
How to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XIV

Practical guide for SMBs to implement FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XIV

January 06, 2026

Requirement

FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XIV – Update malicious code protection mechanisms when new releases are available.

Understanding the Requirement

This control requires that an organization keeps its malicious code protection—typically anti-malware/anti-virus signature databases and detection engines—current so new threats can be detected and blocked. The objective is straightforward: ensure malware protection mechanisms are updated when new releases become available so the protections remain effective against rapidly evolving malware. This obligation is part of the FAR 52.204-21 / CMMC 2.0 Level 1 expectations for basic cyber hygiene. Practically, it means configuring software to receive and apply updates on a schedule or automatically, and verifying those updates are occurring.

Technical Implementation

  • Enable automatic updates: Configure endpoint anti-malware and server protection tools to apply engine and signature updates automatically. Use vendor settings that push updates as soon as they're released or at a frequent recurring interval (e.g., hourly or daily). For SMBs, automatic updates reduce manual effort and the window of exposure.
  • Set a predictable update schedule and fallback: For environments that must control network traffic, schedule recurring updates during a low-impact time (for example, daily at 08:00). Maintain a local update cache or mirror (if supported by the vendor) so endpoints can update even if internet access is limited.
  • Centralize management and monitoring: Use a management console (cloud-based or on-prem) to view update status across all endpoints. Configure alerts for failed updates or devices that haven’t updated within a defined period (24–48 hours). Assign responsibility to a system/network administrator to investigate and remediate exceptions.
  • Enforce policy and baseline configuration: Create a short written policy that mandates update behavior (auto-update enabled, update frequency, exception handling) and include it in your basic cybersecurity guidelines. Apply baseline configurations using endpoint management tools (MDM, GPOs, or the vendor's agent) so new devices are compliant out of the box.
  • Validate and test updates: Periodically verify that updates are being applied and that signature databases are current—run a sample of endpoints weekly and maintain logs for auditing. Test vendor updates in a small, controlled group if your environment has critical applications that might be affected, then roll out broadly.
  • Prepare for offline and emergency scenarios: When endpoints operate offline or in air-gapped segments, export update packages or keep an internal update repository. Keep procedures to manually apply updates and record those actions to demonstrate compliance.
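The monitoring and validation steps above can be checked with a short script run against an export from the management console. The following is an added example, not vendor or original-page code: the CSV column names and sample rows are constructed assumptions, and the 24-hour and 48-hour thresholds are the two ends of the window named in the list.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export; column names are assumptions, not a vendor format.
SAMPLE_EXPORT = """hostname,last_signature_update,auto_update_enabled,last_update_result
LAPTOP-01,2026-01-06T07:10:00Z,true,success
LAPTOP-02,2026-01-04T21:30:00Z,true,success
LAPTOP-03,2026-01-03T09:00:00Z,true,failed
FILESRV-01,2026-01-06T06:55:00Z,false,success
LAPTOP-04,,true,
"""

WARN_AFTER = timedelta(hours=24)   # lower bound of the 24-48 hour window
STALE_AFTER = timedelta(hours=48)  # upper bound: an exception to remediate

def audit_endpoints(export_text, now=None):
    """Return one finding per endpoint: hostname, status, age in hours, issues."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        issues = []
        stamp = row["last_signature_update"].strip()
        if not stamp:
            status, age_hours = "never_updated", None
        else:
            updated = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
            age = now - updated
            age_hours = round(age.total_seconds() / 3600, 1)
            if age < timedelta(0):
                status = "clock_error"  # future timestamp: cannot be trusted
            elif age > STALE_AFTER:
                status = "stale"
            elif age > WARN_AFTER:
                status = "warn"
            else:
                status = "current"
        if row["auto_update_enabled"].strip().lower() != "true":
            issues.append("auto_update_disabled")
        if row["last_update_result"].strip().lower() == "failed":
            issues.append("last_update_failed")
        findings.append({"hostname": row["hostname"], "status": status,
                         "age_hours": age_hours, "issues": issues})
    return findings

def exceptions(findings):
    """Endpoints an administrator must investigate and document."""
    return [f for f in findings if f["status"] != "current" or f["issues"]]
```

Storing the returned findings alongside the run date provides the weekly audit log, and the `exceptions` list is the set of devices assigned to the administrator for follow-up.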

Example in a Small or Medium Business

A 35-person marketing agency assigns its IT lead, Alice, to manage endpoint security. She installs a reputable anti-malware product on all laptops and the file server and enrolls every device in the vendor’s cloud management console. Alice configures automatic updates with hourly signature downloads and sets a daily integrity check at 08:00 to confirm databases are current. She also enables console alerts that email her if any device misses two consecutive updates. For employees who travel and may be offline, Alice configures a local update cache on the office file server so devices reconnecting to the network get caught up. Each week she reviews the management console to spot failed updates and documents corrective actions. The agency's written security baseline requires automatic signature updates and assigns update monitoring to Alice, so the company can show auditors and customers that malicious code protections are kept current.

Summary

Keeping malicious code protection mechanisms updated is a practical, low-cost control that significantly reduces exposure to new malware. For SMBs, combining vendor-supported automatic updates, a clear update schedule, centralized monitoring, and a short policy that assigns responsibility creates a reliable system for staying current. Validate updates regularly, provide offline update options, and document exceptions so you can demonstrate the control is working. These policy and technical measures together satisfy the requirement to update malicious code protection when new releases are available.

 
