This guide explains how small businesses can implement both periodic (scheduled) and real-time file scanning to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 Control SI.L1-B.1.XV, with step-by-step implementation advice, practical examples, and what evidence auditors will expect.
Why this control matters and what the Compliance Framework expects
CMMC 2.0 Level 1 and FAR 52.204-21 require contractors handling Federal Contract Information (FCI) to implement basic safeguards such as detecting potentially malicious code or unauthorized modifications to files; the Compliance Framework maps this requirement to a combined approach of always-on (real-time) protection plus periodic full scans and logging that produce demonstrable evidence. Your objective is to ensure malware or unauthorized changes are detected quickly and that scan activity and results are retained as audit evidence.
Step 1 — Inventory and scope: what to scan and where
Start by scoping the systems that store or process FCI: desktops, laptops, file shares, application servers, and cloud storage. Create an inventory spreadsheet that lists OS, IP, purpose, owner, and whether the system is managed or BYOD. For small businesses, typical scope includes Windows 10/11 workstations, a few Linux servers, and cloud storage (e.g., SharePoint/OneDrive). Identify sensitive directories (e.g., \\fileserver\contracts, /srv/app/data) and mark them for priority scanning.
Step 2 — Choose the right tooling (practical options for small businesses)
Pick a combination of endpoint protection and file integrity monitoring (FIM) that supports real-time scanning and scheduled full scans. Practical small-business options: Microsoft Defender for Business (Windows endpoints), Sophos Intercept X, Malwarebytes Endpoint, or a managed EDR (CrowdStrike Falcon, SentinelOne) if budget allows. For Linux servers use Wazuh/OSSEC for FIM and EDR, or ClamAV plus inotify/auditd for basic alerts. For cloud files, enable native scanning (Microsoft 365 Defender for SharePoint/OneDrive) or integrate a CASB for deeper inspection. Ensure chosen tools can centralize logs to a syslog/SIEM or cloud log collection for retention and reporting.
Step 3 — Configure real-time protection and periodic scans
Real-time: enable on-access scanning on every endpoint and server so files are checked when created/modified/executed. Configure automatic updates for signatures/AI models and enable cloud-assisted detection where available. Periodic: schedule a full system/file share scan at a low-usage period (daily or weekly depending on risk and performance); schedule quick scans more frequently (e.g., every 4–8 hours). For Linux, set up a daily cron job that runs a recursive scan (or leverages FIM to detect changed files and scan only those). Document the schedule in your security policy.
Practical configuration examples
Example small-business setup: enable Microsoft Defender real-time protection and cloud-delivered protection on all Windows endpoints, configure Defender to perform a Quick Scan every 4 hours and a Full Scan weekly, and forward Defender events to a central Azure Sentinel or SIEM. For Linux, install Wazuh agents configured to watch critical directories (e.g., /etc, /var/www, /srv/data) for integrity changes and to run clamscan on changed files, with alerts forwarded to the same SIEM. For file shares, configure scheduled server-side scans during nights and integrate scan results into your ticketing system for triage.
Step 4 — Logging, retention, and evidence for audits
Logging is the audit trail auditors will want to see. Centralize logs (scan start/finish times, detections, quarantines, signature updates) from endpoints and servers to a SIEM, log collector, or at minimum a secure file server. Retain logs for a period aligned with contract requirements — a practical default is 90 days for Level 1 evidence — but confirm contract-specific retention. Produce weekly/monthly reports showing scan coverage, successful updates, detected items, and remediation tickets. Save configuration snapshots (agent versions, enabled protections) as additional evidence.
Step 5 — Triage, remediation, and false-positive handling
Define an incident-handling workflow for scan detections: triage (verify detection), contain (quarantine or isolate host), eradicate (remove malware), recover (restore clean files from trusted backups), and document. For small businesses, integrate detections into your helpdesk/ticketing system and assign SLAs (e.g., critical detections responded to within 4 hours). Maintain an exclusions policy for known-good executables/paths, but document approvals and rationale — auditors will expect documented justification for exclusions.
Risk of not implementing these controls
Failing to implement real-time and periodic scanning increases the risk of undetected malware, data exfiltration, and unauthorized file modification. For government contractors this can mean contract termination, loss of future contract opportunities, and potential legal or financial penalties. Operationally, undetected ransomware or credential-stealing malware can cause downtime, data loss, and reputational damage. From a compliance perspective, lack of logs and documented processes will fail an audit even if actual compromise did not occur.
Compliance tips and best practices
Maintain a written policy that describes scanning cadence, responsibilities, tools, and evidence retention. Automate where possible (agent deployment, signature updates, log forwarding). Perform quarterly tests: intentionally create test indicators (e.g., EICAR or harmless changed files) to verify detection and logging. Keep baselines of file integrity for key directories and track deviations. Ensure patching and least-privilege access are enforced so scanning is one element of a layered defense. Finally, keep documentation simple and exportable: inventory spreadsheets, scan logs, weekly reports, and remediation tickets are usually sufficient for Level 1 reviewers.
In summary, meeting FAR 52.204-21 and CMMC 2.0 SI.L1-B.1.XV requires a pragmatic combination of always-on endpoint protection, scheduled full scans, file integrity monitoring, centralized logging, and documented processes—actions that are achievable for small businesses using built-in platform tools plus lightweight agents and a simple SIEM or log collector. Implement the inventory, choose appropriate tooling, configure real-time and periodic scans, centralize logs, and document detection and remediation processes to produce clear audit evidence and materially reduce your risk.