetually block access to it unless a ransom is paid.
Use anti-malware tools to stop or lessen the impact of malicious code.
Example
You are buying a new computer and want to protect your company’s information from viruses, spyware, etc. You buy and install anti-malware software [a,b].
Potential Assessment Considerations
• Are system components (e.g., workstations, servers, email gateways, mobile devices) for which malicious code protection must be provided identified and documented [a]?
Supporting controls
NIST 800-171 · Rev 21 mapped
Create a free account or log in to view the cross-referenced controls.
Implementation strategies
10 recommended strategies for this practice.
Create a free account or log in to view the implementation strategies.
Source: DoD CIO · https://dodcio.defense.gov/CMMC/