Skip to main content
Greypike's CMMC Knowledge Base

Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.

If you cannot find an answer then contact us or click the chat button on the lower right..

< All Topics
Print

System and Information Integrity (SI)

System and Information Integrity (SI) is one of the 14 security control families in NIST SP 800-171 Revision 2, which forms the foundation of CMMC Level 2 requirements. The SI family focuses on identifying, preventing, and responding to system flaws, malicious code, and unauthorized system activity.

The SI control family contains 7 security requirements (3.14.1 through 3.14.7) that protect the integrity and availability of contractor information systems processing, storing, or transmitting Controlled Unclassified Information (CUI). These controls ensure that systems remain secure, operational, and free from compromise.

SI requirements address:

  • Timely identification and remediation of system vulnerabilities
  • Protection against malicious code and malware
  • Security monitoring and alerting
  • System scanning and threat detection
  • Detection of unauthorized system use

The SI family works in conjunction with other control families—particularly Audit and Accountability (AU), Incident Response (IR), and Configuration Management (CM)—to create a comprehensive security monitoring and response capability.

The 7 System and Information Integrity Requirements

3.14.1: Identify, Report, and Correct System Flaws in a Timely Manner

Requirement: Organizations must identify systems affected by software and firmware flaws, report vulnerabilities to designated personnel, and remediate them according to risk-based timelines.

What This Means:

Organizations must establish formal processes for vulnerability management that include:

  • Flaw identification: Continuously monitor for newly announced vulnerabilities affecting your systems using resources like the Common Vulnerabilities and Exposures (CVE) database and Common Weakness Enumeration (CWE)
  • Impact assessment: Determine which systems are affected by each announced flaw and assess potential impact
  • Reporting: Report identified flaws to designated information security personnel with authority to prioritize remediation
  • Timely remediation: Apply patches, updates, or compensating controls based on severity

Remediation Timelines:

The CMMC Assessment Guide and industry best practices typically recommend:

  • Critical vulnerabilities: 30 days or less
  • High vulnerabilities: 90 days or less
  • Medium/low vulnerabilities: Based on organizational risk assessment

Implementation Methods:

  • Vulnerability scanning tools that identify missing patches
  • Subscription to vendor security bulletins and notifications
  • Documented vulnerability management policy with defined timelines
  • Patch management system for tracking and deploying updates
  • Testing procedures to validate patches before production deployment

Common Tools:

  • Vulnerability scanners (Nessus, Qualys, Rapid7)
  • Patch management platforms (WSUS, SCCM, Automox)
  • Asset management systems to track software inventory

Assessment Objective: Assessors verify that your organization has processes to identify, report, and remediate system flaws within defined timelines, supported by documentation and evidence of patch deployment.


3.14.2: Provide Protection from Malicious Code at Designated Locations Within Organizational Systems

Requirement: Deploy malicious code protection mechanisms at system entry and exit points to detect and prevent malware.

What This Means:

Implement anti-malware protection at critical points: endpoints (workstations, laptops, servers), email gateways, web gateways, file servers, and removable media access points.

Protection mechanisms include signature-based detection, behavior-based detection, heuristic analysis, sandboxing, and reputation-based filtering.

Common Tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Symantec Endpoint Protection, Proofpoint/Mimecast for email security.

Assessment Objective: Assessors verify that malicious code protection is deployed at designated locations and actively detecting/preventing threats.


3.14.3: Monitor System Security Alerts and Advisories and Take Action in Response

Requirement: Organizations must monitor security alerts and advisories from authoritative sources and respond appropriately.

What This Means:

Stay informed about emerging threats, vulnerabilities, and security guidance from trusted sources:

Authoritative Sources:

  • US-CERT/CISA: Cybersecurity and Infrastructure Security Agency alerts
  • Vendor security bulletins: Microsoft, Cisco, Adobe, etc.
  • Industry information sharing organizations: ISACs relevant to your sector
  • NIST National Vulnerability Database: NVD for CVE information
  • Security intelligence services: Commercial threat intelligence feeds

Response Actions Required:

  • Review alerts and determine applicability to your environment
  • Assess risk and prioritize response based on threat severity
  • Implement recommended mitigations or patches
  • Document actions taken in response to alerts
  • Communicate relevant threats to appropriate personnel

Implementation Methods:

  • Documented process for monitoring security alerts
  • Designated personnel responsible for alert review
  • Ticketing system to track alert response actions
  • Regular review meetings to discuss emerging threats
  • Integration with vulnerability management processes

Assessment Objective: Assessors verify that your organization monitors relevant security sources and has documented evidence of responding to applicable alerts.


