Provide protection from malicious code at designated locations
📖 What This Means
This control requires organizations to deploy and maintain anti-malware protection at the points where malicious code is most likely to enter or leave the system. NIST SP 800-171 describes these designated locations as system entry and exit points: firewalls, remote-access servers, workstations, e-mail servers, web servers, proxy servers, notebook computers, and mobile devices. In practice this means anti-malware or EDR software is installed, configured correctly, and kept current on every designated system; that those systems are scanned both on a schedule and on demand (for example, when files are downloaded, opened, or executed); and that detections are acted on and recorded. For example, a defense contractor might install endpoint protection on every computer used to handle Controlled Unclassified Information (CUI) and configure it to pull signature updates at least daily. Another example is deploying endpoint detection and response (EDR) agents on the servers that process sensitive data and enabling malware scanning at the e-mail gateway.
🎯 Why It Matters
Malicious code, such as viruses, ransomware, and spyware, can compromise sensitive data, disrupt operations, and lead to costly breaches. For instance, the 2017 WannaCry ransomware attack affected hundreds of thousands of systems globally, causing billions in damages. In the context of defense contractors, a malware infection could expose CUI, leading to national security risks and severe penalties. The DoD emphasizes this control to ensure that contractors safeguard sensitive information and maintain operational integrity. Without proper protection, organizations risk data loss, financial penalties, and damage to their reputation.
✅ How to Implement
- Enable the cloud provider's built-in malware protection services (for example, Amazon GuardDuty Malware Protection or Microsoft Defender for Cloud).
- Configure automatic signature/definition updates on every cloud-hosted virtual machine, and verify that updates actually succeed rather than only that the setting is enabled.
- Install endpoint protection (AV or EDR) software on cloud-based endpoints, including jump hosts and bastion servers.
- Enable automated malware scanning of objects written to cloud storage (for example, GuardDuty Malware Protection for S3 or Microsoft Defender for Storage), since storage buckets are an entry point for uploaded files.
- Use cloud-native posture tools (Amazon Inspector, Microsoft Defender for Cloud) alongside EDR to surface malware-related findings; note that Amazon Inspector is a vulnerability scanner, not an anti-malware engine, so it does not by itself satisfy this control.
- Ensure every cloud workload inside the CUI boundary is covered by the anti-malware policy, including auto-scaled instances and containers that are created after the initial deployment.
- Forward malware detection alerts to central logging or the SIEM, review them on a defined schedule, and record the review so it can be shown as evidence.
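The steps above describe what to deploy; what an assessor will actually ask for is proof that every designated location is covered and current. The following Python script is an added example, not code from the page's author or from any vendor: it audits a constructed inventory of endpoints against three policy thresholds (product installed with real-time protection on, definitions no older than one day, full scan no older than seven days) and reports a coverage percentage over designated locations only. The `Endpoint` fields, the role names treated as designated, the thresholds, and the inventory rows are all assumptions for illustration; in practice you would populate the inventory from your EDR console export or from `Get-MpComputerStatus` on each Windows host.

```python
"""Coverage audit for SI.L1-3.14.2: are all designated locations protected?"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy thresholds (assumed for this example; take them from your SI policy).
MAX_DEFINITION_AGE = timedelta(days=1)   # definitions must be updated daily
MAX_SCAN_AGE = timedelta(days=7)         # full scan at least weekly

# Roles treated as "designated locations": system entry/exit points plus
# the hosts that handle CUI. Role names are an assumption for this example.
DESIGNATED_ROLES = {
    "workstation", "mail-server", "web-server", "file-server",
    "proxy", "remote-access",
}


@dataclass
class Endpoint:
    host: str
    role: str
    av_product: Optional[str]              # None means nothing is installed
    definitions_updated: Optional[datetime]
    last_full_scan: Optional[datetime]
    realtime_protection: bool


def check(ep: Endpoint, now: datetime) -> List[str]:
    """Return the list of gaps for one endpoint; an empty list means compliant."""
    if ep.av_product is None:
        return ["no anti-malware product installed"]
    gaps = []
    if not ep.realtime_protection:
        gaps.append("real-time protection disabled")
    if ep.definitions_updated is None or now - ep.definitions_updated > MAX_DEFINITION_AGE:
        gaps.append("definitions older than policy allows")
    if ep.last_full_scan is None or now - ep.last_full_scan > MAX_SCAN_AGE:
        gaps.append("full scan overdue")
    return gaps


def audit(inventory: List[Endpoint], now: datetime) -> Tuple[float, Dict[str, List[str]]]:
    """Return (coverage percent, {host: gaps}) over designated locations only.

    Hosts whose role is not designated are skipped, but they should still be
    documented in the SSP as out of scope for this control.
    """
    designated = [e for e in inventory if e.role in DESIGNATED_ROLES]
    findings = {e.host: check(e, now) for e in designated}
    compliant = sum(1 for gaps in findings.values() if not gaps)
    pct = 100.0 * compliant / len(designated) if designated else 0.0
    return pct, {host: gaps for host, gaps in findings.items() if gaps}


# Constructed inventory for the example (not real hosts).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    Endpoint("ws-cui-01", "workstation", "Defender",
             NOW - timedelta(hours=6), NOW - timedelta(days=2), True),
    Endpoint("mail-01", "mail-server", "Defender",
             NOW - timedelta(days=3), NOW - timedelta(days=1), True),
    Endpoint("web-01", "web-server", None, None, None, False),
    Endpoint("file-01", "file-server", "Defender",
             NOW - timedelta(hours=1), NOW - timedelta(days=10), False),
    Endpoint("lab-printer", "printer", None, None, None, False),  # not designated
]


if __name__ == "__main__":
    coverage, gaps = audit(INVENTORY, NOW)
    print(f"Coverage of designated locations: {coverage:.0f}%")
    for host, issues in sorted(gaps.items()):
        print(f"  {host}: {'; '.join(issues)}")
```

Anything below 100% coverage is a finding an assessor will flag, so each host listed in the gap report should map to either a remediation ticket or a POA&M entry.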
📋 Evidence Examples
- Antivirus/EDR installation records
- Virus definition update logs
- Scan reports
- Policy document
- Training records
📝 SSP Guidance
Use this guidance when writing the System Security Plan (SSP) narrative for this control.
How to Write the SSP Narrative
For SI.L1-3.14.2 ("Provide protection from malicious code at designated locations"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it's working. Name the designated locations themselves (entry and exit points such as the e-mail gateway, web and remote-access servers, and the workstations and servers that handle CUI), the antivirus/EDR products deployed at each, how definition updates and scans are enforced, where detections are sent (SIEM or alerting), and who reviews them. Patch management belongs to SI.L1-3.14.1 and should be cross-referenced rather than repeated here. Be specific -- name your actual products, settings, and responsible personnel.
Example SSP Narratives
"SI.L1-3.14.2 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to provide protection from malicious code at designated locations. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Microsoft Defender for Cloud alert export, GuardDuty findings export, EDR agent coverage report']."
"SI.L1-3.14.2 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to provide protection from malicious code at designated locations. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export of the anti-malware settings, Windows Defender operational event logs, scan reports']."
"SI.L1-3.14.2 is implemented across both cloud and on-premise environments. [Organization] uses [a single EDR platform with agents in both environments/specific tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."
System Boundary Considerations
- Identify the designated locations within the CUI boundary: entry and exit points (e-mail gateway, web and proxy servers, remote-access servers) and the workstations, servers, and mobile devices that handle CUI
- Document EDR/AV coverage across endpoints and servers
- Specify SIEM monitoring coverage and alert rules for malware detections
- Ensure this control covers every system within your defined CUI boundary at which malicious code could enter or execute
- Document any systems where this control is not applicable and explain why
Key Documentation to Reference in SSP
- 📄 System and Information Integrity Policy
- 📄 Inventory of designated locations (entry/exit points and CUI-handling systems)
- 📄 AV/EDR deployment records
- 📄 SIEM alert configuration
- 📄 Evidence artifacts specific to SI.L1-3.14.2
- 📄 POA&M entry if control is not fully implemented
What the Assessor Looks For
The assessor will check the two assessment objectives for this practice: that designated locations for malicious code protection have been identified, and that protection is actually provided at those locations. Expect them to compare your designated-location inventory against AV/EDR deployment coverage (which should be 100% of those systems), confirm that definitions are current and scans are running, review SIEM alert rules and how quickly detections are handled, and test that the e-mail gateway blocks malicious content (a harmless EICAR test file is the usual way to demonstrate this). Patch management SLAs are assessed under SI.L1-3.14.1, not here.
💬 Self-Assessment Questions
Use these questions to assess your compliance. A "No" answer marks a gap that should be remediated or tracked as a POA&M entry.
Question 1: Is antivirus software installed on all designated systems?
Question 2: Is the antivirus software configured to update virus definitions automatically?
Question 3: Are regular full system scans scheduled and performed?
Question 4: Are malware detection logs reviewed regularly?
Question 5: Is there a documented anti-malware policy?
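Questions 2 and 4 are the ones most often answered "yes" without evidence: alerts land in a console nobody reads, and a failed signature update is never noticed. The following Python script is an added example, not code from the page's author: it parses a constructed, simplified log of Microsoft Defender operational events and produces the review output a practitioner would actually act on: detections with no successful remediation, remediation actions that failed, and hosts whose signature update failed. The event IDs (1116 malware detected, 1117 action taken, 1118 action failed, 2001 signature update failed) are the documented Defender Antivirus event IDs; the one-line log format, host names, and threat names are assumptions constructed for this example, so adapt the parser to whatever your SIEM or log forwarder emits.

```python
"""Triage of anti-malware detection events for the periodic log review."""
import re
from typing import Dict, List, Tuple

# Microsoft Defender Antivirus operational event IDs (documented values).
DETECTED = 1116            # malware or unwanted software detected
ACTION_OK = 1117           # protective action completed
ACTION_FAILED = 1118       # protective action attempted but failed
SIG_UPDATE_FAILED = 2001   # security intelligence update failed

# Constructed, simplified log lines: "<timestamp> <host> <event-id> key="value" ...".
# Hosts and threat names are invented for the example.
SAMPLE_LOG = r"""
2024-05-01T08:02:11Z ws-cui-01 1116 threat="Trojan:Win32/Sample.A" path="C:\Users\jdoe\Downloads\invoice.exe"
2024-05-01T08:02:13Z ws-cui-01 1117 threat="Trojan:Win32/Sample.A" action="Quarantine"
2024-05-01T09:15:40Z file-01 1116 threat="Ransom:Win32/Example.B" path="E:\share\tasksche.exe"
2024-05-01T09:15:44Z file-01 1118 threat="Ransom:Win32/Example.B" action="Remove"
2024-05-01T10:00:00Z mail-01 2001
2024-05-01T11:30:05Z web-01 1116 threat="Backdoor:PHP/Shell.C" path="/var/www/html/up.php"
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\d+)(?P<rest>.*)$")
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse(log_text: str) -> List[Dict[str, str]]:
    """Turn the one-line-per-event log into dicts; reject lines we cannot read
    rather than silently dropping them, since a dropped detection is a gap."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        fields = dict(KV_RE.findall(m["rest"]))
        events.append({"ts": m["ts"], "host": m["host"],
                       "event": int(m["event"]), **fields})
    return events


def triage(events: List[Dict[str, str]]) -> Dict[str, list]:
    """Correlate detections with their follow-up actions per (host, threat)."""
    unresolved: Dict[Tuple[str, str], Dict[str, str]] = {}
    failed_actions: List[Tuple[str, str]] = []
    sig_failures: List[str] = []
    for ev in events:
        key = (ev["host"], ev.get("threat", ""))
        if ev["event"] == DETECTED:
            unresolved.setdefault(key, ev)      # keep the first sighting
        elif ev["event"] == ACTION_OK:
            unresolved.pop(key, None)           # remediated: close it
        elif ev["event"] == ACTION_FAILED:
            failed_actions.append(key)          # stays open until a 1117 arrives
        elif ev["event"] == SIG_UPDATE_FAILED:
            sig_failures.append(ev["host"])
    return {
        "open_detections": sorted(unresolved),
        "failed_actions": failed_actions,
        "signature_update_failures": sig_failures,
    }


if __name__ == "__main__":
    report = triage(parse(SAMPLE_LOG))
    for section, items in report.items():
        print(f"{section}: {items}")
```

The point of correlating 1116 with 1117 is that a detection alone is not a finding for the control (the product did its job) but a detection without a completed action, or with a failed one, is an incident that must be handled and documented. The review record for question 4 is this report plus who looked at it and what was done.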
⚠️ Common Mistakes (What Auditors Flag)
1. Not updating virus definitions regularly
2. Missing antivirus installation on some systems
3. Failing to document scans and detections
4. Not training employees on malware prevention
5. Using outdated antivirus software
📚 Parent Policy
This practice is governed by the System and Information Integrity Policy