NIST 800-171 • LEVEL 2 • SYSTEM AND INFORMATION INTEGRITY

3.14.2 Malicious Code Protection

Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures. Configure malicious code protection mechanisms to:

  • Perform scans of the system {{ insert: param, A.03.14.02.ODP.01 }} and real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed; and
  • Block malicious code, quarantine malicious code, or take other mitigation actions in response to malicious code detection.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • malicious code protection mechanisms are implemented at system entry and exit points to detect malicious code.
  • malicious code protection mechanisms are implemented at system entry and exit points to eradicate malicious code.
  • malicious code protection mechanisms are updated as new releases are available in accordance with configuration management policy and procedures.
  • malicious code protection mechanisms are configured to perform scans of the system {{ insert: param, A.03.14.02.ODP.01 }}.
  • malicious code protection mechanisms are configured to block malicious code, quarantine malicious code, or take other actions in response to malicious code detection.
  • malicious code protection mechanisms are configured to perform real-time scans of files from external sources at endpoints or system entry and exit points as the files are downloaded, opened, or executed.

Practitioner Notes

You need antivirus/anti-malware protection on every system that can host malicious code, and it needs to be active at the points where data enters and leaves your network -- email gateways, web proxies, and endpoints.

Example 1: Deploy Microsoft Defender for Endpoint across all workstations and servers. In the Microsoft 365 Defender portal > Settings > Endpoints > Advanced features, enable real-time protection, cloud-delivered protection, and automatic sample submission. Configure the scan schedule under Endpoint security > Antivirus > Microsoft Defender Antivirus policy to run a weekly full scan and continuous real-time monitoring.
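The settings in Example 1 can also be applied and checked directly on a Windows host with the built-in Defender Antivirus cmdlets, which is handy for spot-checking a machine or collecting assessment evidence. The script below is an added example, not NIST text or Microsoft's own guidance; it assumes Microsoft Defender Antivirus is the engine, that it runs in an elevated session, and that the weekly full scan on Sunday at 02:00 and the three-day signature-age threshold stand in for the organization-defined parameter A.03.14.02.ODP.01 and your configuration management policy.

```powershell
# Added example (not from NIST or Microsoft): apply the 3.14.2 endpoint baseline and
# then produce a pass/fail table against the assessment objectives.
# Assumptions: Microsoft Defender Antivirus is the engine; Sunday 02:00 full scan and a
# 3-day signature age are placeholder values for A.03.14.02.ODP.01 and your CM policy.
#Requires -RunAsAdministrator

function Set-MalwareProtectionBaseline {
    # Detect: real-time scanning of files as they are opened or executed
    Set-MpPreference -DisableRealtimeMonitoring $false
    # Detect: scan downloaded files and mail attachments (IOfficeAntiVirus hook)
    Set-MpPreference -DisableIOAVProtection $false
    # Cloud-delivered protection and automatic sample submission
    Set-MpPreference -MAPSReporting Advanced
    Set-MpPreference -SubmitSamplesConsent SendSafeSamples
    # Scheduled scan: ScanParameters 2 = full (1 = quick); ScanScheduleDay 1 = Sunday (assumed)
    Set-MpPreference -ScanParameters 2
    Set-MpPreference -ScanScheduleDay 1
    Set-MpPreference -ScanScheduleTime 02:00:00
    # Eradicate: quarantine on detection instead of prompting the user
    Set-MpPreference -LowThreatDefaultAction Quarantine
    Set-MpPreference -ModerateThreatDefaultAction Quarantine
    Set-MpPreference -HighThreatDefaultAction Quarantine
    Set-MpPreference -SevereThreatDefaultAction Quarantine
    # Update: pull the current engine/signature release now; ongoing updates arrive
    # through Windows Update or whatever channel your CM process has approved
    Update-MpSignature
}

function Test-MalwareProtectionBaseline {
    param([int]$MaxSignatureAgeDays = 3)   # assumed threshold; set per your CM policy
    $status     = Get-MpComputerStatus
    $pref       = Get-MpPreference
    $quarantine = 2   # ThreatAction value Get-MpPreference reports for "Quarantine"
    $checks = [ordered]@{
        'AM service enabled'                          = [bool]$status.AMServiceEnabled
        'Real-time protection enabled'                = [bool]$status.RealTimeProtectionEnabled
        'Download/attachment (IOAV) scanning enabled' = [bool]$status.IoavProtectionEnabled
        'Cloud-delivered protection enabled'          = $pref.MAPSReporting -ne 0   # 0 = Disabled
        "Signatures no older than $MaxSignatureAgeDays days" = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
        'Scheduled full scan configured'              = ($pref.ScanParameters -eq 2) -and ($pref.ScanScheduleDay -ne 8)  # 8 = Never
        'High/severe threats quarantined by default'  = ($pref.HighThreatDefaultAction -eq $quarantine) -and
                                                        ($pref.SevereThreatDefaultAction -eq $quarantine)
    }
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Check = $name; Passed = [bool]$checks[$name] }
    }
}

# Usage: apply the baseline, then keep the table as evidence for the assessment objectives
Set-MalwareProtectionBaseline
$results = Test-MalwareProtectionBaseline
$results | Format-Table -AutoSize
# Recent detections (if any) show the block/quarantine objective working in practice
Get-MpThreatDetection | Select-Object -First 5 InitialDetectionTime, ProcessName, ActionSuccess
if ($results.Passed -contains $false) { Write-Warning 'One or more 3.14.2 checks failed on this host' }
```

On a tenant managed through Intune or the Defender portal, the policy described in Example 1 should already enforce these values; running only `Test-MalwareProtectionBaseline` on a sample of hosts confirms that the policy actually landed, which is the evidence an assessor will ask for.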

Example 2: For email-based threats, enable Microsoft Defender for Office 365 in the M365 security center. Configure Safe Attachments policies to detonate attachments in a sandbox before delivery, and Safe Links policies to rewrite and check URLs at time of click. These catch malware at the email gateway before it reaches user endpoints.
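The Safe Attachments and Safe Links policies from Example 2 can be created through Exchange Online PowerShell so the email entry-point configuration is scripted and repeatable rather than clicked through the portal. This is an added example, not NIST text or Microsoft documentation; it assumes the ExchangeOnlineManagement module is installed, Defender for Office 365 is licensed, and that the policy names and `example.com` are placeholders for your tenant (check the parameter names against your installed module version).

```powershell
# Added example (not from NIST or Microsoft): script the email-gateway controls from
# Example 2. Assumptions: ExchangeOnlineManagement module installed, Defender for
# Office 365 licensed; policy names and the domain below are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$domain = 'example.com'   # placeholder for your accepted domain

# Safe Attachments: detonate attachments in a sandbox before delivery; Block withholds
# the whole message when the attachment is found to be malicious
$saPolicy = 'CUI-SafeAttachments'
if (-not (Get-SafeAttachmentPolicy -Identity $saPolicy -ErrorAction SilentlyContinue)) {
    New-SafeAttachmentPolicy -Name $saPolicy -Enable $true -Action Block -Redirect $false | Out-Null
    New-SafeAttachmentRule -Name $saPolicy -SafeAttachmentPolicy $saPolicy -RecipientDomainIs $domain | Out-Null
}

# Safe Links: rewrite URLs and verify them at time of click; deliver only after the scan
# and do not let users click through a warning
$slPolicy = 'CUI-SafeLinks'
if (-not (Get-SafeLinksPolicy -Identity $slPolicy -ErrorAction SilentlyContinue)) {
    New-SafeLinksPolicy -Name $slPolicy -EnableSafeLinksForEmail $true -ScanUrls $true `
        -DeliverMessageAfterScan $true -TrackClicks $true -AllowClickThrough $false | Out-Null
    New-SafeLinksRule -Name $slPolicy -SafeLinksPolicy $slPolicy -RecipientDomainIs $domain | Out-Null
}

# Verify: export the effective settings as evidence for the "system entry point" objective
Get-SafeAttachmentPolicy -Identity $saPolicy | Select-Object Name, Enable, Action
Get-SafeLinksPolicy -Identity $slPolicy |
    Select-Object Name, EnableSafeLinksForEmail, ScanUrls, DeliverMessageAfterScan, AllowClickThrough

Disconnect-ExchangeOnline -Confirm:$false
```

Scoping the rules to `-RecipientDomainIs` keeps the policies tied to the domain that receives CUI; the `Get-*` calls at the end are what you paste into the System Security Plan as evidence that the gateway control is configured, not just licensed.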