SC-35—External Malicious Code Identification
>Control Description
Include system components that proactively seek to identify network-based malicious code or malicious websites.
>Cross-Framework Mappings
NIST CSF 2.0 (via NIST CSF 2.0 Concept Crosswalk)
>Supplemental Guidance
External malicious code identification differs from decoys in SC-26 in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.
>Related Controls
>Assessment Interview Topics
Questions assessors commonly ask
Process & Governance:
- What policies govern the implementation of external malicious code identification?
- How are system and communications protection requirements defined and maintained?
- Who is responsible for configuring and maintaining the security controls specified in SC-35?
Technical Implementation:
- How is external malicious code identification technically implemented in your environment?
- What systems, tools, or configurations enforce this protection requirement?
- How do you ensure that external malicious code identification remains effective as the system evolves?
- What network boundary protections are in place (firewalls, gateways, etc.)?
Evidence & Documentation:
- What documentation demonstrates the implementation of SC-35?
- Can you provide configuration evidence or system diagrams showing this protection control?
- What logs or monitoring data verify that this control is functioning correctly?
- Can you provide network architecture diagrams and firewall rulesets?