Small contractors and SMBs that must comply with FAR 52.204-21 and CMMC 2.0 Level 1 (SI.L1-B.1.XIII) need pragmatic, repeatable controls to stop malicious code from reaching cloud workloads β this post gives concrete configurations, tool choices, and test procedures you can implement today to demonstrate compliance and reduce real-world risk.
What the control requires in practice
At Level 1 the objective is "basic cyber hygiene": prevent, detect, and respond to malicious code on systems that store, process, or transmit Covered Defense Information (CDI). For cloud workloads that means applying malware-defensive controls at build-time (image hardening), in transit (pipeline scanning and signing), and at runtime (EDR/IDS, host/container runtime policies), plus logging and documentation to prove you performed those steps for Compliance Framework assessments.
Practical configurations for cloud workloads
Start with secure image practices and runtime hardening. Build minimal images (Distroless or Alpine-minimal), remove package managers, and set immutable tags. In Kubernetes set at least these Pod-level settings: securityContext.runAsNonRoot: true, securityContext.readOnlyRootFilesystem: true, securityContext.allowPrivilegeEscalation: false. Apply a restrictive seccomp profile and enforce AppArmor/SELinux where available. For VMs, disable unused services, close unnecessary ports, and enable automatic OS-level patching (use AWS Systems Manager Patch Manager, Azure Update Management, or Googleβs OS Patch Management).
Image signing, scanning, and SBOMs
Integrate image scanning and signing into CI: generate an SBOM with syft or cyclonedx, scan images with trivy or anchore, and sign images with cosign. Example CI step: trivy image --exit-code 1 --severity CRITICAL,HIGH myrepo/myimage:CI-${GITHUB_RUN_ID} to fail builds on high/critical findings. Store SBOMs and scan output as evidence for audits and provide immutable, signed images in a private registry (ECR/GCR/ACR) with image policy enforcement.
Runtime protections and network controls
Deploy runtime detection such as Falco (open-source) or a managed EDR like CrowdStrike/SentinelOne/Microsoft Defender for Endpoint. Enable host-based intrusion detection, container runtime rules to detect execs, unusual network connections, or shell activity in containers. Restrict egress with cloud egress rules and DNS filtering; block direct internet access from compute instances unless necessary. Apply least-privilege IAM roles to workloads (use Workload Identity on GCP, IAM Roles for Service Accounts on AWS) to limit impact if a workload is compromised.
Tools (managed & open-source) and deployment notes
Cost-effective toolset for small businesses: Trivy for image scanning, Syft for SBOMs, Cosign for signing, Falco for runtime alerts, Wazuh or OSSEC for host-based monitoring, and an affordable EDR (or Defender for Business). Cloud-native managed options: AWS Inspector + ECR image scanning + GuardDuty + Defender for Containers (Azure) or Binary Authorization on GKE. For each tool, deploy agents via automation (Terraform/CloudFormation/ARM) and include agent install and configuration in your build scripts to ensure consistent baseline across environments.
Tests and validation you should run regularly
Validate detection and response with safe, repeatable tests: place an EICAR test file in a workload (e.g., create a file containing the EICAR test string) to confirm your malware scanners detect and alert; run image scans in CI and purposely introduce a known-vulnerable package to confirm failures; simulate runtime anomalies with benign commands (e.g., unexpected bash exec in a container) and verify Falco/EDR alerts and your incident playbook. Maintain a runbook and record timestamps/screenshots/logs as compliance evidence.
Compliance tips, evidence collection, and common pitfalls
Document each step: CI scan configuration, SBOM outputs, image signing artifacts, runtime alert logs, and remediation tickets. Keep logs centralized in a cloud SIEM (CloudWatch Logs, Azure Monitor, GCP Logging) and retain at least the period your assessors expect; for small businesses 90β180 days is typical. Avoid relying solely on default cloud settings; explicitly enable image verification, automation of patching, and proof of non-root containers. Common pitfalls: unsigned images in production, missing SBOMs, no runtime detection, and lack of documented test results.
Risk of not implementing these controls
Without these controls attackers can introduce backdoors, cryptominers, or data exfiltration tools into your workloads. For contractors that can mean loss of contracts, damage to reputation, regulatory penalties, and the practical cost of incident response. From a compliance perspective, lacking demonstrable build-time scanning, image signing, runtime detection, and evidence of testing will fail an assessor for FAR 52.204-21 / CMMC Level 1 requirements.
Summary: implement a layered approach β hardened images, CI-integrated scanning and SBOMs, image signing, runtime detection/EDR, network egress control, and documented, repeatable tests β and capture logs and artifacts as audit evidence. For a small business, prioritize cloud-managed services where possible, supplement with open-source scanning and runtime tools, automate everything in CI/CD, and run regular, documented tests (EICAR, CI failure injection, runtime anomaly simulation) to both reduce risk and demonstrate compliance under the Compliance Framework.
