Meeting FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV requires both periodic and real-time file scanning to detect and respond to malicious or unauthorized content; this guide walks a small business through planning, tool selection, configuration, deployment, and validation with practical examples and commands you can apply immediately.
Understanding the requirement and key objectives
Both FAR 52.204-21 and CMMC Level 1 aim to safeguard Federal Contract Information (FCI) and limit compromise of contractor environments; SI.L1-B.1.XV (FAR 52.204-21(b)(1)(xv)) requires periodic scans of the information system and real-time scans of files from external sources as they are downloaded, opened, or executed. Practically, that means you must (1) scan endpoint and server file systems on a schedule, (2) scan new or modified files on access, including email attachments, web downloads, removable media, and files landing on shares or in cloud buckets, and (3) log every detection and respond to it. Your assessment evidence will be configuration screenshots, scan schedules, alerting rules, and incident response tickets showing remediation.
Step 1 — Planning and scoping (what to scan and why)
Start by inventorying assets that store or process FCI: employee laptops, file servers, NAS, cloud buckets (S3/Blob), and collaboration shares. For a small business (10–50 employees) typical scope includes: Windows endpoints, a Linux server hosting user shares, and an S3 bucket used for contract deliverables. Classify directories by sensitivity and set scanning priorities — e.g., "deliverables" and "engineering" folders get daily full scans; general user folders get weekly full scans and hourly quick scans. Document the scope in a simple spreadsheet (hostname/path/type/owner/scan-frequency) as compliance evidence.
Step 2 — Tool selection and architecture
Choose a mix of on-access (real-time) and scheduled scanners. Microsoft Defender Antivirus, built into Windows 10/11, already provides both on-access and scheduled scans; Microsoft 365 Business Premium (Defender for Business) or E3/E5 (Defender for Endpoint) adds centralized policy, tamper protection, and detection reporting, which is usually the cheapest route for a small business already on Microsoft 365. Open-source combination: ClamAV for periodic scans (plus its clamonacc on-access scanner on Linux), Wazuh or OSSEC agents for file integrity monitoring (FIM) and alert forwarding, and an affordable commercial EDR where you need behavioural detection beyond ClamAV's signatures. CrowdSec is a log-based intrusion-prevention tool, not a file scanner, so do not count it toward this control. For cloud objects, note that Amazon Macie classifies sensitive data in S3 but does not look for malware; use GuardDuty Malware Protection for S3 or a Lambda + ClamAV scan of each uploaded object. Decide where agents run (endpoints and servers), where the manager lives (Wazuh manager / Elastic / Splunk), and which alert channel you use (email, Slack, or a ticketing system).
Real-world small business example
AcmeGovTech (20 employees) uses Microsoft Defender on Windows endpoints, Wazuh agents on its Ubuntu file server, and an S3 bucket for contract files. Defender provides real-time on-access scanning on endpoints; Wazuh performs FIM on /srv/shares and forwards alerts to the Elastic Stack (FIM shows that a file changed, the ClamAV jobs in Step 3 decide whether it is malicious); and a Lambda function runs ClamAV on S3 object-create events to scan uploaded documents before they are marked "deliverable". Because the object already exists in the bucket when the Lambda runs, the "deliverable" status has to gate downloads rather than merely label them. This hybrid model balances licensing cost and coverage.
Step 3 — Implement periodic scanning (concrete commands and schedules)
For Linux file servers, use cron with ClamAV for periodic full or targeted scans. Example crontab entries for a daily quick scan at 02:00 and a weekly full scan on Sunday at 03:00:

    0 2 * * * clamscan -r -i /srv/shares --log=/var/log/clamav/daily_quick.log
    0 3 * * 0 clamscan -r -i --max-filesize=50M /srv/shares --move=/srv/quarantine --log=/var/log/clamav/weekly_full.log

Two caveats: --bell, often seen in interactive examples, does nothing useful under cron, and --max-filesize=50M silently skips larger files, so either raise the limit for the weekly run or record it as a documented exclusion. Run freshclam (as a daemon or from cron) so signatures stay current; a scan with stale signatures is evidence of nothing. On a busy server prefer clamdscan against a running clamd, which avoids reloading the signature database for every job. On Windows, Microsoft Defender Antivirus has its own scheduler (Set-MpPreference -ScanScheduleDay, -ScanScheduleTime and -ScanParameters), which is the preferred way to set the schedule; if you use Task Scheduler instead, the parameter values are Start-MpScan -ScanType QuickScan and Start-MpScan -ScanType FullScan. Linux jobs should run as a dedicated account (or root) with read access to every share and write access to the quarantine directory and a central log location; Defender logs to the Microsoft-Windows-Windows Defender/Operational event log, which you forward rather than write to. Keep exclusions narrow (for example database files) and document each one with its business justification.
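The cron lines above hide two failure modes: clamscan/clamdscan exits 2 on an error (clamd down, unreadable share) and cron will not tell anyone, and nothing records how many files each run flagged. The wrapper below, an added example that is not part of the original guide, turns each run into an explicit status line and exit code, and hardens the quarantine directory. It assumes clamd and clamdscan are installed; the share, quarantine and log paths are assumptions you can override through the environment. The parsing is demonstrated on a constructed log so it can be checked without clamd.

```bash
#!/usr/bin/env bash
# scan-shares.sh: wrapper for the periodic ClamAV cron jobs (added example,
# not part of the original guide). Assumes clamd is running locally and
# clamdscan is installed; SHARE_ROOT, QUARANTINE and LOG_DIR are assumed paths.
set -u

SHARE_ROOT="${SHARE_ROOT:-/srv/shares}"
QUARANTINE="${QUARANTINE:-/srv/quarantine}"
LOG_DIR="${LOG_DIR:-/var/log/clamav}"

# clamscan/clamdscan exit status: 0 = clean, 1 = at least one file flagged,
# 2 = error (clamd down, unreadable path). A job that silently returns 2 is
# not a scan, so every status becomes an explicit label and a non-zero exit.
scan_status_label() {
  case "$1" in
    0) echo "clean" ;;
    1) echo "infected" ;;
    *) echo "error" ;;
  esac
}

# Read "Infected files: N" from the scan summary that --log writes.
# Prints 0 when the summary is missing (scan aborted before finishing).
infected_count() {
  awk -F': *' '/^Infected files:/ {print $2; found=1} END {if (!found) print 0}' "$1"
}

# One key=value line per run so the SIEM can parse it without a custom pattern.
summary_line() {   # args: mode rc logfile
  printf 'clamav_scan mode=%s status=%s infected=%s log=%s host=%s\n' \
    "$1" "$(scan_status_label "$2")" "$(infected_count "$3")" "$3" \
    "${HOSTNAME:-$(uname -n)}"
}

run_scan() {   # args: quick|full
  local mode="$1" log rc
  log="$LOG_DIR/${mode}_$(date +%F).log"
  # Quarantine must be outside the share, mode 0700, and never exported.
  install -d -m 0700 "$QUARANTINE"
  case "$mode" in
    quick) clamdscan --fdpass --multiscan --infected --log="$log" \
             "$SHARE_ROOT/deliverables" "$SHARE_ROOT/engineering" ;;
    full)  clamdscan --fdpass --multiscan --infected --move="$QUARANTINE" \
             --log="$log" "$SHARE_ROOT" ;;
    *)     echo "usage: $0 quick|full" >&2; return 2 ;;
  esac
  rc=$?
  summary_line "$mode" "$rc" "$log" | tee -a "$LOG_DIR/scan_summary.log"
  return "$rc"
}

# Offline demonstration on a constructed clamdscan log (the first signature
# name is made up; Win.Test.EICAR_HDB-1 is ClamAV's real EICAR signature).
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
/srv/shares/deliverables/invoice.docm: Doc.Dropper.Agent-12345 FOUND
/srv/shares/engineering/build.zip: Win.Test.EICAR_HDB-1 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
Time: 41.203 sec (0 m 41 s)
EOF
summary_line full 1 "$SAMPLE_LOG"
```

In cron, replace the raw clamscan commands with `/usr/local/sbin/scan-shares.sh quick` and `... full`; cron's own failure mail, or a systemd timer with OnFailure=, then fires on the non-zero exit, and the scan_summary.log line is the artifact that shows the scan ran and what it found.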
Step 4 — Implement real-time/on-access scanning
Prefer a vendor EDR or AV with kernel-level on-access scanning: a file system filter driver on Windows, fanotify or a vendor kernel module on Linux. ClamAV ships its own on-access scanner, clamonacc, which uses fanotify and, with OnAccessPrevention yes in clamd.conf, can block the open until the scan finishes; use it in preference to the inotify loop below, which only scans after a write completes and leaves a window in which the file is readable. The inotify approximation, corrected to recurse into subdirectories, cope with paths containing spaces, and use clamdscan so the signature database is not reloaded for every file:

    inotifywait -m -r -e close_write,moved_to --format '%w%f' /srv/shares |
      while IFS= read -r FILE; do
        clamdscan --fdpass --infected --move=/srv/quarantine --log=/var/log/clamav/onaccess.log "$FILE"
      done

On Windows, enable Defender's real-time protection and cloud-delivered protection, enforce them through Group Policy or Intune, and confirm locally with:

    Set-MpPreference -DisableRealtimeMonitoring $false
    Get-MpComputerStatus | Select-Object RealTimeProtectionEnabled, IsTamperProtected

Also enable tamper protection (set from Intune, the Defender portal, or the Windows Security app; it cannot be switched on with Set-MpPreference) so local administrators cannot turn on-access scanning off. For uploads to S3, send s3:ObjectCreated:* event notifications to a Lambda that runs ClamAV (or calls a scanning API) on the new object; on detection, copy the object to a quarantine prefix, delete the original, and raise an alert. The event fires after the object is already stored, so either tag each object with its scan result and deny GetObject until the tag says clean, or stage uploads in a separate bucket users cannot read from. Mind Lambda's 15-minute timeout and ephemeral storage limits when deliverables are large.
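The S3 gating just described, as an added example that is not part of the original guide: a bucket policy that denies GetObject to everyone except the scanner role until the object carries a scan-status=clean tag, plus the two actions the scanner takes once clamdscan returns. The bucket name, the tag key, the quarantine prefix and the scanner role ARN are assumptions; the aws s3api subcommands are the real ones but are only invoked through the functions, so the script runs offline and just prints the policy.

```bash
#!/usr/bin/env bash
# s3-scan-gate.sh: read-gating for an S3 upload-scanning flow (added example,
# not part of the original guide). TAG_KEY, QUARANTINE_PREFIX and the bucket
# and role names used below are assumptions.
set -u

TAG_KEY="scan-status"
QUARANTINE_PREFIX="quarantine/"

# An ObjectCreated trigger fires after the object is already readable, so a
# bucket policy denies GetObject until the scanner tags the object "clean".
# An untagged object fails StringNotEquals and is therefore denied; the
# scanner role is exempt so it can still fetch the object to scan it.
gate_policy() {   # args: bucket scanner_role_arn
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "DenyReadUntilScannedClean",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::$1/*",
    "Condition": {
      "StringNotEquals": {"s3:ExistingObjectTag/$TAG_KEY": "clean"},
      "ArnNotEquals": {"aws:PrincipalArn": "$2"}
    }
  }]
}
EOF
}

apply_gate() {   # args: bucket scanner_role_arn
  aws s3api put-bucket-policy --bucket "$1" --policy "$(gate_policy "$1" "$2")"
}

# Called by the scanner with the clamdscan exit status (0 clean, 1 infected).
# Clean objects are tagged and become readable. Infected objects are copied to
# the quarantine prefix with an "infected" tag (still denied by the policy) and
# the original key is deleted. The scanner role needs s3:GetObject,
# s3:PutObjectTagging, s3:PutObject and s3:DeleteObject on the bucket.
record_scan_result() {   # args: bucket key rc
  local bucket="$1" key="$2" rc="$3"
  if [ "$rc" -eq 0 ]; then
    aws s3api put-object-tagging --bucket "$bucket" --key "$key" \
      --tagging "TagSet=[{Key=$TAG_KEY,Value=clean}]"
  else
    aws s3api copy-object --bucket "$bucket" --key "$QUARANTINE_PREFIX$key" \
      --copy-source "$bucket/$key" --tagging-directive REPLACE \
      --tagging "$TAG_KEY=infected"
    aws s3api delete-object --bucket "$bucket" --key "$key"
  fi
}

# Offline demonstration: print the policy for a made-up bucket and role.
gate_policy example-contract-deliverables \
  arn:aws:iam::123456789012:role/s3-clamav-scanner
```

Because the statement is an explicit Deny, it also overrides presigned URLs and any Allow in IAM policies, which is the point: a user who races the scanner still gets AccessDenied. Objects uploaded before the policy existed carry no tag and are denied too, so tag or rescan the backlog when you roll it out.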
Step 5 — Logging, alerting, integration, and validation
Send all scan logs and detections to a central log store or SIEM (Elastic, Splunk, or a managed log service). Normalize events to CEF or ECS so rules are written once against fields such as file.path and rule.name instead of per-tool parsing patterns. In the open-source stack the usual alert path is a Wazuh rule that matches ClamAV detections and an integration that forwards them to Elastic and a PagerDuty webhook. Retain logs according to contract requirements; a common small-business baseline is 90–180 days, but keep evidence longer if your contract requires it. Validate weekly with the EICAR test file and monthly with a short tabletop: drop an EICAR file on each class of asset (endpoint, share, S3 bucket) and confirm detection, quarantine, alert and ticket, recording the time between write and alert. EICAR exercises the pipeline, not detection quality, so check signature freshness as part of the same test. Keep screenshots and incident tickets as artifacts for the assessor.
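ECS normalization of ClamAV output, as an added example that is not part of the original guide or of the Wazuh or Elastic projects: the converter below turns each "path: Signature FOUND" line that clamscan/clamdscan write with --log into one ECS-style JSON event that a shipper (Filebeat, Elastic Agent, or the Wazuh log collector) can pick up, and separates EICAR validation hits from real detections by severity so the weekly test does not page anyone. The ECS field names are real; "clamav.signature" and the severity scale (1 for EICAR, 5 otherwise) are assumptions, as is the sample log, which is constructed.

```bash
#!/usr/bin/env bash
# clamav-to-ecs.sh: convert ClamAV detection lines into ECS JSON (added
# example, not part of the original guide). Assumes the "path: Signature FOUND"
# format written by clamscan/clamdscan --log, and paths that contain no ": ".
set -u

# Minimal JSON string escaping: backslash and double quote. Paths with other
# control characters are an assumption not covered here.
json_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Severity scale is our own: the EICAR test signature is a validation event
# (1), everything else is a real detection (5) that should page on-call.
severity_for() {   # arg: signature name
  case "$1" in
    *EICAR*) echo 1 ;;
    *)       echo 5 ;;
  esac
}

# Convert one detection line to ECS JSON. Non-detection lines (summary, blank,
# "OK" lines) are skipped: nothing is printed and the function returns 1.
to_ecs() {   # args: line [host]
  local line="$1" host="${2:-${HOSTNAME:-$(uname -n)}}" path sig
  case "$line" in
    *" FOUND") ;;
    *) return 1 ;;
  esac
  line="${line% FOUND}"
  sig="${line##*: }"     # text after the last ": " is the signature name
  path="${line%: *}"     # everything before it is the file path
  printf '{"@timestamp":"%s","event":{"kind":"alert","category":["malware"],"type":["info"],"severity":%s},"host":{"name":"%s"},"file":{"path":"%s"},"rule":{"name":"%s"},"clamav":{"signature":"%s"},"observer":{"product":"ClamAV"}}\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(severity_for "$sig")" \
    "$(json_escape "$host")" "$(json_escape "$path")" \
    "$(json_escape "$sig")" "$(json_escape "$sig")"
}

# Convert a whole log file; one JSON line per detection.
convert_log() {   # args: logfile [host]
  local line
  while IFS= read -r line; do
    to_ecs "$line" "${2:-}" || true
  done <"$1"
}

# Constructed sample log: one EICAR validation hit and one made-up detection.
SAMPLE_LOG="$(mktemp)"
cat >"$SAMPLE_LOG" <<'EOF'
/srv/shares/engineering/eicar test.com: Win.Test.EICAR_HDB-1 FOUND
/srv/shares/deliverables/invoice.docm: Doc.Dropper.Agent-12345 FOUND

----------- SCAN SUMMARY -----------
Infected files: 2
EOF
convert_log "$SAMPLE_LOG" fs01
```

Run it as `tail -F /var/log/clamav/onaccess.log | while IFS= read -r l; do to_ecs "$l"; done >> /var/log/clamav/ecs.ndjson` (or call convert_log on each scheduled scan's log) and point the shipper at the .ndjson file; the SIEM rule then keys on event.category:malware and event.severity >= 5, while severity 1 events are the evidence that the weekly EICAR check ran.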
Risks of not implementing and compliance tips
Failure to implement periodic and real-time scanning increases risk of undetected malware, ransomware encryption, exfiltration of FCI, and supply-chain compromise; it also risks contract penalties, loss of federal work, and damaged reputation. Best practices: minimize exclusions, document every exclusion with business justification and compensating controls; enforce least privilege to limit spread after detection; train staff to avoid risky attachments; and maintain an exception process. For small teams, automation (auto-quarantine and auto-ticket creation) reduces human latency and provides traceable evidence for CMMC auditors.
In summary, meeting FAR 52.204-21 and CMMC 2.0 SI.L1-B.1.XV is achievable for small businesses with a pragmatic combination of periodic scheduled scanning, real-time on-access scanning, centralized logging, and documented validation. Inventory your assets, select appropriate tools (leveraging existing Microsoft or cloud capabilities where possible), implement clear schedules and quarantine workflows, integrate alerts into a ticketing/SIEM pipeline, and keep test artifacts and runbooks to demonstrate control effectiveness during assessments.