3.14.2 — Deploy Anti-Malware

The One-Liner

Any CUI system without endpoint protection is an instant finding — workstations, servers, and everything in between.

What It Says

Provide protection from malicious code at designated locations within organizational systems.

What It Actually Means

Every system in your CUI environment that can run malicious code must have protection against it. Two things the assessor checks:

1. Designated locations are identified. You’ve documented which systems need malicious code protection. This means: all CUI workstations, all CUI servers, email gateways, web gateways, and any other system where malicious code could execute or transit. “Designated locations” is the NIST way of saying “everywhere malicious code could run or arrive.”

2. Protection is provided at those locations. Endpoint detection and response (EDR) or antivirus is installed, running, and active on every designated system. Not just installed — configured with real-time protection enabled, cloud-delivered protection enabled, and connected to a central management console where you can verify coverage.

Modern best practice is EDR over traditional antivirus. EDR provides behavioral detection, threat hunting, and automated response — traditional AV only catches known signatures. Most assessors expect EDR-level capability for Level 2.

This also includes protection at network boundaries — email filtering that scans attachments before delivery, web filtering that blocks known malicious sites, and potentially IDS/IPS at the perimeter. The requirement says “designated locations” — not just endpoints.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are designated locations for malicious code protection identified?	Documented list of system types requiring protection: endpoints, servers, email gateway, web gateway
2	Is protection from malicious code provided at those locations?	EDR/AV installed and active on every designated system — console showing 100% coverage

---

What to Have Ready on Assessment Day

Documents they’ll review: System and information integrity policy; procedures addressing malicious code protection; list of designated locations; system security plan; system configuration showing protection is enabled; EDR/AV management console showing coverage and status; records of malware detections and responses

People they’ll talk to: System or network administrators; information security personnel; personnel responsible for malicious code protection; personnel configuring and maintaining endpoint protection

Live demos they’ll ask for: “Show me your EDR console. What’s the coverage percentage?” “Pick a CUI server — show me protection is active.” “Show me a recent malware detection — what happened?” “Is real-time protection enabled on this workstation?”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Which systems have malicious code protection? Show me the list.”
• “Show me your EDR/AV management console — what’s your coverage rate?”
• “Are all CUI workstations covered? All servers?”
• “Pick a system — show me that protection is active and real-time scanning is enabled.”
• “Is email filtered for malicious attachments before delivery?”
• “Show me a recent detection — how was it handled?”
• “Are any systems excluded from protection? Why?”

Real-World Example

A defense contractor deploys Microsoft Defender for Endpoint on every CUI system — workstations and servers. The Defender portal shows 100% onboarding: all 47 CUI workstations and 6 CUI servers report healthy with real-time protection, cloud-delivered protection, and tamper protection enabled. Email protection is handled by Defender for Office 365 — attachments are scanned and detonated in a sandbox before delivery. Web protection is enabled through Defender SmartScreen, blocking known malicious URLs. The SOC dashboard shows: zero unprotected devices, average 4-hour detection-to-remediation time, and monthly reports of blocked threats. When the assessor picks a random CUI server and asks to verify, the admin pulls up the device page in the Defender portal showing: sensor health = active, real-time protection = on, signature version = today’s date, last scan = 6 hours ago.

---

Where Companies Trip Up

Incomplete coverage. Workstations are protected but servers aren’t — sometimes because of performance concerns, sometimes because of oversight. The assessor checks the EDR console and finds 85% coverage. Every CUI system needs protection — if a server has performance constraints, work with the vendor to tune the configuration rather than excluding it.

Outdated signatures. Protection is installed but signatures are days or weeks old. Modern EDR reduces dependency on signatures with behavioral detection, but the assessor still checks — and 3.14.4 specifically requires keeping protection current.

Real-time protection disabled. Someone disabled real-time scanning “temporarily” for a software installation and never re-enabled it. Verify real-time protection is active on every system. Tamper protection prevents users and even local admins from disabling it.

No central management. AV is installed on individual systems but there’s no central console to verify coverage, status, or detections. A management console is essential — you need to know that every system is protected, current, and reporting.

Servers exempted for performance. Database servers or application servers excluded because “AV slows them down.” This is a finding. Modern EDR agents are lightweight and can be tuned with exclusions for specific processes — but the protection must be present.

---

How to Talk About This

To a CEO or Board

Every CUI system has endpoint protection — workstations and servers — with real-time scanning, current signatures, and central monitoring. Our coverage is 100% verified through a management console. Email and web traffic are also scanned for malicious content before they reach users.

To an Engineering Team

Defender for Endpoint on all CUI endpoints and servers: real-time protection, cloud-delivered protection, tamper protection, automated investigation. Defender for Office 365: safe attachments + safe links. SmartScreen for web protection. 100% onboarding verified in Defender portal. Alert queue reviewed daily. Monthly detection/response metrics reported. No exclusions without documented justification and compensating control.

---

Connected Requirements

Requirement	Why it matters here
3.14.4 — Keep Protection Current	Malware protection mechanisms must be updated — this requirement deploys them, 3.14.4 keeps them current
3.14.5 — Scan Regularly	Periodic scans complement the real-time protection deployed here
3.4.8 — Whitelist or Blacklist Software	Application control complements malware protection — defense in depth
3.14.6 — Watch the Network	Network monitoring provides additional detection beyond endpoint protection

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: SI.L2-3.14.2 | SPRS Weight: 5 points | POA&M Eligible: No