
Step-by-Step Guide to Deploying Anti‑Malware at Appropriate Locations to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XIII

Practical, step-by-step guidance for small businesses to deploy anti‑malware in the right locations to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1‑B.1.XIII requirements.

April 07, 2026

This guide provides a practical, step-by-step approach for small businesses and contractors to deploy anti‑malware at appropriate locations in their environment so they can meet the intent and specific requirements of FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1‑B.1.XIII — installing and maintaining anti‑malware protections where needed to protect Controlled Unclassified Information (CUI) and government contracts.

How this maps to FAR 52.204-21 and CMMC 2.0 Level 1

FAR 52.204-21 and CMMC 2.0 Level 1 both require basic safeguarding of covered contractor information systems; SI.L1‑B.1.XIII specifically focuses on anti‑malware at “appropriate locations.” Practically this means endpoints, servers that process/store CUI, network perimeters (mail and web gateways), shared file stores, and removable media points must have effective detection and prevention controls. Your documentation should map each asset class to the anti‑malware control and show evidence of installation, configuration, update cadence, and monitoring.

Step 1 — Scope and inventory: know where anti‑malware is required

Start with an asset inventory: enumerate endpoints (Windows/Mac/Linux), on‑prem and cloud servers (IaaS VMs, file shares, NAS), email gateways, web proxies, and removable media use cases. For a small business (e.g., 25 users, one on‑prem NAS, Microsoft 365 tenant), target Windows 10/11 endpoints, domain controllers, the NAS that stores project files, and the mail gateway as the minimum. Document which assets store or transmit CUI and include them in scope for SI.L1‑B.1.XIII.

Step 2 — Select appropriate anti‑malware products and placement

Common placements and product types

Choose an endpoint protection platform (EPP) or anti‑malware product for endpoints and servers (examples: Microsoft Defender for Business, Sophos Intercept X, SentinelOne). For mail/web, use gateway scanning (Microsoft Defender for Office 365, Proofpoint, Mimecast) to block malicious attachments and URLs before they reach users. For file shares and NAS, deploy server agents or a network file‑scanning solution that inspects SMB/NFS traffic or scans files on write. For removable media, enforce device control policies and run scans at mount. Small businesses often succeed using bundled solutions (Defender + Defender for Office 365) to reduce management overhead.

Step 3 — Configure strong, auditable settings and update cadence

Configure real‑time scanning, scheduled full scans (weekly) and quick scans (daily), cloud‑delivered protection, and automatic signature/definitions updates (at least daily; real‑time where supported). Set quarantine and automatic remediation actions (delete vs. quarantine based on risk tolerance) and establish exclusions only for known, necessary services (backups, virtualization directories) with documented justification. Use centralized policy enforcement via Intune, Group Policy, or vendor console so you can export policy reports during audits. Enable telemetry and threat reporting at the highest privacy‑acceptable level to capture detections for forensic review.
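As an added illustration of the Step 3 settings (this script is not part of the original guide and is not vendor-supplied code), the following PowerShell applies the same baseline locally on a Windows 10/11 or Windows Server host using the built-in Defender cmdlets, then saves a timestamped policy snapshot as audit evidence. In a managed fleet the identical settings would be pushed through Intune or Group Policy; the local form is useful for verifying one host or a standalone machine. The exclusion path and the evidence directory are hypothetical placeholders.

```powershell
# Added example: Step 3 baseline for Microsoft Defender Antivirus, applied locally.
# Assumes the Defender PowerShell module (Windows 10/11 or Windows Server) and an
# elevated prompt. In a managed fleet push these via Intune/Group Policy instead.
#Requires -RunAsAdministrator

# Real-time scanning, cloud-delivered protection and safe sample submission
Set-MpPreference -DisableRealtimeMonitoring $false
Set-MpPreference -MAPSReporting Advanced             # cloud-delivered protection
Set-MpPreference -SubmitSamplesConsent SendSafeSamples

# Scheduled scans: weekly full scan (Saturday 02:00) and daily quick scan (12:00)
Set-MpPreference -ScanParameters FullScan
Set-MpPreference -ScanScheduleDay Saturday
Set-MpPreference -ScanScheduleTime 02:00:00
Set-MpPreference -ScanScheduleQuickScanTime 12:00:00

# Definition updates: check every 4 hours, well inside the "at least daily" floor,
# and refresh definitions before any scheduled scan runs
Set-MpPreference -SignatureUpdateInterval 4
Set-MpPreference -CheckForSignaturesBeforeRunningScan $true

# Remediation: quarantine by default so files remain available for forensic review;
# only severe threats are removed outright. Keep quarantine 90 days.
Set-MpPreference -LowThreatDefaultAction Quarantine
Set-MpPreference -ModerateThreatDefaultAction Quarantine
Set-MpPreference -HighThreatDefaultAction Quarantine
Set-MpPreference -SevereThreatDefaultAction Remove
Set-MpPreference -QuarantinePurgeItemsAfterDelay 90

# Exclusions: only documented, necessary paths. Add-MpPreference appends rather than
# replacing the list. 'D:\Backups' is a hypothetical backup target; record it in the POA&M.
Add-MpPreference -ExclusionPath 'D:\Backups'

# Evidence export: timestamped JSON snapshot of the effective policy for the audit folder
$evidenceDir = 'C:\Compliance\Evidence'              # hypothetical evidence location
New-Item -ItemType Directory -Path $evidenceDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Get-MpPreference |
    Select-Object DisableRealtimeMonitoring, MAPSReporting, SubmitSamplesConsent,
        ScanParameters, ScanScheduleDay, ScanScheduleTime, ScanScheduleQuickScanTime,
        SignatureUpdateInterval, CheckForSignaturesBeforeRunningScan,
        LowThreatDefaultAction, ModerateThreatDefaultAction, HighThreatDefaultAction,
        SevereThreatDefaultAction, QuarantinePurgeItemsAfterDelay, ExclusionPath |
    ConvertTo-Json -Depth 3 |
    Set-Content -Path "$evidenceDir\defender-policy-$env:COMPUTERNAME-$stamp.json"
```

Re-running the export after every policy change gives a dated series of snapshots, which is exactly the update-cadence and configuration evidence an assessor asks for; the exclusion list in the same file makes it easy to check that every entry still has a matching POA&M line.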

Step 4 — Deployment, monitoring, and logging

Deploy agents using an RMM tool, domain group policy, or cloud MDM. Verify successful deployment with a rollup report and spot checks. Forward anti‑malware logs and detections to a centralized log repository or SIEM (even a lightweight cloud SIEM or log analytics workspace) — send events such as detection name, file hash, host, user, action taken, and timestamp. For small shops, configure Defender to forward alerts to Microsoft Sentinel or use syslog/CEF export to your managed SIEM provider. Build simple runbooks: isolate impacted host, collect memory/disk snapshot, quarantine file hash, and reset account credentials as needed.
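The deployment check and log forwarding described in Step 4 can be scripted across a small fleet; the PowerShell below is an added example (not from the original guide or any vendor) that builds the rollup report, lists hosts that returned nothing, and normalises Defender detections into the fields the article names (detection name, file hash, host, user, action, timestamp) as one JSON object per line for a syslog or HTTP collector. It assumes PowerShell Remoting (WinRM) is enabled on the Windows hosts and that the script runs as an account with local administrator rights on them; the host names and the evidence share are hypothetical.

```powershell
# Added example: Step 4 deployment rollup and detection export over PowerShell Remoting.
# Assumes WinRM is enabled on each host and the caller is a local admin there.
$hosts       = @('WS-01', 'WS-02', 'DC-01', 'FS-01')   # hypothetical inventory from Step 1
$evidenceDir = '\\FS-01\Compliance\Evidence'           # hypothetical evidence share
$stamp       = Get-Date -Format 'yyyyMMdd-HHmmss'

# 1. Agent health rollup: one row per host with the fields an assessor will ask about
$rollup = Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        Host               = $env:COMPUTERNAME
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureVersion   = $s.AntivirusSignatureVersion
        SignatureAgeDays   = $s.AntivirusSignatureAge
        LastQuickScan      = $s.QuickScanEndTime
        LastFullScan       = $s.FullScanEndTime
        TamperProtected    = $s.IsTamperProtected
    }
}
$rollup | Export-Csv -NoTypeInformation -Path "$evidenceDir\defender-rollup-$stamp.csv"

# A host that did not answer is a deployment gap, not a pass: report it explicitly
$missing = $hosts | Where-Object { $_ -notin $rollup.Host }
if ($missing) { Write-Warning "No Defender status from: $($missing -join ', ')" }

# Spot-check list: real-time protection off or definitions older than one day
$rollup | Where-Object { -not $_.RealTimeProtection -or $_.SignatureAgeDays -gt 1 } |
    Format-Table Host, RealTimeProtection, SignatureAgeDays, LastQuickScan -AutoSize

# 2. Detection export: join detections to threat names and emit SIEM-ready records
$detections = Invoke-Command -ComputerName $hosts -ErrorAction SilentlyContinue -ScriptBlock {
    $names = @{}
    Get-MpThreat | ForEach-Object { $names[$_.ThreatID] = $_.ThreatName }
    Get-MpThreatDetection | ForEach-Object {
        # Resources look like "file:_C:\path\to\file"; strip the scheme prefix
        $path = ($_.Resources | Select-Object -First 1) -replace '^file:_', ''
        # A hash can only be computed while the file is still on disk (not yet removed)
        $hash = if ($path -and (Test-Path -LiteralPath $path)) {
            (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        } else { $null }
        [pscustomobject]@{
            Timestamp     = $_.InitialDetectionTime.ToString('o')
            Host          = $env:COMPUTERNAME
            User          = $_.DomainUser
            DetectionName = $names[$_.ThreatID]
            Path          = $path
            Sha256        = $hash
            Process       = $_.ProcessName
            ActionSuccess = $_.ActionSuccess
        }
    }
}
# One compact JSON object per line (JSON Lines), the shape most collectors ingest as-is
$detections | ForEach-Object { $_ | ConvertTo-Json -Compress } |
    Set-Content -Path "$evidenceDir\defender-detections-$stamp.jsonl"
```

The JSON Lines file doubles as the audit artifact for "recent detections" and as the payload to ship to the SIEM; where Defender for Business is already connected to Microsoft Sentinel the alert stream arrives natively and this export serves only as local evidence. The hash field being empty is itself informative: it means the file was already quarantined or removed before the export ran.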

Compliance tips, best practices, and small‑business scenarios

Maintain a one‑page control mapping that ties each asset class to the anti‑malware control, the product used, policy settings, and evidence artifacts (screenshots of console showing agent count, update status, and recent detections). For a 25‑employee contractor: use Microsoft Defender for Business for endpoints, enable Defender for Office 365 for mail, install a lightweight agent on the NAS or schedule daily scans from a jump server, and use Intune for policy pushes — this provides a low‑cost, auditable stack. Regularly test detection using the harmless EICAR test file and simulated phishing/malware drills, and log the test results to your evidence repository. Avoid over‑whitelisting; any exclusion should be time‑boxed and documented in a POA&M (plan of action & milestones).
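For the "test regularly" advice above, the following PowerShell is an added, repeatable EICAR detection test (not from the original guide or any vendor) that writes the standard harmless test pattern, waits for real-time protection to react, and appends a pass/fail record to an evidence log so each drill leaves an artifact. It assumes Microsoft Defender Antivirus with real-time protection enabled and an elevated prompt; the evidence log path is hypothetical.

```powershell
# Added example: EICAR real-time detection test with evidence logging.
# Assumes Microsoft Defender Antivirus with real-time protection on, run elevated.
#Requires -RunAsAdministrator
$evidenceLog = 'C:\Compliance\Evidence\av-test-log.csv'   # hypothetical evidence log
$testDir     = Join-Path $env:TEMP 'av-test'
$testFile    = Join-Path $testDir 'eicar.com'
New-Item -ItemType Directory -Path $testDir -Force | Out-Null

# The public EICAR test string; split in two so this script is not itself flagged at rest
$eicar = 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-' + 'ANTIVIRUS-TEST-FILE!$H+H*'
$start = Get-Date
$writeBlocked = $false
try {
    # Plain ASCII, no BOM: any extra byte breaks the pattern and invalidates the test
    [System.IO.File]::WriteAllText($testFile, $eicar, [System.Text.Encoding]::ASCII)
} catch {
    # Real-time protection may refuse the write outright; that also counts as a pass
    $writeBlocked = $true
}

# Poll up to ~20 seconds for a detection on this file that is newer than $start
$detected = $false
foreach ($i in 1..10) {
    Start-Sleep -Seconds 2
    $hit = Get-MpThreatDetection | Where-Object {
        $_.InitialDetectionTime -ge $start.AddSeconds(-5) -and
        ($_.Resources -join ';') -like '*eicar.com*'
    }
    if ($hit) { $detected = $true; break }
}
$fileRemains = Test-Path -LiteralPath $testFile

# PASS requires positive evidence (a logged detection or a blocked write); a file that
# merely disappeared without a detection record is treated as a FAIL to investigate
$result = if ($detected) { 'PASS' }
          elseif ($writeBlocked) { 'PASS (write blocked)' }
          else { 'FAIL' }

$record = [pscustomobject]@{
    Timestamp        = $start.ToString('o')
    Host             = $env:COMPUTERNAME
    Tester           = "$env:USERDOMAIN\$env:USERNAME"
    Test             = 'EICAR real-time detection'
    DetectionLogged  = $detected
    WriteBlocked     = $writeBlocked
    FileRemains      = $fileRemains
    SignatureVersion = (Get-MpComputerStatus).AntivirusSignatureVersion
    Result           = $result
}
$record | Export-Csv -Path $evidenceLog -NoTypeInformation -Append
$record | Format-List

# Remove the test file if real-time protection left it in place (the FAIL case)
Remove-Item -LiteralPath $testFile -Force -ErrorAction SilentlyContinue
```

Run it from a scheduled task on a sample of hosts each month and the CSV becomes the dated test log the evidence repository needs; a FAIL row with the file still present is the signal to check whether the test directory was caught by an undocumented exclusion, which is precisely the over-whitelisting problem the paragraph warns about.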

Risks of not implementing or improperly deploying anti‑malware

Failing to deploy anti‑malware at appropriate locations increases risk of ransomware, data theft, and persistent compromise — outcomes that can lead to contract loss, regulatory penalties, and reputational damage. Specific technical risks include lateral propagation from an infected endpoint to a shared NAS, mailbox compromise via malicious attachments, and undetected exfiltration through allowed but compromised applications. From a compliance standpoint, incomplete deployment or lack of evidence can result in non‑conformance findings during audits and jeopardize eligibility for government work.

In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1‑B.1.XIII is a practical engineering exercise: inventory assets, select appropriate anti‑malware solutions for endpoints, servers, mail and file stores, configure centralized, auditable policies with frequent updates, deploy via managed tools, and forward detection logs for monitoring and incident response. For small businesses, leveraging integrated vendor suites (e.g., Microsoft Defender family) reduces complexity and cost while providing clear evidence for compliance; document everything, test regularly, and maintain a remediation plan to address gaps quickly.
