Back to Control Explorer



Control Acronym



System And Communications Protection

CMMC Level


800-171 Control #


CMMC Description

Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.

CMMC Clarification

The organization shall install systems that automatically analyze executable and mobile code passing through the system boundary (e.g., downloaded from the Internet or other transmission method.) This practice is not focused on email, which is covered in practice SI.3.220. Any executable or mobile code identified as suspicious should be quarantined and not allowed to pass through to the user until confirmed not to be malware or required for a business purposes. Example You are the data security manager for the organization. You have learned that staff routinely browse the Internet and download PDF files and executables as part of their work assignments. To ensure the downloaded files do not contain malware, you install a sandbox appliance in the DMZ which checks all downloads for malicious content.

800-171 Description

800-171 Discussion


Other Source Discussion

CMMC Advanced malicious executable code has become much better at evading signature-based detection and protection capabilities. Sandboxes and other advanced analytics are more advanced defenses that allow the code or script to execute in an isolated, controlled, and instrumented environment to detect signs of malicious activity.

CIS Control References

NIST 800-53 Control Ref.

CMMC Derived

NIST CSF Control References

NIST 800-171 References

Applicable FAR Clause

NIST CSF Control Reference

CERT RMM Reference

Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

Assessment Sub-Criteria 2

Assessment Sub-Criteria 3

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15