{
  "title": "How to Test, Validate, and Document Periodic Scans and On-Access File Scanning: Evidence Checklist for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - SI.L2-3.14.5",
  "date": "2026-04-25",
  "author": "Lakeridge Technologies",
  "featured_image": "/assets/images/blog/2026/4/how-to-test-validate-and-document-periodic-scans-and-on-access-file-scanning-evidence-checklist-for-nist-sp-800-171-rev2-cmmc-20-level-2-control-sil2-3145.jpg",
  "content": {
    "full_html": "<p>This post explains how to test, validate, and document periodic scans and on-access file scanning to meet NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 control SI.L2-3.14.5 for small-to-midsize organizations, with a practical evidence checklist, test steps, and real-world examples that you can use during an assessment or internal audit.</p>\n\n<h2>Understanding the control and practical scope</h2>\n<p>SI.L2-3.14.5 requires organizations to ensure systems are scanned for malicious code using both periodic (scheduled) and on-access (real-time) scanning. For Compliance Framework implementation this means: document the scanning policy and scope (endpoints, servers, removable media, cloud storage), configure tools for signature and heuristic detection, enable on-access scanning by default, schedule full and targeted scans, and retain artifacts that prove scans ran and detections were handled.</p>\n\n<h2>How to test and validate scanning behavior</h2>\n<p>Testing should include automated evidence gathering and manual validation. Automated evidence: console screenshots of management platforms (EDR/AV), export of scan logs, signature/version update history, scheduled task definitions, and SIEM/log aggregator entries with relevant timestamps. Manual validation: deploy the EICAR test file (a harmless, industry-standard detection test) and verify it is detected, quarantined, or blocked; copy/move test files to network shares and removable media to confirm on-access scanning triggers; and review detection-to-remediation tickets to confirm the workflow.</p>\n\n<h3>Practical test steps (step-by-step)</h3>\n<p>Sample step sequence auditors like to see: 1) Review the AV/EDR policy document that defines scanning cadence and scope. 2) On a Windows workstation, run Get-MpComputerStatus (PowerShell) to capture the engine version &amp; last update; run MpCmdRun.exe -SignatureUpdate if needed and show the timestamps. 
3) Drop an EICAR test string into Downloads and document the Defender or EDR alert, show the quarantine folder or console event, and capture the SIEM alert. 4) On a Linux file server with ClamAV: show the scheduled clamscan/clamdscan cron job, run clamscan --infected --recursive /path and capture the /var/log/clamav/clamav.log output. 5) For cloud file stores (Box/OneDrive/SharePoint) show the CAS or cloud scanning configuration and an example detection event.</p>\n\n<h2>Evidence checklist you should collect</h2>\n<p>Collect and organize evidence using these items (store with timestamps and contextual notes):</p>\n<ul>\n  <li>Policy and procedure documents that define periodic scan frequency, scope, and on-access scanning requirements.</li>\n  <li>Configuration screenshots and export of AV/EDR policy settings showing on-access scanning enabled and scan schedules.</li>\n  <li>Signature/engine update logs showing automatic updates and last successful update (e.g., Defender: Get-MpComputerStatus; ClamAV: freshclam logs).</li>\n  <li>Scheduled task or cron entries for periodic scans and their outputs (stdout/stderr or exported logs).</li>\n  <li>Scan result logs showing timestamps, infected file names, action taken (quarantine/delete), and remediation ticket IDs.</li>\n  <li>SIEM or log-aggregation entries correlating detection events with endpoint IDs, user IDs, and network location.</li>\n  <li>Proof of detection tests: EICAR detection records, and screenshots or video of the detection and quarantine action.</li>\n  <li>Exception approvals and change control records for any disabled on-access scanning or whitelists (with business justification).</li>\n  <li>Retention records showing logs retained per policy (include storage location and retention period).</li>\n</ul>\n\n<h2>Real-world small business scenarios &amp; implementation tips</h2>\n<p>Scenario A: A 50-user engineering firm uses Microsoft Defender for Endpoint and SharePoint for CUI; evidence collection should focus on Defender 
console exports, SharePoint DLP and CAS scanning settings, and tenant audit logs. Scenario B: A small manufacturer uses mixed Windows and Linux servers; centralize logs using a lightweight SIEM (Splunk/ELK/Graylog) and create scheduled ClamAV scans on NFS shares. For small businesses, leverage built-in tooling (Windows Defender, OS-level cron jobs, free EDR trials) to meet coverage without heavy investment.</p>\n\n<h2>Compliance tips, pitfalls, and best practices</h2>\n<p>Best practices include: automate evidence exports weekly, tag evidence with system identifiers and hash values, and keep a run-book of auditor test accounts and reproducible test steps. Avoid common pitfalls such as: documenting scanning without evidence of it actually running, whitelisting broadly without approvals, or failing to show detection-to-remediation workflows. Keep signature updates frequent (daily or more), and retain logs for the period your organization’s policy requires — a common baseline is 1 year for critical detection logs.</p>\n\n<h2>Risks of not implementing effective periodic and on-access scanning</h2>\n<p>Without this control properly implemented, organizations risk persistent malware on endpoints and servers, undetected lateral movement, data exfiltration of Controlled Unclassified Information (CUI), and loss of contract eligibility. From a compliance perspective, lack of evidence (logs, policies, test artifacts) is a common audit failure that can result in corrective actions, reputational damage, and loss of federal contracts.</p>\n\n<p>In summary, meeting SI.L2-3.14.5 means combining policy, configuration, testing, and recordkeeping: enable and validate on-access scanning, schedule and verify periodic scans, run reproducible tests (EICAR), collect and retain logs and remediation tickets, and document exception handling. 
Use the evidence checklist above to prepare a concise, reproducible package for assessors and to maintain continuous assurance within your Compliance Framework program.</p>"
  },
  "metadata": {
    "description": "Step-by-step guidance and an evidence checklist to test, validate, and document periodic and on-access file scanning to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 L2 SI.L2-3.14.5 requirements.",
    "permalink": "/how-to-test-validate-and-document-periodic-scans-and-on-access-file-scanning-evidence-checklist-for-nist-sp-800-171-rev2-cmmc-20-level-2-control-sil2-3145.json",
    "categories": [],
    "tags": []
  }
}