📢 New post: Is It Even in Your Boundary? CVE-2026-0257 and the Question a KEV Clock Asks First · 📝 Also fresh: 20x Is Permanent Now: The Rehearsal's Over, the Rules Land in June · 🚦 Beacon — the FedRAMP 20x KSI emitter — design partners open ✨ · 🆕 20x Hub: program reference, kept current · 🧪 Free tool: KSI Quick Check — paste, run, get the verdict

FedRAMP Controls / SI

SI-3 Malicious Code Protection

Family SI
Baselines moderate
Mapped KSIs 5

Control statement

a. Implement {{ insert: param, si-03_odp.01 }} malicious code protection mechanisms at system entry and exit points to detect and eradicate malicious code;
    b. Automatically update malicious code protection mechanisms as new releases are available in accordance with organizational configuration management policy and procedures;
    c. Configure malicious code protection mechanisms to:
        1. Perform periodic scans of the system {{ insert: param, si-03_odp.02 }} and real-time scans of files from external sources at {{ insert: param, si-03_odp.03 }} as the files are downloaded, opened, or executed in accordance with organizational policy; and
        2.  {{ insert: param, si-03_odp.04 }} ; and send alert to {{ insert: param, si-03_odp.06 }} in response to malicious code detection; and
    d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the system.

Parameter placeholders {{ insert: param, … }} reference FedRAMP-set values in the resolved profile. Full parameter map is preserved in the catalog database.

Covered by these Key Security Indicators

KSITitleCategory
KSI-AFR-04Vulnerability Detection and Response
Document the vulnerability detection and vulnerability response methodology used within the cloud service offering in alignment with the FedRAMP Vulnerability Detection and Response (VDR) process and persistently address all related requirements and recommendations.
Authorization by FedRAMP
KSI-AFR-05Significant Change Notifications
Determine how significant changes will be tracked and how all necessary parties will be notified in alignment with the FedRAMP Significant Change Notifications (SCN) process and persistently address all related requirements and recommendations.
Authorization by FedRAMP
KSI-CMT-02Redeployment
Execute changes to _machine-based_ _information resources_ through redeployment of version controlled immutable resources rather than direct modification wherever possible.
Change Management
KSI-CNA-04Immutable Infrastructure
Use immutable infrastructure with strictly defined functionality and privileges by default.
Cloud Native Architecture
KSI-IAM-05Least Privilege
_Persistently_ ensure that identity and access management employs measures to ensure each user or device can only access the resources they need.
Identity and Access Management