3.14.4: Update Malicious Code Protection Mechanisms When New Releases Are Available

Requirement: Keep anti-malware and security protection tools current by applying updates as they become available.

What This Means:

Malware evolves rapidly, and protection mechanisms must be updated frequently to remain effective:

Updates Include:

  • Signature definitions: New virus/malware signatures (typically daily or more frequently)
  • Detection engines: Updates to the core scanning technology
  • Behavioral rules: New heuristic detection patterns
  • Threat intelligence: Updated indicators of compromise (IOCs)

Implementation Methods:

  • Automatic updates enabled for antivirus/anti-malware signature definitions
  • Scheduled updates for detection engines and software components
  • Verification that updates are successfully deploying across all protected systems
  • Backup/fallback mechanisms if automatic updates fail
  • Documentation of update frequency and verification procedures

Update Frequency:

  • Signature definitions: Multiple times daily (automatic)
  • Detection engines: As released by vendor (weekly to monthly)
  • Major software versions: Tested and deployed per change management process

Common Tools:

  • Enterprise antivirus management consoles showing update status
  • Endpoint management platforms
  • Security Information and Event Management (SIEM) for monitoring update compliance

Assessment Objective: Assessors verify that malicious code protection mechanisms are configured to receive automatic updates and evidence shows current protection across systems.


3.14.5: Perform Periodic Scans of Organizational Systems and Real-Time Scans of Files from External Sources

Requirement: Conduct regular scheduled scans of systems and perform real-time scanning of files as they are accessed, downloaded, or executed.

What This Means:

Periodic Scans: Full system scans weekly/monthly, quick scans daily, on-demand scans as needed.

Real-Time Scans: Scan files immediately when downloaded, received via email, copied from removable media, or accessed by users.

Coverage: All systems that process, store, or transmit CUI. Quarantine detected threats automatically.

Implementation: Enable real-time protection on endpoints, configure scheduled scans, monitor completion, review results, document policies and schedules.

Assessment Objective: Assessors verify scanning is configured, scans complete successfully, real-time protection is active, and results are reviewed.


3.14.6: Monitor Organizational Systems, Including Inbound and Outbound Communications Traffic, to Detect Attacks and Indicators of Potential Attacks

Requirement: Continuously monitor systems and network traffic to detect malicious activity, attacks, and indicators of compromise.

What This Means:

Implement security monitoring capabilities that provide visibility into:

System Monitoring:

  • Log collection from servers, workstations, network devices
  • Security event correlation and analysis
  • User activity monitoring
  • Privilege escalation attempts
  • System configuration changes

Network Traffic Monitoring:

  • Inbound traffic: Detect incoming attacks, port scans, exploit attempts
  • Outbound traffic: Identify data exfiltration, command-and-control communications, malware beaconing
  • Internal lateral movement: Detect attackers moving between systems

Indicators to Monitor:

  • Failed authentication attempts (brute force attacks)
  • Unusual network traffic patterns or volumes
  • Connections to known malicious IP addresses or domains
  • Malware signatures or behavioral patterns
  • Privilege escalation or unauthorized access attempts
  • Data transfers to unusual destinations

Implementation Methods:

  • Security Information and Event Management (SIEM) system for log aggregation and correlation
  • Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
  • Network traffic analysis tools
  • Endpoint Detection and Response (EDR) solutions
  • Security Operations Center (SOC) or managed security service provider (MSSP) for 24/7 monitoring

Common Tools:

  • Splunk, Microsoft Sentinel, or other SIEM platforms
  • Suricata, Snort (IDS/IPS)
  • Zeek (network security monitoring)
  • EDR platforms with threat hunting capabilities

Assessment Objective: Assessors verify that monitoring capabilities are implemented, actively collecting and analyzing security events, and alerts are being investigated and responded to.


3.14.7: Identify Unauthorized Use of Organizational Systems

Requirement: Detect and identify when systems are being used by unauthorized individuals or for unauthorized purposes.

