SI.L2-3.14.5 requires organizations to perform periodic scans of their information systems using malicious code protection mechanisms at an organizationally defined frequency, and to conduct real-time scans of files sourced from external networks, media, or services as those files are downloaded, opened, or executed. Grounded in NIST SP 800-171 Rev 2 requirement 3.14.5, this practice extends the baseline malicious code protection established by 3.14.2 by adding both scheduled and on-access scanning dimensions. The periodic scan component demands that a documented scan schedule exists and is actively followed, while the real-time component demands that on-access or on-execute scanning is enabled and cannot be bypassed. Together, these controls reduce the window of opportunity for malicious code to persist undetected on organizational systems. The practice applies to workstations, servers, mobile devices, and any endpoint capable of receiving or executing files from external sources.
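The two components of the practice map to concrete, checkable endpoint settings. The script below is an added example, not part of this cubelet or of any vendor's tooling: it reads the state of Microsoft Defender Antivirus on a Windows endpoint and reports gaps against the real-time and periodic requirements. It assumes Defender is the malicious code protection mechanism in use and uses a placeholder 7-day scan frequency where the organization-defined value belongs.

```powershell
# Added assessment check for SI.L2-3.14.5 on a Windows endpoint that uses
# Microsoft Defender Antivirus as its malicious code protection mechanism.
# Assumption (placeholder): the organization-defined periodic scan frequency
# is 7 days; replace with the value documented in the system security plan.
$MaxScanAgeDays = 7

$status   = Get-MpComputerStatus
$pref     = Get-MpPreference
$findings = New-Object System.Collections.Generic.List[string]

# --- Real-time component: on-access / on-execute scanning must be enabled ---
if (-not $status.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is disabled') }
if (-not $status.OnAccessProtectionEnabled) { $findings.Add('On-access protection is disabled') }
# IOAV scanning covers files downloaded from the web as they are opened
if ($pref.DisableIOAVProtection)         { $findings.Add('Scanning of downloaded files (IOAV) is disabled') }
if ($pref.DisableRemovableDriveScanning) { $findings.Add('Removable media are excluded from scans') }
if ($pref.DisableScanningNetworkFiles)   { $findings.Add('Files on network shares are excluded from scans') }
# "Cannot be bypassed": tamper protection blocks local disabling of the settings above
if (-not $status.IsTamperProtected) {
    $findings.Add('Tamper protection is off; real-time scanning can be disabled locally')
}

# --- Periodic component: a scan schedule must exist and must actually be followed ---
# ScanScheduleDay: 0 = every day, 1..7 = Sunday..Saturday, 8 = never
if ($pref.ScanScheduleDay -eq 8) { $findings.Add('No scheduled scan day is configured') }
# *ScanAge values are days since the last scan; UInt32 max means no scan recorded
$lastScanAge = [Math]::Min([double]$status.QuickScanAge, [double]$status.FullScanAge)
if ($lastScanAge -ge [uint32]::MaxValue) {
    $findings.Add('No completed scan is recorded on this host')
} elseif ($lastScanAge -gt $MaxScanAgeDays) {
    $findings.Add("Last scan was $lastScanAge days ago, exceeding the $MaxScanAgeDays-day frequency")
}
# Signature currency is SI.L2-3.14.2's concern and is deliberately not checked here.

[PSCustomObject]@{
    Host      = $env:COMPUTERNAME
    Compliant = ($findings.Count -eq 0)
    Findings  = $findings
}
```

Run it with the Defender module available (an elevated session on the endpoint, or remotely via Invoke-Command); the Findings list is the evidence an assessor would want to see empty.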
Where it stops · what it isn't
- This practice does not govern the configuration or updating of malicious code signature databases — that is addressed by SI.L2-3.14.2.
- This practice does not require network-level intrusion detection or deep packet inspection, which fall under system monitoring controls.
- This practice does not address the response actions taken after malicious code is detected — incident response procedures are covered separately under IR domain controls.
- This practice does not mandate scanning of purely internal file transfers between systems already protected by endpoint agents, though best practice recommends it.
- This practice does not define what constitutes 'external sources' at the technical level — the organization must define and document this boundary in its system security plan.