An error occurred:

© 2025 Xylok, LLC

Version: releases-v2025.10.2 - rmfrev5

Navigate

SI-3(6)

SI-3(6): Testing and Verification

(a): Test malicious code protection mechanisms [the frequency at which to test malicious code protection mechanisms is defined;] by introducing known benign code into the system; and

(b): Verify that the detection of the code and the associated incident reporting occur.

Supplemental

None.

CIA Levels
Confidentiality	unknown
Integrity	unknown
Availability	unknown

Overlays
None

CSF Categories
None

Related Controls

The controls below (if any) were marked by NIST as being related to SI-3(6).

Control	Description
CA-2	a: Select the appropriate assessor or assessment team for the type of assessment to be conducted; b: Develop a control assessment plan that describes the scope of the assessment including: 1: Controls and control enhancements under assessment; 2: Assessment procedures to be used to determine control effectiveness; and 3: Assessment environment, assessment team, and assessment roles and responsibilities; c: Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment; d: Assess the controls in the system and its environment of operation [the frequency at which to assess controls in the system and its environment of operation is defined;] to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements; e: Produce a control assessment report that document the results of the assessment; and f: Provide the results of the control assessment to [individuals or roles to whom control assessment results are to be provided are defined;].
CA-7	Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes: a: Establishing the following system-level metrics to be monitored: [system-level metrics to be monitored are defined;]; b: Establishing [frequencies at which to monitor control effectiveness are defined;] for monitoring and [frequencies at which to assess control effectiveness are defined;] for assessment of control effectiveness; c: Ongoing control assessments in accordance with the continuous monitoring strategy; d: Ongoing monitoring of system and organization-defined metrics in accordance with the continuous monitoring strategy; e: Correlation and analysis of information generated by control assessments and monitoring; f: Response actions to address results of the analysis of control assessment and monitoring information; and g: Reporting the security and privacy status of the system to [one of ] [one of ].
RA-5	a: Monitor and scan for vulnerabilities in the system and hosted applications [one of ] and when new vulnerabilities potentially affecting the system are identified and reported; b: Employ vulnerability monitoring tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for: 1: Enumerating platforms, software flaws, and improper configurations; 2: Formatting checklists and test procedures; and 3: Measuring vulnerability impact; c: Analyze vulnerability scan reports and results from vulnerability monitoring; d: Remediate legitimate vulnerabilities [response times to remediate legitimate vulnerabilities in accordance with an organizational assessment of risk are defined;] in accordance with an organizational assessment of risk; e: Share information obtained from the vulnerability monitoring process and control assessments with [personnel or roles with whom information obtained from the vulnerability scanning process and control assessments is to be shared;] to help eliminate similar vulnerabilities in other systems; and f: Employ vulnerability monitoring tools that include the capability to readily update the vulnerabilities to be scanned.

Enhancements

The controls below (if any) add on to the requirements of SI-3(6).

Control	Description
No controls

Related CCIs

The CCIs below are tied to SI-3(6).

CCI	Definition
CCI-001251	Test malicious code protection mechanisms on an organization-defined frequency by introducing a known benign code into the system.
CCI-001669	Defines the frequency of testing malicious code protection mechanisms.
CCI-002625	When testing malicious code protection mechanisms, verify the detection of the code.
CCI-002626	When testing malicious code protection mechanisms, verify the associated incident reporting of the code occurs.