Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.2 – Provide protection from malicious code at appropriate locations within organizational information systems.
Understanding the Requirement
This control requires you to identify the places in your IT environment where malicious code can enter or run, and to deploy protections at those locations so malware is detected, blocked, or removed. This control is part of NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 and focuses on covering endpoints, servers, gateways, and other likely infection points with anti-malware tools, complemented by processes for updating, monitoring, and responding to detections.
Technical Implementation
- Inventory and designated locations: Create and maintain a simple inventory of all endpoints (workstations, laptops, servers, mobile devices), network gateways (firewalls, email gateways, web proxies), and removable-media points. Use that list to define where anti-malware must be installed and where network-level detection must run.
- Deploy endpoint anti-malware with centralized management: Install a reputable anti-malware/EDR agent on every managed workstation and server. Use a centralized console to push signature and engine updates, enforce real-time scanning, schedule full scans, and collect alerts. For SMBs, select a managed/cloud console to avoid maintaining complex infrastructure.
- Layer network protections: Configure your email gateway and web proxy/firewall to perform malware scanning and block known-bad attachments, links, and file types. Where available, enable sandboxing for suspicious attachments and enable malware inspection on VPN concentrators and remote access gateways to protect remote users.
- Protect mobile and removable media: Use mobile device management (MDM) to enforce anti-malware or device controls on corporate mobile devices and require disk encryption. Implement scanning of removable media at endpoints or disallow use per policy; if allowed, enforce automatic scanning on insertion and block autorun.
- Maintenance, updates, and tuning: Automate signature and engine updates and ensure the console notifies IT of failed updates. Tune detection thresholds to reduce false positives and document whitelisting procedures for business-critical apps. Schedule periodic signature and definition validation tests to confirm updates are applied.
- Logging, monitoring, and response: Forward anti-malware alerts to a centralized log or SIEM and define simple alerting rules for high-severity detections. Establish an incident handling playbook with steps to isolate infected systems, preserve evidence, clean or rebuild hosts, and notify stakeholders. Track metrics like detection counts and time-to-remediation.
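An added example, not part of the control text or any vendor's console, of the checks the steps above call for, written in Python over constructed data: it finds inventory hosts with no agent, hosts with stale signatures, high-severity detections the agent did not neutralise, and detection count and time-to-remediation metrics. The hostnames, timestamps and the console-export layout are assumptions.

```python
from datetime import datetime

# Constructed inventory of designated protection points (hostnames are made up)
INVENTORY = ["ws-eng-01", "ws-eng-02", "fs-01", "fs-02"]
# Constructed anti-malware console export: one record per host whose agent reports in
CONSOLE_EXPORT = [
    {"host": "ws-eng-01", "sig_updated": "2024-05-10T06:00:00", "detections": []},
    {"host": "ws-eng-02", "sig_updated": "2024-05-02T06:00:00",
     "detections": [{"severity": "high", "action": "quarantined",
                     "detected": "2024-05-10T09:15:00",
                     "remediated": "2024-05-10T09:40:00"}]},
    {"host": "fs-01", "sig_updated": "2024-05-10T06:00:00",
     "detections": [{"severity": "high", "action": "detected",
                     "detected": "2024-05-10T07:00:00", "remediated": None},
                    {"severity": "low", "action": "cleaned",
                     "detected": "2024-05-09T12:00:00",
                     "remediated": "2024-05-09T12:01:00"}]},
]
NOW = datetime.fromisoformat("2024-05-10T10:00:00")  # constructed "current time"

def _ts(s):
    return datetime.fromisoformat(s)

def coverage_gaps(inventory, export):
    """Inventory hosts with no agent record: a designated location with no protection."""
    reporting = {r["host"] for r in export}
    return sorted(h for h in inventory if h not in reporting)

def stale_signatures(export, now, max_age_hours=24):
    """Hosts whose last signature update is older than the allowed window (missed updates)."""
    return sorted(r["host"] for r in export
                  if (now - _ts(r["sig_updated"])).total_seconds() > max_age_hours * 3600)

def high_severity_alerts(export):
    """Simple alerting rule: escalate high-severity detections the agent did not neutralise."""
    alerts = []
    for r in export:
        for d in r["detections"]:
            if d["severity"] == "high" and d["action"] not in ("quarantined", "cleaned"):
                alerts.append((r["host"], d["detected"]))
    return alerts

def metrics(export):
    """Detection count, open detections, and mean time-to-remediation in minutes."""
    dets = [d for r in export for d in r["detections"]]
    ttr = [(_ts(d["remediated"]) - _ts(d["detected"])).total_seconds() / 60
           for d in dets if d["remediated"]]
    return {"detections": len(dets), "unremediated": len(dets) - len(ttr),
            "mean_ttr_minutes": sum(ttr) / len(ttr) if ttr else None}
```

Run against a real console export, the same four functions give the coverage gap list, the failed-update list, the escalation queue and the metrics the control asks you to track.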
Example in a Small or Medium Business
Maria manages IT for a 60-person engineering firm. She starts by creating an inventory of all company devices and identifies endpoints, two file servers, the email gateway, and a cloud backup appliance as critical locations. Maria deploys an enterprise anti-malware agent across all Windows and macOS workstations and servers using the vendor's cloud management console so updates and alerts are centrally visible. She configures the company's email gateway to block executable attachments and to scan Office documents for macros and embedded threats, and enables web filtering to stop downloads from high-risk sites. For remote employees, Maria requires the company VPN and enforces device checks before allowing access, while mobile devices are enrolled in MDM with enforced passcode and remote wipe. She sets up daily signature updates, schedules weekly full scans for servers, and creates an incident checklist that instructs the help desk to isolate affected hosts and escalate severe detections to her. Over the first month, the team tunes exclusions for a few development tools and documents changes so they won't be lost when onboarding new devices.
Summary
Combining policy (inventory, designated protection points, and incident procedures) with technical controls (endpoint anti-malware/EDR, network scanning at gateways, MDM for mobiles, automated updates, and centralized monitoring) gives SMBs practical coverage against malicious code. These measures reduce infection pathways, speed detection, and ensure consistent, auditable responses—helping you meet the requirement to provide protection from malicious code at appropriate locations in your environment.