DoD Contractor Considerations for CMMC Practice Guide SI.L1-3.14.4

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.

Practice Title: Update Malicious Code Protection
Practice Number: SI.L1-3.14.4
Practice: Update malicious code protection mechanisms when new releases are available.

Assessment Objectives
Determine if:
[a] malicious code protection mechanisms are updated when new releases are available.

(source: CMMC ML-1 Assessment Guide)

Overview of SI.L1-3.14.4

CMMC Level 1 contains three highly related practices that collectively set forth requirements for endpoint protection, i.e., antivirus. This is the second such practice.

If Malicious Code Protection (SI.L1-3.14.2) is the parent requirement, then Update Malicious Code Protection (SI.L1-3.14.4) and System & File Scanning (SI.L1-3.14.5) are fraternal twins.

Update Malicious Code Protection

Endpoint protection software, like any software, requires updates. Endpoint protection software updates usually come in a few flavors:

  • Malware signature and/or behavioral definition updates
  • Software patches
  • New major versions

Endpoint protection tools use a variety of mechanisms to detect malware, such as malware signatures and behavioral analysis. Because malware is constantly evolving, endpoint protection software providers issue regular definition updates to keep pace with the threats. These updates are issued at least daily. Microsoft releases updates for Defender around six times per day!

This CMMC Level 1 practice has a single assessment objective: to ensure that definition updates are applied when they are available.

To comply with this practice, organizations should use centrally managed endpoint protection rather than one-off installations on user devices. If endpoint protection is not centrally managed, users likely have the ability to disable automatic updates or even disable the software entirely.

Centrally managed endpoint protection tools also commonly provide reporting capabilities that will show the definition version and when it was last updated for each protected endpoint. Without such reporting, your assessor may need to manually inspect devices to determine whether this practice is implemented.


Most endpoint protection software can keep itself up to date without any issues. Occasionally, however, something goes wrong. The endpoint protection software may never be installed, be accidentally removed, or lose the ability to phone home to the centralized management server.

CMMC Level 2 contains practice requirements for Security Control Assessments (CA.L2-3.12.1) and Security Control Monitoring (CA.L2-3.12.3). Adding a layer of monitoring and periodic assessments to your endpoint protection controls will help identify noncompliant endpoints and support Level 2 requirements. Monitoring and assessment activities to consider include:

  • Periodic reconciliation of devices reported in the endpoint protection administration console to asset inventories will identify unprotected devices. (Supports SI.L1-3.14.2 – Malicious Code Protection)
  • Periodic inspection of devices in the endpoint protection administration console will identify misconfigured and out-of-date software. (Supports SI.L1-3.14.4 – Update Malicious Code Protection and SI.L1-3.14.5 – System & File Scanning)
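
The two checks above can be scripted against exports from the asset inventory and the endpoint protection console. The following is an added example, not part of the original article: the CSV column names, hostnames, definition versions and the three-day freshness threshold are all assumptions made for illustration, and the sample data is constructed.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data; real exports will use your tools' own column names.
ASSET_INVENTORY = """hostname,owner
WS-001,alice
WS-002,bob
WS-003,carol
SRV-01,it
"""

CONSOLE_EXPORT = """hostname,definition_version,definitions_updated,last_checkin
ws-001,1.401.10.0,2024-05-14T06:10:00,2024-05-14T08:00:00
WS-002,1.399.2.0,2024-05-02T11:30:00,2024-05-14T07:45:00
SRV-01,1.400.1.0,2024-05-06T20:00:00,2024-05-06T23:00:00
LAB-09,1.401.10.0,2024-05-14T06:00:00,2024-05-14T08:05:00
"""

def _rows(text):
    # Normalise hostnames so case differences between tools do not hide matches.
    return {r["hostname"].strip().upper(): r for r in csv.DictReader(io.StringIO(text))}

def reconcile(inventory_csv, console_csv, now, max_age=timedelta(days=3)):
    """Return hostnames grouped by the finding that needs follow-up."""
    assets, agents = _rows(inventory_csv), _rows(console_csv)
    findings = {
        # In the inventory but absent from the console: no protection reported.
        "unprotected": sorted(assets.keys() - agents.keys()),
        # Reporting to the console but missing from the inventory.
        "not_in_inventory": sorted(agents.keys() - assets.keys()),
        "stale_definitions": [],
        "not_checking_in": [],
    }
    for host in sorted(assets.keys() & agents.keys()):
        row = agents[host]
        if now - datetime.fromisoformat(row["definitions_updated"]) > max_age:
            findings["stale_definitions"].append(host)
        if now - datetime.fromisoformat(row["last_checkin"]) > max_age:
            findings["not_checking_in"].append(host)
    return findings

if __name__ == "__main__":
    report = reconcile(ASSET_INVENTORY, CONSOLE_EXPORT, datetime(2024, 5, 14, 9, 0))
    for finding, hosts in report.items():
        print(f"{finding}: {', '.join(hosts) or 'none'}")
```

Keeping each run's output with its date gives an assessor a record that the reconciliation and inspection were actually performed.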


Teenagers have always had their own dialect. Aided by technology, however, today’s slang changes as often as the weather and spreads faster than glitter in a kindergarten class. Parents, however, also benefit from the technology; they have various online dictionaries they can use to keep up with their teen’s latest vernacular. No cap! Amirite fam?

Like teen dialect, malware is in a constant state of evolution and change. Endpoint protection tools, likewise, need to be updated so they can keep up with the latest malware. Thankfully, updating malware protection takes less effort than yeeting those cheugy jeans.

Endpoint protection software is almost always configured by default to automatically update protection definitions. So, organizations that have implemented Malicious Code Protection (SI.L1-3.14.2) will probably also have implemented Update Malicious Code Protection (SI.L1-3.14.4) without doing anything extra, which is totally lit.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC readiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

About the Author

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.

