03.14.02
What this control requires
(a) Implement malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code. (b) Update malicious code protection mechanisms as new releases are available in accordance with configuration management policies and procedures. (c) Configure malicious code protection mechanisms to:
Source: NIST SP 800-171 R3 §03.14.02 (official control text).
Why this matters
Malware—viruses, ransomware, spyware, and trojans—infiltrates systems through email attachments, downloads, USB drives, and compromised websites. Once inside, it can exfiltrate sensitive data, encrypt files for ransom, create backdoors for attackers, or destroy critical information. This control mandates layered defenses at every network boundary and endpoint, paired with automatic signature updates and behavioral detection, to catch threats before they execute. Without real-time protection and consistent updates, a single infected file can compromise an entire environment, halting operations and exposing controlled unclassified information to adversaries.
What evidence assessors expect
Assessors typically look for screenshots, configuration exports, and CSV exports. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.