System & Information Integrity (SI) Guide for CMMC 2

Welcome to our comprehensive guide on CMMC System & Information Integrity (SI) for CMMC Level 2 compliance. This resource is tailored for small to medium-sized businesses and DoD contractors. We'll help you with steps to keep your IT systems and data safe and sound, giving you clear instructions and useful tips. We'll also show you what you need to meet the CMMC 2.0 standards.

Keeping your IT systems and data secure and reliable is a big part of CMMC compliance. It's important to protect Controlled Unclassified Information (CUI) to keep your business operations safe. This guide will walk you through critical practices, including CMMC flaw remediation, malicious code protection, vulnerability scanning, implementing periodic system scans, and more. We’ll also cover proactive security measures like Endpoint Detection Response (EDR) CMMC and how to maintain a robust System Security Plan (SSP).

We know it can be difficult to ensure your systems and information stay intact, but it's crucial for your security. For expert guidance on CMMC requirements, book a free consultation with our certified practitioners today.

SI.L1-3.14.1 – CMMC FLAW REMEDIATION

“Identify, report, and correct information and information system flaws in a timely manner.”

Level Of Effort: Medium 

When you spot weaknesses using RA.L2-3.11.2 – VULNERABILITY SCAN, having a way to test patches and updates before using them is key. 

Each company might do this differently, but usually, they try patches with a small group first to check for any problems. After that, if everything looks good, they use them company-wide. It's a good idea to discuss this process with your IT team to decide what works best for your company.

---

SI.L1-3.14.2 – CMMC MALICIOUS CODE PROTECTION

“Provide protection from malicious code at appropriate locations within organizational information systems.”

Level Of Effort: Low

Companies must keep their information systems safe from harmful software like viruses, spyware, and ransomware. The goal is to find these weak points and use tools like antivirus programs and firewalls to stop or reduce the damage from malicious code.

Recommendations:

1. Use EDR and Antivirus Systems: Use both Endpoint Detection and Response (EDR) and antivirus systems. You can choose from options like CrowdStrike, SentinelOne, or Microsoft Defender (~$10-20/computer/month). Microsoft Defender's free version is also a good antivirus.
2. Activate Firewall Virus Scanning: Turn on virus scanning on your firewall by subscribing to security features that offer this. Take screenshots to confirm it's activated.
3. Set up Antivirus Auto-Update: Configure your antivirus to check for updates. Manually check that it's working, and sign up for email alerts from your antivirus vendor for updates.

Evidence: 

• Confirm Deployment: Show documents or screenshots that prove you've deployed antivirus and EDR on all computers in your CMMC environment.
• Firewall Virus Scanning: Include screenshots of your firewall settings, especially the virus scanning activation.
• Confirm Antivirus Auto-Update: Provide a screenshot showing the successful setup of antivirus auto-updates. Also, share an email confirmation from your antivirus vendor for update notifications.

What our clients say

---

SI.L1-3.14.4 – UPDATE MALICIOUS CODE PROTECTION

“Update malicious code protection mechanisms when new releases are available.”

Level Of Effort: None

This should be addressed if you implement all of the recommendations under SI.L1-3.14.2 – MALICIOUS CODE PROTECTION, especially the auto-update feature. 

---

SI.L1-3.14.5 – SYSTEM & FILE SCANNING FOR CMMC

“Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.”

Level Of Effort: Low

This rule highlights the need to scan the whole system often and also scan files that come from outside right away. This is to find and deal with threats like harmful code. By always checking for dangerous files that might get into the system, businesses can get better at protecting themselves against online threats.

Recommendations:

Optimize Antivirus Solution: Work with your IT team to make your antivirus better. We suggest you do these things:

• Daily Quick Scans: Do fast scans every day to find new threats quickly.
• Weekly Full Scans: Check your whole system thoroughly every week.
• Scanning for Inserted/Downloaded Media: Turn on scanning for things like USB drives or downloaded files. Also, take a screenshot of your antivirus settings to show how you've set it up.

Revise System Security Plan (SSP): It's important to update your System Security Plan (SSP) to include details about who or which team checks the antivirus scan reports. Also, explain the steps you'll take if you find security issues during the scans.

Evidence:

1. Verification of Antivirus Configuration: Screenshot of your antivirus settings. This should include your setup for daily quick scans, weekly full scans, and scanning for inserted/downloaded media. This is proof of how you're keeping your cybersecurity strong.
2. Updated System Security Plan (SSP): Give your SSP an updated version. This should explain who handles looking at antivirus scan reports and what actions you'll take for any security problems found. This shows that you're responsible and serious about your cyber security.

---

SI.L2-3.14.3 – CMMC SECURITY ALERTS & ADVISORIES

“Monitor system security alerts and advisories and take action in response.”

Level Of Effort: Low

This section requires businesses to pay attention to security alerts and updates. They need to do this to keep their online safety strong. By knowing about new threats and problems from sources they can trust, businesses can act fast to keep their computer systems safe.

Recommendations:

1. Subscribe to CISA Updates: Sign up for updates from the Cybersecurity & Infrastructure Security Agency (CISA). They are known for giving important news and alerts about cybersecurity. You can subscribe to their updates by going to CISA's Subscription Page.
2. Ask About Threat Intelligence: When thinking about cybersecurity, you should ask your managed security service provider (MSSP) or security operations center (SOC) if they use "threat intelligence" feeds. These feeds give you information about possible threats that could affect your business. Remember to note down the specific feeds your MSSP/SOC is using.

Evidence:

1. Update Your System Security Plan (SSP): Show that your company has signed up for CISA updates. This proves you are serious about staying up-to-date with cybersecurity threats. Make sure your SSP includes a part about your subscription to CISA alerts.
2. Show Proof of Threat Intelligence Feeds: You should have documents that list the threat intelligence feeds your MSSP/SOC uses. This shows you're looking for information on outside threats and are ready to handle issues.

---

SI.L2-3.14.6 – MONITOR COMMUNICATIONS FOR ATTACKS

“Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.”

Level Of Effort: Medium

This rule means that businesses must watch their systems to catch any signs of trouble, both from outside and inside. It's important to pay attention to anything that might suggest an attack. You need to keep an eye on what's happening on the outside (like people trying to break in) and the inside (like employees doing things they shouldn't).

This is especially important if you follow all the suggestions in our Audit and Accountability (AU) article.

What our clients say

SI.L2-3.14.7 – IDENTIFY UNAUTHORIZED USE

“Identify unauthorized use of the information system.”

Level Of Effort: Low

This should be addressed if you implement all of the recommendations in the Audit and Accountability (AU) section.

---

Need Help With Other CMMC Controls? 

• Access Control (AC) Guide
• Awareness And Training (AT) Guide
• Audit and Accountability (AU) Guide
• Configuration Management (CM) Guide
• Identification and Authentication (IA) Guide
• Incident Response (IR) Guide
• Maintenance (MA) Guide
• Media Protection (MP) Guide
• Personnel Security (PS) Guide
• Physical Protection (PE) Guide
• Risk Assessment (RA) Guide
• Security Assessment (CA) Guide
• System and Communications Protection (SC) Guide