3.14.3

Requirement

a. Receive system security alerts, advisories, and directives from external organizations on an ongoing basis.
b. Generate and disseminate internal system security alerts, advisories, and directives, as necessary.

Discussion

There are many publicly available sources of system security alerts and advisories. The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the National Security Agency (NSA), and the Federal Bureau of Investigation (FBI) generate security alerts and advisories to maintain situational awareness across the Federal Government and in nonfederal organizations. Software vendors, subscription services, and industry Information Sharing and Analysis Centers (ISACs) may also provide security alerts and advisories. Compliance with security directives is essential due to the critical nature of many of these directives and the potential immediate adverse effects on organizational operations and assets, individuals, other organizations, and the Nation should the directives not be implemented in a timely manner.

NIST 800-171A r3 Assessment Guidance

Examine

[SELECT FROM: system and information integrity policy and procedures; configuration management policy and procedures; procedures for malicious code protection; records of malicious code protection updates; system design documentation; system configuration settings; scan results from malicious code protection mechanisms; record of actions initiated by malicious code protection mechanisms in response to malicious code detection; system audit records; system security plan; other relevant documents or records]
Interview

[SELECT FROM: processes for employing, updating, and configuring malicious code protection mechanisms; processes for addressing the detection of false positives and resulting potential impacts; mechanisms for supporting or implementing, employing, updating, and configuring malicious code protection mechanisms; mechanisms for supporting or implementing malicious code scanning and the execution of subsequent actions]
Test

[SELECT FROM: personnel responsible for malicious code protection; personnel with system installation, configuration, or maintenance responsibilities; personnel with information security responsibilities; system administrators]

ID	Assessment Objectives
A.03.14.03.a	system security alerts, advisories, and directives from external organizations are received on an ongoing basis.
A.03.14.03.b[01]	internal security alerts, advisories, and directives are generated, as necessary.
A.03.14.03.b[02]	internal security alerts, advisories, and directives are disseminated, as necessary.

Our CMMC Overview Course simplifies CMMC. Enroll so you can make informed decisions!