Level 5 CMMC - CMMC Practices


Reference: CMMC 1.02

Family: SC

Level Introduced: 4

Employ mechanisms to analyze executable code and scripts (e.g., sandbox) traversing Internet network boundaries or other organizationally defined boundaries.

CMMC Clarification:
The organization shall install systems that automatically analyze executable and mobile code passing through the system boundary (e.g., downloaded from the Internet or other transmission method.) This practice is not focused on email, which is covered in practice SI.3.220. Any executable or mobile code identified as suspicious should be quarantined and not allowed to pass through to the user until confirmed not to be malware or required for a business purposes.

You are the data security manager for the organization. You have learned that staff routinely browse the Internet and download PDF files and executables as part of their work assignments. To ensure the downloaded files do not contain malware, you install a sandbox appliance in the DMZ which checks all downloads for malicious content.

Advanced malicious executable code has become much better at evading signature-based detection and protection capabilities. Sandboxes and other advanced analytics are more advanced defenses that allow the code or script to execute in an isolated, controlled, and instrumented environment to detect signs of malicious activity.

Source: CMMC v1.02



The organization employs a detonation chamber capability within [Assignment: organization-defined information system, system component, or location].

Supplemental Guidance:
Detonation chambers, also known as dynamic execution environments, allow organizations to open email attachments, execute untrusted or suspicious applications, and execute Universal Resource Locator (URL) requests in the safety of an isolated environment or virtualized sandbox. These protected and isolated execution environments provide a means of determining whether the associated attachments/applications contain malicious code. While related to the concept of deception nets, the control is not intended to maintain a long-term environment in which adversaries can operate and their actions can be observed. Rather, it is intended to quickly identify malicious code and reduce the likelihood that the code is propagated to user environments of operation (or prevent such propagation completely). Related controls: SC-7, SC-25, SC-26, SC-30.

Source: NIST Special Publication 800-53 Rev. 4

Source: CMMC v1.02