
How to Implement Periodic and Real-Time File Scanning for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XV: A Step-by-Step Guide

Practical, step-by-step guidance to implement periodic and real-time file scanning to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1-B.1.XV for small- and medium-sized contractors.

April 04, 2026

This guide shows how a small business can implement both periodic and real-time file scanning to meet FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV, including concrete tool choices, schedules, logging requirements, and examples you can apply this week to reduce risk and produce audit evidence.

Why this control matters (risk and compliance mapping)

FAR 52.204-21 requires basic safeguarding of contractor information systems; CMMC Level 1 SI.L1-B.1.XV specifically expects mechanisms for periodic and real-time scanning to discover malicious code or unauthorized files. Without scanning, malicious files can persist in share drives, endpoints, or cloud buckets and lead to data exfiltration, ransomware, or supply-chain compromise—risks that are especially impactful for small businesses with limited staff and little margin for downtime. From an audit perspective, you must be able to show that real-time protection is enabled where appropriate and that periodic scans run on a documented cadence with retained logs and remediation records.

Step-by-step implementation (practical actions)

1) Scope and asset inventory

Start by documenting the scope that contains Controlled Unclassified Information (CUI) or other regulated data: endpoints (Windows/Mac/Linux), file servers (SMB/NFS), cloud storage (S3, Azure Blob, Google Cloud Storage), and developer build servers. For each asset, capture the OS, owner, network location, and access patterns. For example, a 25-person subcontractor might list: 20 Windows laptops, 2 Linux servers (internal dev and file share), 1 Windows file server, and an S3 bucket for project artifacts. This inventory drives where to enable real-time hooks and where to schedule periodic scans.

2) Choose the right tools and architecture

Map each asset to an appropriate scanning capability: use built-in real-time AV for endpoints (Microsoft Defender on Windows, built-in AV on Macs, vendor solutions on Linux), an on-access scanner for file servers (commercial AV with SMB hooks or Linux fanotify-based scanners), and periodic scanners for archive locations. Small-business-friendly stacks: Microsoft Defender for Business (endpoints), ClamAV + clamav-daemon for non-critical Linux file servers, and a cloud-native scanner (e.g., AWS Lambda triggered by S3 events running YARA/ClamAV) for object stores. Consider a single-pane SIEM/monitor (Splunk/Elastic/Datadog) or a lightweight log-forwarder (NXLog/Winlogbeat) to centralize detection telemetry for evidence and alerting.

3) Implement periodic scanning (scheduling, scope, performance)

Define and document your periodic scan cadence: weekly full-system scans plus daily targeted scans of CUI folders are a common baseline for Level 1. On Linux, a systemd timer or cron job can run clamscan -r /data --log=/var/log/clamscan-YYYYMMDD.log (with the run date substituted for YYYYMMDD) and rotate the logs; on Windows, schedule weekly full scans with Defender via Start-MpScan -ScanType FullScan, driven by Windows Task Scheduler or an Intune policy. For file servers, schedule off-peak incremental scans (nightly) and one weekly full scan. Record the schedule artifacts (task definitions, systemd timer files, or Intune profiles) as evidence for auditors.

4) Implement real-time/on-access scanning (mechanisms and tuning)

Real-time scanning catches malicious files at creation or copy time. On Windows endpoints, enable real-time protection via Group Policy/Intune or PowerShell (Set-MpPreference -DisableRealtimeMonitoring $false) and ensure automatic signature updates are enabled. For Linux, use clamav-daemon with fanotify or a commercial on-access scanner that integrates with SMB shares; for example, deploy clamd and a filesystem watcher that scans newly created files using inotify events. For cloud object stores, implement event-driven scanning: an S3 ObjectCreated event triggers a Lambda that runs a YARA rule set and a virus scanner, then tags or quarantines infected objects and emits an alert to your SIEM. Tune exclusions thoughtfully (e.g., compiled build artifacts, swap/tmp directories) and document each exclusion with its justification and a periodic review schedule, so that over-exclusion does not leave you non-compliant.
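As an added example (not code from the original post), here is the decision core of the event-driven object-store scanner described above: it extracts object keys from an S3 ObjectCreated notification, runs ClamAV on the downloaded copy, and turns the result into a quarantine/tag action and a SIEM severity. The bucket name, the CUI key prefix and the download stub are assumptions; the demo at the bottom substitutes a fake scanner so it runs without S3 or clamscan installed.

```python
import subprocess
import urllib.parse

# Hypothetical key prefixes treated as CUI scope; detections there get the highest severity.
CUI_PREFIXES = ("project-artifacts/cui/",)

def objects_from_event(event: dict) -> list[tuple[str, str]]:
    """Extract (bucket, key) pairs from an S3 ObjectCreated notification.
    S3 URL-encodes keys in the notification, so '+' and '%xx' must be decoded first."""
    out = []
    for rec in event.get("Records", []):
        if not rec.get("eventName", "").startswith("ObjectCreated:"):
            continue  # ignore deletes and other event types
        s3 = rec["s3"]
        out.append((s3["bucket"]["name"], urllib.parse.unquote_plus(s3["object"]["key"])))
    return out

def run_clamscan(path: str) -> tuple[int, str]:
    """Real scanner call: clamscan exits 0 for clean, 1 for infected, 2 on error."""
    proc = subprocess.run(["clamscan", "--no-summary", path], capture_output=True, text=True)
    return proc.returncode, proc.stdout

def parse_clamscan(rc: int, stdout: str) -> dict:
    """Map clamscan's exit code and '<path>: <signature> FOUND' lines to a verdict."""
    sigs = [ln.rsplit(": ", 1)[1][: -len(" FOUND")] for ln in stdout.splitlines() if ln.endswith(" FOUND")]
    return {"verdict": {0: "clean", 1: "infected"}.get(rc, "error"), "signatures": sigs}

def scan_event(event: dict, local_path_for, scanner=run_clamscan) -> list[dict]:
    """One record per created object: verdict, what to do with it, and the alert severity for the SIEM.
    local_path_for(bucket, key) downloads the object and returns a local path (stubbed in the demo)."""
    results = []
    for bucket, key in objects_from_event(event):
        rec = parse_clamscan(*scanner(local_path_for(bucket, key)))
        in_cui = key.startswith(CUI_PREFIXES)
        if rec["verdict"] == "infected":
            action, severity = "quarantine", ("high" if in_cui else "medium")
        elif rec["verdict"] == "error":
            action, severity = "retry", "medium"  # a failed scan must never be recorded as clean
        else:
            action, severity = "tag-clean", "info"
        results.append({"bucket": bucket, "key": key, "action": action, "severity": severity, **rec})
    return results

if __name__ == "__main__":
    # Constructed event and fake scanner output so the demo runs offline without S3 or clamscan.
    event = {"Records": [{"eventName": "ObjectCreated:Put", "s3": {"bucket": {"name": "example-artifacts"},
                          "object": {"key": "project-artifacts/cui/report+final.docx"}}}]}
    fake = lambda path: (1, f"{path}: Win.Test.EICAR_HDB-1 FOUND\n")
    for r in scan_event(event, lambda b, k: f"/tmp/{k.rsplit('/', 1)[-1]}", fake):
        print(r)
```

In a real Lambda, local_path_for would call the S3 download API and the returned record would drive the object tagging, the move to a quarantine bucket, and the SIEM alert.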

5) Logging, alerting, remediation, and audit evidence

Centralize detection logs and alerts: forward Windows Event Logs (Event IDs for Defender detections), clamd logs, and Lambda scan outputs to your SIEM or a cloud logging service. Create simple alerting rules (e.g., any detection on a CUI bucket -> high-priority ticket) and integrate with your ticketing system so each detection has an incident record showing triage and remediation steps. Retain raw scan logs and ticket entries for the retention period required by your contract (commonly 1 year for Level 1 evidence). Maintain a policy document and a weekly/monthly report showing scan run status, signature update status, and any remediation performed—these artifacts form the audit trail auditors will request under FAR 52.204-21/CMMC.

Practical small-business scenarios and best practices

Two quick examples: (1) Small engineering shop: enable Microsoft Defender on all endpoints via Intune, schedule Defender weekly full scans, enable Defender for Server on the Windows file server, and add a Lambda-based S3 scanner for build artifacts. (2) Small MSP with Linux NAS: run clamav-daemon on the NAS, configure an inotify service to scan new files immediately, and schedule a weekly full clamscan off-peak. Best practices: automate signature and engine updates, minimize exclusions and document them, ensure real-time protection is not turned off by routine user behavior, and perform quarterly test restores and simulated detections (red-team/file-based tests) to verify detection and incident workflows.
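Added example, not from the original post, covering step 5 and the best practice above about real-time protection being switched off: it turns normalised AV telemetry (Defender Operational log event IDs 1001, 2000 and 5001, or equivalent clamscan results) into the per-host evidence rows for the weekly report, flags hosts that missed the documented cadence or have stale signatures, and surfaces real-time protection outages. The host names, the flat record shape produced by the log forwarder, and the cadence values are assumptions.

```python
from datetime import datetime, timedelta

# Cadence from step 3 (weekly full scan, daily targeted CUI scan), a tolerance for late starts,
# and the maximum signature age before updates count as stale. All values are assumptions.
CADENCE = {"full": timedelta(days=7), "cui-targeted": timedelta(days=1)}
GRACE, MAX_SIG_AGE = timedelta(hours=6), timedelta(days=2)
# Defender Operational log event IDs: 1001 = scan finished, 2000 = signatures updated, 5001 = real-time
# protection disabled. The flat record shape is an assumed forwarder normalisation; clamscan results fit it too.

def ingest(events):
    """Split normalised AV events into scan completions, last signature update per host, and findings."""
    scans, sig_updates, findings = [], {}, []
    for e in events:
        t = datetime.fromisoformat(e["time"])
        if e["event_id"] == 1001:
            scans.append({"host": e["host"], "kind": e["scan_type"], "at": t})
        elif e["event_id"] == 2000:
            sig_updates[e["host"]] = max(sig_updates.get(e["host"], t), t)
        elif e["event_id"] == 5001:
            findings.append({"host": e["host"], "at": t, "issue": "real-time protection disabled"})
    return scans, sig_updates, findings

def cadence_report(hosts, scans, sig_updates, now):
    """Evidence rows: for each host and check, the last run and whether the cadence was met at ISO time `now`."""
    now, rows = datetime.fromisoformat(now), []
    for host in hosts:
        for kind, interval in CADENCE.items():
            runs = [s["at"] for s in scans if s["host"] == host and s["kind"] == kind]
            last = max(runs) if runs else None
            rows.append({"host": host, "check": kind, "last": last, "ok": last is not None and now - last <= interval + GRACE})
        sig = sig_updates.get(host)
        rows.append({"host": host, "check": "signatures", "last": sig, "ok": sig is not None and now - sig <= MAX_SIG_AGE})
    return rows

def exceptions(rows, findings):  # lines for the weekly report's remediation section
    return ([f"{r['host']}: {r['check']} overdue (last {r['last']})" for r in rows if not r["ok"]] +
            [f"{f['host']}: {f['issue']} at {f['at'].isoformat()}" for f in findings])

if __name__ == "__main__":
    # Constructed telemetry for a laptop that is on schedule and a file server that is not.
    sample = [
        {"host": "lt-01", "event_id": 1001, "scan_type": "full", "time": "2026-03-29T02:10:00"},
        {"host": "lt-01", "event_id": 1001, "scan_type": "cui-targeted", "time": "2026-04-03T22:05:00"},
        {"host": "lt-01", "event_id": 2000, "time": "2026-04-03T08:00:00"},
        {"host": "fs-01", "event_id": 1001, "scan_type": "full", "time": "2026-03-20T02:00:00"},
        {"host": "fs-01", "event_id": 5001, "time": "2026-04-02T14:31:00"},
    ]
    scans, sigs, findings = ingest(sample)
    print("\n".join(exceptions(cadence_report(["lt-01", "fs-01"], scans, sigs, "2026-04-04T09:00:00"), findings)))
```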

Summary

Meeting SI.L1-B.1.XV and FAR 52.204-21 is practical for small businesses: inventory assets, select appropriate on-access and periodic scanning technologies, schedule scans and updates, centralize logs and alerts, and retain remediation evidence. Prioritize enabling real-time protection where files are created/accessed and run regular full and targeted scans for CUI repositories; document every step so you can demonstrate compliance during an audit. Implementing these steps reduces the risk of malware persistence and provides the documented evidence required for contractor compliance.

 
