This post explains how small businesses can implement both periodic and real-time file scans to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV, with practical steps, low-cost tool recommendations, sample commands, evidence collection tips, and real-world scenarios tailored to small IT environments.
Why periodic and real-time file scanning is required and what it protects
FAR 52.204-21 requires contractors to protect Federal Contract Information (FCI) and CMMC 2.0 Level 1 maps to basic cyber hygiene; SI.L1-B.1.XV emphasizes detecting and responding to malicious code and unauthorized changes through periodic and on-access scanning or file integrity monitoring (FIM). For a small business this means establishing consistent automated checks so malware, script-based attacks, or accidental file tampering are detected quickly and can be demonstrated in an audit.
Practical implementation overview
Start by scoping systems that store or process FCI, select a combination of scheduled (periodic) scans and on-access (real-time) protections, implement FIM for critical files, centralize logs for proof, and document a maintenance cadence. Use affordable or built-in technologies where possible (native OS protections, open-source agents) and complement with lightweight monitoring or managed services if budget allows.
Step 1 — Inventory and scope your environment
Identify endpoints, servers, NAS, cloud storage, and removable media that can store FCI. Create a short inventory spreadsheet listing OS, location of FCI, owner, and whether that host will have an agent installed. For small businesses, often 10–50 endpoints can be inventoried in a single day; this inventory determines where scans must run and what file paths or extensions require tighter monitoring (for example, directories with contracts, invoices, or technical deliverables).
Step 2 — Implement periodic (scheduled) scans
Periodic scans catch dormant malware and check stored files for suspicious content. On Linux use ClamAV with freshclam for signature updates and a cron job like: "clamscan -r --infected --log=/var/log/clam_scan.log /srv/data" scheduled nightly. On Windows use the built-in Microsoft Defender engine and create a scheduled task invoking MpCmdRun.exe -Scan -ScanType 2 for a full scan weekly; keep the Defender signature updates enabled. For cloud-stored files, schedule server-side scans when files are uploaded (e.g., use a Lambda function to call an antivirus scanning API or integrate with your cloud provider’s scanning tool). Record the scan start/stop times, results, and signature version in a log file for audits.
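The following wrapper is an added example (not code from the original post) showing how to turn the nightly ClamAV run above into one audit-evidence line per scan: start time, signature database version, files scanned, infected count and a status flag. SCAN_ROOT, SCAN_LOG, EVIDENCE_CSV and the crontab entry are assumptions; the SCAN SUMMARY text used by the self-check is constructed so the parser can be exercised on a machine without ClamAV.

```shell
#!/bin/sh
# Added example, not from the original post: nightly ClamAV wrapper that turns
# each run into one audit-evidence line (date,signature_version,scanned,infected,status).
# Paths and the crontab line are assumptions; adjust to your inventory.
#   crontab entry: 0 2 * * * /usr/local/bin/nightly_scan.sh
SCAN_ROOT="${SCAN_ROOT:-/srv/data}"
SCAN_LOG="${SCAN_LOG:-/var/log/clam_scan.log}"
EVIDENCE_CSV="${EVIDENCE_CSV:-/var/log/scan_evidence.csv}"

# Extract one numeric "Key: value" field from the clamscan SCAN SUMMARY block.
# $1 = key (e.g. "Infected files"), $2 = clamscan log file
summary_field() {
    sed -n "s/^$1: *\([0-9]*\).*/\1/p" "$2" | tail -n 1
}

# Build the evidence line for one run.
# $1 = clamscan log, $2 = signature (daily db) version, $3 = scan start timestamp
evidence_line() {
    scanned=$(summary_field "Scanned files" "$1")
    infected=$(summary_field "Infected files" "$1")
    status="clean"
    if [ "${infected:-0}" -gt 0 ]; then status="INFECTED"; fi
    printf '%s,%s,%s,%s,%s\n' "$3" "$2" "${scanned:-0}" "${infected:-0}" "$status"
}

# Run the real scan and append its evidence line. Returns clamscan's exit code
# (0 clean, 1 infected files found, 2 error) so cron or monitoring can act on it.
run_periodic_scan() {
    command -v clamscan >/dev/null 2>&1 || { echo "clamscan not installed" >&2; return 2; }
    # "clamscan --version" prints e.g. ClamAV 0.103.11/27262/<date>; field 2 is the db version
    sigver=$(clamscan --version | cut -d/ -f2)
    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    rc=0
    clamscan -r --infected --log="$SCAN_LOG" "$SCAN_ROOT" || rc=$?
    evidence_line "$SCAN_LOG" "$sigver" "$started" >> "$EVIDENCE_CSV"
    return $rc
}

# Constructed clamscan summary (not real scan output) so the parser can be
# checked on a machine without ClamAV. $1 = file to write.
sample_summary() {
    cat > "$1" <<'EOF'
----------- SCAN SUMMARY -----------
Known viruses: 8695672
Engine version: 0.103.11
Scanned directories: 12
Scanned files: 348
Infected files: 2
Data scanned: 51.23 MB
Time: 12.345 sec (0 m 12 s)
EOF
}

# Self-check: parse the constructed summary into an evidence line.
demo_evidence() {
    tmp=$(mktemp)
    sample_summary "$tmp"
    evidence_line "$tmp" "27262" "2024-05-01T02:00:01Z"
    rm -f "$tmp"
}
```

Keeping the exit code of clamscan as the wrapper's own exit code lets cron mail or a monitoring check distinguish "infected files found" (1) from "scan could not run" (2), which is the case auditors most often find missing from evidence.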
Step 3 — Enable real-time scanning and file integrity monitoring (FIM)
Real-time protection prevents execution of known malware and alerts on file changes. On Windows, ensure Microsoft Defender real-time protection and cloud-delivered protection are enabled; for macOS consider Malwarebytes or built-in XProtect plus a lightweight FIM agent. For Linux servers, enable on-access scanning where supported or use FIM with Wazuh or Tripwire Open Source; enable the Wazuh syscheck module and set syscheck_interval (for example, 7200 seconds) to monitor critical paths like /etc, /var/www, and application config directories. For filesystem events, inotifywait (inotify-tools) can watch directories and trigger scripts to log or quarantine new/modified files. Use osquery to track unexpected binaries or changes to startup scripts. Combine on-access antivirus with FIM to detect both known malware and unauthorized file changes.
Step 4 — Centralize logging, alerting, and evidence collection
Compliance evidence for FAR/CMMC requires you to show that scans ran, what they found, and how findings were handled. Ship scan logs and FIM alerts to a central location — a simple syslog server or free tiers of cloud log services work for small shops. Configure agents to forward logs using rsyslog or the agent’s built-in forwarder, and retain logs for the period your policy requires (commonly 90 days minimum). Build a weekly scan report that includes signature versions, number of infected files found/quarantined, and any FIM alerts. Keep screenshots or exported logs for each scheduled scan run to make audit evidence straightforward.
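As an added example (not from the original post), this script shows the two pieces of Step 4 in working form: an rsyslog drop-in that forwards logs to a central collector, and a weekly report built from evidence CSV lines in the format date,signature_version,files_scanned,infected,status. LOG_SERVER, RETENTION_DAYS and the file paths are assumptions, and the evidence lines in the self-check are constructed, not real scan results.

```shell
#!/bin/sh
# Added example, not from the original post: forward scan/FIM logs to a central
# syslog host and build the weekly scan report from evidence CSV lines
# (date,sigver,scanned,infected,status per line).
# LOG_SERVER, RETENTION_DAYS and all paths are assumptions.
LOG_SERVER="${LOG_SERVER:-logs.example.internal}"
RETENTION_DAYS="${RETENTION_DAYS:-90}"

# rsyslog drop-in that forwards every facility over TCP (@@) to the collector;
# save as /etc/rsyslog.d/50-forward.conf and restart rsyslog.
rsyslog_forward_conf() {
    printf '*.* @@%s:514\n' "$LOG_SERVER"
}

# Send one evidence line through the local syslog so it reaches the collector;
# the tag makes it easy to filter on the central side.
log_evidence() {
    logger -t scan-evidence -- "$1"
}

# Weekly report: runs, files scanned, infected files, runs with findings, and
# how many distinct signature versions were in use. $1 = evidence CSV.
weekly_report() {
    awk -F, '
        { runs++; scanned += $3; infected += $4; sig[$2] = 1 }
        $5 == "INFECTED" { hits++ }
        END {
            n = 0; for (s in sig) n++
            printf "runs=%d files_scanned=%d infected_files=%d infected_runs=%d signature_versions=%d\n",
                   runs, scanned, infected, hits, n
        }' "$1"
}

# List (do not delete) evidence files older than the retention window so the
# cleanup step stays reviewable. $1 = evidence directory.
expired_evidence() {
    find "$1" -type f -mtime +"$RETENTION_DAYS" -print
}

# Constructed evidence lines (not real scan results) for checking the report.
sample_evidence() {
    cat > "$1" <<'EOF'
2024-04-29T02:00:01Z,27260,340,0,clean
2024-04-30T02:00:01Z,27261,342,0,clean
2024-05-01T02:00:01Z,27262,348,2,INFECTED
EOF
}

# Self-check: produce the weekly report over the constructed evidence.
demo_report() {
    tmp=$(mktemp)
    sample_evidence "$tmp"
    weekly_report "$tmp"
    rm -f "$tmp"
}
```

The report deliberately counts distinct signature versions: a week in which every run used the same database version is a sign that signature updates have stalled, which is worth catching before an auditor does.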
Step 5 — Test, tune, and maintain
Run test scenarios quarterly: deploy a benign test file (EICAR) in scoped directories to ensure both periodic and real-time scanning detect it; simulate a changed config file and verify FIM alerts. Tune exclusions carefully to avoid blind spots (exclude large backup blobs but not directories with FCI). Ensure signature and agent updates are automated (freshclam cron, Defender automatic updates). Train at least one staff member on how to quarantine, investigate, and document a finding; attach an incident response stub to each FIM/AV alert so auditors see an established process.
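The block below is an added example (not code from the original post) that serves both Step 3 and Step 5: a minimal file-integrity check built on sha256sum, the quarterly drill that alters a config file and confirms the check reports it, and the equivalent Wazuh syscheck fragment (Wazuh sets the scan interval with its frequency element) and inotifywait watcher. It assumes GNU coreutils and paths without whitespace; /opt/app/config and the scratch-tree contents are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: sha256sum-based file-integrity
# check (Step 3) and the quarterly "tamper a config and confirm the alert" drill
# (Step 5), plus Wazuh and inotify-tools equivalents. Assumes GNU coreutils;
# monitored paths and /opt/app/config are assumptions; paths must not contain
# whitespace because sha256sum's two-column output is split on it.

# Record a baseline: $1 = baseline file, remaining args = directories to monitor.
fim_baseline() {
    out="$1"; shift
    find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$out"
}

# Compare the live tree with the baseline. Prints one CHANGED/NEW/MISSING line
# per deviation; returns 0 when nothing differs, 1 otherwise.
fim_verify() {
    base="$1"; shift
    cur=$(mktemp)
    find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum > "$cur"
    report=$(awk '
        FILENAME == ARGV[1] { b[$2] = $1; next }           # baseline: path -> hash
        !($2 in b)          { print "NEW " $2; next }      # not in baseline
        b[$2] != $1         { print "CHANGED " $2 }        # hash differs
                            { seen[$2] = 1 }
        END { for (p in b) if (!(p in seen)) print "MISSING " p }
    ' "$base" "$cur" | sort)
    rm -f "$cur"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Quarterly drill (Step 5): baseline a scratch tree, alter a config file and drop
# an unexpected file, then confirm both are reported. Returns 0 only if the
# check caught the tampering.
fim_selftest() {
    work=$(mktemp -d)
    mkdir -p "$work/etc" "$work/app"
    printf 'listen=127.0.0.1\n' > "$work/etc/app.conf"
    printf 'ok\n' > "$work/app/README"
    fim_baseline "$work/baseline.sha256" "$work/etc" "$work/app"
    printf 'listen=0.0.0.0\n' > "$work/etc/app.conf"     # simulated config change
    printf 'x\n' > "$work/app/dropped.bin"                # simulated unexpected file
    rc=0
    out=$(fim_verify "$work/baseline.sha256" "$work/etc" "$work/app") || rc=$?
    rm -rf "$work"
    printf '%s\n' "$out"
    [ "$rc" -eq 1 ] \
        && printf '%s\n' "$out" | grep -q '^CHANGED .*/etc/app.conf$' \
        && printf '%s\n' "$out" | grep -q '^NEW .*/app/dropped.bin$'
}

# Wazuh equivalent (Step 3): syscheck block with a 7200 s interval, real-time
# watching of /etc and /var/www, and change reporting for an app config dir.
# Paste inside <ossec_config> in the agent's ossec.conf; /opt/app/config is assumed.
wazuh_syscheck_fragment() {
    cat <<'EOF'
<syscheck>
  <frequency>7200</frequency>
  <directories check_all="yes" realtime="yes">/etc,/var/www</directories>
  <directories check_all="yes" report_changes="yes">/opt/app/config</directories>
</syscheck>
EOF
}

# Event-driven alternative with inotify-tools: log every create, close-after-write
# and delete under the given directories to syslog (needs inotifywait installed).
watch_with_inotify() {
    command -v inotifywait >/dev/null 2>&1 || { echo "inotifywait not installed" >&2; return 2; }
    inotifywait -m -r -e create -e close_write -e delete \
        --timefmt '%FT%T' --format '%T %e %w%f' "$@" \
        | while read -r line; do logger -t fim-inotify -- "$line"; done
}
```

Run fim_baseline once after a known-good build and again after each approved change; keep the baseline file outside the monitored directories (as fim_selftest does) and off the host if possible, since a baseline that an intruder can rewrite proves nothing. The self-test is the artefact to keep from each quarterly exercise: its printed CHANGED and NEW lines, with a timestamp, are exactly the evidence an auditor asks for.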
Compliance tips, low-cost tool suggestions, and risks of non-implementation
Low-cost tools: use Microsoft Defender (built into Windows), ClamAV for Linux, Wazuh for FIM and centralized alerts, osquery for lightweight endpoint checks, and inotify-tools for simple file event triggers. If you can invest a small recurring fee, consider managed detection for SMBs (many providers offer plans under $20/user/month) which simplifies evidence collection. Best practices: document policies, record signature versions, keep a clear scan schedule, and avoid blanket exclusions. The risk of not implementing these controls includes undetected malware, data exfiltration of FCI, breach notification costs, contract loss or suspension, and failing FAR or CMMC audits—which can be existential for small contractors dependent on federal work.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1-B.1.XV is achievable for small businesses with a structured approach: scope systems that handle FCI, deploy scheduled scans and on-access/FIM protections using built-in or open-source tools, centralize logs for evidence, test regularly, and document the entire process. With modest effort and low-cost tools you can reduce risk, create audit-ready evidence, and maintain eligibility for federal contracting.