Are you prepared to continue to progress on your Cyber security Maturity Model Certification  (CMMC) journey? The sixth domain in the CMMC Level 1 requirements is System and Information IntegrityThe primary focus of this practice is Identify malicious content. In this post, we will build on our knowledge of the domains and practices of Level 1, with a focus on the second practice in System and Information Integrity, SI.1.211. 

 What is a CMMC Assessment? 

 A CMMC assessment is the methodology to certify that a contractor is compliant with the CMMC standard. CMMC Third Party Assessment Organizations (C3PAOs) carry out this methodology and evaluate your company’s unclassified networks. The CMMC evaluation process gives contractors guidance for a specific CMMC level (1-5); if you pass this process, the C3PAO issues the appropriate CMMC certificate. Passing a level 1 assessment, for example, confirms that you’re meeting the basic safeguarding requirements for Federal Contract Information (FCI). FCI is information not marked as public or for public release (specified in FAR Clause 52.204-21). 

What is System and Information Integrity – SI.1.211? 

Provide protection from malicious code at appropriate locations within organizational information systems. Designated locations include system entry and exit points which may include firewalls, remote access servers, workstations, electronic mail servers, web servers, proxy servers, notebook computers, and mobile devices. Malicious code includes viruses, worms, Trojan horses, and spyware. Malicious code can be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities. Malicious code protection mechanisms include anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber-attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. NIST SP 800-83 provides guidance on malware incident prevention. 

 What are the SI.1.211 Assessment Objectives and Objects? 

 Assessment procedures consist of an objective and a set of objects. The assessment objective includes a determination statement related to the CMMC practice content to ensure traceability of assessment results to requirements. These results determine if a practice is satisfied. Assessmentobjects specify the specific items that a C3PAO assesses (e.g., mechanisms, activities, and individuals). 

SI.1.211 assessment objectives: Designated locations for malicious code protection are identifiedProtection from malicious code at designated locations is provided. 

 SI.1.211 assessment objects:A C3PAO can assess document-based artifacts associated with your system, hardware, software, or firmware safeguards, protection-related actions supporting your system that involves people, and any other personnel related to these elements. 

 What are the Assessment Methods forSI.1.211? 

Assessment methods define the nature and extent of assessors’ actions (e.g., examining,    interviewing, and testing). They are outlined below for SI.1.211  

Examine: This method refers to reviewing, inspecting, observing, studying, or analyzing assessment objects. In regards to SI.1.211 a C3PAO may examineSystem security plan​ 

System configuration settings and associated documentation​.Record of actions initiated by  malicious code protection mechanisms in response to malicious code detection​.Scan results  from malicious code protection mechanisms​.System design documentation​.System audit  logs and records; other relevant documents or records 

Interview: This method refers to the process of holding discussions with individuals or  groups to facilitate understanding, achieve clarification, or obtain evidence. A C3PAO may System or network administrators​. Personnel with information security responsibilities. Personnel installing, configuring, and maintaining the system​.Personnel  with responsibility for malicious code protection 

Inspect: This method is the process of exercising assessment objects under specified conditions to compare actual behavior with expected behavior. All assessment objects that a C3PAO can examine for SI.1.211. Organizational processes for employing, updating, and configuring malicious code protection mechanisms. Organizational process for addressing false positives and resulting potential impact​ 

How Do I know if I’m Complying to the SI.1.211 Practice? 

System and Information Integrity is a domain that builds upon the concepts of Access Control, and establishes some more specifics that require attention. You may already have made progress and set measures in place to ensure that you are working towards complying with this practice and its requirements, but you might be wary of what C3PAO’s might assess and how you would stand in an assessment. If this is the case, taking a free CMMC self-assessment can help you gauge where you are in the CMMC compliance process for this domain. Taking this next step can help you better you’re standing towards compliance, and take you one step closer in achieving CMMC Level 1 certification.