What This Means:

Implement monitoring and detection capabilities that identify:

Unauthorized Users:

  • Access from accounts without legitimate need
  • Shared account usage
  • Access from terminated employees
  • Compromised credentials being used by attackers

Unauthorized Activities:

  • Systems used outside authorized hours or locations
  • Unusual access patterns inconsistent with job role
  • Excessive data downloads or unauthorized data access
  • Installation of unauthorized software
  • Circumvention of security controls

Detection Methods:

  • User and Entity Behavior Analytics (UEBA): Baseline normal behavior and alert on anomalies
  • Access control logging: Track all system access attempts and compare against authorized users
  • Audit log review: Regular review of security logs for suspicious activity
  • Failed login monitoring: Multiple failed attempts may indicate credential attacks
  • Geographic anomalies: Access from unexpected locations
  • Time-based anomalies: Access during unusual hours

Indicators of Unauthorized Use:

  • Multiple failed login attempts
  • Access from unusual geographic locations
  • Access during non-business hours without justification
  • Privilege escalation attempts
  • Unusual file access or modification patterns
  • Use of disabled or deleted accounts

Implementation Methods:

  • Enable comprehensive audit logging on all systems
  • Implement SIEM correlation rules for unauthorized access patterns
  • Deploy User and Entity Behavior Analytics (UEBA) tools
  • Establish baseline user behavior profiles
  • Regular audit log reviews by security personnel
  • Automated alerting for suspicious activities

Response Actions:

  • Investigate alerts of potential unauthorized use
  • Temporarily disable suspect accounts pending investigation
  • Reset credentials if compromise suspected
  • Document investigation findings
  • Update access controls based on findings

Assessment Objective: Assessors verify that monitoring capabilities can detect unauthorized system use, alerts are investigated, and evidence shows response to unauthorized access attempts.


Implementation Considerations

Integrated Approach: SI controls work with Audit and Accountability (AU), Incident Response (IR), Configuration Management (CM), and Access Control (AC) for comprehensive security.

Technology Requirements:

  • Endpoint protection (antivirus, anti-malware, EDR)
  • Vulnerability scanning and patch management
  • SIEM for log collection and correlation
  • Network monitoring (IDS/IPS)
  • Security automation tools

Documentation Requirements:

  • Vulnerability management policy with timelines
  • Malicious code protection policy
  • Security monitoring procedures
  • Scanning schedules and results
  • Alert response documentation

Common Challenges:

  • Resource constraints: Consider cloud-based security services or managed providers
  • Alert fatigue: Tune detection rules and prioritize critical alerts
  • Patching complexity: Use automated patch management and compensating controls for systems that cannot be patched
  • Coverage gaps: Implement VPN requirements and mobile device management for remote workers

Assessment Tips:

  • 3.14.1: Document vulnerability scans, patch deployment, remediation timelines
  • 3.14.2/3.14.4: Show antivirus deployed everywhere, current signatures, designated protection locations
  • 3.14.3: Maintain alert sources list, document reviews and actions
  • 3.14.5: Provide scan schedules, completion reports, real-time protection evidence
  • 3.14.6/3.14.7: Demonstrate monitoring platform, alert investigations, response to suspicious activity

Key Takeaways

  1. SI protects system integrity through flaw remediation, malware protection, and monitoring
  2. Seven requirements address vulnerabilities, malicious code, security alerts, scanning, and unauthorized use detection
  3. Timely action is critical: Flaw remediation must occur within risk-based timeframes
  4. Multi-layered protection: Combine periodic scanning, real-time protection, and continuous monitoring
  5. Integration matters: SI works with AU, IR, and CM for comprehensive security
  6. Documentation required: Policies, procedures, scan results, alert responses, and investigation records
  7. Tools needed: Antivirus, vulnerability scanners, patch management, SIEM, IDS/IPS, EDR
  8. All 7 requirements must be MET for CMMC Level 2 Final Status—no POA&Ms allowed for critical SI controls (3.14.1, 3.14.2, 3.14.4, 3.14.5)

System and Information Integrity controls form the foundation of proactive threat detection and response, ensuring that organizations can identify, prevent, and remediate security issues before they result in CUI compromise.


Sources:

  • NIST SP 800-171 Revision 2 – System and Information Integrity (3.14)
  • NIST SP 800-171A – Assessment Procedures for NIST SP 800-171
  • DoD CMMC Assessment Guide – Level 2
  • 32 CFR Part 170 – CMMC Program Requirements
Table of Contents