CMMC System Integrity: Antivirus, Updates, and Malware Protection
System and Information Integrity is about keeping bad stuff out of your systems and keeping those systems working properly. Viruses, ransomware, spyware, and other malicious software are constant threats. Security flaws in the software you use create openings for attackers. This domain addresses both.
CMMC Level 1 has four requirements in System and Information Integrity. They cover familiar ground: antivirus protection, software updates, and regular scanning. Most businesses already do these things—the gap is usually in consistency and documentation.
If you have antivirus software running and keep your systems updated, you're most of the way there. Let's break down what each requirement actually asks for.
SI.L1-3.14.1: Flaw Remediation
Plain English: Fix security problems in your software in a timely manner.
Every piece of software has flaws. Operating systems, applications, firmware—they all have vulnerabilities that get discovered over time. When vendors find these flaws, they release patches and updates to fix them. This requirement says you need to apply those fixes, not ignore them.
The key phrase is "timely manner." You don't need to drop everything the moment an update appears, but you can't let patches sit for months either. Critical security updates should be applied promptly—within days, not weeks or months.
What This Looks Like in Practice
Operating system updates are enabled. Windows Update, macOS Software Update—these should be turned on and functioning. Automatic updates are the easiest approach for most small businesses. Updates get installed without someone having to remember to do it.
Application updates are applied. It's not just the operating system. Your web browsers, PDF readers, office software, and business applications all need updates. Many applications update automatically; others require manual attention. Either way, they need to stay current.
Someone pays attention to security alerts. When a critical vulnerability makes the news—like a major Windows flaw or a widely-exploited browser bug—someone in your organization should notice and verify your systems are patched. You don't need a dedicated security team, but you need awareness.
Legacy systems are addressed. If you're running old software that no longer receives security updates, that's a problem. Windows 7, for example, hasn't received security patches since 2020. Systems like this need to be upgraded, isolated, or replaced.
Evidence You'll Need
- Screenshots showing automatic update settings are enabled
- Patch logs or update history from your systems
- Documentation of your update process or policy
SI.L1-3.14.2: Malicious Code Protection
Plain English: Have antivirus and anti-malware protection on your systems.
Malicious code comes in many forms: viruses that corrupt your files, ransomware that encrypts your data and demands payment, spyware that steals information, trojans that give attackers remote access. You need protection against all of it.
This requirement is straightforward—you need antivirus or anti-malware software protecting your systems.
What This Looks Like in Practice
Antivirus is installed on all computers. Every workstation and laptop that handles Federal Contract Information (FCI) should have antivirus protection. No exceptions for "that computer doesn't go on the internet much" or "it's just used for one thing."
Real-time protection is enabled. Antivirus software should be actively monitoring, not just sitting there waiting for you to run a manual scan. Real-time protection catches threats as they arrive—when you download a file, open an email attachment, or visit a website.
The software is actually running. It sounds obvious, but antivirus that's been disabled, expired, or crashed isn't protecting anything. Verify it's active and functioning.
Evidence You'll Need
- Screenshots of antivirus dashboards showing protection is active
- List of systems and their antivirus status
- Evidence that real-time protection is enabled
SI.L1-3.14.4: Update Malicious Code Protection
Plain English: Keep your antivirus definitions current.
Antivirus software works by recognizing known threats. It compares files and behaviors against a database of malware signatures. But new malware appears constantly—thousands of new variants every day. If your definitions are outdated, your antivirus won't recognize recent threats.
This requirement ensures your malware protection stays current, not frozen at whatever definitions it had when you installed it.
What This Looks Like in Practice
Automatic updates are enabled. Nearly all modern antivirus software updates automatically. This should be turned on. Definitions should update at least daily—most products update multiple times per day.
Updates are actually happening. Don't assume it's working. Periodically check that definitions have been updated recently. If the last update was three weeks ago, something's wrong.
Update failures are noticed. If your antivirus can't reach update servers—maybe due to network issues or expired subscriptions—you need to know. Many products alert you when updates fail. Pay attention to those warnings.
Evidence You'll Need
- Screenshots showing automatic updates are enabled
- Update logs showing recent definition updates
- Evidence of the last successful update date
SI.L1-3.14.5: System and File Scanning
Plain English: Regularly scan your systems for malware.
Real-time protection catches most threats as they arrive, but it's not perfect. Some malware evades initial detection. Some threats arrive through channels that aren't monitored in real-time. Regular full-system scans provide a safety net, catching anything that slipped through.
What This Looks Like in Practice
Scheduled scans are configured. Set up your antivirus to run full system scans automatically—weekly at minimum. Schedule them for times when computers are on but not heavily used, like overnight or during lunch.
Scans actually complete. A scan that starts but gets interrupted doesn't count. Make sure scheduled scans have enough time to finish. Check occasionally that they're completing successfully.
Downloads and attachments are scanned. Files from the internet and email attachments are high-risk. Your antivirus should scan these automatically when they arrive, not just during scheduled full scans. Most modern products do this by default.
Scan results are reviewed. If a scan finds something, someone needs to notice and respond. Don't let threats sit in quarantine indefinitely without investigation.
Evidence You'll Need
- Screenshots showing scheduled scan configuration
- Scan logs showing completed scans
- Evidence that scan results are reviewed
Recommendations for Small Businesses
You don't need to spend a fortune on endpoint protection. Here's practical guidance for meeting these requirements cost-effectively:
Windows Defender is acceptable. If you're running Windows 10 or 11, Windows Defender (now called Microsoft Defender) is built in and free. It consistently performs well in independent testing and meets Level 1 requirements. You don't need to buy additional antivirus if Defender is properly configured and maintained.
If you want more, consider established options. Products like Malwarebytes, Bitdefender, Norton, and ESET all provide solid protection. Some offer business versions with central management, which makes it easier to verify all systems are protected. But for basic Level 1 compliance, Windows Defender works fine.
Enable automatic updates everywhere. Operating systems, applications, antivirus—turn on automatic updates for everything that supports it. This is the simplest way to stay current without requiring constant attention. Check periodically that updates are actually happening.
Schedule weekly scans. Configure a full system scan at least weekly. Pick a time when computers are typically on but idle. For most offices, overnight on a weekday or during lunch works well. Some businesses run scans over the weekend.
Don't disable protection for convenience. When software asks you to turn off antivirus for installation, be skeptical. When updates seem annoying, don't disable them. The momentary convenience isn't worth the security risk.
Centralized management helps. If you have more than a handful of computers, consider endpoint protection with a central dashboard. Being able to see the status of all your systems in one place makes it much easier to verify compliance and catch problems.
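As an added example (not from the original guide or from CMMCheck), the PowerShell script below pulls the evidence the four requirements above ask for from a single Windows 10/11 computer running Microsoft Defender and saves it as a timestamped JSON file. It assumes an elevated PowerShell session with the built-in Defender module; the day-count thresholds are this example's own assumptions, not values from the CMMC text.

```powershell
# Added example: collect CMMC Level 1 SI evidence from one Microsoft Defender endpoint.
# Assumptions: Windows 10/11, built-in Defender module, elevated session.
$MaxSignatureAgeDays = 1    # SI.L1-3.14.4: definitions should update at least daily
$MaxFullScanAgeDays  = 7    # SI.L1-3.14.5: full scan at least weekly
$MaxPatchAgeDays     = 30   # SI.L1-3.14.1: at least one OS update installed recently (assumed window)

$status    = Get-MpComputerStatus
$pref      = Get-MpPreference
$os        = Get-CimInstance Win32_OperatingSystem
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1

$report = [ordered]@{
    Computer             = $env:COMPUTERNAME
    CollectedAt          = (Get-Date).ToString('s')
    OperatingSystem      = "$($os.Caption) $($os.Version)"   # spot legacy systems that no longer get patches
    # SI.L1-3.14.1 Flaw remediation
    LastHotfixInstalled  = if ($lastPatch) { $lastPatch.InstalledOn.ToString('yyyy-MM-dd') } else { 'none found' }
    FlawRemediationOK    = [bool]$lastPatch -and ((Get-Date) - $lastPatch.InstalledOn).Days -le $MaxPatchAgeDays
    # SI.L1-3.14.2 Malicious code protection
    AntivirusEnabled     = $status.AntivirusEnabled
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    MalwareProtectionOK  = $status.AntivirusEnabled -and $status.RealTimeProtectionEnabled -and -not $pref.DisableRealtimeMonitoring
    # SI.L1-3.14.4 Update malicious code protection
    SignatureVersion     = $status.AntivirusSignatureVersion
    SignatureLastUpdated = $status.AntivirusSignatureLastUpdated.ToString('s')
    SignatureAgeDays     = $status.AntivirusSignatureAge
    DefinitionsCurrentOK = $status.AntivirusSignatureAge -le $MaxSignatureAgeDays
    # SI.L1-3.14.5 System and file scanning
    ScheduledScanDay     = $pref.ScanScheduleDay      # 0 = every day, 1-7 = Sunday-Saturday, 8 = never
    ScheduledScanType    = $pref.ScanParameters       # 1 = quick scan, 2 = full scan
    FullScanAgeDays      = $status.FullScanAge        # very large value means a full scan has never completed
    DownloadsScanned     = -not $pref.DisableIOAVProtection   # downloads and attachments scanned on arrival
    ScanningOK           = ($pref.ScanScheduleDay -ne 8) -and ($pref.ScanParameters -eq 2) -and
                           ($status.FullScanAge -le $MaxFullScanAgeDays) -and -not $pref.DisableIOAVProtection
}

# Detections Defender has recorded; each one should have been looked at by a person (SI.L1-3.14.5)
$report.ThreatDetectionsToReview = @(Get-MpThreatDetection -ErrorAction SilentlyContinue).Count

# Save the evidence file for the assessor and show the summary on screen
$out = "SI-evidence-$($env:COMPUTERNAME)-$(Get-Date -Format yyyyMMdd).json"
[pscustomobject]$report | ConvertTo-Json | Set-Content -Path $out
[pscustomobject]$report | Format-List
```

On a machine where ScanningOK comes back false because no full scan is scheduled, `Set-MpPreference -ScanParameters FullScan -ScanScheduleDay Sunday -ScanScheduleTime 02:00:00` configures the weekly overnight full scan the recommendations describe.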
Assess Your System Integrity Compliance
Antivirus and updates might seem straightforward, but documentation is where many businesses fall short. Can you prove your protection is current across all systems? Do you have records of scans and updates?
CMMCheck helps you verify each System and Information Integrity requirement with clear yes/no questions. You'll know whether your current practices meet the standard—and what evidence you need to demonstrate compliance.
Ready to check your CMMC Level 1 readiness? Try CMMCheck and assess your compliance in plain English.
This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.