Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.4 – Update malicious code protection mechanisms when new releases are available.
Understanding the Requirement
This control (from NIST SP 800-171 REV.2 / CMMC 2.0 Level 2) requires organizations to keep their malicious code protection mechanisms current so detection and prevention remain effective. In practice this means anti-malware signatures, heuristics, detection rules and related engine updates must be applied regularly and promptly because malware changes frequently; an outdated signature database cannot detect new threats. The objective is to ensure protection mechanisms are updated whenever new releases are available and to maintain continuous effectiveness of anti-malware defenses.
Technical Implementation
- Enable automatic updates: Configure endpoint protection and server anti-malware agents to automatically retrieve and install signature and engine updates. Use vendor-recommended settings so updates are applied as soon as they're released, with retries on transient failures.
- Schedule regular verification and offline update windows: For systems that cannot have always-on updates, schedule periodic update windows (for example daily at 08:00) and implement a documented process for offline or manual update distribution to isolated hosts.
- Centralize management and reporting: Deploy a management console (cloud or on-prem) to monitor update status across endpoints and servers. Configure dashboards and automated alerts for failed updates or endpoints that fall behind defined baselines.
- Validate update integrity and source: Enforce secure update delivery (signed packages, TLS) and restrict update sources to vendor endpoints or vetted internal repositories. Use code-signature checks and firewall rules to prevent update spoofing.
- Document and test rollback and exception procedures: Maintain a change-control process for updates that cause functional issues. Test updates in a small pilot group before wide deployment and keep a rollback plan for urgent remediation.
- Monitor and measure effectiveness: Log update events, correlate with detections, and review metrics (time-to-update, percent of assets current). Conduct periodic reviews with system/network administrators and security staff to tune schedules and policies.
Example in a Small or Medium Business
Acme Design Co., a 45-person firm, selected a managed endpoint protection platform that includes centralized update management. The IT lead configured automatic signature updates to occur continuously and scheduled a full integrity check daily at 08:00 so any missed updates are caught early. A management console shows each workstation and server update status; devices that haven't connected in 24 hours generate an alert sent to the system administrator and the security lead. For contractors working remotely, the company requires VPN or a secure update proxy so updates come from vetted sources and are integrity-checked. Before applying major engine updates, Acme pilots them on 5 workstations for 48 hours to detect compatibility issues with specialist design software; if problems occur they use the documented rollback process and escalate to the vendor. Monthly reviews combine update logs and detection metrics to decide whether to tighten schedules (for example move from daily to hourly signature polling) or adjust exception handling. Training for employees explains why automatic updates are required and who to contact when antivirus prompts appear, reducing delayed installs from user action or confusion.
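As an added illustration (not part of the control text or of any vendor's console), the status check described in the "Centralize management and reporting" and "Monitor and measure effectiveness" items and in the Acme example above, run over a constructed console export: it flags endpoints whose signatures are behind the current release or that have not checked in within the 24-hour alert window, and computes the review metrics (percent of assets current, mean time-to-update). Host names, versions, the release time and the 08:00 check time are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample console export (hypothetical hosts/versions):
# host, signature version, when it was installed, last check-in (UTC).
SAMPLE_EXPORT = """\
host,sig_version,sig_installed,last_checkin
ws-01,2024.06.11.3,2024-06-11T09:05:00Z,2024-06-12T07:55:00Z
ws-02,2024.06.10.1,2024-06-10T08:10:00Z,2024-06-10T17:30:00Z
srv-files,2024.06.11.3,2024-06-11T09:07:00Z,2024-06-12T07:58:00Z
ws-03,2024.06.09.2,2024-06-09T08:00:00Z,2024-06-12T07:50:00Z
"""
# Assumed current vendor release and publication time, the 08:00 daily
# check time from the Acme example, and the 24-hour check-in alert window.
CURRENT_VERSION = "2024.06.11.3"
CURRENT_RELEASED = datetime(2024, 6, 11, 8, 30, tzinfo=timezone.utc)
NOW = datetime(2024, 6, 12, 8, 0, tzinfo=timezone.utc)
CHECKIN_WINDOW = timedelta(hours=24)

def version_key(v):
    """Dotted numeric version -> int tuple, so 2024.06.9.1 < 2024.06.10.1."""
    return tuple(int(p) for p in v.split("."))

def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def parse_export(text):
    rows = text.strip().splitlines()
    header = rows[0].split(",")
    return [dict(zip(header, r.split(","))) for r in rows[1:]]

def check_update_status(text, current_version, current_released, now, window):
    """Return (findings, metrics): findings are (host, reason) pairs to alert
    on; metrics are the review numbers (percent current, time-to-update)."""
    findings, current_hosts, lag_hours = [], 0, []
    records = parse_export(text)
    for rec in records:
        host = rec["host"]
        if now - parse_ts(rec["last_checkin"]) > window:
            findings.append((host, "no console check-in within alert window"))
        if version_key(rec["sig_version"]) >= version_key(current_version):
            current_hosts += 1  # hours from vendor release to install on this host
            lag_hours.append((parse_ts(rec["sig_installed"]) - current_released).total_seconds() / 3600)
        else:
            findings.append((host, f"signatures {rec['sig_version']} behind {current_version}"))
    metrics = {"assets": len(records),
               "percent_current": round(100 * current_hosts / len(records), 1),
               "mean_time_to_update_hours": round(sum(lag_hours) / len(lag_hours), 2) if lag_hours else None}
    return findings, metrics

def run_daily_check():
    return check_update_status(SAMPLE_EXPORT, CURRENT_VERSION, CURRENT_RELEASED, NOW, CHECKIN_WINDOW)
```

Each finding is an alert to route to the system administrator and security lead; the metrics dictionary is what the monthly review would trend over time.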
Summary
Keeping malicious code protection mechanisms updated is a mix of policy, automation and monitoring: enable automatic and scheduled updates, centralize management and reporting, validate update integrity, and maintain tested rollback procedures. For SMBs these steps create a reliable, low-overhead process that ensures signatures and engines remain current, reduces windows of exposure to new malware, and provides measurable controls you can review with system/network administrators and security staff.