This post gives small federal contractors a practical, low-cost blueprint to meet the malicious code protection expectations in FAR 52.204-21 and CMMC 2.0 Level 1 (Control SI.L1-B.1.XIII) — with step-by-step technical recommendations, documentation artifacts you can collect for audits, and real-world examples you can apply today.
What the requirement means in practice
At a practical level this control requires you to prevent, detect, and respond to malware (viruses, trojans, ransomware, worms, etc.) on any information system processing controlled or sensitive information. For small contractors that typically means ensuring endpoints, servers, and portable media have active malicious code protections, routine scanning, and a documented process for handling detections. You don't need enterprise-grade SOCs to comply — you need consistent, demonstrable controls that reduce malware risk to an acceptable level and provide evidence of implementation.
Low-cost technical controls — core implementation steps
Start with defense in depth built from controls that are inexpensive or already bundled with your OS or productivity suites: enable built-in endpoint protection (Microsoft Defender Antivirus / Microsoft Defender for Business, macOS XProtect + Gatekeeper, ClamAV for Linux), enforce automatic updates for the OS and AV signatures, configure scheduled full-system scans (daily, or weekly at minimum), and enable real-time/behavioral protection. Where possible use centrally managed settings (Group Policy, Intune, or the vendor's cloud console) so you can produce standardized screenshots and logs as evidence.
Windows-focused, practical commands and settings
For many small businesses Windows is the primary endpoint. Use Microsoft Defender features to meet requirements at near-zero additional cost: enable Real-Time Protection, Cloud-delivered protection, Automatic sample submission, and PUA (Potentially Unwanted Application) protection. Example PowerShell to set recommended preferences on a Windows 10/11 machine:
Set-MpPreference -DisableRealtimeMonitoring $false -DisableBehaviorMonitoring $false -SubmitSamplesConsent 1 -PUAProtection Enabled -MAPSReporting Advanced
Schedule daily quick scans and weekly full scans with Task Scheduler running Defender's command-line tool MpCmdRun.exe (located under %ProgramFiles%\Windows Defender). Example Task Scheduler action for the daily quick scan: MpCmdRun.exe -Scan -ScanType 1 (use -ScanType 2 for the weekly full scan). Collect and retain Defender's event logs (Event Viewer → Applications and Services Logs → Microsoft → Windows → Windows Defender → Operational) or export logs from Defender's console to demonstrate scan and detection history.
Linux and macOS protections
On Linux use ClamAV with daily signature updates (freshclam) and a daily cron job to scan shared directories and incoming files. Add rkhunter and chkrootkit for basic rootkit scanning. Example cron entries:
0 2 * * * /usr/bin/freshclam
30 2 * * * /usr/bin/clamscan -r --infected --log=/var/log/clamav/daily.log /srv/shared
On macOS ensure Gatekeeper and XProtect are enabled, enable automatic system updates, and consider an inexpensive third-party product that supports centralized reporting if you have multiple Macs. For all OSes, enable disk-level encryption (BitLocker, FileVault) to reduce risk from physical compromise of removable media.
Operational controls, documentation, and evidence for compliance
Technical controls alone are not enough for FAR/CMMC evidence. Maintain a concise set of artifacts: a Malicious Code Protection Policy (one page is fine for small shops) that lists tools and responsibilities; an asset inventory mapping devices to protection status; weekly or monthly scan logs; configuration screenshots (e.g., Defender dashboard showing real-time protection enabled); patch/update schedules; and training acknowledgements that users completed basic malware awareness. Keep incident response notes for any detection (date/time, scope, remediation steps, backups used). These are typical evidence items auditors and assessors expect.
Real-world examples and scenarios
Example 1 — 12-person subcontractor handling CUI: They enable Microsoft Defender for Business (included in Microsoft 365 Business Premium), configure Intune to enforce Defender settings and patching, create a weekly exported report of scan results, and maintain a one-page policy. When a USB stick delivers a malware alert, Defender quarantines the file, the admin documents the detection, isolates the machine from the network, and restores from a known-good backup — that chain of artifacts supports compliance.
Example 2 — small dev shop using Linux servers: They use ClamAV and fail2ban for basic protection, enable unattended upgrades for package security patches, and run weekly scans of /srv/uploads. When a detection occurs, they snapshot the VM for forensic analysis, remove the infected container, rebuild from hardened images, and record the steps in the incident log to show timely and controlled remediation.
Risk of not implementing or under-implementing this control
Without these protections small contractors face immediate operational and contractual risks: malware leading to data exfiltration or ransomware can expose Controlled Unclassified Information (CUI), trigger a reportable incident under FAR, lead to contract termination or suspension, damage future competitiveness, and create liability. Practically, a single infected workstation can spread laterally and cause prolonged outages that a small business may be unable to recover from quickly.
Compliance tips and best practices
Keep implementations simple, repeatable, and documented. Use built-in OS protections before buying third-party tools. Centralize configuration where possible to reduce admin overhead. Automate evidence collection: scheduled exports of AV logs, screenshots, and a single folder of policy and training artifacts for assessors. Practice an incident tabletop once a year and test backups quarterly. Finally, use least privilege for user accounts and block execution from %AppData%/Temp and removable media where feasible — these inexpensive measures greatly reduce malware success.
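The following script is an added example (not from the original post) that ties the Windows Defender settings above to the "automate evidence collection" tip: it checks the recommended Defender preferences, flags anything that drifted, and writes a dated evidence folder with the status snapshot, scan/detection events and a raw log export. It assumes an elevated PowerShell session on Windows 10/11, and the evidence path and the age thresholds are placeholders you should set to your own policy.

```powershell
# Added example: Defender compliance check + evidence export (assumptions: run as
# Administrator; $EvidenceRoot and the day thresholds are placeholders, not from the post).
param(
    [string]$EvidenceRoot = 'C:\ComplianceEvidence\SI.L1',
    [int]$MaxSignatureAgeDays = 3,   # assumed threshold for stale signatures
    [int]$MaxFullScanAgeDays  = 7    # weekly full scan, as the post recommends
)
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$out   = Join-Path $EvidenceRoot "$env:COMPUTERNAME-$stamp"
New-Item -ItemType Directory -Path $out -Force | Out-Null

$status = Get-MpComputerStatus   # live engine state: protection flags, signature/scan ages
$pref   = Get-MpPreference       # configured preferences (what Set-MpPreference wrote)

# Each failed check is a finding to remediate before the evidence is filed.
$findings = @()
if (-not $status.RealTimeProtectionEnabled) { $findings += 'Real-time protection disabled' }
if (-not $status.BehaviorMonitorEnabled)    { $findings += 'Behavior monitoring disabled' }
if ($pref.PUAProtection -ne 1)              { $findings += "PUA protection not enabled (value $($pref.PUAProtection))" }
if ($pref.MAPSReporting -eq 0)              { $findings += 'Cloud-delivered protection (MAPS) off' }
if ($status.AntivirusSignatureAge -gt $MaxSignatureAgeDays) { $findings += "Signatures $($status.AntivirusSignatureAge) days old" }
if ($status.FullScanAge -gt $MaxFullScanAgeDays)            { $findings += "Last full scan $($status.FullScanAge) days ago" }

# Configuration snapshot: the CSV stands in for a dashboard screenshot.
[pscustomobject]@{
    Computer         = $env:COMPUTERNAME
    Collected        = (Get-Date).ToString('o')
    RealTime         = $status.RealTimeProtectionEnabled
    BehaviorMonitor  = $status.BehaviorMonitorEnabled
    PUAProtection    = $pref.PUAProtection
    MAPSReporting    = $pref.MAPSReporting
    SignatureAgeDays = $status.AntivirusSignatureAge
    LastQuickScan    = $status.QuickScanEndTime
    LastFullScan     = $status.FullScanEndTime
    Findings         = ($findings -join '; ')
} | Export-Csv -Path (Join-Path $out 'defender-status.csv') -NoTypeInformation

# Scan history and detections from the Defender Operational log, last 30 days.
# Event IDs: 1001 = scan finished, 1116 = malware detected, 1117 = action taken.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Windows Defender/Operational';
    Id = 1001, 1116, 1117; StartTime = (Get-Date).AddDays(-30) } -ErrorAction SilentlyContinue |
  Select-Object TimeCreated, Id, Message |
  Export-Csv -Path (Join-Path $out 'defender-events.csv') -NoTypeInformation

# Raw log export plus Defender's own detection list, for assessors who want originals.
wevtutil epl 'Microsoft-Windows-Windows Defender/Operational' (Join-Path $out 'defender-operational.evtx')
Get-MpThreatDetection -ErrorAction SilentlyContinue |
  Export-Csv -Path (Join-Path $out 'threat-detections.csv') -NoTypeInformation

if ($findings.Count -gt 0) { Write-Warning ('Findings: ' + ($findings -join '; ')) }
else { Write-Output "All checks passed; evidence written to $out" }
```

Run it from a weekly scheduled task so the evidence folder accumulates a dated history, and treat any warning it prints as an item for the incident or remediation log.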
Summary: Small contractors can meet FAR 52.204-21 and CMMC 2.0 Level 1 malicious code protection expectations without large budgets by leveraging built-in OS protections, low-cost or bundled endpoint tools, simple centralized configuration (Group Policy/Intune), regular scanning and patching, documented policies and logs, and basic incident handling procedures — implement these steps now, collect the evidence, and you’ll substantively reduce malware risk while keeping compliance auditors satisfied.