Welcome to the CMMC Knowledgebase. Search for CMMC, resources, tools, sources, sites, and platforms using the search box below.
We add more to the database weekly, check back often.
If you cannot find an answer then contact us or click the chat button on the lower right..
-
Artificial Intelligence (AI)
-
CMMC Fundamentals
-
CMMC Levels & Requirements
-
The 14 Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Configuration Management (CM)
- Identification and Authentication (IA)
- CMMC Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Personnel Security (PS)
- Physical Protection (PE)
- Risk Assessment (RA)
- Security Assessment (CA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
-
Implementation Roadmaps
-
Industry-Specific Guides
-
CMMC Documentation & Evidence
-
SPRS & Self-Assessment
-
CMMC Costs & Budgeting
-
Technology & Tools
-
CMMC Training & Awareness
-
Policies & Procedures
- How to Submit Your SPRS Score: PIEE Step-by-Step Guide [2026 Update]
- CMMC Policies and Procedures: What Documentation You Need
- How to Write a System Security Plan: The Owner's Guide to the One Document That Gates Everything
- Creating a Plan of Action and Milestones for CMMC
- Documenting Evidence for CMMC Assessment
-
Supply Chain & Third-Party Risk
-
Incident Response & Breach Reporting
-
Common Mistakes & Failures
-
Advanced Topics & Level 2
-
Updates & Regulatory Changes
System and Information Integrity (SI)
System and Information Integrity (SI) is one of the 14 security control families in NIST SP 800-171 Revision 2, which forms the foundation of CMMC Level 2 requirements. The SI family focuses on identifying, preventing, and responding to system flaws, malicious code, and unauthorized system activity.
The SI control family contains 7 security requirements (3.14.1 through 3.14.7) that protect the integrity and availability of contractor information systems processing, storing, or transmitting Controlled Unclassified Information (CUI). These controls ensure that systems remain secure, operational, and free from compromise.
SI requirements address:
- Timely identification and remediation of system vulnerabilities
- Protection against malicious code and malware
- Security monitoring and alerting
- System scanning and threat detection
- Detection of unauthorized system use
The SI family works in conjunction with other control families—particularly Audit and Accountability (AU), Incident Response (IR), and Configuration Management (CM)—to create a comprehensive security monitoring and response capability.
The 7 System and Information Integrity Requirements
3.14.1: Identify, Report, and Correct System Flaws in a Timely Manner
Requirement: Organizations must identify systems affected by software and firmware flaws, report vulnerabilities to designated personnel, and remediate them according to risk-based timelines.
What This Means:
Organizations must establish formal processes for vulnerability management that include:
- Flaw identification: Continuously monitor for newly announced vulnerabilities affecting your systems using resources like the Common Vulnerabilities and Exposures (CVE) database and Common Weakness Enumeration (CWE)
- Impact assessment: Determine which systems are affected by each announced flaw and assess potential impact
- Reporting: Report identified flaws to designated information security personnel with authority to prioritize remediation
- Timely remediation: Apply patches, updates, or compensating controls based on severity
Remediation Timelines:
The CMMC Assessment Guide and industry best practices typically recommend:
- Critical vulnerabilities: 30 days or less
- High vulnerabilities: 90 days or less
- Medium/low vulnerabilities: Based on organizational risk assessment
Implementation Methods:
- Vulnerability scanning tools that identify missing patches
- Subscription to vendor security bulletins and notifications
- Documented vulnerability management policy with defined timelines
- Patch management system for tracking and deploying updates
- Testing procedures to validate patches before production deployment
Common Tools:
- Vulnerability scanners (Nessus, Qualys, Rapid7)
- Patch management platforms (WSUS, SCCM, Automox)
- Asset management systems to track software inventory
Assessment Objective: Assessors verify that your organization has processes to identify, report, and remediate system flaws within defined timelines, supported by documentation and evidence of patch deployment.
3.14.2: Provide Protection from Malicious Code at Designated Locations Within Organizational Systems
Requirement: Deploy malicious code protection mechanisms at system entry and exit points to detect and prevent malware.
What This Means:
Implement anti-malware protection at critical points: endpoints (workstations, laptops, servers), email gateways, web gateways, file servers, and removable media access points.
Protection mechanisms include signature-based detection, behavior-based detection, heuristic analysis, sandboxing, and reputation-based filtering.
Common Tools: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Symantec Endpoint Protection, Proofpoint/Mimecast for email security.
Assessment Objective: Assessors verify that malicious code protection is deployed at designated locations and actively detecting/preventing threats.
3.14.3: Monitor System Security Alerts and Advisories and Take Action in Response
Requirement: Organizations must monitor security alerts and advisories from authoritative sources and respond appropriately.
