SI.L2-3.14.4: Update Malicious Code Protection

Update malicious code protection mechanisms as new releases are available.

Outdated malware definitions mean you cannot detect current threats. SI.L2-3.14.4 requires that you keep malicious code protection (antivirus, EDR) current. Updates must be applied regularly, ideally automatically. The assessor will verify updates are current on all systems. Signature updates are part of your patch management strategy covered in SI.L2-3.14.1, working alongside SI.L2-3.14.2 (malware protection deployment).

Family: System and Information Integrity
Practice: SI.L2-3.14.4
Difficulty: Easy
Key evidence: AV/EDR policy, auto-update configuration, update logs, definition version checks

What the assessor is actually evaluating

The assessor will check:

  1. Antivirus/EDR deployment: All in-scope systems should have antivirus or EDR installed.

  2. Automatic updates: Signature updates should be configured to apply automatically. The default interval is typically daily or multiple times daily.

  3. Current definitions: On sampled systems, the assessor will verify that signature/definition versions are current (usually within the past 1-7 days).

What a realistic SSP definition looks like

Policy: “The organization deploys antivirus or EDR on all in-scope systems. Malware signature and definition updates are configured to update automatically daily. Updates are applied without manual intervention. The IT team verifies monthly that all systems have current definitions.”

Supporting details:

  • Antivirus tool: Windows Defender (built-in) or third-party (e.g., Kaspersky, Symantec).
  • EDR tool: Carbon Black or CrowdStrike for high-priority systems.
  • Automatic updates: Configured via Group Policy or tool settings to update signatures daily at 2:00 AM.
  • Verification: Monthly review of signature versions on all systems. Any systems more than 7 days behind are escalated.
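The monthly verification described above can be produced from the same Get-MpComputerStatus data the assessor will ask to see. This is an added example, not a script from the original guide: it assumes WinRM is enabled on the targets and that the caller has local administrator rights there; the hostnames and report path are placeholders.

```powershell
# Added example (not from the original guide): monthly Defender definition-currency check.
# Assumes WinRM is enabled on the targets and the caller has local admin rights there;
# the computer names and the report path are placeholders.
$Computers  = @('WS-001', 'WS-002', 'SRV-FILE01')   # placeholder hostnames
$MaxAgeDays = 7                                      # escalation threshold from the SSP
$ReportPath = ".\DefenderSignatureReport-$(Get-Date -Format 'yyyy-MM').csv"

$results = foreach ($computer in $Computers) {
    try {
        $status = Invoke-Command -ComputerName $computer -ErrorAction Stop -ScriptBlock {
            Get-MpComputerStatus |
                Select-Object AntivirusEnabled, RealTimeProtectionEnabled,
                              AntivirusSignatureVersion, AntivirusSignatureLastUpdated
        }
        $ageDays = [int][math]::Floor(((Get-Date) - $status.AntivirusSignatureLastUpdated).TotalDays)
        [pscustomobject]@{
            ComputerName       = $computer
            Reachable          = $true
            AntivirusEnabled   = $status.AntivirusEnabled
            RealTimeProtection = $status.RealTimeProtectionEnabled
            SignatureVersion   = $status.AntivirusSignatureVersion
            SignatureUpdated   = $status.AntivirusSignatureLastUpdated
            SignatureAgeDays   = $ageDays
            # Non-compliant if AV is off, real-time protection is off,
            # or the definitions are older than the threshold.
            Compliant          = $status.AntivirusEnabled -and
                                 $status.RealTimeProtectionEnabled -and
                                 ($ageDays -le $MaxAgeDays)
        }
    }
    catch {
        # An unreachable host is unverified, never assumed compliant; it goes on the escalation list.
        [pscustomobject]@{
            ComputerName = $computer; Reachable = $false
            AntivirusEnabled = $null; RealTimeProtection = $null
            SignatureVersion = $null; SignatureUpdated = $null
            SignatureAgeDays = $null; Compliant = $false
        }
    }
}

# The CSV is the monthly verification report; keep it with the other SI.L2-3.14.4 evidence.
$results | Export-Csv -Path $ReportPath -NoTypeInformation
$results | Format-Table ComputerName, Reachable, SignatureVersion, SignatureAgeDays, Compliant -AutoSize

# Escalation list for IT: anything not provably current.
$results | Where-Object { -not $_.Compliant } |
    Format-Table ComputerName, Reachable, SignatureAgeDays -AutoSize
```

Run it from a management host with a current inventory of in-scope systems, so that machines missing from the list are caught by the inventory review rather than silently omitted from the report.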

How to present your evidence

Evidence checklist
  • Antivirus/EDR policy document with update schedule
  • Group Policy or configuration enforcing automatic daily updates
  • Update logs from past 30 days showing recent signature versions
  • Definition version verification from 5-10 sampled systems
  • Monthly verification report showing all systems current

Assessment room tips

Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.

Assessor: “How do you keep your antivirus and malware protection current?”

You: “All systems have Windows Defender (or equivalent). Signature updates are configured to update automatically daily. We verify monthly that definitions are current.” [Pull up antivirus policy and Group Policy screenshots]

Assessor: “Show me the definition version on your systems.”

You: [Open Windows Defender settings or run Get-MpComputerStatus on a system, showing the signature version is recent (e.g., from today or yesterday)]

Assessor: “How often are definitions updated?”

You: “Daily, automatically at 2:00 AM. Updates are applied without user intervention.” [Show the update schedule in the AV settings]

Assessor: “What is your process if a system falls behind?”

You: “We check monthly. If a system is more than a week behind, we escalate to IT for immediate update.” [Show a monthly verification report]

Common failures

Antivirus definitions are outdated: Signature version is from 2-4 weeks ago. The system cannot detect recent malware.

No automatic updates configured: Signature updates are not automated. Updates happen sporadically, creating gaps.

Inconsistent deployment: Some systems have antivirus, others do not. Or some antivirus instances are out of date while others are current.

No verification process: The organization does not check whether definitions are current. Outdated definitions go undetected.

Automatic daily signature updates: Updates are configured to apply automatically without user action. Definitions are verified to be current.

Consistent deployment: All in-scope systems have AV/EDR with current definitions.

If you use an MSP/MSSP

If your MSP manages antivirus or EDR, ensure the service agreement specifies automatic daily updates. Request monthly reports showing definition versions across all managed systems. Verify that no systems are more than 7 days behind.


This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.

New practice breakdowns and assessment tips every week. Follow on Substack to stay current as the November 2026 deadline gets closer.