CMMC Level 2 · Implementation Guide · June 12, 2026 · 12 min read
How to Actually Implement CMMC Level 2 System & Information Integrity: A Practitioner's Guide
The System & Information Integrity domain has 7 practices covering patch management, malware protection, security advisory monitoring, and detection of attacks and unauthorized use. SI is where your daily security operations live: keeping systems patched, keeping malware off endpoints, and monitoring for signs that something has gone wrong. For many contractors, SI is the domain where the gap between having tools and operating them becomes apparent.
Why SI Assessment Findings Are Often Operational, Not Technical
Most organizations have antivirus. Most have Windows Update. The SI domain findings that surface in assessments are rarely "you have no malware protection." They're more often: definitions are 30 days out of date on half the endpoints, patches are inconsistently applied with no tracking, there's no documented process for monitoring security advisories, or there's antivirus installed but no one reviews the alerts.
SI requires both the right tools and evidence that those tools are being actively managed. An assessor will ask to see patch compliance reports, antivirus coverage reports, and evidence that the team reviews and acts on security alerts. "We have Defender installed" is a starting point, not a complete answer.
SI and the other domains: System integrity depends on knowing what systems exist (CM scoping), having audit logs to detect anomalies (AU), responding to findings as incidents (IR), and remediating vulnerabilities identified through risk assessment (RA). SI is the operational execution layer that connects all of these.
Practice 3.14.1 — Identify, Report, and Correct System Flaws in a Timely Manner
Patch management is not optional. Define your timelines and demonstrate you're meeting them.
This practice requires identifying, reporting, and correcting information and system flaws in a timely manner. "Timely" is not defined by the practice; it is defined by your organization in policy and demonstrated through patch compliance data.
What "timely" looks like in practice:
Critical vulnerabilities (CVSS 9.0+) and CISA KEV items: 15 days is the widely accepted standard. CISA's BOD 22-01 requires federal agencies to remediate KEV items within defined windows; defense contractors are not bound by BOD 22-01, but using it as a benchmark is defensible
High-severity vulnerabilities (CVSS 7.0–8.9): 30 days
Medium-severity vulnerabilities (CVSS 4.0–6.9): 90 days
Low-severity vulnerabilities: Next scheduled maintenance window or as resources allow, with a maximum of 180 days
Whatever timelines you define, document them in your SI policy and measure against them. Patch compliance below 95% for critical vulnerabilities at the 15-day mark will draw assessment scrutiny.
Implementation tools and process:
Windows Update / WSUS / Intune: For Windows environments, Microsoft Intune (via Microsoft 365 Business Premium or equivalent) provides centralized patch deployment and compliance reporting across all enrolled devices. WSUS is the on-premises alternative. Configure automatic deployment of security updates and review compliance reports weekly
Third-party applications: Operating system patches are not enough. Chrome, Adobe Reader, Java, and other third-party applications are frequent exploit targets. Use Intune Win32 app management, PDQ Deploy, or a similar tool to manage third-party patching
Patch compliance reporting: Generate and retain patch compliance reports showing what percentage of in-scope systems are current, which systems have outstanding critical patches, and how long they have been outstanding. These reports are assessment evidence
Exception process: Some patches cannot be applied immediately (incompatibility, operational windows, vendor testing requirements). Document exceptions: which patch, which system, why it can't be applied, what compensating control is in place, and when it will be resolved. Undocumented exceptions look like missing patches to an assessor
Common mistake: Managing operating system patches through Windows Update but having no visibility or process for third-party application patching. In many breach post-mortems, the exploited vulnerability was in a browser, PDF reader, or office suite, not the OS.
Practice 3.14.2 — Provide Malware Protection at Appropriate Locations
Malware protection must be deployed on all in-scope systems, not just workstations.
This practice requires providing protection from malicious code at appropriate locations within organizational systems. "Appropriate locations" means wherever malicious code could enter or execute: endpoints, servers, email gateways, and web proxies.
Implementation:
Endpoints: Deploy endpoint protection on every in-scope workstation and laptop. Microsoft Defender Antivirus is included with Windows and satisfies the baseline requirement when properly configured. Defender for Endpoint (included in M365 Business Premium) adds EDR capabilities that address 3.14.6 and 3.14.7 as well
Servers: Endpoint protection on servers is also required. Servers in your CUI environment must have antivirus deployed. Windows Server includes Microsoft Defender; enable and configure it the same as workstations
Email: Email is the primary malware delivery vector. Microsoft Defender for Office 365 (Plan 1 or Plan 2) provides anti-malware scanning of email attachments and links. Enable Safe Attachments and Safe Links policies in the Microsoft 365 security portal
Web filtering: A DNS filtering or web proxy layer that blocks known malware distribution sites provides defense-in-depth for malware arriving via web browsing. Microsoft Defender SmartScreen, Cisco Umbrella, and Zscaler are common options
Maintain an inventory of systems with endpoint protection deployed and a compliance report showing protection status. Coverage gaps (systems without active protection) are direct findings
Common mistake: Deploying endpoint protection but leaving servers unmanaged. A file server that CUI passes through is an "appropriate location" for malware protection. A server that is compromised and used to serve malware to workstations that connect to it is a failure of this practice.
Practice 3.14.3 — Monitor Security Alerts and Advisories
Someone needs to be watching for new threats and acting when relevant ones emerge.
This practice requires monitoring system security alerts and advisories and taking action in response. It is an intelligence-gathering and response practice: the organization must have a mechanism to receive security information and must act on it when relevant to in-scope systems.
Sources to monitor:
CISA alerts and advisories (cisa.gov/news-events/cybersecurity-advisories): CISA publishes advisories for actively exploited vulnerabilities and threat actor activity. Subscribe to CISA email alerts at no cost. When CISA publishes an advisory about a product you use, review it and take action if applicable
CISA Known Exploited Vulnerabilities (KEV) catalog: The KEV catalog is updated as new vulnerabilities are confirmed to be exploited in the wild. Subscribe to KEV updates and treat any KEV entry affecting your systems as a high-priority patch item, regardless of CVSS score
Microsoft Security Update Guide (msrc.microsoft.com): For Microsoft environments, review the monthly Patch Tuesday release to understand what vulnerabilities are being patched and their severity
Vendor security advisories: Any vendor whose software processes CUI should have their security advisory feed monitored. Most vendors provide RSS feeds, mailing lists, or security bulletin pages
What "taking action" looks like:
Document your monitoring process: who is responsible, what sources are monitored, how often, and what the response process is when a relevant advisory is received
When an advisory is received that affects in-scope systems, create a ticket or task, assess impact, and track remediation to closure. The ticket or task is your evidence of action
Include advisory monitoring in your patch management process. A CISA KEV entry for a product you run should trigger immediate patch prioritization, not wait for the next scheduled maintenance window
Common mistake: Having no documented process for advisory monitoring and no evidence of action. "We check the news" is not a process. A named individual, a defined set of sources, a check-in cadence, and a record of advisories reviewed and actioned is what an assessor is looking for.
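The timeline tiers in 3.14.1 and the "KEV entry triggers a ticket" process in 3.14.3 are easier to audit when the arithmetic is done by a script rather than by hand. The following is an added example, not code from the guide or from any of the products it names: it reads a KEV-style feed (the field names cveID, vendorProject, product, requiredAction and dueDate mirror CISA's published catalog JSON, but every entry, host and CVE id below is a constructed placeholder), flags matching findings, emits a ticket record per match as the evidence of action, assigns each finding a deadline from the tiers stated above, and computes per-tier compliance the way an assessor would read a patch report. The SLA_DAYS values and the exception handling are assumptions that your own SI policy would replace.

```python
"""Patch-SLA and KEV tracker over a constructed inventory (added example)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import json

# Remediation windows in days. Assumption: the SI policy adopts the tiers in this guide.
SLA_DAYS = {"kev": 15, "critical": 15, "high": 30, "medium": 90, "low": 180}


def severity_tier(cvss: float, in_kev: bool) -> str:
    """KEV membership wins over CVSS; otherwise bucket by CVSS base score."""
    if in_kev:
        return "kev"
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


@dataclass
class Finding:
    host: str
    cve: str
    cvss: float
    identified: date                  # date the flaw was identified (scan or advisory)
    in_kev: bool = False
    patched: Optional[date] = None
    exception: Optional[str] = None   # reference to a documented exception, if any

    @property
    def tier(self) -> str:
        return severity_tier(self.cvss, self.in_kev)

    @property
    def deadline(self) -> date:
        return self.identified + timedelta(days=SLA_DAYS[self.tier])

    def status(self, today: date) -> str:
        if self.patched is not None:
            return "met" if self.patched <= self.deadline else "late"
        if self.exception:
            return "exception"        # documented, with a compensating control
        return "overdue" if today > self.deadline else "open"


def load_kev(feed_json: str) -> dict:
    """Index a KEV catalog feed by cveID (CISA's field names; constructed entries)."""
    return {v["cveID"]: v for v in json.loads(feed_json)["vulnerabilities"]}


def apply_kev(findings, kev) -> list:
    """Flag findings present in KEV and open a ticket record for each match:
    the ticket is the evidence of action 3.14.3 asks for."""
    tickets = []
    for f in findings:
        if f.cve in kev:
            f.in_kev = True
            tickets.append({"host": f.host, "cve": f.cve,
                            "due": f.deadline.isoformat(),
                            "action": kev[f.cve]["requiredAction"]})
    return tickets


def tier_compliance(findings, today: date, tier: str) -> float:
    """Percent of findings in `tier` whose window has closed that were patched in
    time or carry a documented exception. Returns 100.0 when nothing is due yet."""
    due = [f for f in findings if f.tier == tier and f.deadline <= today]
    if not due:
        return 100.0
    ok = sum(1 for f in due if f.status(today) in ("met", "exception"))
    return round(100.0 * ok / len(due), 1)


# Constructed sample data: placeholder CVE ids and host names, not real ones.
KEV_FEED = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleApp",
     "dateAdded": "2026-05-20", "requiredAction": "Apply vendor update",
     "dueDate": "2026-06-10"},
]})
TODAY = date(2026, 6, 12)
FINDINGS = [
    Finding("ws-01", "CVE-0000-0001", 9.8, date(2026, 5, 1), patched=date(2026, 5, 10)),
    Finding("srv-01", "CVE-0000-0002", 6.5, date(2026, 5, 20)),   # medium by CVSS, but in KEV
    Finding("ws-02", "CVE-0000-0003", 7.5, date(2026, 6, 1)),
    Finding("srv-02", "CVE-0000-0001", 9.8, date(2026, 5, 1), exception="EXC-07"),
    Finding("ws-03", "CVE-0000-0004", 3.1, date(2026, 1, 1)),
]
TICKETS = apply_kev(FINDINGS, load_kev(KEV_FEED))

if __name__ == "__main__":
    for f in FINDINGS:
        print(f"{f.host:7} {f.cve} {f.tier:8} due {f.deadline} -> {f.status(TODAY)}")
    print("tickets:", TICKETS)
    for t in SLA_DAYS:
        print(f"{t:8} compliance: {tier_compliance(FINDINGS, TODAY, t)}%")
```

Two things the run makes visible: the KEV match on srv-01 pulls a CVSS 6.5 item from a 90-day window to a 15-day one and it is already overdue, and the critical tier reports 100% only because srv-02's exception is documented; with the exception reference blank, the same host would count as a missed patch.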
Practices 3.14.4 and 3.14.5 — Update Malware Definitions and Run Regular Scans
Definitions must be current. Scans must happen on a schedule and on file access.
Practice 3.14.4 requires updating malicious code protection mechanisms when new releases are available. Practice 3.14.5 requires periodic scans of the system and real-time scans of files from external sources as they are downloaded, opened, or executed.
Definition update implementation (3.14.4):
Configure endpoint protection to update definitions automatically, multiple times per day. Microsoft Defender updates definitions via Windows Update and Microsoft Update; verify this is not blocked by WSUS configuration or proxy settings
Generate definition currency reports and review them. A system that has not updated definitions in more than 24 hours should generate an alert. Systems with definitions more than 7 days out of date are a direct finding
For systems that are frequently offline (field laptops, operational technology systems), document how definition updates are applied when those systems reconnect to the network
Scan implementation (3.14.5):
Real-time (on-access) scanning: Enable real-time protection in your endpoint protection configuration. This triggers scanning when files are created, opened, or executed. Microsoft Defender's real-time protection should be enabled and not excluded for in-scope directories
Periodic scans: Configure scheduled full system scans. Weekly quick scans and monthly full scans are a defensible baseline. The scan schedule should be documented in your SI policy
Files from external sources: Files downloaded from the internet, received via email, or copied from removable media should be scanned at the point of receipt. Real-time scanning handles this if properly configured, but verify that email attachments (via Defender for Office 365) and removable media (via endpoint protection policy) are covered
Maintain scan reports as evidence. Intune and Defender for Endpoint provide device compliance reports that include protection status and scan history
Common mistake: Scan exclusions that are too broad. IT staff often add performance-related exclusions to antivirus (exclude the entire program files directory, exclude all SQL Server files, etc.). Broad exclusions can create blind spots exactly where malware is likely to execute. Review exclusions and limit them to specific, justified paths.
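The checks described for 3.14.4 and 3.14.5 (definitions older than 24 hours alert, older than 7 days is a finding, weekly quick and monthly full scans, real-time protection on, exclusions reviewed) plus the coverage-gap rule from 3.14.2 can be applied mechanically to whatever per-device status your management tool exports. The following is an added example, not the guide's code and not an Intune or Defender export format: the record field names (signatures_updated, real_time_protection, last_quick_scan, last_full_scan, exclusions) and the list of "too broad" exclusion patterns are this example's own assumptions, and the device records are constructed.

```python
"""Definition-currency, scan-status and coverage checker (added example)."""
from datetime import datetime, timedelta
import fnmatch

ALERT_SIG_AGE = timedelta(hours=24)     # guide: alert after 24 h without an update
FINDING_SIG_AGE = timedelta(days=7)     # guide: 7 days out of date is a finding
QUICK_SCAN_MAX = timedelta(days=7)      # weekly quick scan baseline
FULL_SCAN_MAX = timedelta(days=31)      # monthly full scan baseline

# Path exclusions that cover a whole drive, profile tree or program tree.
# Assumption of this example; case-insensitive glob, trailing backslash ignored.
BROAD_PATHS = ["?:", "?:\\program files", "?:\\program files (x86)",
               "?:\\windows", "?:\\users"]


def is_broad(exclusion: str) -> bool:
    """True for exclusions that create large blind spots rather than a specific path."""
    e = exclusion.lower().rstrip("\\")
    if e.startswith("*.") or e.startswith("."):     # every file of an extension
        return True
    return any(fnmatch.fnmatchcase(e, p) for p in BROAD_PATHS)


def check_device(rec: dict, now: datetime) -> list:
    """Issues for one device, labelled by the severity the guide assigns them."""
    issues = []
    sig_age = now - rec["signatures_updated"]
    if sig_age > FINDING_SIG_AGE:
        issues.append("FINDING: definitions older than 7 days")
    elif sig_age > ALERT_SIG_AGE:
        issues.append("ALERT: definitions older than 24 hours")
    if not rec["real_time_protection"]:
        issues.append("FINDING: real-time protection disabled")
    if now - rec["last_quick_scan"] > QUICK_SCAN_MAX:
        issues.append("ALERT: quick scan overdue")
    if now - rec["last_full_scan"] > FULL_SCAN_MAX:
        issues.append("ALERT: full scan overdue")
    for ex in rec["exclusions"]:
        if is_broad(ex):
            issues.append("REVIEW: broad exclusion " + ex)
    return issues


def coverage_report(in_scope: list, records: list, now: datetime) -> dict:
    """Every in-scope host gets an entry; a host with no status record is the
    coverage gap that 3.14.2 treats as a direct finding."""
    by_host = {r["host"]: r for r in records}
    report = {}
    for host in in_scope:
        if host not in by_host:
            report[host] = ["FINDING: no endpoint protection status reported"]
        else:
            report[host] = check_device(by_host[host], now)
    return report


# Constructed sample export (not real devices).
NOW = datetime(2026, 6, 12, 9, 0)
H, D = timedelta(hours=1), timedelta(days=1)
IN_SCOPE = ["ws-01", "ws-02", "srv-01", "srv-02"]
RECORDS = [
    {"host": "ws-01", "signatures_updated": NOW - 3 * H, "real_time_protection": True,
     "last_quick_scan": NOW - 2 * D, "last_full_scan": NOW - 10 * D,
     "exclusions": ["C:\\Program Files\\Vendor\\db\\data"]},   # specific, justified path
    {"host": "ws-02", "signatures_updated": NOW - 36 * H, "real_time_protection": True,
     "last_quick_scan": NOW - 9 * D, "last_full_scan": NOW - 20 * D, "exclusions": []},
    {"host": "srv-01", "signatures_updated": NOW - 10 * D, "real_time_protection": False,
     "last_quick_scan": NOW - 1 * D, "last_full_scan": NOW - 40 * D,
     "exclusions": ["C:\\Program Files", "*.exe"]},            # whole tree and extension
]
REPORT = coverage_report(IN_SCOPE, RECORDS, NOW)

if __name__ == "__main__":
    for host, issues in REPORT.items():
        print(host, issues or ["ok"])
```

Run against a real export, the output is the per-host list an assessor asks for: srv-02 shows up as a coverage gap even though it never appears in the protection console, and srv-01's "C:\Program Files" exclusion is surfaced for review while ws-01's narrower vendor data directory is left alone.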
Practice 3.14.6 — Monitor for Attacks and Indicators of Potential Attacks
Passive protection is not enough. You need active monitoring for attack activity on your systems and network.
This practice requires monitoring organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. It goes beyond malware scanning to require active monitoring for attacker behavior patterns.
What to monitor:
Endpoint behavioral activity: Process execution patterns that indicate attacker tools (PowerShell with encoded commands, LSASS memory access, unusual scheduled task creation, lateral movement via PsExec or WMI). EDR tools like Microsoft Defender for Endpoint, CrowdStrike, or Huntress monitor these at the endpoint level
Network traffic: Unusual outbound connections to unknown external IP addresses, DNS queries for unusual domains, large outbound data transfers, or connections over non-standard ports. Network monitoring can be implemented with an NGFW with logging, a network detection and response (NDR) tool, or DNS filtering with logging
Authentication anomalies: Multiple failed login attempts followed by a success (brute force), logins at unusual hours, logins from geographically improbable locations. SIEM correlation rules on authentication logs from Entra ID and on-premises AD detect these patterns
Log-based indicators: Changes to security policies, new privileged account creation, clearing of event logs, and changes to registry Run keys are all indicators of compromise or attacker activity that appear in system logs
Implementation:
Microsoft Defender for Endpoint (MDE) provides EDR-grade behavioral monitoring at the endpoint level and generates alerts for known attack techniques mapped to the MITRE ATT&CK framework
Microsoft Sentinel can ingest signals from MDE, Entra ID, Defender for Office 365, and network devices, and apply analytics rules to correlate them into actionable alerts
Huntress is a managed detection and response (MDR) service popular with MSP-managed small contractors; it provides 24/7 SOC coverage over MDE telemetry at a price point accessible for small organizations
Define and document your alert review process: who reviews alerts, how often, what the escalation path is, and how alerts are tracked to resolution
Common mistake: Having EDR deployed but no process for reviewing and responding to alerts. MDE and similar tools generate alerts continuously. An alert dashboard with 500 unreviewed alerts is not a monitoring program. Define a triage process and track alert closure.
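The authentication anomalies listed under 3.14.6 (a run of failures followed by a success, logins at unusual hours) are correlation rules, and a SIEM analytics rule is only as good as the window and threshold it uses. The following is an added example rather than code from the guide or a Sentinel rule: it runs the two correlations over constructed log lines in a simple key=value format of this example's own, with a sliding 10-minute window and a five-failure threshold that are assumptions you would tune to your environment. The source addresses are from documentation ranges and the users are made up.

```python
"""Authentication anomaly correlation over constructed log lines (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                  # failures that make a following success suspicious
WINDOW = timedelta(minutes=10)      # sliding window in which failures are counted
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59 local counts as normal; assumption


def parse(line: str) -> dict:
    """'<iso timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def detect(lines) -> list:
    """Returns (timestamp, user, source, reason) tuples, in time order."""
    alerts = []
    recent_failures = defaultdict(deque)        # (user, src) -> failure timestamps
    for rec in sorted((parse(l) for l in lines), key=lambda r: r["ts"]):
        key = (rec["user"], rec["src"])
        q = recent_failures[key]
        while q and rec["ts"] - q[0] > WINDOW:  # drop failures outside the window
            q.popleft()
        if rec["result"] == "FAIL":
            q.append(rec["ts"])
            continue
        # A success: check what preceded it and when it happened.
        if len(q) >= FAIL_THRESHOLD:
            alerts.append((rec["ts"], rec["user"], rec["src"],
                           "success_after_%d_failures" % len(q)))
            q.clear()
        if rec["ts"].hour not in BUSINESS_HOURS:
            alerts.append((rec["ts"], rec["user"], rec["src"], "off_hours_login"))
    return alerts


# Constructed sample log: six rapid failures then a success at 02:13 (alice), a
# normal daytime login (bob), three failures below threshold (carol), a late
# login (dave), and five failures spread wider than the window (eve).
LOG = [
    "2026-06-11T02:10:00 user=alice src=203.0.113.7 result=FAIL",
    "2026-06-11T02:10:30 user=alice src=203.0.113.7 result=FAIL",
    "2026-06-11T02:11:00 user=alice src=203.0.113.7 result=FAIL",
    "2026-06-11T02:11:30 user=alice src=203.0.113.7 result=FAIL",
    "2026-06-11T02:12:00 user=alice src=203.0.113.7 result=FAIL",
    "2026-06-11T02:12:30 user=alice src=203.0.113.7 result=FAIL",
    "2026-06-11T02:13:00 user=alice src=203.0.113.7 result=SUCCESS",
    "2026-06-11T09:05:00 user=bob src=198.51.100.4 result=SUCCESS",
    "2026-06-11T14:00:00 user=carol src=192.0.2.9 result=FAIL",
    "2026-06-11T14:00:20 user=carol src=192.0.2.9 result=FAIL",
    "2026-06-11T14:00:40 user=carol src=192.0.2.9 result=FAIL",
    "2026-06-11T14:02:00 user=carol src=192.0.2.9 result=SUCCESS",
    "2026-06-11T22:30:00 user=dave src=198.51.100.4 result=SUCCESS",
    "2026-06-12T00:00:00 user=eve src=203.0.113.20 result=FAIL",
    "2026-06-12T00:02:00 user=eve src=203.0.113.20 result=FAIL",
    "2026-06-12T00:20:00 user=eve src=203.0.113.20 result=FAIL",
    "2026-06-12T00:22:00 user=eve src=203.0.113.20 result=FAIL",
    "2026-06-12T00:24:00 user=eve src=203.0.113.20 result=FAIL",
    "2026-06-12T00:25:00 user=eve src=203.0.113.20 result=SUCCESS",
]
ALERTS = detect(LOG)

if __name__ == "__main__":
    for ts, user, src, reason in ALERTS:
        print(ts, user, src, reason)
```

The eve case is the one worth noticing when tuning: five failures did occur, but two of them fall outside the 10-minute window, so only the off-hours rule fires. Widening the window catches slower guessing at the cost of more noise, which is exactly the triage trade-off the alert review process above has to own.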
Practice 3.14.7 — Identify Unauthorized Use of Organizational Systems
Legitimate users do predictable things. Unusual behavior should trigger investigation.
This practice requires identifying unauthorized use of organizational systems. Where 3.14.6 focuses on detecting attack techniques, 3.14.7 focuses on detecting misuse, including by insiders or compromised legitimate accounts.
What unauthorized use looks like:
A user accessing CUI repositories or file shares they have never accessed before
Bulk download or bulk copy of CUI to personal cloud storage or removable media
Use of administrative tools or privileges by a standard user account
Remote access at unusual hours or from unusual locations
New software installed outside the approved software list (see CM 3.4.8)
Account activity after the employee has been terminated or transferred
Implementation:
Baseline normal activity: To identify unauthorized use, you need to know what authorized use looks like. SIEM user and entity behavior analytics (UEBA) tools can establish baselines and alert on deviations. Microsoft Sentinel includes basic UEBA capabilities in the standard tier
User activity monitoring via audit logs: File access auditing on CUI repositories (implemented in the AU domain) provides the data needed to identify bulk access or unusual file access patterns
DLP (Data Loss Prevention): Microsoft Purview Information Protection can detect and alert on bulk file downloads, CUI being sent to personal email, or CUI copied to USB drives. DLP policies are configured in the Microsoft 365 compliance portal
Privileged access monitoring: Configure alerts for use of privileged accounts outside of normal administrative windows, or for privilege escalation events (a standard user suddenly using an admin account)
Define what "unauthorized use" means in your SI policy and document the monitoring mechanisms that detect it. Assessors will ask specifically how the organization would detect an insider threat or a compromised account performing unauthorized actions
Common mistake: Conflating "preventing" unauthorized use (access controls) with "identifying" it (monitoring). Practice 3.14.7 is specifically about detection after the fact, not prevention. Even if access controls are strong, the practice requires a detection capability for when those controls fail or are circumvented.
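Three of the unauthorized-use patterns listed above (first access to a share, bulk copying, and activity after termination) can be checked against a baseline built from the file-access audit data the AU domain already collects. The following is an added example, not the guide's code and not a Purview or Sentinel UEBA rule: the event and history record layouts, the 50-files-per-hour bulk threshold, and the HR feed of termination dates are assumptions of this example, and all users, shares and events are constructed.

```python
"""Baseline-deviation review of file-access events (added example)."""
from collections import defaultdict
from datetime import date, datetime

BULK_FILES_PER_HOUR = 50                    # assumption; tune to the repository's normal use
TERMINATED = {"frank": date(2026, 6, 1)}    # constructed HR feed: user -> last working day

ENG = r"\\fs01\engineering"                 # constructed CUI share names
CONTRACTS = r"\\fs01\contracts"


def build_baseline(history) -> dict:
    """Which shares each user touched during the baseline period (e.g. prior 30 days)."""
    baseline = defaultdict(set)
    for row in history:
        baseline[row["user"]].add(row["share"])
    return baseline


def review(events, baseline) -> list:
    """Returns (user, kind, detail) tuples for deviations from the baseline."""
    alerts = []
    files_per_hour = defaultdict(int)
    for e in sorted(events, key=lambda e: e["ts"]):
        user, share, ts = e["user"], e["share"], e["ts"]
        last_day = TERMINATED.get(user)
        if last_day and ts.date() > last_day:
            # Access controls should have removed the account; this is the
            # detection for when they did not (the point made above).
            alerts.append((user, "activity_after_termination", share))
        if share not in baseline.get(user, set()):
            alerts.append((user, "first_access_to_share", share))
        hour = ts.replace(minute=0, second=0, microsecond=0)
        files_per_hour[(user, hour)] += e["files"]
    for (user, hour), n in files_per_hour.items():
        if n > BULK_FILES_PER_HOUR:
            alerts.append((user, "bulk_access_%d_files_in_hour" % n, hour.isoformat()))
    return alerts


# Constructed baseline period and review-day events.
HISTORY = [
    {"user": "alice", "share": ENG},
    {"user": "bob", "share": CONTRACTS},
    {"user": "frank", "share": ENG},
]
EVENTS = [
    {"ts": datetime(2026, 6, 11, 10, 5), "user": "alice", "share": ENG, "files": 12},
    {"ts": datetime(2026, 6, 11, 10, 20), "user": "alice", "share": ENG, "files": 45},
    {"ts": datetime(2026, 6, 11, 11, 0), "user": "bob", "share": ENG, "files": 3},
    {"ts": datetime(2026, 6, 11, 23, 40), "user": "frank", "share": ENG, "files": 2},
]
ALERTS = review(EVENTS, build_baseline(HISTORY))

if __name__ == "__main__":
    for user, kind, detail in ALERTS:
        print(user, kind, detail)
```

Note what each rule catches that the others miss: alice's two ordinary-looking accesses only become a bulk event when summed over the hour, bob's three files are flagged purely because the share is new for him, and frank's access matches his baseline perfectly and is caught only by the HR feed. A baseline on its own does not detect a terminated account that still works.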
Quick Reference: Tools for SI Implementation
Need | Tool / Resource | Notes
--- | --- | ---
Endpoint protection / AV | Microsoft Defender Antivirus, CrowdStrike Falcon Go, Malwarebytes EDR | Defender AV is included with Windows; Defender for Endpoint adds EDR and is included in M365 Business Premium
EDR / behavioral monitoring | Microsoft Defender for Endpoint, Huntress, CrowdStrike Falcon | Huntress is an MDR layer on top of MDE, popular with MSP-managed small contractors; provides 24/7 SOC
Patch management | Microsoft Intune, WSUS, PDQ Deploy | Intune handles both OS and app patching for enrolled devices; PDQ Deploy is a popular on-prem option for third-party apps
Security advisory monitoring | CISA Alerts (cisa.gov), CISA KEV catalog, Microsoft MSRC | Subscribe to CISA email alerts for free; KEV catalog has API access for automated integration
SIEM / correlation | Microsoft Sentinel, Elastic SIEM | Sentinel integrates natively with MDE, Entra ID, and Defender for Office 365; analytics rules address 3.14.6 detection
Email malware protection | Microsoft Defender for Office 365 (Plan 1/2) | Safe Attachments and Safe Links policies block malicious email content; included in M365 Business Premium
DLP / insider threat monitoring | Microsoft Purview Information Protection | Detects bulk CUI downloads, external sharing, and USB exfiltration; requires M365 E3 or E5 license for full DLP
DNS / web filtering | Cisco Umbrella, Cloudflare Gateway, Microsoft Defender SmartScreen | DNS filtering blocks malware delivery sites and C2 communication at the DNS resolution layer
M365 Business Premium covers most of SI: Organizations already on Microsoft 365 Business Premium have access to Microsoft Defender for Endpoint, Defender for Office 365 Plan 1, Intune, and Microsoft Entra ID P1. This single license tier addresses practices 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, and 3.14.7 with proper configuration. The gap is usually configuration and operational process, not tool availability.
How SI Connects to the Rest of Your CMMC Program
SI is where your defensive tools meet daily operations. The Audit & Accountability (AU) domain provides the logs that 3.14.6 and 3.14.7 depend on for detection. The Risk Assessment (RA) domain's vulnerability scanning output feeds the patch prioritization process in 3.14.1. Configuration Management (CM) defines the software inventory that 3.14.7 uses to identify unauthorized software. Incident Response (IR) is triggered when 3.14.6 or 3.14.7 detects something that requires a response.
SI is also the domain most visible to non-security leadership, because patch management and antivirus status are familiar concepts. Use the SI domain as a bridge to executive conversations about security operations: compliance requirements give you organizational backing to enforce patching timelines and maintain monitoring tooling that might otherwise face budget resistance.
Need a Ready-to-Customize SI Policy?
Our CMMC Level 2 System & Information Integrity Policy template covers all 7 SI practices with formal policy language, patch management timelines, malware protection standards, advisory monitoring procedures, and incident detection requirements. Built for defense contractors who need documentation that holds up in an assessment.
NIST 800-171 practice 3.14.1 requires correcting system flaws in a timely manner but does not prescribe specific timelines. Your organization defines what "timely" means in policy. Commonly accepted benchmarks: critical vulnerabilities (CVSS 9.0+) and CISA KEV items within 15 days, high severity within 30 days, medium severity within 90 days. Whatever timelines you define, you must demonstrate compliance with patch reporting data. Undocumented exceptions draw scrutiny in assessments.
CMMC Level 2 does not require EDR by name, but practices 3.14.2, 3.14.6, and 3.14.7 collectively require capabilities that traditional antivirus alone struggles to satisfy. Traditional antivirus addresses known-signature malware but provides limited visibility for attack detection and unauthorized use identification. EDR platforms like Microsoft Defender for Endpoint, CrowdStrike, or Huntress provide behavioral detection and telemetry that satisfy all three practices more completely. For most contractors, Microsoft Defender for Endpoint (included in M365 Business Premium) is the most cost-effective path.
The CISA Known Exploited Vulnerabilities catalog lists vulnerabilities confirmed to be actively exploited in the wild. For CMMC, KEV entries are relevant to practice 3.14.1 (timely patching) and 3.14.3 (monitoring security advisories). KEV vulnerabilities should be treated as higher-priority patches regardless of CVSS score, because confirmed active exploitation means the risk is immediate rather than theoretical. Subscribe to CISA KEV alerts and integrate them into your patch management prioritization process.
Practices 3.14.2, 3.14.4, and 3.14.5 together require antivirus or endpoint protection deployed on all in-scope systems, automatic definition updates (at least daily), real-time scanning of files as they are downloaded or executed, and periodic full system scans on a documented schedule. Microsoft Defender Antivirus, included with Windows, satisfies these practices when properly configured and managed via Intune or Group Policy.
Practice 3.14.7 requires identifying unauthorized use of organizational systems. Implementation combines user activity monitoring through audit logs to identify access outside normal patterns, EDR behavioral monitoring to detect attacker activity patterns, network monitoring for unusual connections, and account monitoring for login anomalies. The key for assessment is demonstrating that the organization has defined what normal looks like and has mechanisms to detect and alert on deviations from that baseline.