CMMC 3.14: System Integrity, Malware Defense, and Monitoring

Paul Netopski

Welcome back to CMMC Unlocked. I’m Paul Netopski, here with Roz the Rulemaker. Today we’re in the System and Information Integrity family, specifically 3.14.1 through 3.14.7. [calm] Assessor-minded view here: these controls are the evidence trail for how an organization finds flaws, blocks malicious code, watches for attack activity, and detects misuse before it turns into an incident.

Roz the Rulemaker

Right, and if you strip away the numbering, the government is asking a very practical question: do you have a disciplined way to keep systems trustworthy? Not perfect, just governed. And governed in a way you can prove with records, settings, procedures, and actual operational evidence.

Paul Netopski

Let’s start with 3.14.1, identify, report, and correct system flaws in a timely manner. This is basic vulnerability and patch discipline. The assessment criteria are very plain: your organization specifies the time to identify flaws, specifies the time to report them, specifies the time to correct them, and then actually does those things inside those windows.

Roz the Rulemaker

And that word specified matters. [emphatic] Assessors don’t want, well, we patch pretty fast. They want a policy or procedure that says something like critical flaws are reviewed within a defined period, reported to responsible personnel within a defined period, and remediated within a defined period. Then they’ll look for tickets, patch reports, change records, maybe vulnerability scan outputs, to see if practice matches policy.

Paul Netopski

Exactly. If you’ve got a patching procedure, a vulnerability management workflow, and logs showing deployment of fixes, you’re in much better shape. NIST SP 800-171A is what gives assessors the assessment procedures, so think in terms of examine, interview, test. Can they examine the procedure, interview admins, and test evidence of actual remediation?

Roz the Rulemaker

Then 3.14.2, malicious code protection at designated locations. [curious] Plain English: where have you decided malware defenses need to exist? Endpoints, email gateways, maybe servers, maybe web filtering points. Designated locations should be identified, and protection should be present there. If you leave that vague, you create a documentation hole.

Paul Netopski

Good artifact set here is an endpoint protection standard, AV or EDR console screenshots, host coverage reports, and maybe architecture diagrams showing where controls are placed. Then 3.14.3 says monitor security alerts and advisories and take action in response. That means somebody is watching vendor notices, threat intel sources, product alerts, and internal security alerts, and there’s a response action defined.

Roz the Rulemaker

Yes, not merely subscribed to a mailing list. [matter-of-fact] You need a triage habit. Alert review logs, ticket notes, escalation paths, maybe incident records. If a high-risk vulnerability notice comes in, what happens next? Who evaluates exposure? Who decides whether to patch, isolate, or monitor? Show that chain.

Paul Netopski

3.14.4 is straightforward: update malicious code protection mechanisms when new releases are available. In practice, keep AV signatures, engines, EDR agents, and related components current. Evidence can be centralized console status, update policies, version compliance reports, and exception handling when a system can’t update on schedule.

Roz the Rulemaker

Then 3.14.5 covers scans. Periodic scans of organizational systems, and real-time scans of files from external sources as they’re downloaded, opened, or executed. So now we’re talking defined scan frequency plus on-access or real-time protections. The assessor will want to know the frequency is defined, that periodic scans are performed at that frequency, and that files from external sources are scanned in real time.

Paul Netopski

And be careful here. A weekly scan scheduled in a tool is useful, but you also want proof it ran. [short pause] Job history, logs, dashboard exports, that kind of thing. For real-time scanning, policy settings and endpoint configuration matter.

Roz the Rulemaker

The last two are where organizations often get a little hand-wavy. 3.14.6 says monitor systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. That is broader than just perimeter firewall logs. You need some monitoring approach for systems and for traffic directions in and out.

Paul Netopski

Right. Think SIEM queries, IDS or IPS, firewall alerting, proxy logs, EDR telemetry, maybe managed detection if you use a provider. What matters is that attacks and indicators of potential attacks are actually monitored. Monitoring playbooks help here because they show who reviews what, how often, and what constitutes escalation.

Roz the Rulemaker

And 3.14.7, identify unauthorized use of organizational systems, starts with defining authorized use. That sounds almost too basic, but it is foundational. If you have not defined normal and permitted use, you cannot reliably identify abnormal and unauthorized use.

