Verifying that your information systems are protected from malicious code is a concrete, testable element of FAR 52.204-21 and maps to CMMC 2.0 Level 1 practice SI.L1-B.1.XIII; this post gives you a practical checklist, technical test steps, real-world small business examples, and evidence artifacts you can use to prove compliance during an assessment.
Checklist structure — what to include
Design your checklist so each line maps to a requirement, a control objective, and evidence type. Example checklist categories: inventory and coverage (are all endpoints and servers inventoried and protected?), protection configuration (is real-time scanning on, exclusions documented, definitions auto-updating?), detection and response integration (EDR telemetry to SIEM/console and alerting thresholds), remediation (quarantine and automated blocking), and testing/validation (EICAR and simulated phishing). For each item include: expected setting, verification method, acceptable evidence (console screenshot, agent version, update timestamp, SIEM alert), and remediation owner and due date.
Technical controls to verify (concrete items)
At a minimum verify: (1) anti-malware/EDR agents are installed and active on 100% of endpoints and servers (verify via MDM/patch management inventory or EDR console); (2) real-time protection is enabled and tamper protection is enforced; (3) signature/definition update frequency is configured (recommended: hourly or at least daily) and last-update timestamps are within policy; (4) scheduled full or deep scans are configured weekly; (5) cloud email and web gateways perform malware scanning; (6) removable media controls are in place (blocking or scanning USB); (7) application controls like AppLocker/Smart App Control or macOS Gatekeeper are used where available; (8) EDR/antivirus quarantine and automated blocking rules are configured (hash/blocklist); (9) telemetry forwarded to central logging/SIEM with retention for the assessment window (e.g., 90 days). Record agent versions, policy profiles, and configuration screenshots as evidence.
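The following script is an added example, not code from the original post or from any vendor console; it shows how items (1) through (4) and the exclusions check can be verified mechanically from two exports you already collect. It joins a constructed MDM inventory CSV against a constructed EDR console export, then reports per host which checklist items fail: missing agent (coverage gap), real-time or tamper protection off, definitions or full scan older than the policy thresholds, and exclusions that are overly broad or absent from the exclusions registry. Column names, the policy thresholds, the sample hosts and the registry entries are all assumptions; map them to your own console's export format.

```python
"""Checklist evidence check: join an MDM inventory export against an EDR/AV
console export and report, per host, which checklist items fail.
All sample data below is constructed for illustration."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Assumed policy thresholds: adjust to your anti-malware policy (daily updates, weekly full scan)
POLICY = {
    "max_definition_age": timedelta(hours=24),
    "max_full_scan_age": timedelta(days=7),
}

# Constructed sample: MDM device compliance export (the "what should be protected" list)
MDM_INVENTORY_CSV = """hostname,os,owner
WS-001,Windows 11,alice
WS-002,Windows 11,bob
WS-003,macOS 14,carol
SRV-FILE01,Windows Server 2022,it
"""

# Constructed sample: EDR console export (the "what is protected" list); assumed column names
EDR_EXPORT_CSV = r"""hostname,agent_version,real_time_protection,tamper_protection,definitions_updated,last_full_scan,exclusions
WS-001,4.18.24,true,true,2024-06-10T07:55:00Z,2024-06-08T02:00:00Z,
WS-002,4.18.24,true,false,2024-06-07T11:20:00Z,2024-06-08T02:00:00Z,C:\*
SRV-FILE01,4.18.23,true,true,2024-06-10T06:10:00Z,2024-05-20T02:00:00Z,D:\Backups\
"""

# Constructed exclusions registry: exclusion path -> business justification
EXCLUSIONS_REGISTRY = {
    "D:\\Backups\\": "Backup staging area; scanned by the backup server (ticket IT-1234)",
}

# An exclusion of a whole drive root, with or without a trailing wildcard, counts as overly broad
BROAD_EXCLUSION = re.compile(r"[A-Za-z]:\\\*?")


def parse_iso(ts):
    """Parse the console's UTC timestamps (assumed ISO-8601 with trailing Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Assessment time for the constructed data; use datetime.now(timezone.utc) in practice
NOW = parse_iso("2024-06-10T08:00:00Z")


def check_host(row, now, registry, policy):
    """Return the list of checklist findings for one protected host (empty list = all items pass)."""
    findings = []
    if row["real_time_protection"] != "true":
        findings.append("real-time protection disabled")
    if row["tamper_protection"] != "true":
        findings.append("tamper protection not enforced")
    definition_age = now - parse_iso(row["definitions_updated"])
    if definition_age > policy["max_definition_age"]:
        findings.append(f"definitions older than policy ({definition_age})")
    scan_age = now - parse_iso(row["last_full_scan"])
    if scan_age > policy["max_full_scan_age"]:
        findings.append(f"full scan older than policy ({scan_age.days} days)")
    for exclusion in filter(None, row["exclusions"].split(";")):
        if BROAD_EXCLUSION.fullmatch(exclusion):
            findings.append(f"overly broad exclusion: {exclusion}")
        if exclusion not in registry:
            findings.append(f"undocumented exclusion: {exclusion}")
    return findings


def assess(mdm_csv, edr_csv, registry, now, policy=POLICY):
    """Join inventory and EDR export; return (findings per inventoried host, agents not in inventory)."""
    inventory = {r["hostname"] for r in csv.DictReader(io.StringIO(mdm_csv))}
    protected = {r["hostname"]: r for r in csv.DictReader(io.StringIO(edr_csv))}
    report = {}
    for host in sorted(inventory):
        if host not in protected:
            report[host] = ["no EDR/AV agent reported"]  # coverage gap against the 100% target
        else:
            report[host] = check_host(protected[host], now, registry, policy)
    unmanaged = sorted(set(protected) - inventory)  # agents on hosts the MDM does not know about
    return report, unmanaged


def coverage_percent(report):
    """Share of inventoried hosts that have an agent reporting at all."""
    covered = sum(1 for f in report.values() if "no EDR/AV agent reported" not in f)
    return round(100.0 * covered / len(report), 1)


if __name__ == "__main__":
    report, unmanaged = assess(MDM_INVENTORY_CSV, EDR_EXPORT_CSV, EXCLUSIONS_REGISTRY, NOW)
    print(f"coverage: {coverage_percent(report)}% of inventoried hosts")
    for host, findings in report.items():
        print(host, "PASS" if not findings else "; ".join(findings))
    print("agents outside inventory:", unmanaged or "none")
```

Run it against fresh exports before each assessment and keep the printed output next to the two CSV files as the evidence artifact for the inventory, protection-configuration and exclusions checklist lines; each finding maps directly to a POA&M entry with an owner.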
Procedures, evidence, and compliance-framework specifics
Because this control sits inside a compliance framework (FAR 52.204-21 and CMMC 2.0), document it in your System Security Plan (SSP) with the specific practice mapping to SI.L1-B.1.XIII and a description of how the implementation meets FAR 52.204-21 safeguarding. Evidence types to collect: EDR/AV console export (list of protected hosts and agent versions), update logs showing definition timestamps, quarantine logs with sample hashes, SIEM alarms for detected malware, MDM inventory report, policy documents (anti-malware policy with update cadence), and test results (EICAR test logs). Maintain a POA&M entry for any gaps, with assigned owners and remediation timelines tied to contract requirements.
Testing and verification procedures (practical steps)
Run these repeatable tests quarterly or before an assessment: (A) EICAR detection test — send the standard EICAR file via email and download it to an endpoint; verify the gateway blocks, the endpoint AV quarantines, and SIEM records the event; (B) Simulated file drop — place a benign flagged file on a file share to confirm server-side scanning; (C) Endpoint tamper test — attempt disabling real-time protection on a test host (with logging) to verify tamper protection and audit logs; (D) False-positive recovery — restore a deliberately quarantined benign file to document the remediation workflow. Capture screenshots, timestamps, and console export files for each test. Automate scheduled scans and telemetry exports using your management tools (e.g., Intune, Jamf, SCCM, CrowdStrike console, SentinelOne) so evidence is reproducible.
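The script below is an added example, not code from the original post; it implements the verification half of tests (A) and (C) by correlating a log export against the evidence each test is expected to produce. Given constructed JSON-lines records from the email gateway, the endpoint agent and the SIEM, it checks that every required (source, action) pair for the test host appears inside the test window, that the quarantine record carries the test artifact's hash, and how long the SIEM took to alert after the endpoint detection. The record field names, the artifact hash (a constructed placeholder, not the real EICAR hash), the latency threshold and the sample hosts are assumptions.

```python
"""Correlate gateway, endpoint and SIEM records for a detection test run and
report which expected evidence items are present within the test window.
All sample records below are constructed for illustration."""
import hashlib
import json
from datetime import datetime, timezone

# Constructed placeholder: in a real run this is the SHA-256 shown in the quarantine log
# for the test file; it is deliberately NOT the real EICAR hash.
ARTIFACT_SHA256 = hashlib.sha256(b"constructed test artifact").hexdigest()

# Assumed alerting threshold: SIEM must alert within 15 minutes of endpoint detection
MAX_SIEM_LATENCY_SECONDS = 900

# Evidence each test must produce, as (log source, recorded action) pairs; assumed vocabulary
REQUIRED = {
    "A-eicar": [("gateway", "blocked"), ("endpoint", "quarantined"), ("siem", "alert")],
    "C-tamper": [("endpoint", "tamper_blocked"), ("siem", "alert")],
}


def parse_ts(ts):
    """Parse UTC timestamps in the export (assumed ISO-8601 with trailing Z)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Test window recorded on the test plan; only events inside it count as evidence
WINDOW_START = parse_ts("2024-06-10T09:00:00Z")
WINDOW_END = parse_ts("2024-06-10T10:00:00Z")

# Constructed sample export: one JSON object per line, as a SIEM export might look
SAMPLE_LOGS = "\n".join(json.dumps(e) for e in [
    {"ts": "2024-06-10T09:01:12Z", "source": "gateway", "action": "blocked",
     "host": "WS-001", "sha256": ARTIFACT_SHA256},
    {"ts": "2024-06-10T09:03:40Z", "source": "endpoint", "action": "quarantined",
     "host": "WS-001", "sha256": ARTIFACT_SHA256},
    {"ts": "2024-06-10T09:03:45Z", "source": "siem", "action": "alert",
     "host": "WS-001", "sha256": ARTIFACT_SHA256},
    {"ts": "2024-06-10T09:10:02Z", "source": "endpoint", "action": "tamper_blocked",
     "host": "WS-TEST"},
    # stale alert from a previous quarter: outside the window, so it must not count
    {"ts": "2024-03-01T10:00:00Z", "source": "siem", "action": "alert", "host": "WS-TEST"},
])


def verify_run(test_name, log_text, host, window_start, window_end, artifact_hash=None):
    """Map each required (source, action) to the first matching in-window event, or None."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    found = {}
    for source, action in REQUIRED[test_name]:
        found[(source, action)] = next(
            (e for e in events
             if e["source"] == source and e["action"] == action and e["host"] == host
             and window_start <= parse_ts(e["ts"]) <= window_end
             and (artifact_hash is None or e.get("sha256") == artifact_hash)),
            None,
        )
    return found


def run_passed(found):
    """The test passes only when every required evidence item was found."""
    return all(e is not None for e in found.values())


def siem_latency_seconds(found):
    """Seconds from the endpoint detection to the SIEM alert, or None if either is missing."""
    endpoint = next((e for (src, _), e in found.items() if src == "endpoint"), None)
    siem = found.get(("siem", "alert"))
    if endpoint is None or siem is None:
        return None
    return int((parse_ts(siem["ts"]) - parse_ts(endpoint["ts"])).total_seconds())


def evidence_summary(test_name, found):
    """Human-readable lines to paste into the test record."""
    lines = []
    for (source, action), e in found.items():
        status = f"OK at {e['ts']}" if e else "MISSING"
        lines.append(f"{test_name}: {source}/{action}: {status}")
    latency = siem_latency_seconds(found)
    if latency is not None:
        verdict = "within" if latency <= MAX_SIEM_LATENCY_SECONDS else "exceeds"
        lines.append(f"{test_name}: SIEM alert latency {latency}s {verdict} threshold")
    return lines


if __name__ == "__main__":
    for name, host, digest in [("A-eicar", "WS-001", ARTIFACT_SHA256), ("C-tamper", "WS-TEST", None)]:
        found = verify_run(name, SAMPLE_LOGS, host, WINDOW_START, WINDOW_END, digest)
        print("\n".join(evidence_summary(name, found)))
        print(name, "PASS" if run_passed(found) else "FAIL")
```

In the constructed data the EICAR run passes with a 5-second SIEM latency, while the tamper test fails because its only SIEM alert lies outside the window; that failure is the kind of gap that belongs in the POA&M with an owner and a date, and the summary lines plus the raw export are the artifacts to keep.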
Small business scenario — practical example
A 25-person contractor with a single office can implement an effective baseline: deploy Microsoft Defender for Business (or a lightweight EDR) via Intune to all Windows endpoints, enable tamper protection, configure daily definition updates, and integrate Defender for Endpoint alerts into a lightweight SIEM or cloud log store (Azure Sentinel or a managed logging service). Use Google Workspace or Microsoft 365 built-in email filtering with attachment scanning, enable DNS filtering for web threats (e.g., Cisco Umbrella), and enforce BitLocker/FileVault and secure backups. For evidence, export Intune device compliance reports, Defender security alerts for EICAR tests, and email gateway logs showing blocked messages; include these in the SSP.
Compliance tips and best practices
Keep these pragmatic tips in mind: (1) document baseline configurations and avoid overly broad AV exclusions—maintain an exclusions registry with business justification; (2) schedule automated evidence exports and snapshots in case an assessor requests recent logs; (3) keep EDR/AV agents up-to-date and centrally managed—manual exceptions should be rare and logged; (4) use benign test files (EICAR) and tabletop incident response to validate both detection and your remediation steps; (5) include supply chain and SaaS providers in your coverage map—if your email or file storage is vendor-hosted, obtain attestation or logs proving their malware protections; (6) map each checklist item to the specific clause (FAR 52.204-21) and CMMC practice in your SSP for quick assessor reference.
Risk of not implementing the requirement
Failing to verify protection from malicious code increases risk of ransomware, data exfiltration, credential theft, and lateral movement. For government contractors the consequences include lost contracts, suspension, or termination under FAR clauses, plus potential regulatory reporting obligations and reputational harm. Operational impacts for a small business include downtime, recovery costs, and potential loss of sensitive controlled unclassified information (CUI). Documenting controls and tests reduces contractual and business risk and demonstrates due diligence.
Summary: build a concise, evidence-driven checklist that maps each control to FAR 52.204-21 and CMMC SI.L1-B.1.XIII, include specific technical verification steps (EICAR tests, console exports, update timestamps), automate inventory and log collection where possible, and maintain an SSP and POA&M for gaps—these steps create a defensible posture and make assessments straightforward for small businesses and larger contractors alike.