NIST 800-53 REV 5 • SYSTEM AND COMMUNICATIONS PROTECTION

SC-35 External Malicious Code Identification

Include system components that proactively seek to identify network-based malicious code or malicious websites.

CMMC Practice Mapping

No direct CMMC mapping

NIST 800-171 Mapping

No direct NIST 800-171 mapping

Related Controls

Supplemental Guidance

External malicious code identification differs from decoys in [SC-26](#sc-26) in that the components actively probe networks, including the Internet, in search of malicious code contained on external websites. Like decoys, the use of external malicious code identification techniques requires some supporting isolation measures to ensure that any malicious code discovered during the search and subsequently executed does not infect organizational systems. Virtualization is a common technique for achieving such isolation.

Practitioner Notes

Use external services and threat intelligence to identify malicious code before it reaches your systems — catching threats at the boundary rather than on the endpoint.

Example 1: Subscribe to threat intelligence feeds (CISA AIS, commercial feeds) and integrate them with your email gateway and firewall. Known malicious file hashes, URLs, and IP addresses are automatically blocked before they reach your users.
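The matching step in Example 1, as an added illustration that is not from NIST or from any gateway product: a small Python indicator index built from a constructed feed (hypothetical hash, domain, URL and IP values, not real indicators) and a decision function that checks one inbound message's sender address, body URLs and attachment hashes before delivery. The feed format and the message fields are assumptions; real feeds such as CISA AIS are delivered as STIX.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed feed with hypothetical values (not real IoCs); only the matching logic is shown.
FEED = [
    {"type": "sha256", "value": hashlib.sha256(b"MZ\x90\x00constructed-sample").hexdigest()},
    {"type": "domain", "value": "Phish.Example.Net."},
    {"type": "url", "value": "HTTP://updates.example.org/loader.php/"},
    {"type": "ipv4", "value": "198.51.100.23"},
]
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalise_url(url):
    """Lower-case the host and drop scheme and trailing slash so feed and message agree."""
    p = urlparse(url)
    return (p.hostname or "").lower() + p.path.rstrip("/")


def load_feed(feed):
    """Index indicators by type, normalised so that trivial variations still match."""
    idx = {"sha256": set(), "domain": set(), "url": set(), "ipv4": set()}
    for ind in feed:
        kind, v = ind["type"], ind["value"].strip()
        if kind == "domain":
            v = v.lower().rstrip(".")
        elif kind == "url":
            v = normalise_url(v)
        else:  # sha256 hex digests and IPv4 literals: only letter case can vary
            v = v.lower()
        idx[kind].add(v)
    return idx


def evaluate_message(idx, sender_ip, body, attachments):
    """Decide block/deliver for one inbound message; attachments is {name: bytes}."""
    hits = []
    if sender_ip.lower() in idx["ipv4"]:
        hits.append(("ipv4", sender_ip))
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        # A domain indicator also covers its subdomains (e.g. www.phish.example.net).
        if any(host == d or host.endswith("." + d) for d in idx["domain"]):
            hits.append(("domain", host))
        if normalise_url(url) in idx["url"]:
            hits.append(("url", url))
    for name, data in attachments.items():
        if hashlib.sha256(data).hexdigest() in idx["sha256"]:
            hits.append(("sha256", name))
    return ("block" if hits else "deliver"), hits
```

A gateway would log the returned hits alongside the feed source so that a block can be traced back to the indicator that caused it.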

Example 2: Use a cloud-based sandbox service (like Microsoft Defender for Office 365 Safe Attachments or Palo Alto WildFire) that detonates suspicious files in an isolated environment. If the file exhibits malicious behavior, it is blocked from reaching the user.