CMMC protection from malicious code

What are Your CMMC Antivirus Requirements?

Companies with CMMC requirements will need to deploy antivirus software to their systems. Here is how to configure your antivirus software to meet your cybersecurity maturity model certification (CMMC) requirements.

Join our newsletter:

CMMC Antivirus Requirements

There are several CMMC practices that explicitly relate to using Antivirus software to protect your systems. These practices are: SI.1.211, SI.1.212, and SI.1.213.
SI.1.211 Provide protection from malicious code at appropriate locations within organizational information systems.
SI.1.212 Update malicious code protection mechanisms when new releases are available.
SI.1.213 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

How to Meet These CMMC Requirements

You need to install Antivirus software on your endpoints and servers (appropriate locations). You need to set your antivirus software to automatically update its signature database when an update is available.
You need to configure your antivirus to automatically run periodic scans (e.g., once a week on Fridays or daily). There is no specific requirement stating that you need to run weekly or daily scans, you are just required to run them periodically.
Your antivirus needs to be capable of automatically scanning files when they are downloaded from the internet. So when you download a file from a website using your browser, your antivirus software needs to be automatically scanned. Unknown files also need to be scanned before they are opened (e.g., a Microsoft word document) or executed (e.g., an exe file).

Additional Recommendations

If financially feasible it is recommended that you use an antivirus software that can be centrally managed. This means that you can install the antivirus software on your systems and deploy the same settings to all of them, preventing users from changing the settings. This also reduces the workload on your personnel as they don't have to configure each system manually.
Do not allow your users to change the settings on their antivirus software. They may turn off features (e.g., periodic scanning) that are important for your meeting CMMC compliance goals.
Another important tip is to avoid using non-U.S. antivirus software. The U.S. government has already cracked down on several including Kaspersky.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.