What This Means:
Stay informed about emerging threats, vulnerabilities, and security guidance from trusted sources:
Authoritative Sources:
- US-CERT/CISA: Cybersecurity and Infrastructure Security Agency alerts
- Vendor security bulletins: Microsoft, Cisco, Adobe, etc.
- Industry information sharing organizations: ISACs relevant to your sector
- NIST National Vulnerability Database: NVD for CVE information
- Security intelligence services: Commercial threat intelligence feeds
Response Actions Required:
- Review alerts and determine applicability to your environment
- Assess risk and prioritize response based on threat severity
- Implement recommended mitigations or patches
- Document actions taken in response to alerts
- Communicate relevant threats to appropriate personnel
Implementation Methods:
- Documented process for monitoring security alerts
- Designated personnel responsible for alert review
- Ticketing system to track alert response actions
- Regular review meetings to discuss emerging threats
- Integration with vulnerability management processes
Assessment Objective: Assessors verify that your organization monitors relevant security sources and has documented evidence of responding to applicable alerts.
3.14.4: Update Malicious Code Protection Mechanisms When New Releases Are Available
Requirement: Keep anti-malware and security protection tools current by applying updates as they become available.
What This Means:
Malware evolves rapidly, and protection mechanisms must be updated frequently to remain effective:
Updates Include:
- Signature definitions: New virus/malware signatures (typically daily or more frequently)
- Detection engines: Updates to the core scanning technology
- Behavioral rules: New heuristic detection patterns
- Threat intelligence: Updated indicators of compromise (IOCs)
Implementation Methods:
- Automatic updates enabled for antivirus/anti-malware signature definitions
- Scheduled updates for detection engines and software components
- Verification that updates are successfully deploying across all protected systems
- Backup/fallback mechanisms if automatic updates fail
- Documentation of update frequency and verification procedures
Update Frequency:
- Signature definitions: Multiple times daily (automatic)
- Detection engines: As released by vendor (weekly to monthly)
- Major software versions: Tested and deployed per change management process
Common Tools:
- Enterprise antivirus management consoles showing update status
- Endpoint management platforms
- Security Information and Event Management (SIEM) for monitoring update compliance
Assessment Objective: Assessors verify that malicious code protection mechanisms are configured to receive automatic updates and evidence shows current protection across systems.
3.14.5: Perform Periodic Scans of Organizational Systems and Real-Time Scans of Files from External Sources
Requirement: Conduct regular scheduled scans of systems and perform real-time scanning of files as they are accessed, downloaded, or executed.
What This Means:
Periodic Scans: Full system scans weekly/monthly, quick scans daily, on-demand scans as needed.
Real-Time Scans: Scan files immediately when downloaded, received via email, copied from removable media, or accessed by users.
Coverage: All systems that process, store, or transmit CUI. Quarantine detected threats automatically.
Implementation: Enable real-time protection on endpoints, configure scheduled scans, monitor completion, review results, document policies and schedules.
Assessment Objective: Assessors verify scanning is configured, scans complete successfully, real-time protection is active, and results are reviewed.
3.14.6: Monitor Organizational Systems, Including Inbound and Outbound Communications Traffic, to Detect Attacks and Indicators of Potential Attacks
Requirement: Continuously monitor systems and network traffic to detect malicious activity, attacks, and indicators of compromise.
What This Means:
Implement security monitoring capabilities that provide visibility into:
System Monitoring:
- Log collection from servers, workstations, network devices
- Security event correlation and analysis
- User activity monitoring
- Privilege escalation attempts
- System configuration changes
Network Traffic Monitoring:
- Inbound traffic: Detect incoming attacks, port scans, exploit attempts
- Outbound traffic: Identify data exfiltration, command-and-control communications, malware beaconing
- Internal lateral movement: Detect attackers moving between systems
Indicators to Monitor:
- Failed authentication attempts (brute force attacks)
- Unusual network traffic patterns or volumes
- Connections to known malicious IP addresses or domains
- Malware signatures or behavioral patterns
- Privilege escalation or unauthorized access attempts
- Data transfers to unusual destinations
Implementation Methods:
- Security Information and Event Management (SIEM) system for log aggregation and correlation
- Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS)
- Network traffic analysis tools
- Endpoint Detection and Response (EDR) solutions
- Security Operations Center (SOC) or managed security service provider (MSSP) for 24/7 monitoring
Common Tools:
- Splunk, Microsoft Sentinel, or other SIEM platforms
- Suricata, Snort (IDS/IPS)
- Zeek (network security monitoring)
- EDR platforms with threat hunting capabilities
Assessment Objective: Assessors verify that monitoring capabilities are implemented, actively collecting and analyzing security events, and alerts are being investigated and responded to.
