This implementation checklist explains how to meet the periodic information-system scanning and real-time file scanning requirement in FAR 52.204-21 and CMMC 2.0 Level 1 Control SI.L1-B.1.XV, with practical steps and small-business examples tailored to the Compliance Framework. The goal is clear, actionable guidance: what to install, how to configure scans, how often to run them, what evidence to collect, and how to reduce operational impact while preserving auditability.
Implementation checklist overview
At a high level, implement this control by:
1) inventorying assets and classifying data (FCI/other),
2) selecting and deploying real-time file-scanning software (antivirus/antimalware/EDR) on all endpoints and servers,
3) scheduling periodic information-system scans, including vulnerability and integrity scans,
4) logging and retaining scan reports for audit, and
5) integrating remediation workflows.
For Compliance Framework alignment, document each step, record configuration baselines, and produce periodic evidence tied to control SI.L1-B.1.XV.
Inventory and tool selection
Start with an authoritative asset inventory (workstations, servers, mobile devices, network-attached storage). For small businesses, viable tool combinations include Microsoft Defender for Business/Endpoint (Windows), built-in macOS XProtect + third-party EDR (Macs), ClamAV or commercial AV on Linux servers, and a lightweight vulnerability scanner such as OpenVAS/GVM or a SaaS scanner (Qualys, Rapid7). Choose tools that support: on-access scanning, scheduled full/quick scans, signature and engine auto-updates, archive and removable-media scanning, and centralized policy management (MDM or management console). Document vendor, version, and configuration baseline as compliance evidence.
Configuring real-time file scanning
Configure real-time (on-access) scanning to inspect files on create/open/execute and to scan common archive formats (.zip, .tar.gz, .7z). Ensure definitions and detection engines auto-update daily; for zero-day mitigation, enable heuristic/behavioral detection where available (EDR). Exclude only trusted directories such as virtualization images and backup repositories, and explicitly document each exclusion and its justification. For Windows, enable scanning of NTFS Alternate Data Streams and of removable drives; for Linux, run clamd with freshclam updates, use clamdscan for scheduled scans, and run ClamAV's on-access scanner (clamonacc) as a systemd service where the platform supports it. Capture screenshots or exports of policy settings for audit evidence.
Scheduling periodic information system scans
Define scanning cadence based on risk: daily quick scans and weekly full scans on endpoints, authenticated vulnerability scans of servers and network devices at least monthly, and external attack-surface scans quarterly. For internet-facing assets run both authenticated and unauthenticated scans; for internal systems prefer credentialed scans, which detect missing patches that unauthenticated scans miss. Schedule full scans during off-hours to reduce user impact, and stagger them so the network is not saturated. Retain scan reports (PDF/CSV) and record remediation status in vulnerability-tracking tickets as evidence of compliance.
Integration, logging, and remediation workflow
Forward antivirus and scan events to a central log collector or lightweight SIEM (Splunk, Graylog, Elastic, or cloud alternatives). Keep an evidence trail: automatic signature-update logs, scan schedules, scan results, and closure tickets. For each detected finding, define SLA-driven remediation steps: immediate quarantine for malware, patch and re-scan for vulnerabilities, and follow-up verification scans. For small teams, integrate logs into a shared ticketing system (Jira, ServiceNow, or similar) with scan report attachments and remediation notes to demonstrate continual compliance.
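The scheduled-scan cadence, evidence retention and log forwarding described above, as one added example that is not part of the original checklist or any vendor's tooling: a cron wrapper around ClamAV on a Linux server. It assumes clamd is running, freshclam, clamdscan and logger are installed, and the report directory, scan paths, 90-day retention and the constructed sample report are illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: a cron wrapper around ClamAV that
# refreshes signatures, runs the scheduled scan, keeps the full report as audit
# evidence, ships a one-line summary to the log collector, and enforces retention.
# Assumptions: clamd is running; freshclam, clamdscan and logger are installed;
# REPORT_DIR is writable. Paths and the 90-day retention are illustrative values.

REPORT_DIR="${REPORT_DIR:-/var/log/clamav/reports}"
SCAN_PATHS="${SCAN_PATHS:-/home /srv /var/www}"   # space-separated, split on purpose
RETENTION_DAYS="${RETENTION_DAYS:-90}"            # the article's minimum retention

# Pull the "Infected files: N" figure out of a clamscan/clamdscan summary block.
infected_count() {
  printf '%s\n' "$1" | sed -n 's/^Infected files: *\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Map the scanner exit code to the remediation outcome: 1 means malware found
# (open a ticket); anything above 1 is a scan failure and must not count as clean.
scan_status() {
  case "$1" in
    0) echo clean ;;
    1) echo infected ;;
    *) echo error ;;
  esac
}

# One JSON line per scan for the SIEM; the full report stays on disk for auditors.
# $1 host, $2 scan kind, $3 scanner exit code, $4 report path, $5 report text.
summary_line() {
  n=$(infected_count "$5")
  printf '{"ts":"%s","host":"%s","scan":"%s","status":"%s","infected":%s,"report":"%s"}\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$1" "$2" "$(scan_status "$3")" "${n:-null}" "$4"
}

run_scheduled_scan() {
  kind="${1:-full}"
  mkdir -p "$REPORT_DIR"
  report="$REPORT_DIR/$(date -u +%Y%m%d-%H%M)-$kind.txt"
  freshclam --quiet                      # freshclam writes its own update log
  clamdscan --multiscan --fdpass --infected $SCAN_PATHS > "$report" 2>&1
  rc=$?
  summary_line "$(hostname)" "$kind" "$rc" "$report" "$(cat "$report")" | logger -t clamav-scan
  find "$REPORT_DIR" -name '*.txt' -mtime +"$RETENTION_DAYS" -delete   # prune old evidence
  return "$rc"
}

# Constructed sample of a clamdscan report with one detection, for a quick self-check.
SAMPLE_REPORT='/srv/www/uploads/invoice.pdf.exe: Eicar-Test-Signature FOUND

----------- SCAN SUMMARY -----------
Infected files: 1
Time: 12.345 sec (0 m 12 s)'

# Scan only when invoked explicitly, e.g. from cron: 0 2 * * 0 /usr/local/sbin/scan.sh --run full
if [ "${1:-}" = "--run" ]; then run_scheduled_scan "${2:-full}"; fi
```

A weekly full scan and a daily quick scan become two cron lines calling this script with different scan kinds, and the JSON line plus the retained report are the evidence an assessor asks for.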
Small-business real-world examples
Example 1: A 15-person DoD subcontractor used Microsoft Defender for Business, centrally managed via Intune, with daily quick scans, weekly full scans scheduled overnight, and monthly authenticated OpenVAS scans of internal servers. They documented Defender policy exports, scheduled scan reports, and remediation tickets in their compliance binder. Example 2: A mixed-OS shop with 8 employees used CrowdStrike Falcon for real-time protection, ClamAV on Linux web servers with freshclam cron jobs, and a SaaS vulnerability scanner for quarterly external scans, providing vendor reports and screenshots as evidence for FAR 52.204-21.
Risks of non-implementation and practical best practices
Failing to implement periodic and real-time scanning increases the risk of ransomware, undetected malware, credential theft, data exfiltration, and loss of DoD contracts or suspension under FAR. Practical best practices: enforce auto-updates, keep a minimal exclusion list, tune scans periodically to reduce false positives, maintain offline backups that are tested for restoration, and run tabletop incident-response drills. For Compliance Framework maturity, keep a change log whenever scanning policies are modified and retain logs and scan reports for at least 90 days (longer if contractually required).
Implementing this control is not just installing software: it requires documented configuration baselines, repeatable scanning schedules, integrated logging and ticketing for remediation, and preserved evidence for auditors. With inexpensive tooling and disciplined processes, small businesses can meet FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1-B.1.XV while minimizing operational disruption.