SI — System and Information Integrity

new org

SPRS Score: -1203

Objective Progress 0 / 20 (0.0%)
CMMC Practices MET 0 / 7
Domain Score Impact -31

CMMC scoring changes when all assessment objectives for a practice are MET; objective progress updates as each objective is assessed.

SI.L2-3.14.1 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Identify, report, and correct system flaws in a timely manner.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.1[a] = Not Yet Assessed; 3.14.1[b] = Not Yet Assessed; 3.14.1[c] = Not Yet Assessed; 3.14.1[d] = Not Yet Assessed; 3.14.1[e] = Not Yet Assessed; 3.14.1[f] = Not Yet Assessed

Assessment Objectives (6)

  • 3.14.1[a]
    Determine if: the time within which to identify system flaws is specified.
    Not Yet Assessed
  • 3.14.1[b]
    Determine if: system flaws are identified within the specified time frame.
    Not Yet Assessed
  • 3.14.1[c]
    Determine if: the time within which to report system flaws is specified.
    Not Yet Assessed
  • 3.14.1[d]
    Determine if: system flaws are reported within the specified time frame.
    Not Yet Assessed
  • 3.14.1[e]
    Determine if: the time within which to correct system flaws is specified.
    Not Yet Assessed
  • 3.14.1[f]
    Determine if: system flaws are corrected within the specified time frame.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and information integrity policy; procedures addressing flaw remediation; procedures addressing configuration management; security plan; list of flaws and vulnerabilities potentially affecting the system; list of recent security flaw remediation actions performed on the system (e.g., list of installed patches, service packs, hot fixes, and other software updates to correct system flaws); test results from the installation of software and firmware updates to correct system flaws; installation/change control records for security-relevant software and firmware updates; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for flaw remediation; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for identifying, reporting, and correcting system flaws; organizational process for installing software and firmware updates; mechanisms supporting or implementing reporting and correcting system flaws; mechanisms supporting or implementing testing software and firmware updates].
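The six objectives above reduce to one measurable question per phase: is a time frame defined (3.14.1[a], [c], [e]), and did each flaw actually stay inside it (3.14.1[b], [d], [f])? The following Python script is an added example of how an assessor or system owner can compute that evidence from a flaw register; it is not code from the assessment page or from any CMMC tool. The SLA table, the assessment clock NOW and the flaw records are constructed assumptions, and in practice they would be read from the organization's policy, vulnerability scanner and ticketing system.

```python
"""Added example: flaw-remediation timeliness check for SI.L2-3.14.1.
Not part of the assessment page. The SLA table, the clock NOW and the
flaw records are constructed; a real run would read them from the
organization's policy, scanner and ticketing system."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed organization-defined time frames (objectives 3.14.1[a], [c], [e]),
# each measured from the end of the previous phase.
SLA = {
    "critical": {"identify": timedelta(days=7),  "report": timedelta(days=1), "correct": timedelta(days=14)},
    "high":     {"identify": timedelta(days=7),  "report": timedelta(days=3), "correct": timedelta(days=30)},
    "medium":   {"identify": timedelta(days=30), "report": timedelta(days=7), "correct": timedelta(days=90)},
}
STAGES = ("identify", "report", "correct")


@dataclass
class Flaw:
    flaw_id: str
    severity: str
    published: datetime              # vendor/CVE publication: the identify clock starts here
    identified: Optional[datetime]   # scanner or inventory confirmed it on our systems
    reported: Optional[datetime]     # ticket opened to the system owner
    corrected: Optional[datetime]    # fix verified (patch installed or mitigation in place)


def check_flaw(flaw: Flaw, now: datetime) -> dict:
    """Per-phase verdict for one flaw (objectives 3.14.1[b], [d], [f]).

    A completed phase passes if it finished by its deadline. An open phase
    passes only while its deadline has not yet passed. A phase whose start
    time is unknown (the previous phase is still open) inherits the previous
    phase's verdict, so an overdue identification also counts against the
    report and correct phases that cannot begin.
    """
    sla = SLA[flaw.severity]
    starts = {"identify": flaw.published, "report": flaw.identified, "correct": flaw.reported}
    ends = {"identify": flaw.identified, "report": flaw.reported, "correct": flaw.corrected}
    verdict, prev = {}, None
    for stage in STAGES:
        start, end = starts[stage], ends[stage]
        if start is None:
            verdict[stage] = verdict[prev]
        else:
            deadline = start + sla[stage]
            verdict[stage] = (end if end is not None else now) <= deadline
        prev = stage
    return verdict


def late_flaws(flaws, now):
    """Map each phase to the IDs of flaws that missed (or have already missed) its deadline."""
    late = {stage: [] for stage in STAGES}
    for flaw in flaws:
        for stage, ok in check_flaw(flaw, now).items():
            if not ok:
                late[stage].append(flaw.flaw_id)
    return late


def objective_verdicts(flaws, now):
    """Objective-level result in the page's terms: MET only if no flaw is late."""
    late = late_flaws(flaws, now)
    return {"3.14.1[b]": "MET" if not late["identify"] else "NOT MET",
            "3.14.1[d]": "MET" if not late["report"] else "NOT MET",
            "3.14.1[f]": "MET" if not late["correct"] else "NOT MET"}


def day(month, d):
    """Short constructor for the constructed sample dates (all in 2024)."""
    return datetime(2024, month, d)


# Constructed assessment clock and flaw records (not real data).
NOW = datetime(2024, 6, 30)
SAMPLE_FLAWS = [
    Flaw("FLAW-1", "critical", day(6, 1),  day(6, 3),  day(6, 3),  day(6, 10)),  # every phase on time
    Flaw("FLAW-2", "high",     day(5, 1),  day(5, 20), day(5, 21), None),        # found late, fix overdue
    Flaw("FLAW-3", "medium",   day(6, 20), None,       None,       None),        # identify window still open
    Flaw("FLAW-4", "critical", day(6, 15), day(6, 16), day(6, 20), None),        # reported late, fix still within window
]

if __name__ == "__main__":
    for flaw in SAMPLE_FLAWS:
        print(flaw.flaw_id, check_flaw(flaw, NOW))
    print(late_flaws(SAMPLE_FLAWS, NOW))
    print(objective_verdicts(SAMPLE_FLAWS, NOW))
```

Note that an open phase is not automatically a failure: FLAW-3 has not yet been identified, but its identify window is still running, so it does not count against 3.14.1[b] today. Conversely FLAW-2 was corrected by nobody and its correct deadline has already passed, so 3.14.1[f] is NOT MET even though the ticket is still open. That distinction is what the "within the specified time frame" wording in the objectives requires.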
SI.L2-3.14.2 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Provide protection from malicious code at designated locations within organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.2[a] = Not Yet Assessed; 3.14.2[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.14.2[a]
    Determine if: designated locations for malicious code protection are identified.
    Not Yet Assessed
  • 3.14.2[b]
    Determine if: protection from malicious code at designated locations is provided.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; records of malicious code protection updates; malicious code protection mechanisms; security plan; system design documentation; system configuration settings and associated documentation; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; scan results from malicious code protection mechanisms; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing employing, updating, and configuring malicious code protection mechanisms; mechanisms supporting or implementing malicious code scanning and subsequent actions].
SI.L2-3.14.3 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Monitor system security alerts and advisories and take action in response.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.3[a] = Not Yet Assessed; 3.14.3[b] = Not Yet Assessed; 3.14.3[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.14.3[a]
    Determine if: response actions to system security alerts and advisories are identified.
    Not Yet Assessed
  • 3.14.3[b]
    Determine if: system security alerts and advisories are monitored.
    Not Yet Assessed
  • 3.14.3[c]
    Determine if: actions in response to system security alerts and advisories are taken.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and information integrity policy; procedures addressing security alerts, advisories, and directives; security plan; records of security alerts and advisories; other relevant documents or records].
Interview: [SELECT FROM: Personnel with security alert and advisory responsibilities; personnel implementing, operating, maintaining, and using the system; personnel, organizational elements, and external organizations to whom alerts, advisories, and directives are to be disseminated; system or network administrators; personnel with information security responsibilities].
Test: [SELECT FROM: Organizational processes for defining, receiving, generating, disseminating, and complying with security alerts, advisories, and directives; mechanisms supporting or implementing definition, receipt, generation, and dissemination of security alerts, advisories, and directives; mechanisms supporting or implementing security directives].
SI.L2-3.14.4 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Update malicious code protection mechanisms when new releases are available.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.4 = Not Yet Assessed

Assessment Objectives (1)

  • 3.14.4
    Determine if: malicious code protection mechanisms are updated when new releases are available.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions].
SI.L2-3.14.5 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.5[a] = Not Yet Assessed; 3.14.5[b] = Not Yet Assessed; 3.14.5[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.14.5[a]
    Determine if: the frequency for malicious code scans is defined.
    Not Yet Assessed
  • 3.14.5[b]
    Determine if: malicious code scans are performed with the defined frequency.
    Not Yet Assessed
  • 3.14.5[c]
    Determine if: real-time malicious code scans of files from external sources as files are downloaded, opened, or executed are performed.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and information integrity policy; configuration management policy and procedures; procedures addressing malicious code protection; malicious code protection mechanisms; records of malicious code protection updates; security plan; system design documentation; system configuration settings and associated documentation; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for malicious code protection; personnel with configuration management responsibility].
Test: [SELECT FROM: Organizational processes for employing, updating, and configuring malicious code protection mechanisms; organizational process for addressing false positives and resulting potential impact; mechanisms supporting or implementing malicious code protection mechanisms (including updates and configurations); mechanisms supporting or implementing malicious code scanning and subsequent actions].
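SI.L2-3.14.2, 3.14.4 and 3.14.5 are usually assessed from the same artifact: an export of the endpoint protection console showing, per host, whether the agent is present, how old its signatures are, when it last ran a full scan and whether on-access scanning is on. The Python script below is an added example of turning that export into objective-tagged findings; it is not code from the assessment page or from any vendor console. The designated-location set, the weekly scan frequency, the 24-hour update grace period, the vendor release list and the host records are all constructed assumptions.

```python
"""Added example: malicious code protection posture check for SI.L2-3.14.2,
3.14.4 and 3.14.5. Not part of the assessment page. The policy constants,
the vendor release list and the host records are constructed; a real run
would read them from the endpoint protection console's export."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed organization-defined values.
DESIGNATED_LOCATIONS = {"endpoint", "file-server", "mail-gateway"}  # 3.14.2[a]
SCAN_FREQUENCY = timedelta(days=7)                                   # 3.14.5[a]: full scan at least weekly
UPDATE_GRACE = timedelta(hours=24)                                   # 3.14.4: new releases applied within 24 h


@dataclass
class HostStatus:
    host: str
    location: str
    protected: bool                      # protection agent installed and running
    signature_date: Optional[datetime]   # build time of the installed signature set
    last_full_scan: Optional[datetime]
    realtime_enabled: bool               # on-access scanning of downloaded/opened/executed files


def required_signature_date(releases, now):
    """Newest vendor release whose grace period has expired.

    Every host must carry at least this release. A newer release whose
    grace period is still running may legitimately be mid-rollout, so it
    is not demanded yet; this is the edge case a naive 'equals latest'
    check gets wrong.
    """
    due = [r for r in releases if r + UPDATE_GRACE <= now]
    return max(due) if due else None


def evaluate_host(h, now, releases):
    """Return the list of objective-tagged findings for one host (empty means compliant)."""
    if h.location not in DESIGNATED_LOCATIONS:
        return []  # outside the designated locations; nothing is required here
    if not h.protected:
        return ["3.14.2[b]: no malicious code protection at a designated location"]
    findings = []
    required = required_signature_date(releases, now)
    if required is not None and (h.signature_date is None or h.signature_date < required):
        findings.append("3.14.4: signatures older than required release " + required.strftime("%Y-%m-%d %H:%M"))
    if h.last_full_scan is None or now - h.last_full_scan > SCAN_FREQUENCY:
        findings.append("3.14.5[b]: no full scan within %d days" % SCAN_FREQUENCY.days)
    if not h.realtime_enabled:
        findings.append("3.14.5[c]: real-time scanning disabled")
    return findings


def evaluate_fleet(hosts, now, releases):
    """Host -> findings for the whole export."""
    return {h.host: evaluate_host(h, now, releases) for h in hosts}


# Constructed data (not real hosts or vendor releases).
NOW = datetime(2024, 6, 30, 12, 0)
RELEASES = [datetime(2024, 6, 20, 8), datetime(2024, 6, 25, 8),
            datetime(2024, 6, 29, 8), datetime(2024, 6, 30, 6)]  # the last one is still inside its grace period
SAMPLE_HOSTS = [
    HostStatus("ws01",  "endpoint",     True,  datetime(2024, 6, 29, 10), datetime(2024, 6, 27), True),
    HostStatus("fs01",  "file-server",  True,  datetime(2024, 6, 20, 9),  datetime(2024, 6, 29), True),
    HostStatus("ws02",  "endpoint",     True,  datetime(2024, 6, 29, 10), datetime(2024, 6, 15), False),
    HostStatus("mx01",  "mail-gateway", True,  datetime(2024, 6, 29, 9),  datetime(2024, 6, 28), True),
    HostStatus("fs02",  "file-server",  False, None,                      None,                  False),
    HostStatus("lab01", "dev-lab",      False, None,                      None,                  False),
]

if __name__ == "__main__":
    for host, findings in evaluate_fleet(SAMPLE_HOSTS, NOW, RELEASES).items():
        print(host, findings or "ok")
```

Two points in the output matter for an assessment. mx01 carries the 06-29 release and not the 06-30 one, yet is compliant, because the newest release is still inside the assumed 24-hour rollout window; demanding the very latest build would produce false findings on every update day. lab01 has no protection at all but generates no finding because "dev-lab" is not a designated location; whether that omission is acceptable is exactly the question 3.14.2[a] asks the organization to answer in writing.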
SI.L2-3.14.6 DoD Weight: 5 Deduction: -5 Basic
Not Yet Assessed
Requirement: Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.6[a] = Not Yet Assessed; 3.14.6[b] = Not Yet Assessed; 3.14.6[c] = Not Yet Assessed

Assessment Objectives (3)

  • 3.14.6[a]
    Determine if: the system is monitored to detect attacks and indicators of potential attacks.
    Not Yet Assessed
  • 3.14.6[b]
    Determine if: inbound communications traffic is monitored to detect attacks and indicators of potential attacks.
    Not Yet Assessed
  • 3.14.6[c]
    Determine if: outbound communications traffic is monitored to detect attacks and indicators of potential attacks.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: System and information integrity policy; procedures addressing system monitoring tools and techniques; continuous monitoring strategy; facility diagram or layout; security plan; system design documentation; system monitoring tools and techniques documentation; locations within system where monitoring devices are deployed; system protocols; system configuration settings and associated documentation; system audit logs and records; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for monitoring the system; personnel with responsibility for the intrusion detection system].
Test: [SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or implementing intrusion detection capability and system monitoring; mechanisms supporting or implementing system monitoring capability; organizational processes for intrusion detection and system monitoring; mechanisms supporting or implementing the monitoring of inbound and outbound communications traffic].
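Objectives 3.14.6[b] and [c] are satisfied by evidence that inbound and outbound traffic is actually inspected for indicators, not merely captured. The Python script below is an added example of two such detections run over constructed flow records: an inbound port-scan indicator and an outbound beaconing indicator. It is not code from the assessment page or from any IDS product. The internal address prefixes, the thresholds and the flow list are assumptions; on a real network the records would come from the organization's flow collector or intrusion detection system.

```python
"""Added example: two detections of the kind SI.L2-3.14.6 asks for, run over
constructed flow records. Not part of the assessment page. The internal
prefixes, thresholds and flows are assumptions; a real deployment would feed
this from the organization's flow collector or IDS."""
from collections import defaultdict
from statistics import mean, pstdev

INTERNAL_PREFIXES = ("10.", "192.168.")   # assumed internal address ranges


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIXES)


def detect_beacons(flows, min_conns=6, max_jitter=0.2):
    """Outbound indicator (3.14.6[c]): an internal host contacting the same
    external destination:port at near-constant intervals, the shape of a
    command-and-control check-in. Jitter is the coefficient of variation of
    the gaps between connections. Returns [((src, dst, dport), period_s)]."""
    series = defaultdict(list)
    for ts, src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            series[(src, dst, dport)].append(ts)
    hits = []
    for key, times in sorted(series.items()):
        times.sort()
        if len(times) < min_conns:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            hits.append((key, round(period)))
    return hits


def detect_port_scans(flows, window_s=60, min_ports=10):
    """Inbound indicator (3.14.6[b]): one external source touching at least
    min_ports distinct ports on one internal host inside a sliding window.
    Returns [((src, dst), max_distinct_ports_in_any_window)], one entry per pair."""
    events = defaultdict(list)
    for ts, src, dst, dport in flows:
        if not is_internal(src) and is_internal(dst):
            events[(src, dst)].append((ts, dport))
    hits = []
    for key, ev in sorted(events.items()):
        ev.sort()
        lo, best = 0, 0
        for hi in range(len(ev)):
            while ev[hi][0] - ev[lo][0] > window_s:
                lo += 1
            best = max(best, len({port for _, port in ev[lo:hi + 1]}))
        if best >= min_ports:
            hits.append((key, best))
    return hits


# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port). Addresses
# come from the documentation ranges; nothing here is real traffic.
SAMPLE_FLOWS = (
    # beacon: roughly every 60 s with +/-1 s of jitter
    [(t, "10.0.0.5", "203.0.113.7", 443) for t in (0, 60, 121, 180, 241, 300, 359, 420)]
    # benign browsing: irregular gaps to one site
    + [(t, "10.0.0.6", "198.51.100.2", 443) for t in (0, 15, 200, 210, 500, 900, 905, 2000)]
    # inbound scan: 16 distinct ports on one host within 15 s
    + [(1000 + i, "198.51.100.9", "10.0.0.20", 20 + i) for i in range(16)]
    # benign inbound: a few connections to the web port
    + [(t, "198.51.100.3", "10.0.0.20", 443) for t in (1100, 1300, 1700)]
)

if __name__ == "__main__":
    print("beacons:", detect_beacons(SAMPLE_FLOWS))
    print("scans:", detect_port_scans(SAMPLE_FLOWS))
```

The thresholds are the part an assessor should ask about. Real implants add deliberate jitter, so a max_jitter of 0.2 catches the constructed beacon (about 1.5 percent jitter) but would be blind to one randomised by half its period; tightening it to 0.01 misses even this sample. Whatever values the organization picks belong in the system monitoring documentation listed under Examine, with the reasoning recorded.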
SI.L2-3.14.7 DoD Weight: 3 Deduction: -3 Basic
Not Yet Assessed
Requirement: Identify unauthorized use of organizational systems.
MET gate: This control cannot be marked MET until every child objective is MET. Blocking objective statuses: 3.14.7[a] = Not Yet Assessed; 3.14.7[b] = Not Yet Assessed

Assessment Objectives (2)

  • 3.14.7[a]
    Determine if: authorized use of the system is defined.
    Not Yet Assessed
  • 3.14.7[b]
    Determine if: unauthorized use of the system is identified.
    Not Yet Assessed
📝 Assessment Methods (Examine / Interview / Test)
Examine: [SELECT FROM: Continuous monitoring strategy; system and information integrity policy; procedures addressing system monitoring tools and techniques; facility diagram/layout; security plan; system design documentation; system monitoring tools and techniques documentation; locations within system where monitoring devices are deployed; system configuration settings and associated documentation; other relevant documents or records].
Interview: [SELECT FROM: System or network administrators; personnel with information security responsibilities; personnel installing, configuring, and maintaining the system; personnel with responsibility for monitoring the system].
Test: [SELECT FROM: Organizational processes for system monitoring; mechanisms supporting or implementing system monitoring capability].