Paul Netopski

So your evidence might include acceptable use policy, role definitions, access rules, privileged access monitoring, login anomaly alerts, and investigations of suspicious activity. Short version: write it down, configure the tools, review the alerts, and preserve the records. That’s how this family stops being abstract.

Roz the Rulemaker

Now let’s make the crosswalk useful. Appendix D in SP 800-171 Rev. 2 maps these requirements to SP 800-53 controls, and that helps clarify what a mature implementation looks like. For this family, the big anchors are SI-2, SI-3, and SI-4. If you know those, the 3.14 requirements become much less mysterious.

Paul Netopski

3.14.1 aligns to SI-2, flaw remediation. So define timelines. That’s the first operational action. Critical, high, whatever categories you use, but they need documented response windows. Then build the workflow: identify flaw, report flaw, correct flaw, verify correction. Tickets, maintenance records, change approvals, vulnerability reports. Clean chain of custody.

Roz the Rulemaker

And documentation-wise, SP 800-18 is useful because it helps shape the system security plan. That’s where you describe how flaw management works in the environment, what systems are in scope, and who is responsible. SP 800-40 is especially relevant for patch and vulnerability management process design. If someone says, what should our remediation program look like, that publication is a sensible reference point.

Paul Netopski

Then 3.14.2, 3.14.4, and 3.14.5 all tie closely to SI-3, malicious code protection, with the scanning and update expectations that go with it. The implementation translation is: harden endpoints, deploy AV or EDR at identified locations, make sure update channels work, enforce real-time scanning for external files, and schedule periodic scans with defined frequencies.

Roz the Rulemaker

I’d add, document exceptions carefully. If a server cannot run standard endpoint protection, there should be a reason, an approval, and an alternative protection strategy. Assessors are usually more comfortable with a constrained exception than with an undocumented gap.

Paul Netopski

Agreed. For malware handling and operational response, SP 800-83 can help with practical anti-malware guidance, and SP 800-61 is the incident handling reference you want nearby. Because once an alert is real, you’ve crossed from monitoring into response, and the organization should have defined steps for triage, containment, eradication, and reporting.

Roz the Rulemaker

That bridges into 3.14.3, alert and advisory monitoring. Appendix D’s value here is that it pushes you to think beyond inbox subscriptions. What are your sources? Vendor advisories, threat notices, platform alerts, internal detections. What’s the workflow? Review, evaluate relevance, assign action, record disposition. If it isn’t logged, it’s difficult to prove.

Paul Netopski

And 3.14.6 maps to SI-4, system monitoring. This is where organizations need to monitor inbound and outbound traffic, not just one side. Inbound tells you what’s trying to get in. Outbound tells you what may already be inside and talking out. That’s critical for detecting command-and-control, exfiltration indicators, or just misuse that policy alone won’t catch.

Roz the Rulemaker

Yes, and this is often where a playbook earns its keep. What events are reviewed daily? Which thresholds trigger escalation? Who owns firewall logs, who owns endpoint alerts, who owns SIEM tuning? Tuning matters, by the way. A noisy detection program can be functionally equivalent to no detection program because staff stop trusting it.

Paul Netopski

Well said. Then 3.14.7, unauthorized use detection, depends on defining what authorized use is. That can come from acceptable use, account management rules, remote access restrictions, and role-based permissions. Detection then becomes practical: impossible travel, unusual privilege use, prohibited software execution, after-hours admin activity, excessive failed logins. You don’t need magic, you need defined baselines and reviewed alerts.

Roz the Rulemaker

And if you want to validate whether your controls are actually working, SP 800-115 is a helpful assessment reference. Not for the certification decision itself, but for designing tests, technical checks, and validation activities. It helps answer the uncomfortable question: are we monitoring, or do we merely believe we are monitoring?

Paul Netopski

That’s the right note to end on. For this family, good implementation is disciplined operations plus durable evidence: policy, procedures, settings, logs, schedules, triage notes, incident records, and retained reports. That’s what makes 3.14 real in an assessment.

Eric Marquette

And that’s a solid place to leave it for today. Paul, Roz, great breakdown. We’ll keep unpacking these controls one family at a time. Thanks, gentlemen.

Roz the Rulemaker

Always a pleasure. See you next time.

Paul Netopski

Thanks, Eric. Thanks, Roz. Talk soon.