CMMC protection from malicious code

What are Your CMMC Antivirus Requirements?

Companies with CMMC requirements will need to deploy antivirus software to their systems. Here is how to configure your antivirus software to meet your cybersecurity maturity model certification (CMMC) requirements.
Join our newsletter:

CMMC Antivirus Requirements

There are several CMMC practices that explicitly relate to using Antivirus software to protect your systems. These practices are: SI.1.211, SI.1.212, and SI.1.213.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 Update malicious code protection mechanisms when new releases are available.
SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

How to Meet These CMMC Requirements

You need to install Antivirus software on your endpoints and servers (appropriate locations). You need to set your antivirus software to automatically update its signature database when an update is available.
You need to configure your antivirus to automatically run periodic scans (e.g., once a week on Fridays or daily). There is no specific requirement stating that you need to run weekly or daily scans, you are just required to run them periodically.
Your antivirus needs to be capable of automatically scanning files when they are downloaded from the internet. So when you download a file from a website using your browser, your antivirus software needs to be automatically scanned. Unknown files also need to be scanned before they are opened (e.g., a Microsoft word document) or executed (e.g., an exe file).

Additional Recommendations

If financially feasible it is recommended that you use an antivirus software that can be centrally managed. This means that you can install the antivirus software on your systems and deploy the same settings to all of them, preventing users from changing the settings. This also reduces the workload on your personnel as they don't have to configure each system manually.
Do not allow your users to change the settings on their antivirus software. They may turn off features (e.g., periodic scanning) that are important for your meeting CMMC compliance goals.
Another important tip is to avoid using non-U.S. antivirus software. The U.S. government has already cracked down on several including Kaspersky.
 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

NIST SP 800-171 & CMMC Compliance App

NIST SP 800-171 & CMMC Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
Learn More
HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
Learn More
FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
Learn More
ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
Learn More