Requirement
FAR 52.204-21 / CMMC 2.0 Level 1 - Control SI.L1-B.1.XIII - Provide protection from malicious code at appropriate locations within organizational information systems.
Understanding the Requirement
This control requires that your organization identify where malware protection is needed and deploy appropriate tools so systems are protected from viruses, spyware, and other malicious code. In practice that means designating locations such as workstations, servers, and any network choke points (e.g., firewall/UTM appliances) and ensuring those locations have active anti-malware controls in place. To meet FAR 52.204-21 / CMMC 2.0 Level 1 you should combine endpoint anti-malware on hosts, malware inspection on perimeter devices where available, and processes to keep detection capabilities current and monitored.
Technical Implementation
- Inventory and designate locations. Create a short inventory of all endpoints (workstations, laptops, servers, and mobile devices) and network devices that can or should provide malware inspection (firewalls/UTMs, mail gateways). Mark which systems require agent-based protection and which will be covered by network-level scanning.
- Deploy managed anti-malware agents. Install a centrally managed anti-malware product on all workstations and servers. Use a management console so you can push installs, enforce real-time protection, configure scheduled scans, and monitor health/status without logging in to each device manually.
- Configure network and gateway scanning. Enable malware inspection on email gateways and perimeter devices if available (e.g., ATP on firewall, anti-spam with attachment scanning). Configure these devices to block known-malicious payloads and quarantine suspicious items for review.
- Keep definitions and engines current. Enforce automatic updates for signatures and engines and set a policy for how quickly critical updates must be applied (ideally automatic and continuous). Verify update success via your management console and alert on failed updates.
- Logging, alerts, and response playbook. Configure logging to send malware detection events to a centralized log or SIEM. Create simple response steps for detections (isolate host, run full scan, remediate, preserve evidence) and assign roles so administrators know who responds and how to escalate.
- Least privilege and removable media controls. Reduce the attack surface by limiting administrative privileges and restricting execution from removable media where practical. Combine these controls with anti-malware to reduce the risk of code running undetected.
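The six steps above come together as a recurring check: compare the designated locations against what the management console actually reports, flag locations with no protection or stale signatures, and turn detection events into playbook actions for the responder. The script below is an added example, not code from the page or from any anti-malware vendor. It assumes a console export shaped like the constructed INVENTORY and EVENTS records at the bottom; the field names, the 24-hour signature-age policy, the confidence threshold and the host names are all hypothetical.

```python
"""Coverage audit for SI.L1-B.1.XIII: are the designated locations protected
and current, and which detections need a human response?

Added example, not the page's own or any vendor's code. It assumes an
inventory export from a management console shaped like INVENTORY below and
detection events shaped like EVENTS; field names and thresholds are
hypothetical and all records are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_SIGNATURE_AGE_HOURS = 24                       # hypothetical policy value
AGENT_ROLES = {"workstation", "laptop", "server"}  # locations needing a host agent
GATEWAY_ROLES = {"firewall", "mail_gateway"}       # locations covered by network scanning
PLAYBOOK = ["isolate host", "run full scan", "remediate", "preserve evidence"]


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str
    severity: str  # "high" = no protection at that location, "medium" = not current


def audit_inventory(inventory, now):
    """Return one Finding per gap between the designated locations and reality."""
    findings = []
    for rec in inventory:
        host, role = rec["hostname"], rec["role"]
        if role in AGENT_ROLES:
            if not rec.get("agent_installed"):
                findings.append(Finding(host, "no anti-malware agent installed", "high"))
                continue  # nothing else to check on an unprotected host
            if not rec.get("realtime_protection"):
                findings.append(Finding(host, "real-time protection disabled", "high"))
            stamp = rec.get("last_signature_update")  # ISO 8601 timestamp or None
            if stamp is None:
                findings.append(Finding(host, "no signature update recorded", "medium"))
            else:
                age = now - datetime.fromisoformat(stamp)
                if age > timedelta(hours=MAX_SIGNATURE_AGE_HOURS):
                    hours = age.total_seconds() / 3600
                    findings.append(Finding(host, f"signatures stale ({hours:.0f} h old)", "medium"))
            if rec.get("last_update_status") == "failed":
                findings.append(Finding(host, "last signature update failed", "medium"))
        elif role in GATEWAY_ROLES:
            if not rec.get("malware_inspection_enabled"):
                findings.append(Finding(host, "gateway malware inspection disabled", "high"))
    return findings


def summarize(findings):
    """Count findings by severity for the weekly review."""
    counts = {"high": 0, "medium": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


def triage_detections(events, inventory):
    """Decide which detection events page the responder with playbook steps.

    Low-confidence events the agent already quarantined or blocked stay in the
    central log for weekly review; anything else becomes an alert, escalated
    when the host is a server or the agent could not remediate."""
    role_of = {r["hostname"]: r["role"] for r in inventory}
    alerts = []
    for ev in events:
        remediated = ev["action"] in ("quarantined", "blocked")
        if remediated and ev["confidence"] < 0.9:
            continue
        alerts.append({
            "host": ev["hostname"],
            "threat": ev["threat"],
            "escalate": (not remediated) or role_of.get(ev["hostname"]) == "server",
            "steps": PLAYBOOK,
        })
    return alerts


# Constructed sample data: a console export as of NOW (not from any real system).
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
INVENTORY = [
    {"hostname": "ws-01", "role": "workstation", "agent_installed": True, "realtime_protection": True,
     "last_signature_update": "2024-05-01T08:00:00+00:00", "last_update_status": "ok"},
    {"hostname": "ws-02", "role": "laptop", "agent_installed": True, "realtime_protection": False,
     "last_signature_update": "2024-04-28T08:00:00+00:00", "last_update_status": "failed"},
    {"hostname": "srv-files", "role": "server", "agent_installed": False},
    {"hostname": "fw-edge", "role": "firewall", "malware_inspection_enabled": True},
    {"hostname": "mail-gw", "role": "mail_gateway", "malware_inspection_enabled": False},
]
EVENTS = [  # constructed detection events; threat labels are placeholders
    {"hostname": "ws-01", "threat": "Trojan.Generic.sample", "confidence": 0.6, "action": "quarantined"},
    {"hostname": "ws-02", "threat": "Ransom.Generic.sample", "confidence": 0.97, "action": "quarantined"},
    {"hostname": "srv-files", "threat": "Backdoor.Generic.sample", "confidence": 0.7, "action": "detected"},
]

if __name__ == "__main__":
    found = audit_inventory(INVENTORY, NOW)
    for f in found:
        print(f"[{f.severity.upper()}] {f.host}: {f.issue}")
    print("summary:", summarize(found))
    for a in triage_detections(EVENTS, INVENTORY):
        print("ALERT", a["host"], a["threat"], "escalate=" + str(a["escalate"]), "->", ", ".join(a["steps"]))
```

On the sample data the audit reports three high findings (real-time protection off on ws-02, no agent on srv-files, inspection disabled on mail-gw) and two medium ones (stale and failed signature updates on ws-02), and triage pages the responder for the high-confidence ransomware detection on ws-02 and escalates the unremediated server detection while leaving the low-confidence quarantined item for the weekly log review. Running this against a real export is only as good as the export: the "no agent" and "inspection disabled" checks are what catch locations the inventory step designated but nobody ever covered.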
Example in a Small or Medium Business
Acme Design Co. has 35 employees and two on-premises servers supporting file shares and a small web application. The IT lead inventories all 30 workstations, 3 servers, and their cloud-hosted backups, and decides to deploy a single managed anti-malware solution across all endpoints. She configures the management console to enforce real-time protection, schedule nightly full scans, and require automatic signature updates. The perimeter firewall has a malware inspection module, so she enables attachment scanning and configures suspicious files to be quarantined rather than delivered. The team configures alerts to email the IT lead for high-confidence detections and sends all detection logs to a lightweight log server for weekly review. They also remove local admin rights from standard users and disable autorun on removable media to reduce exposure. When a laptop later detects ransomware behavior, the console isolates the device automatically, the IT lead follows the incident steps to contain and restore from a clean backup, and the team documents lessons learned to adjust scan schedules and email quarantine rules.
Summary
By identifying where malware protection is needed, deploying centrally managed anti-malware agents on endpoints, enabling inspection on perimeter devices, and maintaining update, logging, and response processes, SMBs can meet the control's intent. These combined policy and technical measures create layered defenses that detect, block, and enable rapid response to malicious code, reducing the likelihood of an infection spreading and helping you demonstrate compliance with the requirement.