This guide walks you through implementing periodic and real-time file scanning to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV, with practical configuration steps, small-business examples, and audit-ready evidence you can use today. It focuses on actionable implementation within a Compliance Framework context: scoping, tooling, configuration, logging, testing, and documentation.
Why this control matters and the risk of non-implementation
Periodic and real-time file scanning reduce the risk of malware, ransomware, and malicious scripts entering or spreading across your environment; failure to implement them can lead to data loss, service disruption, supplier or customer impact, and noncompliance findings that jeopardize government contracts. For small businesses that handle contractor or government information, an infection on one endpoint can rapidly propagate to shared file servers or cloud storage, causing loss of confidentiality and availability and triggering contractual penalties.
Step-by-step implementation (high level)
Implementing SI.L1-B.1.XV in a Compliance Framework context breaks down into: 1) scope and policy, 2) select tooling, 3) deploy real-time (on‑access) scanning, 4) schedule periodic full scans and signature updates, 5) logging and monitoring, 6) test/validate and document for auditors. The following sections give concrete examples and commands for Windows, Linux, mixed environments and cloud storage.
Step 1 — Define scope, policy, and inventory
Start by identifying in-scope assets: endpoints (laptops/desktops), file servers (Windows Server, NAS), and cloud storage (S3 buckets, SharePoint). Create a short policy that states scanning requirements (on-access enabled for endpoints, daily full scans for file servers, immediate scanning of uploads to cloud buckets) and retention and reporting expectations (e.g., weekly summary, 90 days of logs). For a 10–30 person small business, scope usually includes all employee endpoints and any central file share or cloud locations used for business files.
Step 2 — Deploy and configure real-time (on-access) scanning
Choose an on-access product appropriate for your environment: Microsoft Defender for Business/Windows Defender for Windows desktops, and a lightweight EDR (CrowdStrike, SentinelOne) or AV (Sophos, Bitdefender) for laptops and servers. On Linux servers, use real-time daemons where available (e.g., ClamAV with clamd plus a fanotify/inotify adapter, or commercial agents). Key settings: enable on-access scanning, set quarantine behavior to isolate files and endpoints, restrict automatic deletions to prevent disruption, and configure exclusions only for well-documented service folders (e.g., backup directories). Windows example: ensure Defender real-time protection is enabled via Group Policy or Intune and confirm scheduled scans via MpCmdRun.exe -ScheduleScan. Linux example: install clamd, configure freshclam for updates, and run a lightweight file system watcher (inotifywait or fswatch) that triggers clamscan --infected --recursive on new uploads.
Step 3 — Configure periodic full scans and signature/engine updates
Configure scheduled full scans for file servers and periodic scans for endpoints during off-hours. On Windows Server, use Task Scheduler or GPO to run MpCmdRun.exe -Scan -ScanType 2 weekly; on Linux, add a cron job: 0 2 * * * /usr/bin/clamscan -r --log=/var/log/clamscan/daily-scans.log /srv/share. Ensure signature and engine updates are automated (Windows Update/Defender updates, freshclam for ClamAV, or vendor-managed cloud updates). For cloud object stores (S3), implement an upload lambda that scans new objects with ClamAV or use a managed service (e.g., AWS Malware Protection for Amazon S3). Example: trigger Lambda on PutObject, have Lambda download the object, scan with ClamAV, tag or quarantine the object, and write a result to an audit S3 bucket or send to SNS for alerting.
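The S3 upload-scan workflow described above, written out as a Python Lambda handler. This is an added example, not code from the original guide or from AWS; it assumes a Lambda layer that ships clamscan and its database under /opt (the CLAMSCAN_BIN and CLAMSCAN_DB variables override those paths) and the environment variables QUARANTINE_BUCKET, AUDIT_BUCKET and ALERT_TOPIC_ARN, all of them hypothetical names.

```python
import json, os, subprocess, tempfile
from datetime import datetime, timezone
from urllib.parse import unquote_plus

# Assumed: a Lambda layer ships clamscan and its freshclam-maintained database under /opt;
# QUARANTINE_BUCKET, AUDIT_BUCKET and ALERT_TOPIC_ARN are set as environment variables.
CLAMSCAN_CMD = [os.environ.get("CLAMSCAN_BIN", "/opt/bin/clamscan"), "--no-summary",
                "--database=" + os.environ.get("CLAMSCAN_DB", "/opt/share/clamav")]

def parse_clamscan(returncode, stdout):
    """clamscan exits 0 clean, 1 infected, 2+ error; '<path>: <sig> FOUND' lines name the hit."""
    if returncode == 0:
        return "clean", None
    if returncode == 1:
        for line in stdout.splitlines():
            if line.endswith(" FOUND"):
                return "infected", line[:-len(" FOUND")].rsplit(": ", 1)[-1]
        return "infected", "unknown"
    return "error", None

def scan_path(path):
    proc = subprocess.run(CLAMSCAN_CMD + [path], capture_output=True, text=True)
    return parse_clamscan(proc.returncode, proc.stdout)

def build_audit_record(bucket, key, verdict, signature, scanned_at=None):
    """Audit-bucket record; a scan error is held like an infection, never released."""
    action = {"clean": "tagged-clean", "infected": "quarantined"}.get(verdict, "held-scan-error")
    return {"bucket": bucket, "key": key, "verdict": verdict, "signature": signature,
            "action": action, "scanned_at": (scanned_at or datetime.now(timezone.utc)).isoformat()}

def handler(event, context):
    import boto3  # imported here so the functions above stay testable without AWS
    s3, sns = boto3.client("s3"), boto3.client("sns")
    for rec in event["Records"]:  # one PutObject notification per record
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # keys arrive URL-encoded
        with tempfile.NamedTemporaryFile(dir="/tmp") as tmp:  # /tmp is Lambda's only writable path
            s3.download_file(bucket, key, tmp.name)
            verdict, signature = scan_path(tmp.name)
        record = build_audit_record(bucket, key, verdict, signature)
        if verdict == "clean":
            s3.put_object_tagging(Bucket=bucket, Key=key,
                                  Tagging={"TagSet": [{"Key": "scan-status", "Value": "clean"}]})
        else:  # quarantine: copy to the isolated bucket, remove the original, then alert
            s3.copy_object(Bucket=os.environ["QUARANTINE_BUCKET"], Key=key,
                           CopySource={"Bucket": bucket, "Key": key})
            s3.delete_object(Bucket=bucket, Key=key)
            sns.publish(TopicArn=os.environ["ALERT_TOPIC_ARN"], Message=json.dumps(record),
                        Subject=f"S3 scan {verdict}: {key}"[:100])
        s3.put_object(Bucket=os.environ["AUDIT_BUCKET"], Body=json.dumps(record),
                      Key=f"scan-results/{record['scanned_at']}-{key.replace('/', '_')}.json")
```

A scan error is held rather than released, so a stale database or a timeout never lets an unscanned object through; grant the function's role only the S3 and SNS actions it calls.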
Logging, alerting, SIEM integration, and incident handling
Collect scan results and alerts centrally. For Windows, forward Event Logs via Windows Event Forwarding or use the vendor cloud console; for Linux, forward clamscan logs and syslog to your SIEM or a central syslog server. Build alerts for positive detections (email/SMS/Slack) and create playbook entries in your incident response plan that describe containment steps (isolate host, preserve evidence, perform full re-scan). Retain logs and scan reports as evidence for audits—store scan summaries weekly and raw logs for the period your Compliance Framework requires (commonly 90 days to 1 year depending on organization policy).
Testing, validation, and auditor evidence
Test your configuration monthly: run controlled test files (EICAR test string) and verify detections in logs and notifications; simulate an upload to cloud storage and confirm the S3-Lambda workflow quarantines or flags the object. For audit evidence prepare: a scope document, configuration screenshots (on-access enabled, scheduled scans), sample scan logs, update schedules, and an incident playbook with a recent tabletop exercise report. For small businesses, keep artifacts organized in a single compliance folder and versioned—this saves time during FAR or CMMC assessments.
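A parser for the clamscan --log output written by the cron job in Step 3, serving both the positive-detection alerting and weekly-summary points of the logging section and the monthly EICAR validation described above. This is an added example, not part of the original guide; the log text, host name and paths are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample of what the cron job's clamscan --log file looks like: one line
# per file, then the SCAN SUMMARY block. Paths, counts and dates are made up.
SAMPLE_LOG = """\
/srv/share/finance/q3-invoices.xlsx: OK
/srv/share/uploads/test-file.txt: Eicar-Test-Signature FOUND
/srv/share/hr/handbook.pdf: OK
/srv/share/uploads/archive.zip: Empty file

----------- SCAN SUMMARY -----------
Known viruses: 8699217
Engine version: 1.0.3
Scanned files: 4
Infected files: 1
Start Date: 2024:03:04 02:00:01
"""

FOUND_RE = re.compile(r"^(?P<path>.+): (?P<sig>[^:]+) FOUND$")
SUMMARY_RE = re.compile(r"^(Scanned files|Infected files|Known viruses|Engine version|Start Date): +(.+)$")

def parse_clamscan_log(text):
    """Return ([(path, signature), ...], {summary field: value}); 'OK' and other lines are ignored."""
    detections, summary = [], {}
    for line in text.splitlines():
        m = FOUND_RE.match(line)
        if m:
            detections.append((m["path"], m["sig"]))
            continue
        m = SUMMARY_RE.match(line)
        if m:
            summary[m[1]] = m[2].strip()
    return detections, summary

def build_alerts(detections, host):  # one record per hit, shaped for an email/Slack/SIEM webhook
    return [{"severity": "high", "host": host, "path": p, "signature": s,
             "playbook": "isolate host, preserve evidence, full re-scan"} for p, s in detections]

def verify_eicar_test(text, test_path):
    """Monthly validation: was the planted EICAR test file reported as infected?"""
    detections, _ = parse_clamscan_log(text)
    return any(p == test_path and "eicar" in s.lower() for p, s in detections)

def weekly_summary(logs):
    """Fold the daily logs into the weekly scan summary kept as audit evidence."""
    totals = Counter()
    for det, summ in map(parse_clamscan_log, logs):
        totals.update(scans=1, files=int(summ.get("Scanned files", 0)), detections=len(det))
    return dict(totals)
```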
Best practices and small-business scenarios
Best practices include: 1) prioritize endpoints that access both internal and external networks (remote workers), 2) avoid broad exclusions—document any necessary ones, 3) throttle scans during business hours to reduce performance impact, 4) use hash-based allowlists for known good files and maintain the list via change control, and 5) integrate endpoint quarantine actions with your backup/restore strategy to avoid accidental data loss. Example: a small marketing firm with a NAS should run on-access agents on any device that mounts the NAS and schedule nightly server-side full scans; a contractor uploading deliverables to an S3 bucket should trigger a Lambda scan and quarantine while keeping the uploader informed via SNS.
Implementing periodic and real-time file scanning to meet FAR 52.204-21 and CMMC 2.0 Level 1 is practical for small businesses when approached methodically: scope your assets, choose appropriate tools, enable on-access scanning, schedule regular full scans and updates, centralize logs, test regularly, and keep clear documentation for auditors. These steps reduce operational risk and provide demonstrable evidence of compliance within your Compliance Framework.