
How to Configure Antivirus, Web Filtering, and EDR to Satisfy FAR 52.204-21 / CMMC 2.0 Level 1 - Control - SI.L1-B.1.XIII (Code 556)

Step-by-step guidance to configure antivirus, EDR, and web filtering to meet FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1-B.1.XIII (Code 556) for small businesses.

March 31, 2026

This post explains pragmatic, auditable steps to configure antivirus, web filtering, and endpoint detection and response (EDR) to meet FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XIII (Code 556) under the Compliance Framework, focusing on real-world settings for small businesses and the documentation you’ll need for an assessor.

Implementation overview and required mapping

Start by mapping the control to your Compliance Framework artifact: SI.L1-B.1.XIII (Code 556) requires preventing, detecting, and responding to malicious code and unauthorized internet content—this is satisfied by layered controls (antivirus/endpoint protection, EDR, and web filtering) plus documented baselines and evidence of enforcement. Actionable first steps: inventory endpoints (workstations, servers, laptops), list internet egress points, and select solutions that support centralized policy, logging, and exportable reports (examples: Microsoft Defender for Endpoint + Intune + Azure DNS filtering, CrowdStrike + Cisco Umbrella, or SentinelOne + Proxy/Firewall URL filtering).

Antivirus / endpoint protection configuration (practical details)

Configure antivirus with these baseline settings: real-time on-access scanning enabled; signature and engine updates set to automatic (at least every 24 hours); scheduled full system scans weekly and quick scans daily; heuristic/behavioral scanning enabled; automatic quarantine for high-confidence detections; and tamper protection where supported. For Windows-heavy small businesses, a common low-cost baseline is Microsoft Defender with centralized policies via Intune: enable Cloud-Delivered Protection, Real-Time Protection, Controlled Folder Access (if compatible), and block execution from commonly abused directories (e.g., %TEMP%, AppData\Local\Temp). Document the policy names and export policy JSON/policy assignment reports as evidence.
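To turn the baseline above into an auditable artifact, here is an added PowerShell check (not code from the original post or from Microsoft) that reads the live Defender state on one Windows endpoint, compares it with each documented setting, and writes a pass/fail record tagged with the control ID. It assumes Microsoft Defender Antivirus with its PowerShell module; the evidence directory is an assumption.

```powershell
# Added example: verify the antivirus baseline on a Windows endpoint and export
# the result as assessor evidence. Assumes the Defender PowerShell module
# (Get-MpComputerStatus / Get-MpPreference); $OutDir is an assumed location.
$ControlId = 'SI.L1-B.1.XIII (Code 556)'
$OutDir    = 'C:\ComplianceEvidence'

$status = Get-MpComputerStatus
$pref   = Get-MpPreference

# One check per baseline setting from the written policy, mapped to a live value.
$checks = @(
    @{ Setting = 'Real-time (on-access) protection enabled'; Pass = $status.RealTimeProtectionEnabled }
    @{ Setting = 'Behavior monitoring enabled';              Pass = $status.BehaviorMonitorEnabled }
    @{ Setting = 'Scan downloads/attachments (IOAV)';        Pass = $status.IoavProtectionEnabled }
    @{ Setting = 'Tamper protection enabled';                Pass = $status.IsTamperProtected }
    @{ Setting = 'Cloud-delivered protection (MAPS) on';     Pass = ($pref.MAPSReporting -ne 0) }
    @{ Setting = 'Signatures no older than 24 hours';        Pass = ($status.AntivirusSignatureAge -le 1) }
    @{ Setting = 'Controlled Folder Access enforced';        Pass = ($pref.EnableControlledFolderAccess -eq 1) }
    @{ Setting = 'Daily quick scan scheduled';               Pass = ($pref.ScanScheduleQuickScanTime -ne [TimeSpan]::Zero) }
    # ScanParameters 2 = full scan; ScanScheduleDay 0-7 = every day / a weekday, 8 = never
    @{ Setting = 'Weekly full scan scheduled';               Pass = ($pref.ScanParameters -eq 2 -and $pref.ScanScheduleDay -in 0..7) }
)

$results = foreach ($c in $checks) {
    [pscustomobject]@{
        Control = $ControlId
        Host    = $env:COMPUTERNAME
        Setting = $c.Setting
        Result  = $(if ($c.Pass) { 'PASS' } else { 'FAIL' })
        Checked = (Get-Date).ToString('o')   # timestamp the assessor can tie to the test log
    }
}

$results | Format-Table Setting, Result -AutoSize

# Persist the record as a dated JSON artifact for the compliance binder.
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$results | ConvertTo-Json |
    Set-Content -Path (Join-Path $OutDir "defender-baseline-$($env:COMPUTERNAME).json")

if ($results.Result -contains 'FAIL') {
    Write-Warning 'Baseline deviation found: record it in change control and remediate before assessment.'
}
```

Run it from an elevated prompt on each pilot endpoint, or push it through Intune as a script, and keep the JSON files alongside the exported Intune policy they were checked against.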

EDR configuration (technical specifics and response actions)

EDR must provide richer telemetry and automated response. Configure the EDR agent on all managed endpoints (target 100% coverage for regulated endpoints), set telemetry to “full” or “detailed” (not minimal), enable prevention mode (if available) to block known bad behaviors, and enable automatic containment (network isolation) on high-fidelity alerts. Key settings: sensor auto-update, tamper protection, automated submission of suspicious files (with privacy considerations), and role-based, least-privilege access to the EDR management console. Configure alerting thresholds and a triage playbook: e.g., high-severity malware triggers immediate isolation, medium-severity triggers quarantine plus analyst review within 4 hours. Retain EDR logs for at least 90 days (adjust per contract requirements) and export incident reports as artifacts for auditors.

Web filtering and network controls (DNS/HTTP(S) specifics)

Web filtering should block malicious and high-risk categories (malware, phishing, command-and-control, suspicious downloads) and be enforced at multiple layers: DNS filtering (Cloud DNS, Cisco Umbrella, or Pi-hole with blocklists), perimeter proxy/firewall URL filtering, and browser-level policy. For small businesses without a full proxy, a DNS filter plus endpoint browser controls is acceptable—ensure HTTPS inspection policy addresses privacy and performance, and document exceptions. Practical settings: block executable downloads from untrusted sites, block or require review for “file share” categories, apply strict rules for remote workers (enforce VPN split-tunnel policies or use Always On VPN), and maintain a documented allowlist for essential SaaS endpoints. Log DNS requests and web events and store them centrally for correlation with EDR alerts.

Operationalization: deployment, logging, testing, and evidence

Operationalize by creating a deployment playbook: (1) pilot on 5–10 endpoints, (2) tune policies to reduce false positives, (3) deploy to production in waves, and (4) verify via endpoint inventory and the EDR console. Collect artifacts for compliance: export policy configuration files, agent deployment reports, console screenshots showing policy assignment, quarantine logs, and sample incident tickets. Integrate logs into a central collector or SIEM (even a cloud-based syslog sink) and retain logs per policy. Test effectiveness monthly: use the EICAR test file for antivirus detection (in a safe lab), use URL category test pages, and run a tabletop incident response exercise for one medium/high detection to demonstrate containment and remediation.
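The web-filtering section above asks for DNS and web events to be stored centrally "for correlation with EDR alerts", and the operationalization step asks for a central collector. This added PowerShell example (not from the original post or any vendor) shows the simplest form of that correlation: for each EDR alert, find blocked DNS lookups from the same host in the preceding minutes. The log lines, the CSV field layout and the 10-minute window are constructed assumptions, not any product's schema.

```powershell
# Added example: join constructed DNS-filter log lines with constructed EDR
# alerts by hostname and time window. Field order (time,host,domain,action,
# category / time,host,severity,title) is an assumption for this demo.
$dnsLog = @'
2026-03-31T09:14:02Z,WS-DESIGN-07,update.example-bad.test,blocked,malware
2026-03-31T09:14:05Z,WS-DESIGN-07,cdn.example-good.test,allowed,cdn
2026-03-31T09:20:31Z,WS-FIN-02,login.example-phish.test,blocked,phishing
2026-03-31T11:02:10Z,WS-DESIGN-07,mail.example-good.test,allowed,email
'@
$edrLog = @'
2026-03-31T09:16:40Z,WS-DESIGN-07,High,Suspicious script download
2026-03-31T10:45:00Z,WS-FIN-02,Medium,Unsigned binary executed from %TEMP%
'@

# DateTimeOffset keeps the UTC offset from the 'Z' suffix so subtraction is exact.
$dns = $dnsLog -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $f = $_.Trim() -split ','
    [pscustomobject]@{ Time = [datetimeoffset]::Parse($f[0]); Host = $f[1]
                       Domain = $f[2]; Action = $f[3]; Category = $f[4] }
}
$edr = $edrLog -split "`r?`n" | Where-Object { $_.Trim() } | ForEach-Object {
    $f = $_.Trim() -split ','
    [pscustomobject]@{ Time = [datetimeoffset]::Parse($f[0]); Host = $f[1]
                       Severity = $f[2]; Title = $f[3] }
}

$windowMinutes = 10   # assumed lookback; tune it to your triage playbook

$correlated = foreach ($a in $edr) {
    # Only blocked lookups on the same host, at or before the alert, inside the window.
    $prior = $dns | Where-Object {
        $_.Host -eq $a.Host -and $_.Action -eq 'blocked' -and
        $_.Time -le $a.Time -and ($a.Time - $_.Time).TotalMinutes -le $windowMinutes
    }
    foreach ($d in $prior) {
        [pscustomobject]@{
            Host = $a.Host; Severity = $a.Severity; Alert = $a.Title
            BlockedDomain = $d.Domain; DnsCategory = $d.Category
            MinutesBefore = [math]::Round(($a.Time - $d.Time).TotalMinutes, 1)
        }
    }
}

# Expect one row: WS-DESIGN-07's malware-category block 2.6 minutes before its
# High alert. WS-FIN-02's phishing block is 84 minutes earlier and is not joined.
$correlated | Format-Table -AutoSize
```

The unjoined WS-FIN-02 case is the point of the window: a block long before an alert is still worth reviewing, but it is a separate ticket, not evidence that the filter missed the delivery path.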

Small-business examples: (A) A 25-seat design agency uses Microsoft 365 Business Premium + Defender: they enforce Defender policies via Intune, use Azure DNS filtering to block known malicious categories, and configure Defender for Endpoint to isolate endpoints automatically on confirmed ransomware signatures. Evidence: Intune device compliance reports, Defender incident exports, and Azure DNS query logs. (B) A 12-person consultancy uses a managed SOC partner: the partner deploys CrowdStrike Falcon agents, configures Umbrella DNS filtering, forwards alerts to the MSP’s SIEM, and provides monthly reports and a playbook that the client stores in their compliance binder.

Risks of not implementing these configurations include successful phishing/malware infections leading to data exfiltration or lateral movement, loss of DoD contracts for FAR noncompliance, reputational damage, and expensive incident response. Best practices: enforce tamper protection and least privilege, document baselines and change control, establish an incident playbook with SLAs, schedule monthly review of console alerts, and include awareness training so users understand web filtering blocks and safe behavior. For auditors, provide clear mappings from policy artifacts to the Compliance Framework control—annotate exported policies with the control ID and include dates of deployment and tests.

Summary: to satisfy FAR 52.204-21 / CMMC 2.0 Level 1 SI.L1-B.1.XIII (Code 556) you need layered, centrally managed antivirus, EDR, and web filtering with documented baselines, automated updates, full endpoint coverage, logging/retention, and regular testing; for small businesses this is achievable using built-in platform tools (Microsoft Defender/Intune + DNS filtering) or cost-effective managed services—capture configuration exports, logs, and test evidence, and maintain an incident playbook and change log to demonstrate continuous compliance.
