System And Communications Protection
Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.
The organization shall install systems that automatically analyze executable and mobile code passing through the system boundary (e.g., downloaded from the Internet or received by another transmission method). This practice is not focused on email, which is covered in practice SI.3.220. Any executable or mobile code identified as suspicious should be quarantined and not allowed to pass through to the user until it is confirmed not to be malware or confirmed to be required for a business purpose.

Example
You are the data security manager for the organization. You have learned that staff routinely browse the Internet and download PDF files and executables as part of their work assignments. To ensure the downloaded files do not contain malware, you install a sandbox appliance in the DMZ which checks all downloads for malicious content.
CMMC
Advanced malicious executable code has become much better at evading signature-based detection and protection capabilities. Sandboxes and other advanced analytics are stronger defenses: they allow the code or script to execute in an isolated, controlled, and instrumented environment and look for signs of malicious activity in its behavior rather than in its signature.
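The following is an added example, not part of the CMMC text and not the code of any sandbox product. It models the boundary gate the practice and the clarification describe: content crossing the boundary is classified by its magic bytes (so a renamed executable or a PDF served with the wrong extension is still caught), executable and mobile code is detonated and held in quarantine, and the verdict comes from behaviors observed during detonation (persistence writes, unexpected network destinations, a document spawning a shell) rather than from a signature. The `simulated_detonation` function, the sample blobs, the allowed host `updates.example.com`, the address `203.0.113.7`, and the indicator thresholds are all constructed for the example; a real deployment would replace `simulated_detonation` with the appliance's detonation API.

```python
"""Boundary gate: classify crossing content, detonate code, hold until a verdict."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable


class Verdict(Enum):
    CLEAN = "clean"
    MALICIOUS = "malicious"


# Magic-byte signatures of content that must be analyzed regardless of the
# file name or Content-Type a remote server supplied.
MAGIC_CODE = {
    b"MZ": "pe-executable",            # Windows PE
    b"\x7fELF": "elf-executable",      # Linux ELF
    b"#!": "script",                   # shebang scripts
    b"%PDF": "pdf",                    # PDF may embed JavaScript or files
    b"\xd0\xcf\x11\xe0": "ole-document",  # legacy Office (macro capable)
    b"PK\x03\x04": "zip-container",    # zip, OOXML Office, JAR
}
DOCUMENT_KINDS = {"pdf", "ole-document", "zip-container"}
SHELLS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def classify(data: bytes) -> str | None:
    """Return the code/mobile-code kind of a blob, or None if it is inert content."""
    for magic, kind in MAGIC_CODE.items():
        if data.startswith(magic):
            return kind
    return None


@dataclass(frozen=True)
class SandboxReport:
    """Behaviors recorded while the sample ran in the instrumented environment."""
    spawned_processes: tuple[str, ...] = ()
    persistence_writes: tuple[str, ...] = ()   # autorun keys, cron entries, services
    network_destinations: tuple[str, ...] = ()
    files_modified: int = 0


def verdict_from_report(report: SandboxReport, kind: str,
                        allowed_hosts: frozenset[str]) -> tuple[Verdict, tuple[str, ...]]:
    """Behavioral rules over the report; thresholds are constructed for this example."""
    indicators: list[str] = []
    if report.persistence_writes:
        indicators.append("persistence")
    if any(dst not in allowed_hosts for dst in report.network_destinations):
        indicators.append("unexpected-network")
    if report.files_modified >= 100:
        indicators.append("mass-file-modification")
    if kind in DOCUMENT_KINDS and any(p.lower() in SHELLS for p in report.spawned_processes):
        indicators.append("shell-spawn")  # a document has no business launching a shell
    return (Verdict.MALICIOUS if indicators else Verdict.CLEAN), tuple(indicators)


@dataclass
class QuarantineItem:
    sha256: str
    kind: str
    verdict: Verdict
    indicators: tuple[str, ...]
    released_by: str | None = None   # set when a reviewer confirms a business need


@dataclass
class BoundaryGate:
    detonate: Callable[[bytes], SandboxReport]
    allowed_hosts: frozenset[str]
    quarantine: dict[str, QuarantineItem] = field(default_factory=dict)

    def inspect(self, data: bytes) -> tuple[str, Verdict]:
        """Inert content passes; code is detonated once per hash and held with its verdict."""
        digest = hashlib.sha256(data).hexdigest()
        kind = classify(data)
        if kind is None:
            return digest, Verdict.CLEAN
        item = self.quarantine.get(digest)
        if item is None:
            verdict, indicators = verdict_from_report(self.detonate(data), kind, self.allowed_hosts)
            item = QuarantineItem(digest, kind, verdict, indicators)
            self.quarantine[digest] = item
        return digest, item.verdict

    def release(self, digest: str, approver: str) -> bool:
        """Record a reviewer's decision that a held item is required for business purposes."""
        item = self.quarantine.get(digest)
        if item is None:
            return False
        item.released_by = approver
        return True


# Constructed samples (not real files, not malware): only the magic bytes matter here.
SAMPLE_TEXT = b"quarterly report, plain text"
SAMPLE_PDF = b"%PDF-1.7 constructed sample"
SAMPLE_PE = b"MZ constructed sample"


def simulated_detonation(data: bytes) -> SandboxReport:
    """Stand-in for the appliance's detonation API; returns constructed behavior reports."""
    if data == SAMPLE_PDF:   # document that launches a shell and calls out to an unknown host
        return SandboxReport(spawned_processes=("powershell.exe",),
                             network_destinations=("203.0.113.7",))
    if data == SAMPLE_PE:    # installer that only contacts the expected update host
        return SandboxReport(spawned_processes=("installer.exe",),
                             network_destinations=("updates.example.com",))
    return SandboxReport()


if __name__ == "__main__":
    gate = BoundaryGate(simulated_detonation, frozenset({"updates.example.com"}))
    for blob in (SAMPLE_TEXT, SAMPLE_PDF, SAMPLE_PE):
        digest, verdict = gate.inspect(blob)
        print(digest[:12], classify(blob), verdict.value,
              gate.quarantine[digest].indicators if digest in gate.quarantine else ())
```

Keying the quarantine on the file hash means a second download of the same blob is answered from the existing verdict instead of being detonated again, and the `released_by` field keeps an audit trail of who accepted a held item for a business purpose, which is the evidence an assessor will ask for.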