Requirement
NIST SP 800-171 Rev. 2 / CMMC 2.0 Level 2, Control SI.L2-3.14.5: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
Understanding the Requirement
This control requires that your organization perform both scheduled (periodic) scans of systems and continuous (real-time) scanning of files that come from external sources so malware cannot install or run undetected. The goal is to define how often full and incremental scans run, ensure those scans actually occur on the defined schedule, and enable on-access scans that inspect files when they are downloaded, opened, or executed. Following the NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 guidance ensures these activities are documented, enforced, and monitored.
Technical Implementation
- Deploy enterprise anti-malware across endpoints and servers. Use a centrally managed solution (not standalone consumer AV) that supports on-access (real-time) scanning, scheduled full scans, automatic signature and engine updates, and centralized policy enforcement. Ensure coverage for Windows, macOS, Linux, and key servers.
- Enable real-time scanning for external content. Configure the product to scan files on download, when opened, and at execution time. Include browser downloads, email attachments, file shares, and removable media. For cloud-synced folders, enable local scanning of files as they arrive.
- Define and implement scanning frequency in policy. Document a scanning frequency policy: for example, full system scan weekly (e.g., Friday 17:00), daily quick scans, and continuous on-access scanning. Record who approves exceptions and where the policy lives (policy repository or intranet).
- Centralize management, logging, and alerting. Use the management console to push policies, collect scan/compliance reports, and forward suspicious detections to your SIEM or log collector. Configure alerts for malware detections and failed scans so IT staff can respond promptly.
- Maintain signature/engine updates and leverage cloud/behavioral detection. Configure automatic signature and engine updates at least daily (prefer immediate updates). Enable cloud-based threat intelligence and behavioral/heuristic detection to reduce reliance on signatures alone.
- Handle exclusions, exceptions, and removable media safely. Create a documented process for approved exclusions (with business justification), keep the list minimal, and periodically review it. Ensure removable media gets scanned on insertion and use device control policies to restrict unknown media.
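As an added example (not part of the original page), the settings above expressed for a Windows endpoint running Microsoft Defender Antivirus, which is assumed here as the deployed anti-malware agent; the weekly Friday 17:00 full scan, daily quick scan and at-least-daily signature thresholds follow the policy example, and a central console (Intune or GPO) would push the same values rather than running this per host.

```powershell
# Added example: enforce and verify the SI.L2-3.14.5 scan settings on a
# Windows host with Microsoft Defender Antivirus (assumed agent).
# Run from an elevated PowerShell session.

$MaxSigAgeHours  = 24   # policy: signature/engine updates at least daily
$MaxFullScanDays = 7    # policy: full system scan weekly

# 1. Real-time (on-access) scanning of downloaded, opened and executed files,
#    removable media on insertion, and cloud/behavioural detection.
Set-MpPreference -DisableRealtimeMonitoring $false `
                 -DisableIOAVProtection $false `
                 -DisableBehaviorMonitoring $false `
                 -DisableRemovableDriveScanning $false `
                 -MAPSReporting Advanced `
                 -SubmitSamplesConsent SendSafeSamples

# 2. Periodic scans: full scan Friday 17:00, quick scan daily at noon,
#    signature update check every hour.
Set-MpPreference -ScanParameters FullScan `
                 -ScanScheduleDay Friday `
                 -ScanScheduleTime "17:00" `
                 -ScanScheduleQuickScanTime "12:00" `
                 -SignatureUpdateInterval 1

# 3. Compliance check: does this host actually meet the documented policy?
function Test-ScanCompliance {
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference
    $sigAgeHours = (New-TimeSpan -Start $status.AntivirusSignatureLastUpdated `
                                 -End (Get-Date)).TotalHours
    [pscustomobject]@{
        RealTimeEnabled   = $status.RealTimeProtectionEnabled
        OnAccessScanning  = -not $pref.DisableIOAVProtection
        RemovableScanning = -not $pref.DisableRemovableDriveScanning
        SignaturesCurrent = $sigAgeHours -le $MaxSigAgeHours
        # FullScanAge is in days; a host that never ran a full scan reports a huge value
        FullScanCurrent   = $status.FullScanAge -le $MaxFullScanDays
        # compare against the approved, documented exclusion list
        ExclusionCount    = @($pref.ExclusionPath).Count
    }
}

$result = Test-ScanCompliance
$result | Format-List

# A failed check is a reportable event (missed scan, stale signatures),
# not something to leave until the next periodic review.
if (-not ($result.RealTimeEnabled -and $result.OnAccessScanning -and
          $result.SignaturesCurrent -and $result.FullScanCurrent)) {
    Write-Warning "Endpoint does not meet the SI.L2-3.14.5 scan policy"
}
```

The same checks can be scheduled to run fleet-wide and forwarded to the SIEM so that a missed weekly scan or a stale signature set surfaces as an alert rather than being discovered at audit time.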
Example in a Small or Medium Business
A small engineering firm purchases an enterprise anti-malware suite with a cloud-managed console and installs agents on all 40 employee laptops and two file servers. The IT lead creates a malware scanning policy that specifies on-access scanning for downloads, email attachments, and USB devices, and schedules a full system scan weekly on Friday at 5:00 PM when activity is low. Agents are configured to update signatures automatically and to use cloud behavioral analysis to catch unknown threats. The management console is set to send alerts to the sysadmin and to log events to the firm's log server for retention and review. The firm documents an exclusions process requiring manager approval and quarterly review to avoid risky exceptions. When the console reports a detection on a workstation, the sysadmin isolates the device, performs a forensic scan, removes the malware, and restores the system from a validated backup while recording the incident. This workflow assures business leaders that periodic and real-time scanning are working and that detections are handled consistently.
Summary
Combining a clear policy that defines scan frequency and exception handling with a centrally managed anti-malware solution that enforces real-time scanning of external files, schedules periodic full scans, updates threat data automatically, and produces actionable logs will meet this requirement. For SMBs, practical steps are: pick an enterprise-grade product, enable on-access scanning for downloads/open/execute events, schedule regular full scans, ensure automatic updates, and monitor detections through centralized alerts and reporting—then make system/network administrators responsible for enforcement and review.