DoD Contractor Considerations for CMMC Practice Guide SI.L1-3.14.2

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

DoD Contractor Considerations for CMMC Practice Guide SI.L1-3.14.2

Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.

Practice Title: Malicious Code Protection
Practice Number: SI.L1-3.14.2
Practice: Provide protection from malicious code at appropriate locations within organizational information systems.

Assessment Objectives
Determine if:
[a] designated locations for malicious code protection are identified; and
[b] protection from malicious code at designated locations is provided.

Overview of SI.L1-3.14.2

Flashback to 1987 – I was 8 years old, the Giants beat the Broncos in Super Bowl XXI, IBM launched its second-generation personal computer (the PS/2), and John McAfee released VirusScan, the first commercial antivirus software.

As computers became more common in the workplace and at home, the necessity of antivirus became obvious to nearly all users.

Today, antivirus software can range from traditional file and system scanning solutions to full endpoint detection and response (EDR) services. For this article, however, we will simply use the term endpoint protection.

This is the first of three CMMC Level 1 requirements related to endpoint protection. Simply put, it requires organizations to deploy endpoint protection where necessary.

Designated Locations

The first assessment objective requires that organizations identify where endpoint protection software is needed [a]. It does not need to be installed on every device, but organizations should start with a risk-based analysis to determine where it is needed.

Identifying the impact and likelihood of malware on a device will help provide a clearer picture of the risk. Risk factors to consider might include:


  • Device connectivity to the Internet (likelihood)
  • Other protection tools upstream or downstream from the device (likelihood)
  • Ubiquity of malware on the platform (likelihood)
  • Extent of user device interaction (likelihood)


  • Device connectivity to other devices (impact)
  • Mission criticality (impact)
  • Data sensitivity (impact)

Given the above, it would be difficult to reasonably conclude that end user computers with Internet access and local network connectivity do not need endpoint protection. In contrast, a Linux server that serves an internal-facing web application, with CLI access limited to local admins (who do have endpoint protection software on their machines) via SSH might reasonably not have dedicated endpoint protection software.

Organizations will also consider the cost, performance impact, and availability of compatible endpoint protection software.

For example, if an organization serves a web application with a cluster of servers behind a load balancer it may be more performant and easier to use a firewall performing deep packet inspection on inbound traffic rather than endpoint protection software installed on every server in the cluster.

There is a lot of judgment when determining where endpoint protection software needs to be deployed. If your judgements are documented and reasonable, this assessment objective should not trouble most organizations.


Once you decide where you need to implement endpoint protection, now you have to install it and hit the “On” button. That is all there is to it, sort of. CMMC Level 1 has two more related practices that address two related areas.

  • L1-3.14.4 – Update Malicious Code Protection
  • L1-3.14.5 – System & File Scanning


Companies should consider using an endpoint protection system that provides an administrator console and reporting functions. An administrator console generally provides a centralized view of all assets protected by the software, the last time it was updated, configuration controls, and alert settings to notify administrators when malware is detected.

An administrator console will also generally provide reporting capabilities that can serve as implementation evidence during an assessment and support your senior official’s annual affirmation.


Most endpoint protection software can keep itself up to date without any issues. Occasionally, however, something goes wrong. The endpoint protection software may never be installed, be accidentally removed, or lose the ability to phone home to the centralized management server.

CMMC Level 2 contains practice requirements for Security Control Assessments (CA.L2-3.12.1) and Security Control Monitoring (CA.L2-3.12.3). Adding a layer of monitoring and periodic assessments to your endpoint protection controls will help identify noncompliant endpoints and support Level 2 requirements. Monitoring and assessment activities to consider include:


Computing without endpoint protection is a bit like skydiving without a parachute; both are destined to end poorly. Thankfully, “antivirus” has had over 30 years to embed itself in our collective consciousness as an essential cyber defense, and most organizations have already adopted a solution. So, aside from documenting where it should be deployed and why, most organizations will not have much additional work to satisfy CMMC’s Malicious Code Protection requirements.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC CMMC RPOreadiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

Share this Insight:

About the Author

Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us