
CMMC Deep Dive: System and Information Integrity (SI)

A guide to the System and Information Integrity (SI) domain, which focuses on protecting systems and data from unauthorized changes.

Published: June 25th, 2024
By: CMMC Dashboard Team
Last updated: August 7th, 2025

This article is part of our series on The 14 CMMC Domains.

The System and Information Integrity (SI) domain ensures that your systems are protected from malware and unauthorized changes, and that you have a process for identifying and fixing security flaws.

Why It Matters

Malware like ransomware can be devastating to an organization. This domain's controls provide the front-line defense against malicious code and ensure you have a process to keep your systems patched and secure.

Key Practices

  • SI.L1-3.14.1: Identify, report, and correct system flaws in a timely manner (patch management).
  • SI.L1-3.14.2: Provide protection from malicious code (antivirus/anti-malware).
  • SI.L1-3.14.5: Perform periodic and real-time scans for malicious code.
  • SI.L2-3.14.6: Monitor the system to detect attacks and indicators of potential attacks (IDS/IPS).

What Assessors Look For

  • A documented patch management policy and records of applied patches.
  • System configurations showing that anti-malware software is deployed and up to date.
  • Logs from network monitoring tools (IDS/IPS) and evidence of alert review.