This guide explains how to implement both periodic (scheduled) and real-time file scanning in practical, technical detail to meet FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV requirements for safeguarding covered contractor information systems.
What the Requirement Means and Key Objectives
At a high level, FAR 52.204-21 and CMMC Level 1 SI.L1-B.1.XV require that contractor information systems implement measures to detect and prevent malicious content in files—both proactively (real-time/on-access) and routinely (scheduled scans). The objectives are to (1) detect malware and unauthorized code in files, (2) limit the spread of malware by quarantining or blocking infected files, and (3) produce auditable evidence that scanning is in place and functioning.
Step-by-Step Implementation
1) Preparation: Inventory, Scope, and Risk Prioritization
Start with a scoping exercise tied to your compliance framework obligations: list endpoints (laptops, desktops, servers), file servers (NAS, SMB shares), cloud storage (SharePoint, OneDrive, S3, Box), and backup repositories. Classify data flows and identify where covered contractor information (FCI/CUI) resides. For a small business (e.g., 25 users) this might be: 25 endpoints, one Windows file server, an Office 365 tenant with SharePoint, and a cloud backup account. Prioritize scanning on endpoints that access sensitive files and on centralized file stores.
2) Select Tools and Architecture (Real-Time + Periodic)
Choose a toolset that supports: on-access (real-time) scanning on endpoints and servers, scheduled full and quick scans, centralized policy management, logging, and quarantine. Examples: Microsoft Defender for Endpoint + Defender Antivirus for Windows environments; a managed EDR solution (CrowdStrike, SentinelOne) that includes file scanning/behavioral detection; for mixed or Linux environments, combine vendor AV agents (for example ClamAV on Linux hosts and for cloud buckets) with EDR agents. For cloud object stores, add cloud-native tools (AWS Macie for classification, Amazon Inspector/ClamAV-based Lambda scans for S3) or third-party connectors. Ensure the chosen tools support signature updates, heuristics, YARA rules, and SHA-256 hash checking for IOCs.
3) Configure Real-Time (On-Access) Scanning
Enable on-access scanning on all endpoints and file servers so that files are scanned at creation/open/write. Configure quarantine actions: block execution of detected malicious binaries, quarantine infected documents, and prevent file upload to cloud sync if infected. Set signature update cadence to at least daily (ideally hourly for cloud-managed solutions). For resource-constrained endpoints, use CPU and IO throttling and exclude known safe paths (build artifacts, package caches) but document and justify every exclusion. For SMB/NFS shares, deploy scanning on the server or use a gateway scanner that intercepts file operations.
4) Configure Periodic (Scheduled) Scanning
Schedule periodic full and incremental scans: quick scans daily, full scans weekly (or nightly for high-risk servers). Example schedule for a small business: daily quick scan on endpoints at 03:00, weekly full server scan on Sunday 02:00, daily scan of cloud file shares via connector at 04:00. For backups, scan the backup image on receipt and before restore operations. Configure scans to inspect compressed archives (zip, rar, tar.gz) and common file types (exe, dll, js, docm, xlsm, pdf with embedded scripts). Enable deep archive scanning and set file size limits that balance coverage and performance (e.g., scan files up to 500MB and quarantine larger files for manual review).
5) Logging, Centralized Monitoring, and Evidence Collection
Forward scan events and alerts to a central log store or SIEM (Splunk, Elastic, Azure Sentinel). Log details should include timestamp, host, user, file path, hash (SHA-256), detection name, action taken, and rule/signature version. For compliance evidence, maintain a searchable archive of scan logs and quarantine actions—retain these per contract requirements (commonly 6–12 months for audits, but follow contract-specific directions). Use a dashboard for real-time visibility and create scheduled compliance reports that show policy coverage, scan results, and signature/update status.
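To show what the evidence fields above look like once normalized, here is an added example (not from the original guide) that maps events from two constructed sources, an endpoint AV product and an S3 ClamAV scanner, onto one record layout and builds the summary a scheduled compliance report would carry: detections by action and by scan type, records missing required fields, inventory hosts that never reported, and hosts whose signatures are older than the daily update cadence. The input field names are assumed shapes, not any vendor's export schema, and the hashes are placeholders.

```python
# Added example, not from the guide: normalize scan events from two constructed
# sources into the evidence fields listed in step 5 and produce the summary a
# scheduled compliance report would carry. Both input layouts are assumed shapes.
import json
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Dict, List

REQUIRED = ("timestamp", "host", "user", "file_path", "sha256",
            "detection", "action", "signature_version")
SIGNATURE_MAX_AGE = timedelta(hours=24)   # step 3 asks for at least daily signature updates

# Constructed sample events (hashes are placeholders, not real IoCs).
SAMPLE_EVENTS = [
    {"source": "endpoint-av", "time": "2024-05-06T03:05:12Z", "host": "LT-014", "user": "jdoe",
     "folder": "C:\\Users\\jdoe\\Downloads", "file": "invoice.docm", "sha256": "AA" * 32,
     "threat": "TrojanDownloader:O97M/Example", "action": "Quarantine",
     "sig_version": "1.409.123.0", "sig_updated": "2024-05-06T01:00:00Z"},
    {"source": "s3-clamav", "ts": "2024-05-06T04:10:44Z", "bucket": "acme-backups",
     "key": "nightly/fs01.img", "sha256": "bb" * 32, "detection": "", "action": "allowed",
     "db_version": "27250", "db_updated": "2024-05-04T22:00:00Z"},
]


def normalize_event(ev: dict) -> dict:
    """Map a source-specific event onto the common evidence record."""
    if ev["source"] == "endpoint-av":
        return {"timestamp": ev["time"], "host": ev["host"], "user": ev["user"],
                "file_path": ev["folder"] + "\\" + ev["file"], "sha256": ev["sha256"].lower(),
                "detection": ev["threat"], "action": ev["action"].lower(),
                "signature_version": ev["sig_version"], "signature_updated": ev["sig_updated"],
                "scan_type": "realtime", "source": ev["source"]}
    if ev["source"] == "s3-clamav":
        return {"timestamp": ev["ts"], "host": "s3:" + ev["bucket"], "user": "lambda-scanner",
                "file_path": ev["key"], "sha256": ev["sha256"].lower(),
                "detection": ev["detection"], "action": ev["action"],
                "signature_version": ev["db_version"], "signature_updated": ev["db_updated"],
                "scan_type": "periodic", "source": ev["source"]}
    raise ValueError("unknown event source: %r" % ev.get("source"))


def missing_fields(rec: dict) -> List[str]:
    """Evidence completeness check; an empty detection is valid for a clean result."""
    return [f for f in REQUIRED if rec.get(f) is None]


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_report(events: List[dict], inventory: List[str], now: datetime) -> Dict:
    """Summarize coverage, results and signature freshness for a compliance report."""
    recs = [normalize_event(e) for e in events]
    hits = [r for r in recs if r["detection"]]
    return {
        "events": len(recs),
        "detections_by_action": dict(Counter(r["action"] for r in hits)),
        "detections_by_scan_type": dict(Counter(r["scan_type"] for r in hits)),
        "incomplete_records": [r["file_path"] for r in recs if missing_fields(r)],
        # inventory comes from the step 1 scoping list; a host with no events is a coverage gap
        "hosts_not_reporting": sorted(set(inventory) - {r["host"] for r in recs}),
        "stale_signatures": sorted({r["host"] for r in recs
                                    if now - parse_ts(r["signature_updated"]) > SIGNATURE_MAX_AGE}),
    }


if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS, ["LT-014", "LT-015", "FS01", "s3:acme-backups"],
                          parse_ts("2024-05-06T05:00:00Z"))
    print(json.dumps(report, indent=2))
```

Run against the constructed data, the report flags the two inventory hosts with no events and the S3 scanner whose ClamAV database is 31 hours old, which is exactly the kind of gap an assessor would ask about.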
6) Tuning, False Positive Management, and Incident Response Integration
Tune signatures and behavioral rules to reduce false positives: whitelist known-good software hashes, create YARA rules for legitimate internal tools, and document exceptions using change control. Develop a simple playbook: when a real-time alert triggers, isolate the host if ransomware indicators are present, collect the file hash and path, confirm the file is in quarantine, and escalate to incident response. For periodic scan detections, route to the same workflow but tag as "discovered by periodic scan" for SLA measurement. Automate remediation where safe (quarantine + rollback) and require manual review for high-risk items.
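The triage decision in that playbook, as an added example (not from the guide): given a normalized alert, it suppresses allowlisted hashes, isolates on ransomware indicators, hands successfully quarantined items to a verification step, and sends everything else to manual review, tagging each alert by discovery source for SLA tracking. The allowlist entry, the indicator heuristics, the field names and the SLA values are constructed for illustration.

```python
# Added example, not from the guide: triage step of the step 6 playbook, applied to an
# already-normalized alert record. Allowlist entries, ransomware heuristics and SLA
# values are constructed assumptions.
from dataclasses import dataclass, field
from typing import Dict, List

# Known-good hashes approved through change control (constructed placeholder entry).
ALLOWLIST: Dict[str, str] = {
    "cc" * 32: "CHG-0042 internal build tool",
}
RANSOMWARE_NAME_HINTS = ("ransom", "locker", "filecoder")   # substrings in detection names
MASS_MODIFICATION_THRESHOLD = 50   # files changed by one process in a short window
TRIAGE_SLA_HOURS = {"realtime": 1, "periodic": 24}


@dataclass
class TriageDecision:
    disposition: str            # suppressed | isolate_and_escalate | verify_remediation | manual_review
    isolate_host: bool
    tags: List[str] = field(default_factory=list)
    sla_hours: int = 24
    notes: List[str] = field(default_factory=list)


def is_ransomware_indicator(alert: dict) -> bool:
    """Name-based hint or a burst of file modifications from the detected process."""
    name = alert.get("detection", "").lower()
    if any(h in name for h in RANSOMWARE_NAME_HINTS):
        return True
    return alert.get("files_modified", 0) >= MASS_MODIFICATION_THRESHOLD


def triage(alert: dict) -> TriageDecision:
    scan_type = alert.get("scan_type", "realtime")
    d = TriageDecision(disposition="manual_review", isolate_host=False,
                       sla_hours=TRIAGE_SLA_HOURS[scan_type])
    # Tag by discovery source so periodic-scan finds can be measured separately (step 6).
    d.tags.append("discovered-by-periodic-scan" if scan_type == "periodic"
                  else "discovered-by-realtime")
    d.notes.append("evidence: sha256=%s path=%s" % (alert["sha256"], alert["file_path"]))

    if alert["sha256"] in ALLOWLIST:
        d.disposition = "suppressed"
        d.tags.append("false-positive-reviewed")
        d.notes.append("allowlisted under " + ALLOWLIST[alert["sha256"]])
        return d

    if is_ransomware_indicator(alert):
        d.disposition = "isolate_and_escalate"
        d.isolate_host = True
        d.tags.append("ransomware-indicator")
        d.sla_hours = 0          # act immediately, do not wait for the normal SLA
        return d

    if alert.get("action") == "quarantine" and alert.get("action_success", True):
        # Automation already contained it; the analyst confirms quarantine and any rollback.
        d.disposition = "verify_remediation"
        return d

    d.notes.append("detection without a successful quarantine; manual review required")
    return d
```

The allowlist check runs before everything else so a known-good hash never triggers isolation, but it is keyed on SHA-256, not path or name, so a renamed malicious file does not inherit an exception.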
Real-World Small Business Example
Example: Acme Engineering (25 users) uses Office 365, a single Windows file server, and AWS S3 for backups. Implementation: deploy Microsoft Defender on all endpoints, enable on-access scanning and cloud-delivered protection, schedule quick scans daily and full server scans weekly, add a Lambda function to run ClamAV on newly uploaded S3 objects, forward alerts to Microsoft Sentinel, and retain logs for 12 months. When a macro-based malware sample was detected on a user laptop, Defender quarantined the document and an automated workflow disabled the user's network access pending investigation—preventing lateral movement to the file server.
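As an added illustration of the scan-on-upload piece of this setup (example code written for this guide, not Acme's or any vendor's), the following Lambda-style handler runs ClamAV against each new S3 object, hashes it, flags objects over the step 4 size limit for manual review, and moves infected objects under a quarantine prefix. The bucket layout, the quarantine/ prefix, the tag names and the clamscan invocation are assumptions; clamscan's exit codes (0 clean, 1 infected, 2 error) are its documented behaviour.

```python
# Added example: an S3 "scan on upload" handler in the style of the Lambda + ClamAV setup
# in the Acme example. Not the guide's or Acme's code; bucket layout, tag names, the
# quarantine/ prefix and the 500 MB review threshold (from step 4) are assumptions.
import hashlib
import json
import os
import re
import subprocess
import tempfile
from dataclasses import asdict, dataclass
from typing import Callable, Tuple
from urllib.parse import unquote_plus

MAX_SCAN_BYTES = 500 * 1024 * 1024      # larger objects are flagged for manual review
QUARANTINE_PREFIX = "quarantine/"       # assumed: quarantined copies live under this prefix

# clamscan reports each hit as "<path>: <signature> FOUND"
CLAM_FOUND = re.compile(r"^(?P<path>.+?): (?P<sig>.+) FOUND$")


@dataclass
class ScanRecord:
    bucket: str
    key: str
    sha256: str
    size: int
    verdict: str      # clean | infected | review | error
    detection: str    # signature name when infected, otherwise ""
    action: str       # allowed | quarantined | flagged_for_review


def parse_clamscan_output(stdout: str, returncode: int) -> Tuple[str, str]:
    """Map clamscan's documented exit codes (0 clean, 1 infected, 2 error) to a verdict."""
    if returncode == 0:
        return "clean", ""
    if returncode == 1:
        for line in stdout.splitlines():
            m = CLAM_FOUND.match(line.strip())
            if m:
                return "infected", m.group("sig")
        return "infected", "UNKNOWN"
    return "error", ""


def scan_bytes(data: bytes) -> Tuple[str, str]:
    """Write the object to a temp file (Lambda only allows writes under /tmp) and run clamscan."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(data)
        path = tmp.name
    try:
        proc = subprocess.run(["clamscan", "--no-summary", path], capture_output=True, text=True)
        return parse_clamscan_output(proc.stdout, proc.returncode)
    finally:
        os.unlink(path)


def process_object(bucket: str, key: str, data: bytes,
                   scanner: Callable[[bytes], Tuple[str, str]] = scan_bytes,
                   max_bytes: int = MAX_SCAN_BYTES) -> ScanRecord:
    """Decision logic only: hash, size gate, scan, choose action. `scanner` is injectable."""
    digest = hashlib.sha256(data).hexdigest()
    if len(data) > max_bytes:
        return ScanRecord(bucket, key, digest, len(data), "review", "", "flagged_for_review")
    verdict, detection = scanner(data)
    # Scanner errors are never treated as clean; they go to manual review like oversized files.
    action = {"clean": "allowed", "infected": "quarantined"}.get(verdict, "flagged_for_review")
    return ScanRecord(bucket, key, digest, len(data), verdict, detection, action)


def handler(event: dict, context=None) -> list:
    """Lambda entry point for S3 ObjectCreated notifications. boto3 is imported here so the
    decision logic above can be exercised without AWS access."""
    import boto3
    s3 = boto3.client("s3")
    results = []
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])   # S3 URL-encodes keys in events
        body = s3.get_object(Bucket=bucket, Key=key)["Body"].read()
        result = process_object(bucket, key, body)
        final_key = key
        if result.action == "quarantined":
            # Move the object out of the working prefix before anything downstream syncs it.
            final_key = QUARANTINE_PREFIX + key
            s3.copy_object(Bucket=bucket, Key=final_key, CopySource={"Bucket": bucket, "Key": key})
            s3.delete_object(Bucket=bucket, Key=key)
        s3.put_object_tagging(Bucket=bucket, Key=final_key, Tagging={"TagSet": [
            {"Key": "scan-verdict", "Value": result.verdict},
            {"Key": "scan-sha256", "Value": result.sha256}]})
        print(json.dumps(asdict(result)))   # one JSON line per object; CloudWatch Logs forwards to the SIEM
        results.append(asdict(result))
    return results
```

The AWS calls are kept apart from the decision logic so the latter can be tested with an injected scanner. In production, stream the object to /tmp rather than reading it fully into memory, size the function's ephemeral storage for the largest object you intend to scan, and give the role only get, put-tagging, copy and delete rights on the bucket in question.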
Risks and Consequences of Not Implementing
Failure to implement periodic and real-time scanning increases the risk of undetected malware persistence, data exfiltration, and lateral movement. For contractors, this can mean loss of contracts, suspension, reputational damage, and potential penalties under FAR clauses. Operational impacts include ransomware encryption of backups, extended downtime, and costly incident response. From a compliance perspective, lack of documented scans and logs means failing to demonstrate controls during audits or assessments.
Compliance Tips and Best Practices
Document each decision: tool selection, scan schedules, exclusions, and proof of deployment (agent inventory, policy snapshots, signature update history). Run periodic test cases (ingest EICAR test files, controlled malware samples in a lab) to validate real-time and scheduled detection. Automate update management for signatures and agents and include scanning coverage in your System Security Plan or Evidence Package. For small businesses, consider managed detection services or MDR for 24/7 coverage if in-house SOC resources are limited.
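A detection self-test for the EICAR step, added here as an example rather than taken from the guide: it writes the public EICAR test file into a directory covered by on-access scanning, waits for the scanner to remove or block it, and returns an evidence record in the same field style as the scan logs. The file name, target directory and timeout are assumptions.

```python
# Added example, not from the guide: validate real-time detection with the EICAR test
# file and return an evidence record. File name, directory and timeout are assumptions.
import hashlib
import os
import platform
import time
from datetime import datetime, timezone
from typing import Dict

# The EICAR string is public and harmless. It is stored in two halves so that this
# source file itself does not match the signature and get quarantined by the scanner.
_EICAR_PARTS = ("X5O!P%@AP[4\\PZX54(P^)7CC)7}", "$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*")
EICAR_SHA256 = "275a021bbfb6489e54d471899f7db9d1663fc695ec2fe2a2c4538aabf651fd0f"


def eicar_bytes() -> bytes:
    """The 68-byte EICAR test string, joined only at runtime."""
    return "".join(_EICAR_PARTS).encode("ascii")


def eicar_sha256() -> str:
    return hashlib.sha256(eicar_bytes()).hexdigest()


def wait_for_quarantine(path: str, timeout_s: float, poll_s: float = 0.5) -> bool:
    """True if the file disappears (deleted or quarantined) before the timeout."""
    deadline = time.monotonic() + timeout_s
    while os.path.exists(path):
        if time.monotonic() >= deadline:
            return False
        time.sleep(poll_s)
    return True


def run_realtime_check(directory: str, timeout_s: float = 30.0) -> Dict[str, str]:
    """Drop the test file and record whether on-access scanning acted on it."""
    if eicar_sha256() != EICAR_SHA256:
        raise RuntimeError("EICAR test string is corrupted; aborting check")
    path = os.path.join(directory, "eicar-realtime-check.com")
    record = {"timestamp": datetime.now(timezone.utc).isoformat(), "host": platform.node(),
              "file_path": path, "sha256": EICAR_SHA256, "check": "realtime-eicar"}
    try:
        with open(path, "wb") as f:
            f.write(eicar_bytes())
    except OSError as exc:
        # Some scanners refuse the write itself (Windows reports a "file contains a virus"
        # error); that is also a successful detection.
        record["result"] = "detected_on_write"
        record["detail"] = str(exc)
        return record
    detected = wait_for_quarantine(path, timeout_s)
    if not detected and os.path.exists(path):
        os.remove(path)   # do not leave the test file behind
    record["result"] = "detected" if detected else "NOT_DETECTED"
    return record


if __name__ == "__main__":
    import json
    import tempfile
    print(json.dumps(run_realtime_check(tempfile.gettempdir()), indent=2))
```

Run it on a sample of endpoints after each policy change and file the returned records with the scan logs; a NOT_DETECTED result on a host means real-time protection is off, the directory is excluded, or the agent is not reporting, each of which is a finding in its own right.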
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 (SI.L1-B.1.XV) for file scanning requires a combination of properly scoped inventory, the right mix of real-time and scheduled scanning, centralized logging and evidence retention, tuning and playbooks for response, and clear documentation—actions that are practical for small businesses to implement with off-the-shelf AV/EDR tools, cloud connectors, and a few operational processes.