
How to Choose and Configure Anti-Malware Tools for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XIII: Vendor Selection and Deployment

Practical guidance for choosing, configuring, and documenting anti‑malware tools to meet FAR 52.204‑21 and CMMC 2.0 Level 1 SI.L1‑B.1.XIII requirements.

April 07, 2026
5 min read


Meeting FAR 52.204-21 and CMMC 2.0 Level 1 Control SI.L1-B.1.XIII means you must select, deploy, and manage anti‑malware capabilities in a way that demonstrably reduces the risk of compromise; this post provides concrete selection criteria, deployment steps, configuration settings, and small‑business examples so you can implement the control and document your decisions for auditors.

Vendor selection: practical criteria tied to compliance goals

Start by translating the control into requirements you can score: real‑time protection, automated signature/definition updates, heuristic/behavioral detection, centralized management for visibility, and a vendor that can provide evidence (logs, configuration exports, support SLA) during an audit. Evaluate vendors against objective signals: independent lab/field test results (AV‑Comparatives, SE Labs), MITRE Engenuity ATT&CK Evaluations for detection coverage, documented telemetry/alert export (API or syslog), and endpoint coverage for your OS mix (Windows, macOS, Linux, mobile if needed). For small businesses with limited budgets, factor in Microsoft Defender for Business / Defender Antivirus (with Intune/Endpoint Manager) as a baseline option that can meet many Level 1 requirements when centrally managed and correctly configured.

Technical selection checklist (quick reference)

Use a short technical checklist during procurement: (1) cloud‑delivered protection + local heuristics, (2) tamper/protection controls to prevent users from disabling the agent, (3) automatic updates at least every 24 hours (ideally hourly or continuous cloud updates), (4) EDR capabilities or integration with EDR/SIEM for telemetry retention, (5) documented API/syslog for log export, (6) low false positive footprint and rollback/remediation options, and (7) vendor support commitments/SLA for incident escalation. Capture vendor responses in a scored spreadsheet and keep the procurement record as evidence.

Deployment and configuration: settings that auditors expect to see

Configure agents to enforce these baseline settings: enable real‑time protection and cloud‑delivered intelligence, enable tamper protection, set automatic signature/definition updates, enable behavior‑based detection and exploit mitigation, and set auto‑quarantine for high‑confidence detections. Recommended schedules: quick scans daily, full scans weekly (e.g., weekly full scan Sunday 02:00), and signature update policy set to automatic and checked every hour if possible. Minimize exclusions — only allow documented, reviewed, and signed exclusions (path/hash/process) and store those approvals in change control records. Where possible enable network protection / web filtering features to block known malicious URLs and use DNS filtering as a complementary control.

Practical config values and actions

Example settings for Windows endpoints: enable Microsoft Defender real‑time protection, cloud‑delivered protection, and tamper protection; set automatic sample submission and cloud lookups; configure scheduled tasks for quick/full scans; set quarantine to auto and retention 30–90 days for logs. For third‑party agents, ensure the central console enforces policies (policy push) and that agents run as system services with tamper guard enabled. Run a controlled EICAR test to prove detection in your environment and keep test evidence (screenshots, logs) for auditors.
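The following PowerShell script is an added example, not code from the original post or from any vendor: it applies the Windows Defender baseline described above with the built-in Defender module, reads back the effective state (including tamper protection, which this module cannot set), and runs the controlled EICAR test the paragraph calls for. The Sunday 02:00 full scan and the 90-day quarantine retention are the article's own example values; the daily quick-scan time and the temp file path are assumptions.

```powershell
# Added example (not from the original post): apply, verify, and test the
# Defender baseline. Run elevated on Windows 10/11 or Server with Microsoft
# Defender Antivirus. Scan times and retention are the article's example values.
#Requires -RunAsAdministrator
Import-Module Defender -ErrorAction Stop

# 1. Baseline settings, splatted so the values can be reviewed and version-controlled.
$baseline = @{
    DisableRealtimeMonitoring      = $false            # real-time protection on
    DisableBehaviorMonitoring      = $false            # behavior-based detection on
    DisableIOAVProtection          = $false            # scan downloads and attachments
    MAPSReporting                  = 'Advanced'        # cloud-delivered protection
    SubmitSamplesConsent           = 'SendSafeSamples' # automatic sample submission
    CloudBlockLevel                = 'High'
    PUAProtection                  = 'Enabled'
    EnableNetworkProtection        = 'Enabled'         # block known malicious URLs/IPs
    SignatureUpdateInterval        = 1                 # check for definitions hourly
    ScanParameters                 = 'FullScan'        # type of the scheduled scan
    ScanScheduleDay                = 'Sunday'
    ScanScheduleTime               = '02:00:00'        # weekly full scan, Sunday 02:00
    ScanScheduleQuickScanTime      = '12:00:00'        # daily quick scan (assumed time)
    QuarantinePurgeItemsAfterDelay = 90                # keep quarantined items 90 days
}
# With tamper protection on, Set-MpPreference cannot change protected settings;
# push them from Intune/Defender portal and use steps 2-3 to verify instead.
try   { Set-MpPreference @baseline -ErrorAction Stop }
catch { Write-Warning "Some settings were not applied: $($_.Exception.Message)" }

# 2. Read back the effective state. IsTamperProtected is read-only here.
$status = Get-MpComputerStatus
$pref   = Get-MpPreference
[pscustomobject]@{
    RealTimeProtection   = $status.RealTimeProtectionEnabled
    BehaviorMonitoring   = $status.BehaviorMonitorEnabled
    TamperProtected      = $status.IsTamperProtected
    CloudProtection      = $pref.MAPSReporting           # 2 = Advanced
    NetworkProtection    = $pref.EnableNetworkProtection # 1 = Enabled
    SignatureAgeDays     = $status.AntivirusSignatureAge
    SignatureUpdateHours = $pref.SignatureUpdateInterval
} | Format-List

# 3. Controlled detection test. The EICAR file is the harmless industry-standard
# test string; real-time protection should block or quarantine it on write.
$eicarPath = Join-Path $env:TEMP 'eicar-test.com'   # assumed location
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*'
try   { [IO.File]::WriteAllText($eicarPath, $eicar) }
catch { Write-Host "Write blocked by real-time protection: $($_.Exception.Message)" }
Start-Sleep -Seconds 10

# Pull the detection record as audit evidence (ThreatID, time, remediation result).
$hit = Get-MpThreatDetection |
       Where-Object { $_.Resources -match 'eicar' } |
       Sort-Object InitialDetectionTime -Descending |
       Select-Object -First 1 ThreatID, InitialDetectionTime, ActionSuccess, Resources
if ($hit) {
    $hit | ConvertTo-Json | Set-Content -Path (Join-Path $env:TEMP 'eicar-evidence.json')
    $hit
} else {
    Write-Warning 'No EICAR detection recorded; do not rely on this agent until real-time protection is confirmed.'
}
```

Two practical notes: Defender will quarantine any file that contains the EICAR string, including this script if it is saved to disk, so paste step 3 into an elevated console rather than running it from a .ps1; and on endpoints where Intune enforces tamper protection, step 1 will warn and the Intune policy remains the source of truth, which is exactly what an auditor wants to see.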

Rollout: pilot, scale, and automation

Deploy in three phases: pilot (5–10 representative endpoints), staged rollout (department by department), and full enforcement. Use automation tools you already have: Microsoft Intune/Endpoint Configuration Manager (SCCM) or Jamf for macOS, and scripted MSI/DEB/RPM installs for environments without MDM. During pilot, measure CPU/memory impact, false positives, and compatibility with line‑of‑business apps; maintain an exceptions log for any exclusions. Automate agent install and policy application via your MDM or management scripts, and ensure uninstall prevention is enabled to maintain compliance posture.

Logging, monitoring, and documentation for audits

CMMC and FAR audits want evidence: maintain an inventory of installed anti‑malware versions, a change log of policy updates, signed vendor contracts or licensing, evidence of update cadence (update logs), detection logs showing quarantines and remediation, and results of at least one detection test (EICAR). Forward agent telemetry to a central collector or SIEM (Splunk, Elastic, Azure Sentinel) via API, syslog or vendor connectors. Retain logs for a minimum period defined by contract — practical baseline is 90 days for Level 1 evidence — and ensure logs are tamper‑protected (WORM storage or restricted access) and included in your incident response playbook.
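To turn the evidence list above into a repeatable artifact, here is an added example script (not part of the original post, and not a vendor tool) that collects the per-endpoint items named in the paragraph from Microsoft Defender: agent and signature versions, protection state, update and scan cadence, the exclusions register, and detections from the last 90 days. It scores the state against a baseline and writes a hashed JSON file. The pass thresholds and the evidence folder under ProgramData are this example's assumptions, not values from the article.

```powershell
# Added example (not from the original post): collect anti-malware audit evidence
# from one Windows endpoint and score it against a baseline. Thresholds and the
# evidence folder are this example's assumptions. Run elevated.
#Requires -RunAsAdministrator
Import-Module Defender -ErrorAction Stop

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# Baseline checks: observed value plus pass condition (assumed thresholds).
$checks = @(
    @{ Name = 'RealTimeProtection';   Value = $status.RealTimeProtectionEnabled; Pass = [bool]$status.RealTimeProtectionEnabled }
    @{ Name = 'BehaviorMonitoring';   Value = $status.BehaviorMonitorEnabled;    Pass = [bool]$status.BehaviorMonitorEnabled }
    @{ Name = 'TamperProtection';     Value = $status.IsTamperProtected;         Pass = [bool]$status.IsTamperProtected }
    @{ Name = 'CloudProtection';      Value = $pref.MAPSReporting;               Pass = ($pref.MAPSReporting -ne 0) }          # 0 = Disabled
    @{ Name = 'SignatureAgeDays';     Value = $status.AntivirusSignatureAge;     Pass = ($status.AntivirusSignatureAge -le 1) } # updated within 24 h
    @{ Name = 'SignatureUpdateHours'; Value = $pref.SignatureUpdateInterval;     Pass = ($pref.SignatureUpdateInterval -le 24) } # 0 = product default
    @{ Name = 'QuickScanAgeDays';     Value = $status.QuickScanAge;              Pass = ($status.QuickScanAge -le 1) }
    @{ Name = 'FullScanAgeDays';      Value = $status.FullScanAge;               Pass = ($status.FullScanAge -le 7) }
) | ForEach-Object { [pscustomobject]$_ }

# Detections in the last 90 days, with threat names resolved from the threat catalog.
$names = @{}
Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
$detections = Get-MpThreatDetection |
    Where-Object { $_.InitialDetectionTime -gt (Get-Date).AddDays(-90) } |
    ForEach-Object {
        [pscustomobject]@{
            Time       = $_.InitialDetectionTime.ToString('o')
            Threat     = $names[$_.ThreatID]
            Resources  = @($_.Resources)
            Remediated = $_.ActionSuccess
        }
    }

# Evidence record: one JSON document per host per day.
$evidence = [ordered]@{
    Host         = $env:COMPUTERNAME
    CollectedUtc = (Get-Date).ToUniversalTime().ToString('o')
    Versions     = [ordered]@{
        Platform   = $status.AMProductVersion
        Engine     = $status.AMEngineVersion
        Signatures = $status.AntivirusSignatureVersion
    }
    Checks       = $checks
    Exclusions   = [ordered]@{            # exclusions register, to reconcile with change control
        Paths      = @($pref.ExclusionPath)
        Extensions = @($pref.ExclusionExtension)
        Processes  = @($pref.ExclusionProcess)
    }
    Detections   = @($detections)
}

$folder = Join-Path $env:ProgramData 'Compliance\SI.L1-B.1.XIII'   # assumed evidence folder
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$file = Join-Path $folder ('{0}-{1}.json' -f $env:COMPUTERNAME, (Get-Date -Format 'yyyyMMdd'))
$evidence | ConvertTo-Json -Depth 6 | Set-Content -Path $file -Encoding UTF8
# Record a SHA-256 beside the file so later modification of the evidence is detectable.
(Get-FileHash -Path $file -Algorithm SHA256).Hash | Set-Content -Path "$file.sha256"

$checks | Format-Table Name, Value, Pass -AutoSize
$failed = @($checks | Where-Object { -not $_.Pass }).Count
Write-Host "$failed baseline check(s) failed; evidence written to $file"
```

Run it across the pilot group with `Invoke-Command -ComputerName (Get-Content .\pilot.txt) -FilePath .\collect-av-evidence.ps1` (file names assumed), then copy the JSON and hash files into restricted or WORM storage and ship the same JSON to your SIEM so the 90-day retention baseline and the exclusions register are both covered by one artifact.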

Small‑business scenarios and real‑world examples

Scenario A: 40‑person subcontractor with Windows desktops and a small server — choose Microsoft Defender for Business + Intune: pilot 5 users, enable tamper protection and cloud protection, schedule weekly full scans, and configure automatic updates; document the deployment in a single PDF with screenshots and export of device inventory for the audit. Scenario B: 12‑person engineering firm using macOS and Linux servers — deploy Jamf‑managed Sophos or CrowdStrike for macOS, ClamAV or vendor Linux agent on servers, centrally collect logs to a simple Elastic stack, and keep an exclusions register for build tools. In both cases use the EICAR test for verification and keep the test artifacts in the compliance folder.

Risks of not implementing this control and compliance tips

Without an approved, configured anti‑malware solution you increase the risk of ransomware, data exfiltration, and supply‑chain compromise — outcomes that can lead to contract termination, loss of future government work, and regulatory penalties. Practical compliance tips: (1) document the vendor selection rationale and criteria and store them with procurement records; (2) keep a running inventory of endpoints and agent versions; (3) include anti‑malware configuration checks in regular vulnerability scans and weekly compliance reviews; (4) test incident playbooks and remediation procedures quarterly; and (5) include a clause in vendor contracts requiring the vendor to preserve telemetry and support evidence requests during audits.

Summary: to satisfy FAR 52.204‑21 and CMMC 2.0 Level 1 SI.L1‑B.1.XIII you need a defensible, documented process for selecting an anti‑malware vendor, deploying agents centrally, configuring baseline protections (real‑time, cloud updates, tamper protection, scheduled scans), forwarding logs for retention, and retaining procurement and test evidence — follow the practical checklists and rollout steps above, run pilot tests (EICAR), and keep clear documentation so audits are straightforward and your environment stays protected.
