3.14.4 — Keep Protection Current
What It Says
Update malicious code protection mechanisms when new releases are available.
What It Actually Means
Your endpoint protection — AV/EDR — must stay current. This means both components:
Signatures/definitions — the database of known threats. These update multiple times daily for modern EDR. Automatic updates should be configured and verified. A system with signatures more than 24 hours old is falling behind.
Engine/platform — the detection software itself. Vendors release engine updates less frequently (monthly or quarterly) but they’re equally important. New engine versions include improved behavioral detection, new scanning capabilities, and bug fixes.
The requirement is simple: when the vendor releases an update, your systems apply it. The assessor checks:
- Automatic updates are configured. Not manual — automatic. The management console should show auto-update enabled for all managed systems.
- Updates are actually applying. Auto-update is configured, but is it working? The assessor will check signature dates on CUI systems. If any system is more than a day behind, that’s a gap. The central management console should show the signature version and last update time for every system.
- Failures are detected. If an update fails on a system, someone knows about it. The management console should flag systems with outdated protection, and alerting should notify the security team.
This is a companion to 3.14.2 (deploy protection). That requirement says “have it everywhere.” This requirement says “keep it current everywhere.”
Pass or Fail
Your assessor needs a “yes” to every row:
| # | Question | What “yes” looks like |
|---|---|---|
| 1 | Are malicious code protection mechanisms updated when new releases are available? | Auto-update configured; console shows all systems current; signature dates within 24 hours |
What to Have Ready on Assessment Day
Documents they’ll review: System and information integrity policy; procedures addressing malicious code protection updates; system security plan; system configuration showing auto-update settings; EDR/AV management console showing update status; records of protection updates
People they’ll talk to: System or network administrators; information security personnel; personnel responsible for malicious code protection
Live demos they’ll ask for: “Show me the update configuration — is it automatic?” “Show me the console — what’s the signature date on each system?” “Are any systems behind? How do you detect that?” “Show me the engine version — is it current?”
The Assessor’s Playbook
These are the actual questions. Have answers ready.
- “How frequently are your malware definitions updated? Show me the configuration.”
- “Show me the signature version on a CUI workstation — when was it last updated?”
- “Show me the management console — are any systems behind on updates?”
- “What happens if an update fails? How do you detect it?”
- “Are engine updates applied in addition to signature updates?”
- “Is there a defined frequency for how quickly updates must be applied?”
Where Companies Trip Up
Manual updates only. Updates require someone to manually trigger them. On a busy week, nobody does it. Configure automatic updates — this is non-negotiable for modern endpoint protection.
Auto-update configured but failing silently. The setting is on but updates aren’t applying — network issues, proxy problems, or service crashes. Nobody notices because there’s no monitoring. Use the management console to verify update status and alert on systems that fall behind.
Signatures update but engine doesn’t. Definitions refresh daily but the engine version is months old. An old engine may not support new detection techniques even with current signatures. Apply engine updates on a defined schedule.
No compliance enforcement. Systems fall behind on updates but still access CUI resources. Use conditional access or compliance policies to block outdated systems from CUI data until they update.
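The three assessor checks (auto-update on, updates applying, failures detected) and the failure modes above, turned into a script you could run against a console export before assessment day. This is an added example, not code from the original page or from any vendor; the CSV column names, the sample rows and the 24-hour thresholds are assumptions, and engine versions are assumed to be dotted numerics.

```python
"""Flag endpoints whose malicious-code protection is not current.

Assumed input: a CSV export from the AV/EDR management console with columns
hostname, auto_update, signature_version, signature_updated (ISO 8601 UTC),
engine_version, last_seen (ISO 8601 UTC). Real consoles name these differently.
"""
import csv
import io
from datetime import datetime, timedelta

MAX_SIGNATURE_AGE = timedelta(hours=24)  # the page's "more than a day behind"
MAX_CHECKIN_AGE = timedelta(hours=24)    # a silent agent hides failed updates

# Constructed sample export (not real hosts or versions).
SAMPLE_EXPORT = """hostname,auto_update,signature_version,signature_updated,engine_version,last_seen
ws-cui-01,true,1.421.300.0,2025-01-10T08:15:00Z,4.18.25,2025-01-10T09:00:00Z
ws-cui-02,true,1.419.850.0,2025-01-07T22:40:00Z,4.18.25,2025-01-10T08:55:00Z
ws-cui-03,false,1.421.300.0,2025-01-10T07:50:00Z,4.18.25,2025-01-10T08:58:00Z
ws-cui-04,true,1.421.300.0,2025-01-10T08:10:00Z,4.18.21,2025-01-10T08:57:00Z
ws-cui-05,true,1.418.120.0,2025-01-06T11:00:00Z,4.18.25,2025-01-06T12:00:00Z
"""
SAMPLE_NOW = "2025-01-10T09:30:00Z"  # assessment-time reference clock

def parse_ts(value):
    """Parse an ISO 8601 UTC timestamp with a trailing Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def version_tuple(version):
    """'4.18.25' -> (4, 18, 25) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))

def find_gaps(export_csv, current_engine, now_iso):
    """Return {hostname: [findings]} for every system that fails a check."""
    now = parse_ts(now_iso)
    gaps = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        findings = []
        if row["auto_update"].strip().lower() != "true":
            findings.append("auto-update disabled")
        if now - parse_ts(row["signature_updated"]) > MAX_SIGNATURE_AGE:
            findings.append("signatures older than 24h")
        if version_tuple(row["engine_version"]) < version_tuple(current_engine):
            findings.append(f"engine {row['engine_version']} behind {current_engine}")
        if now - parse_ts(row["last_seen"]) > MAX_CHECKIN_AGE:
            findings.append("no console check-in in 24h (silent failure?)")
        if findings:
            gaps[row["hostname"]] = findings
    return gaps

if __name__ == "__main__":
    for host, findings in find_gaps(SAMPLE_EXPORT, "4.18.25", SAMPLE_NOW).items():
        print(f"{host}: {'; '.join(findings)}")
```

Any host in the output is an assessment gap and, per the last point above, a candidate for a compliance policy that blocks it from CUI resources until it catches up.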
How to Talk About This
Connected Requirements
| Requirement | Why it matters here |
|---|---|
| 3.14.2 — Deploy Anti-Malware | Deploys the protection this requirement keeps current |
| 3.14.5 — Scan Regularly | Periodic scans use the updated signatures maintained here |
| 3.4.2 — Harden Everything | Auto-update configuration is part of the security baseline |
| 3.14.1 — Patch Your Systems | Protection mechanism updates are a form of patching |
Implementation
Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.
CMMC Practice ID: SI.L2-3.14.4 | SPRS Weight: 5 points | POA&M Eligible: No