3.14.7: Identify Unauthorized Use of Organizational Systems
Requirement: Detect and identify when systems are being used by unauthorized individuals or for unauthorized purposes.
What This Means:
Implement monitoring and detection capabilities that identify:
Unauthorized Users:
- Access from accounts without legitimate need
- Shared account usage
- Access from terminated employees
- Compromised credentials being used by attackers
Unauthorized Activities:
- Systems used outside authorized hours or locations
- Unusual access patterns inconsistent with job role
- Excessive data downloads or unauthorized data access
- Installation of unauthorized software
- Circumvention of security controls
Detection Methods:
- User and Entity Behavior Analytics (UEBA): Baseline normal behavior and alert on anomalies
- Access control logging: Track all system access attempts and compare against authorized users
- Audit log review: Regular review of security logs for suspicious activity
- Failed login monitoring: Multiple failed attempts may indicate credential attacks
- Geographic anomalies: Access from unexpected locations
- Time-based anomalies: Access during unusual hours
Indicators of Unauthorized Use:
- Multiple failed login attempts
- Access from unusual geographic locations
- Access during non-business hours without justification
- Privilege escalation attempts
- Unusual file access or modification patterns
- Use of disabled or deleted accounts
Implementation Methods:
- Enable comprehensive audit logging on all systems
- Implement SIEM correlation rules for unauthorized access patterns
- Deploy User and Entity Behavior Analytics (UEBA) tools
- Establish baseline user behavior profiles
- Regular audit log reviews by security personnel
- Automated alerting for suspicious activities
Response Actions:
- Investigate alerts of potential unauthorized use
- Temporarily disable suspect accounts pending investigation
- Reset credentials if compromise suspected
- Document investigation findings
- Update access controls based on findings
Assessment Objective: Assessors verify that monitoring capabilities can detect unauthorized system use, alerts are investigated, and evidence shows response to unauthorized access attempts.
Implementation Considerations
Integrated Approach: SI controls work with Audit and Accountability (AU), Incident Response (IR), Configuration Management (CM), and Access Control (AC) for comprehensive security.
Technology Requirements:
- Endpoint protection (antivirus, anti-malware, EDR)
- Vulnerability scanning and patch management
- SIEM for log collection and correlation
- Network monitoring (IDS/IPS)
- Security automation tools
Documentation Requirements:
- Vulnerability management policy with timelines
- Malicious code protection policy
- Security monitoring procedures
- Scanning schedules and results
- Alert response documentation
Common Challenges:
- Resource constraints: Consider cloud-based security services or managed providers
- Alert fatigue: Tune detection rules and prioritize critical alerts
- Patching complexity: Use automated patch management and compensating controls for systems that cannot be patched
- Coverage gaps: Implement VPN requirements and mobile device management for remote workers
Assessment Tips:
- 3.14.1: Document vulnerability scans, patch deployment, remediation timelines
- 3.14.2/3.14.4: Show antivirus deployed everywhere, current signatures, designated protection locations
- 3.14.3: Maintain alert sources list, document reviews and actions
- 3.14.5: Provide scan schedules, completion reports, real-time protection evidence
- 3.14.6/3.14.7: Demonstrate monitoring platform, alert investigations, response to suspicious activity
Key Takeaways
- SI protects system integrity through flaw remediation, malware protection, and monitoring
- Seven requirements address vulnerabilities, malicious code, security alerts, scanning, and unauthorized use detection
- Timely action is critical: Flaw remediation must occur within risk-based timeframes
- Multi-layered protection: Combine periodic scanning, real-time protection, and continuous monitoring
- Integration matters: SI works with AU, IR, and CM for comprehensive security
- Documentation required: Policies, procedures, scan results, alert responses, and investigation records
- Tools needed: Antivirus, vulnerability scanners, patch management, SIEM, IDS/IPS, EDR
- All 7 requirements must be MET for CMMC Level 2 Final Status—no POA&Ms allowed for critical SI controls (3.14.1, 3.14.2, 3.14.4, 3.14.5)
System and Information Integrity controls form the foundation of proactive threat detection and response, ensuring that organizations can identify, prevent, and remediate security issues before they result in CUI compromise.
Sources:
- NIST SP 800-171 Revision 2 – System and Information Integrity (3.14)
- NIST SP 800-171A – Assessment Procedures for NIST SP 800-171
- DoD CMMC Assessment Guide – Level 2
- 32 CFR Part 170 – CMMC Program Requirements