Every endpoint that touches controlled unclassified information (CUI) needs malware protection. The assessor wants to see that you actually have it deployed, turned on, kept current, and centrally managed. EDR (Endpoint Detection and Response) is the modern answer. Traditional antivirus still meets the requirement, but EDR gives you real-time visibility into endpoint behavior and detection/response capability that AV alone does not.
What the assessor is actually evaluating
Coverage: Every device in your CUI boundary has protection installed and active. Laptops, desktops, servers in the boundary. Not just some of them. The assessor will ask how many endpoints you have and how many have protection deployed.
Current definitions: Signatures and detection rules are current, not weeks or months old. The assessor wants to see the last update timestamp on your EDR console or antivirus management platform.
Real-time protection: Protection is running live, not scheduled for off-hours or disabled by users with local admin. The assessor will check your policy to confirm real-time scanning is enforced and users cannot turn it off.
Centralized management: You can see the status of all protected endpoints from one place. Pull up your console and show it.
Detection and response: When something is detected, you get an alert. You have a process to investigate and respond. EDR logs show what was blocked or quarantined.
Layered defense: Email gateway filtering and DNS filtering add depth, but most small contractors run the default Microsoft 365 email protection and that hasn’t been a major assessment focus. The assessor is primarily looking at your workstations and servers. Mobile devices should be managed through Intune or a similar MDM, but mobile EDR specifically hasn’t come up in assessments.
SSP example
We deploy EDR (CrowdStrike Falcon) to all endpoints within the CUI boundary: 24 workstations, 8 laptops, and 3 servers. Real-time protection is enabled by policy and cannot be disabled by users, including users with local administrator rights. Definitions and detection rules are updated at least daily from the Falcon cloud. All endpoints report status to our central Falcon console, where we maintain a log of detections, quarantines, and remediation actions. Email gateway filtering (Proofpoint) scans inbound and outbound mail for malicious payloads and blocks or quarantines matches before delivery. Our security team reviews EDR alerts daily and escalates incidents according to our incident response plan in [link to IR procedure]. We retain the malware detection log for at least 12 months.
How to present your evidence
Bring your EDR or antivirus console to the assessment. Show:
- The endpoint list. Verify that every in-scope device is enrolled and reporting status, and count them: if you have 30 devices in the CUI boundary, the console should show 30 devices reporting, or you have a problem.
- The status of real-time protection on at least three devices. Click into a few and show the real-time scanning status is ON.
- The policy that enforces real-time protection. Show that users cannot disable it.
- The definition or signature update timestamp. “Last updated: [today or very recent date].”
- A detection event from the past 90 days. Filter to "blocked" or "quarantined" items and show what your system caught. If your EDR has not logged a single detection or blocked item in three months, either your environment is unusually clean or the sensor is not actually monitoring, and the assessor will want to know which. If you have no real events, be ready to show a test detection, for example from the EICAR test file, so you can demonstrate that detection, alerting and quarantine work end to end.
- Your email gateway filtering console if you use one. Show a few blocked messages.
- Your incident response procedure that covers malware detection so the assessor knows what you do when something is found.
If you cannot pull up this evidence in the assessment, you fail the practice.
Common failures
Endpoint count doesn’t match inventory. Your EDR dashboard shows 20 devices but you have 25 in scope, or you have 20 enrolled but only 17 are actually reporting. Machines get reimaged, replaced, or fall off management and nobody notices. The assessor will count the devices you say are in scope and verify enrollment in the console. Make sure your EDR enrollment matches your device inventory before the assessment.
Real-time protection is off or optional. Your policy allows users with local admin to disable real-time scanning, or real-time scanning is disabled by default and you rely on scheduled scans. The assessor will ask: “Can a user turn off protection?” If the answer is yes for anyone with admin rights, you have a gap.
No visibility into detection activity. You have antivirus deployed but you do not maintain a log of what was detected, blocked, or quarantined, and no alerts are configured, so a detection could sit in the console for days before anyone investigates whether it was an isolated file or an active compromise.
Signature updates lag. Definitions are a week old or older. One week is not critical, but if your last signature update is a month old, the assessor will note the risk.
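The count, status and timestamp checks in the evidence list above, and the inventory mismatch described under Common failures, are easier to run before the assessment than to discover in the room. The script below is an added example written for this page; it is not from the original page and not CrowdStrike's or any other vendor's tooling. It reconciles a device inventory CSV against an "all hosts" export from an EDR console and flags in-scope devices that are not enrolled, enrolled devices that have stopped reporting, hosts with real-time protection off, stale definitions, and whether any detection exists in the last 90 days. The column names (hostname, in_cui_boundary, last_seen_utc, rtp_enabled, definitions_utc, timestamp_utc, action) and every sample row are constructed assumptions; map them to the columns your own console actually exports.

```python
"""Pre-assessment malware-protection evidence check (added example).

Added for this page; not any EDR vendor's tooling. It reconciles the device
inventory against an EDR console export and flags what the assessor will
count: in-scope devices not enrolled, enrolled devices that stopped
reporting, real-time protection turned off, stale definitions, and whether
any detection exists in the last 90 days. Column names and all sample rows
are constructed; map them to the columns of your own console's CSV export.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (assumed column names).
INVENTORY_CSV = """hostname,in_cui_boundary,owner
ws-001,yes,alice
ws-002,yes,bob
lt-003,yes,carol
srv-01,yes,it
lt-099,no,guest
"""

EDR_EXPORT_CSV = """hostname,last_seen_utc,rtp_enabled,definitions_utc
ws-001,2024-05-02T14:00:00Z,true,2024-05-02T09:00:00Z
ws-002,2024-04-01T08:00:00Z,true,2024-03-30T09:00:00Z
lt-003,2024-05-02T10:00:00Z,false,2024-05-02T09:00:00Z
old-box,2024-05-01T10:00:00Z,true,2024-05-02T09:00:00Z
"""

DETECTIONS_CSV = """timestamp_utc,hostname,action,detail
2024-03-15T11:20:00Z,ws-001,quarantined,EICAR test file
2023-11-02T09:00:00Z,ws-002,blocked,macro document
"""

# Fixed "now" so the sample is reproducible; use datetime.now(timezone.utc) in practice.
NOW = datetime(2024, 5, 2, 15, 0, tzinfo=timezone.utc)
STALE_SENSOR_DAYS = 7        # sensor silent this long counts as not reporting
STALE_DEFINITION_DAYS = 7    # older than this and the assessor will note the risk
DETECTION_WINDOW_DAYS = 90   # the window the assessor asks for a detection in


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamps used in the constructed exports."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def reconcile(inventory_csv, edr_csv, now=NOW):
    """Compare the in-scope inventory with the EDR host list and return the gaps."""
    in_scope = {r["hostname"] for r in csv.DictReader(io.StringIO(inventory_csv))
                if r["in_cui_boundary"].strip().lower() == "yes"}
    edr = {r["hostname"]: r for r in csv.DictReader(io.StringIO(edr_csv))}
    enrolled = set(edr)
    findings = {
        "in_scope_count": len(in_scope),
        "enrolled_count": len(in_scope & enrolled),
        "not_enrolled": sorted(in_scope - enrolled),
        # Hosts the console knows about but the inventory does not: the inventory is stale too.
        "enrolled_not_in_inventory": sorted(enrolled - in_scope),
        "not_reporting": [],
        "rtp_disabled": [],
        "stale_definitions": [],
    }
    for host in sorted(in_scope & enrolled):
        row = edr[host]
        if now - parse_ts(row["last_seen_utc"]) > timedelta(days=STALE_SENSOR_DAYS):
            findings["not_reporting"].append(host)
        if row["rtp_enabled"].strip().lower() != "true":
            findings["rtp_disabled"].append(host)
        if now - parse_ts(row["definitions_utc"]) > timedelta(days=STALE_DEFINITION_DAYS):
            findings["stale_definitions"].append(host)
    findings["clean"] = not any(
        findings[k] for k in ("not_enrolled", "not_reporting", "rtp_disabled", "stale_definitions"))
    return findings


def recent_detections(detections_csv, now=NOW, days=DETECTION_WINDOW_DAYS):
    """Return the detection rows that fall inside the window the assessor asks about."""
    cutoff = now - timedelta(days=days)
    return [r for r in csv.DictReader(io.StringIO(detections_csv))
            if parse_ts(r["timestamp_utc"]) >= cutoff]


if __name__ == "__main__":
    f = reconcile(INVENTORY_CSV, EDR_EXPORT_CSV)
    print(f"in scope: {f['in_scope_count']}, enrolled and in scope: {f['enrolled_count']}")
    for key in ("not_enrolled", "enrolled_not_in_inventory", "not_reporting",
                "rtp_disabled", "stale_definitions"):
        print(f"{key}: {f[key] or 'none'}")
    hits = recent_detections(DETECTIONS_CSV)
    print(f"detections in last {DETECTION_WINDOW_DAYS} days: {len(hits)}")
    if not hits:
        print("no detections logged: confirm the sensor really monitors, e.g. with an EICAR test file")
```

On the constructed data the script reports four in-scope devices but only three enrolled (srv-01 is missing), one host in the console that the inventory does not know about (old-box), ws-002 silent for a month with month-old definitions, and lt-003 with real-time protection off; each of those is a finding to fix before the assessor counts for you. Run it against real exports the week before the assessment and again the morning of, since machines fall off management between the two.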
If you use an MSP or MSSP
Your managed service provider typically manages the EDR or antivirus deployment, pushes updates, and responds to alerts. Bring the MSP representative into the assessment or have them provide a letter or signed attestation that they manage malware protection for your endpoints.
The assessor will still want to see the console output showing:
- Your endpoints are enrolled under your organization’s account or tenant.
- Definitions are current.
- Real-time protection is enabled.
- At least one detection or blocked item in the detection log.
Ask your MSP to pull the console evidence during the pre-assessment kickoff so you have the screenshots ready. The assessor expects you to own the evidence even if the MSP operates the tool.
Cross-reference: AU.L2-3.3.1 requires audit logging of system activity. EDR detection and response logs can serve as part of the evidence for that requirement, but they do not replace it.
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Q&A: What the assessor asks and what good answers sound like
This page reflects assessment practices for CMMC Level 2 and is not official NIST guidance. Your organization is responsible for interpreting CMMC requirements in the context of your systems and environment. Consult NIST SP 800-171 and your C3PAO for definitive guidance.