For a practice to be adequately implemented in a CMMC Level 2 assessment, the responsible personnel must demonstrate knowledge of deployment, maintenance, and operation of security tools such as antivirus programs. Simply having the tool in place is not sufficient; there must be evidence that it is properly configured, updated, and monitored to protect against threats.
Step-by-Step Breakdown:
✅ 1. Relevant CMMC and NIST SP 800-171 Requirements
CMMC Level 2 aligns with NIST SP 800-171, which includes:
Requirement 3.14.5 (System and Information Integrity - SI-3):
"Employ automated mechanisms to identify, report, and correct system flaws in a timely manner."
Requirement 3.14.6 (SI-3(2)):
These requirements imply that the person responsible for antivirus must understand how it is deployed and maintained to ensure compliance.
✅ 2. Why the Team Member’s Knowledge is Insufficient
Antivirus tools require regular updates, configuration adjustments, and monitoring to function properly.
The responsible team member must:
Know how the antivirus was deployed across systems.
Be able to confirm updates, logs, and alerts are monitored.
Understand how to respond to malware detections and failures.
If the team member lacks this knowledge, assessors may determine the practice is not fully implemented.
✅ 3. Why the Other Answer Choices Are Incorrect:
(A) Yes, the antivirus program is available, so it is sufficient. ❌
Incorrect: Just having antivirus software installed does not prove compliance. It must be managed and maintained.
(B) Yes, antivirus programs are automated to run independently. ❌
Incorrect: While automation helps, security tools require oversight, updates, and configuration.
(D) No, the team member's interview answers about deployment and maintenance are insufficient. ❌
Partially correct but incomplete: The main issue is that the team member must have sufficient knowledge, not just that their answers are weak.
Final Validation from CMMC Documentation: The CMMC Assessment Guide for SI-3 and SI-3(2) states that personnel must understand the function, deployment, and maintenance of security tools to ensure proper implementation.
Thus, the correct answer is: