NetStable
7 Practices NIST 3.14.1 - 3.14.7

System and Information Integrity Policy

System and Information Integrity Domain (SI)

📖 What This Policy Covers

System and Information Integrity ensures your systems stay healthy and uncompromised. This policy covers patch management (getting security fixes applied quickly), malicious code protection (antivirus, EDR, email gateway), security alert monitoring (staying aware of new threats), continuous system monitoring (SIEM, SOC operations), spam protection, input validation for web applications, and secure error handling. Think of it as the immune system for your IT environment.

Purpose

This policy ensures system flaws are identified and remediated promptly, malicious code is detected and prevented, security alerts and advisories are monitored, system activity is continuously monitored, and application inputs are validated to prevent exploitation.

Scope

Applies to all endpoints, servers, network devices, applications, and cloud resources processing or storing CUI. Covers patch management, antivirus/EDR, email security, web filtering, SIEM monitoring, and application security.

🎯 Why It Matters

In most annual breach reports, exploitation of unpatched vulnerabilities ranks second only to stolen credentials as an initial access vector. Commonly cited industry figures put the average time to patch a critical vulnerability at around 60 days, yet attackers routinely begin exploiting a flaw within hours of public disclosure. Without malicious code protection, a single phishing email can compromise your entire network. This domain ensures you can detect, prevent, and respond to threats before they impact CUI.

🔐 Key Requirements

1. Flaw Remediation (Patch Management)

Timely identification and remediation of system flaws through structured patch management.

  • Patch SLAs, measured from vendor patch release: Critical within 7 days, High within 30 days, Medium within 90 days
  • Actively exploited (zero-day) vulnerabilities: vendor mitigations applied immediately, patch deployed within 72 hours of release
  • Weekly authenticated vulnerability scans
  • Test patches in non-production before deploying to CUI systems
  • Emergency patch process for critical zero-days

2. Malicious Code Protection

Comprehensive protection against malware, viruses, and other malicious code.

  • Antivirus/EDR deployed on all endpoints and servers (CrowdStrike, Microsoft Defender for Endpoint (formerly Defender ATP), Carbon Black)
  • Real-time protection enabled with signatures updated daily
  • Email gateway with spam/malware filtering (Proofpoint, Mimecast)
  • Web filtering to block malicious sites (Zscaler, Cisco Umbrella)
  • Malware quarantined automatically with alerts to IT Security
  • Subscribe to AV/EDR vendor security bulletins and CISA alerts for protection-engine and signature issues; review them with the advisories in Section 3

3. Security Alerts & Advisories

Monitor threat intelligence and vendor alerts for emerging threats.

  • Threat intelligence feeds: commercial (CrowdStrike, Recorded Future) + free (CISA, vendor bulletins)
  • Daily review during business hours
  • Assess applicability to organization's systems
  • Implement mitigations within defined SLAs

4. System Monitoring

Centralized monitoring and alerting via SIEM with defined response SLAs.

  • Centralized SIEM (Splunk, Microsoft Sentinel (formerly Azure Sentinel)) with 24/7 monitoring
  • Monitored events: auth failures, privilege escalation, malware, config changes, CUI access
  • Response SLAs: Critical within 1 hour, High within 4 hours
  • SOC on-call rotation for off-hours coverage

5. Spam Protection

Email gateway protection and user awareness for phishing prevention.

  • Email gateway with machine learning-based spam filtering
  • Phishing report button in email client (Outlook plugin)
  • Annual phishing awareness training
  • Phishing simulations quarterly

6. Input Validation & Error Handling

Application-level protections against injection attacks and information leakage.

  • Web applications: allow-list input validation plus parameterized queries, context-aware output encoding, and no shell commands built from user input, to prevent SQL injection, XSS, and command injection
  • APIs: schema validation and rate limiting
  • File uploads: malware scanning and file type restrictions
  • Error messages sanitized (no stack traces or database errors exposed to users)
  • Errors logged for troubleshooting with sensitive data redacted
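The following is an added example, not code from the NetStable policy or from any vendor product. It shows the Section 6 controls working together on a small user-lookup endpoint: the injectable string-built query kept only for contrast, an allow-list validator, a parameterized query, and an error path that logs full detail (with SSN-shaped values redacted) while returning only a generic message and a correlation id to the caller. The schema, the function names, and the sample rows are constructed for illustration.

```python
"""Added example: input validation, parameterized queries and sanitized error
handling for a constructed user-lookup endpoint (not the policy's own code)."""
import logging
import re
import sqlite3
import uuid

log = logging.getLogger("app")


def make_db():
    """Constructed in-memory stand-in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT, ssn TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [("alice", "user", "123-45-6789"), ("admin", "admin", "987-65-4321")])
    return conn


def make_empty_db():
    """A database with no schema, used to exercise the internal-error path."""
    return sqlite3.connect(":memory:")


# --- Vulnerable pattern (kept only for contrast) ----------------------------
def lookup_user_vulnerable(conn, username):
    # Deliberately unsafe: user input is spliced into SQL syntax, so the
    # payload  ' OR '1'='1  turns a single-user lookup into a full table dump.
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql).fetchall()]


# --- Hardened pattern -------------------------------------------------------
USERNAME_RE = re.compile(r"^[a-z0-9_]{3,32}$")   # allow-list: what is valid, not what is bad
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")     # redaction pattern for anything we log


class ValidationError(ValueError):
    """Raised for input that fails the allow-list; its message is safe to return."""


def validate_username(username):
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValidationError("username must be 3-32 characters of a-z, 0-9, _")
    return username


def query_user_param(conn, username):
    # Parameterized query: the driver passes the value separately from the SQL,
    # so an injection payload that slipped past validation is still just a string.
    rows = conn.execute("SELECT username, role FROM users WHERE username = ?", (username,))
    return [{"username": u, "role": r} for u, r in rows.fetchall()]


def redact(text):
    """Mask SSN-shaped values before they reach the log (policy: sensitive data redacted)."""
    return SSN_RE.sub("***-**-****", text)


def lookup_user_hardened(conn, username):
    """Returns (http_status, response_body). Internal detail never reaches the caller."""
    try:
        return 200, {"users": query_user_param(conn, validate_username(username))}
    except ValidationError as exc:
        return 400, {"error": str(exc)}          # generic; the caller learns nothing about internals
    except sqlite3.Error as exc:
        ref = uuid.uuid4().hex[:8]               # correlation id ties the response to the log entry
        log.error("db error ref=%s user=%r detail=%s", ref, username, redact(str(exc)))
        return 500, {"error": "internal error", "ref": ref}


if __name__ == "__main__":
    db = make_db()
    print(lookup_user_vulnerable(db, "' OR '1'='1"))   # both users: the whole table
    print(query_user_param(db, "' OR '1'='1"))         # []: payload treated as a literal
    print(lookup_user_hardened(db, "' OR '1'='1"))     # (400, ...): rejected by the allow-list
    print(lookup_user_hardened(make_empty_db(), "alice"))  # (500, ...): "no such table" stays in the log
```

The two hardened layers are independent on purpose: the allow-list rejects malformed input early, and the parameterized query protects even where a field's legitimate character set is too broad to allow-list tightly. The 500 path is what an assessor checking "no stack traces or database errors exposed to users" will probe; the correlation id is what lets the help desk find the redacted log line.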

👥 Roles & Responsibilities

CISO / IT Director

  • Approve patch management SLAs and exceptions
  • Review security monitoring metrics monthly
  • Ensure threat intelligence is actionable

IT Operations

  • Deploy patches within SLAs
  • Maintain antivirus/EDR across all systems
  • Manage email gateway and web filtering

IT Security / SOC

  • Monitor SIEM alerts 24/7
  • Review threat intelligence feeds daily
  • Investigate security alerts within defined SLAs
  • Conduct vulnerability scans

Developers

  • Implement input validation in applications
  • Follow secure coding practices (OWASP Top 10)
  • Sanitize error messages in production

🛠️ Implementation Roadmap (8 Weeks)

1. Patch Management (Weeks 1-2)
  • Deploy patch management system (WSUS, SCCM, Intune)
  • Conduct baseline vulnerability scans
  • Establish remediation workflows and SLAs

2. Endpoint Protection (Weeks 3-4)
  • Deploy/upgrade EDR to all endpoints and servers
  • Configure SIEM alerts for malware detections
  • Verify real-time protection and daily signature updates

3. Email & Web Security (Weeks 5-6)
  • Implement/upgrade email gateway
  • Configure spam/phishing protection rules
  • Deploy web filtering solution

4. Application Security & Testing (Weeks 7-8)
  • Review input validation on web applications
  • Deploy phishing report button in Outlook
  • Conduct first phishing simulation
  • Document all procedures and train team

Recommended Tools

  • Patch management: WSUS (deprecated by Microsoft; plan migration), Configuration Manager (SCCM), Intune
  • EDR: CrowdStrike, Microsoft Defender for Endpoint (formerly Defender ATP), Carbon Black
  • Email: Proofpoint, Mimecast, Microsoft Defender for Office 365
  • Web filtering: Zscaler, Cisco Umbrella
  • SIEM: Splunk, Microsoft Sentinel (formerly Azure Sentinel)
  • Vulnerability scanning: Nessus, Qualys

📊 CMMC Practice Mapping

Practice ID   | Requirement                                        | Policy Section
SI.L1-3.14.1  | Identify, report, and correct system flaws         | 1
SI.L1-3.14.2  | Protect against malicious code                     | 2
SI.L2-3.14.3  | Monitor system security alerts and advisories      | 2, 3
SI.L1-3.14.4  | Update malicious code protection mechanisms        | 2, 3
SI.L1-3.14.5  | Periodic system scans and real-time file scans     | 1, 2
SI.L2-3.14.6  | Monitor systems to detect attacks and indicators   | 4
SI.L2-3.14.7  | Identify unauthorized use of organizational systems | 4, 6

Note: under CMMC 2.0, 3.14.1, 3.14.2, 3.14.4, and 3.14.5 are Level 1 practices; 3.14.3, 3.14.6, and 3.14.7 are Level 2 only.

📋 Evidence Requirements

These are the artifacts a C3PAO assessor will ask for. Start collecting early.

Patch Management Report

Format: PDF/Excel
Frequency: Monthly
Contents: % patched by severity level for last 90 days, average time-to-patch by severity
Tip: Show compliance with SLAs. Highlight any overdue patches with remediation plans.
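The following is an added example, not a NetStable artifact or any scanner vendor's code. It computes the figures this report asks for (percent remediated within SLA and mean time-to-patch by severity, plus the open findings already past their SLA that need a documented remediation plan) from a vulnerability-scanner export. The SLA days are the Section 1 targets; the record layout, the host names, and the dates are constructed, not real scan data.

```python
"""Added example: Patch Management Report metrics from a constructed scanner
export (not the policy's own code). SLA days follow Section 1 of the policy."""
from collections import defaultdict
from datetime import date, timedelta

SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}   # Section 1 targets, counted from first_seen
REPORT_DATE = date(2024, 3, 31)                         # constructed "as of" date for the report

# Constructed sample export, one row per (host, finding). remediated=None means
# the finding was still open on the report date.
FINDINGS = [
    {"host": "fs01",     "severity": "critical", "first_seen": date(2024, 3, 1),  "remediated": date(2024, 3, 5)},
    {"host": "web01",    "severity": "critical", "first_seen": date(2024, 3, 2),  "remediated": date(2024, 3, 15)},
    {"host": "db01",     "severity": "high",     "first_seen": date(2024, 2, 10), "remediated": date(2024, 3, 1)},
    {"host": "wks22",    "severity": "high",     "first_seen": date(2024, 3, 20), "remediated": None},
    {"host": "wks07",    "severity": "medium",   "first_seen": date(2024, 1, 5),  "remediated": date(2024, 3, 20)},
    {"host": "legacy01", "severity": "medium",   "first_seen": date(2023, 12, 1), "remediated": None},
]


def sla_status(finding, as_of):
    """'within' or 'late' for closed findings; 'overdue' or 'pending' for open ones."""
    deadline = finding["first_seen"] + timedelta(days=SLA_DAYS[finding["severity"]])
    if finding["remediated"] is not None:
        return "within" if finding["remediated"] <= deadline else "late"
    return "overdue" if as_of > deadline else "pending"


def patch_metrics(findings, as_of):
    """Per severity: findings that are due (closed, or open and past deadline),
    percent of those closed within SLA, mean days-to-patch for closed findings,
    and the open overdue findings the report must list with a remediation plan.
    Open findings still inside their SLA are counted as pending, not as failures."""
    buckets = defaultdict(lambda: {"closed_days": [], "within": 0, "overdue": [], "pending": 0})
    for f in findings:
        b = buckets[f["severity"]]
        status = sla_status(f, as_of)
        if status in ("within", "late"):
            b["closed_days"].append((f["remediated"] - f["first_seen"]).days)
            if status == "within":
                b["within"] += 1
        elif status == "overdue":
            b["overdue"].append((f["host"], (as_of - f["first_seen"]).days))
        else:
            b["pending"] += 1
    report = {}
    for sev, b in buckets.items():
        closed = b["closed_days"]
        due = len(closed) + len(b["overdue"])
        report[sev] = {
            "due": due,
            "pct_within_sla": round(100 * b["within"] / due, 1) if due else None,
            "mean_days_to_patch": round(sum(closed) / len(closed), 1) if closed else None,
            "overdue_open": b["overdue"],     # (host, age in days): needs a risk acceptance or plan
            "pending": b["pending"],
        }
    return report


if __name__ == "__main__":
    for sev, m in patch_metrics(FINDINGS, REPORT_DATE).items():
        print(f"{sev:8} due={m['due']} within_sla={m['pct_within_sla']}% "
              f"mean_days={m['mean_days_to_patch']} overdue={m['overdue_open']} pending={m['pending']}")
```

Two design points matter for an assessment: the SLA clock starts at first detection (or vendor release, if your policy says so; state which), and an open finding is only a compliance failure once its deadline has passed, so a fresh High finding does not drag the percentage down before the team has had its 30 days. The `overdue_open` list is exactly the set of items the report tip says to highlight with remediation plans.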

AV/EDR Dashboard Screenshot

Format: PNG/PDF
Frequency: Monthly
Contents: Dashboard showing deployment coverage, malware detections, quarantine actions
Tip: Show 100% endpoint coverage. Include detection and response examples.

Vulnerability Scan Reports

Format: PDF
Frequency: Quarterly
Contents: Last 4 quarters of scan results with remediation tracking
Tip: Show trending -- vulnerability counts should decrease over time as you remediate.

SIEM Alert Summary

Format: PDF/Excel
Frequency: Monthly
Contents: Alert types, volumes, response times, false positive rates
Tip: Demonstrate that alerts are being triaged and responded to within SLAs.

Phishing Simulation Results

Format: PDF
Frequency: Quarterly
Contents: Click rates, report rates, trends over time, remedial training completion
Tip: Show improvement: click rates should decrease, report rates should increase over time.

⚠️ Common Gaps (What Assessors Flag)

1. Patches not applied within SLA

Why this happens: Fear of breaking production systems, lack of test environment, or understaffed IT team.
How to close the gap: Establish a test environment (even a single VM). Prioritize CUI systems. Automate patching for workstations. Document risk acceptance for any delayed patches.

2. AV/EDR not deployed on all systems

Why this happens: Linux servers, legacy systems, or IoT devices were missed during deployment.
How to close the gap: Audit all systems. Deploy EDR agents to missing systems. For systems that can't run agents, implement compensating controls (network monitoring, log forwarding).

3. No email gateway protection

Why this happens: Using basic email service without advanced threat protection.
How to close the gap: Enable Microsoft Defender for Office 365 (included in many M365 plans) or deploy a dedicated email gateway (Proofpoint, Mimecast).

4. SIEM alerts not reviewed

Why this happens: Alert fatigue from too many false positives. No dedicated SOC staff.
How to close the gap: Tune alert rules to reduce noise. Assign specific reviewers. If no 24/7 SOC, use automated alerting (PagerDuty) for critical alerts and review others during business hours.

📝 Template Customization Guide

When filling in the downloadable template for this policy, replace these placeholders with your organization's specifics:

[COMPANY NAME]

Your organization's legal name

Example: Acme Defense Systems, LLC

[CISO Name]

Name of your CISO

Example: Jane Smith

Customization Tips

  • 💡 Adjust patch SLAs based on your team capacity, but document any deviations from the recommended timelines
  • 💡 If you can't afford a commercial EDR, document the use of built-in tools (Windows Defender) with enhanced configuration
  • 💡 For small organizations without 24/7 SOC, document automated alerting as your off-hours monitoring strategy
  • 💡 List your specific AV/EDR product and version to demonstrate it's current and supported

📚 Related Policies