NIST SP 800-171 Rev 2 requirement 3.14.4 mandates that organizations update malicious code protection mechanisms whenever new releases are available. This means antivirus and anti-malware software, including both the scanning engine and the threat signature databases, must be kept current on all covered systems. Updates may include new malware signatures, heuristic detection rules, behavioral analysis patterns, and engine code updates that improve detection accuracy. Organizations must have a defined process for obtaining, testing, and deploying these updates in a timely manner across all endpoints, servers, and other systems that process, store, or transmit Controlled Unclassified Information (CUI). The requirement applies to any mechanism used to detect and respond to malicious code, including traditional signature-based tools and modern endpoint detection and response (EDR) platforms.
Where it stops · what it isn't
- This practice does NOT govern the initial deployment or selection of malicious code protection tools, which is addressed by SI.L2-3.14.2
- This practice does NOT cover operating system patches or application security updates, which fall under system flaw remediation (SI.L2-3.14.1)
- This practice does NOT address the configuration settings or scanning parameters of anti-malware tools, only the currency of the protection mechanisms themselves
- This practice does NOT mandate a specific update frequency beyond 'when new releases are available,' though organizational policy must define acceptable update intervals
- This practice does NOT extend to threat intelligence feeds or security information and event management (SIEM) rule updates unless those directly constitute malicious code detection mechanisms
Connected concepts in the graph
PART OF: domain/system-and-information-integrity