This post gives a practical, step‑by‑step guide to build an anti‑malware implementation checklist and an evidence package you can use to demonstrate compliance with FAR 52.204-21 and CMMC 2.0 Level 1 (SI.L1-B.1.XIII) for small business environments operating under the Compliance Framework.
Why the anti‑malware control matters (risk and objective)
The objective of the control is straightforward: prevent and detect malicious code on contractor systems that store or process Federal Contract Information (FCI) or Controlled Unclassified Information (CUI). The risk of not implementing and documenting anti‑malware adequately includes malware outbreaks, data exfiltration, contract noncompliance, suspension from contracting opportunities, and potential regulatory penalties. For small businesses, a single infected endpoint can rapidly spread to servers or cloud storage and cause disproportionate operational and reputational damage.
What to include in your anti‑malware implementation checklist
A compliance checklist translates policy into repeatable technical tasks. Keep it concise, mapped to the Compliance Framework, and executable by IT staff or an MSP. Minimum checklist items:
- Policy and scope: anti‑malware policy signed by management; scope listing systems (endpoints, servers, cloud instances).
- Inventory: asset list showing hostname, OS, IP, owner, and whether the anti‑malware agent is installed.
- Deployment status: centralized console screenshots showing agent health and coverage percentage.
- Configuration baseline: documented settings (real‑time protection ON, automatic updates ON, weekly full scans, quarantine action, exceptions documented).
- Update cadence: signature and engine update schedule, with evidence of automatic updates.
- Incident linkage: integration pointers to IR plan and SIEM (or log retention) and where quarantine artifacts are stored.
- Exception and change control records: approved deviations with risk acceptance and expiry dates.
What to gather for the evidence package (artifacts and how they map)
Structure evidence so each checklist item maps to one or more artifacts. Use consistent filenames, timestamps, and a simple manifest.csv that lists artifact name, control mapped, collector, and hash (SHA256). Recommended artifacts:
- Signed anti‑malware policy PDF (policy_v1_2026-04-01.pdf).
- Asset inventory CSV (assets_2026-04-01.csv) exported from your CMDB or Intune/MDM console.
- Management console screenshots and export (console_report_coverage_2026-04-01.pdf or CSV).
- Endpoint configuration outputs:
  - Windows: PowerShell output files from Get-MpPreference and Get-MpComputerStatus (win_getmp_*.txt).
  - macOS/Linux: agent status output and package versions (mac_status_*.txt, linux_clamav_status_*.txt).
- Update logs showing successful signature and engine updates (update_log_*.log).
- Sample quarantine evidence: quarantined file metadata with MD5/SHA256, quarantine timestamp, and analyst notes (quarantine_sample_*.json).
- Incident handling linkage: ticket from the IR system showing malware detection -> containment -> remediation (ticket_1234.pdf).
- Change control or exceptions docs with approvals (exception_allowlist_2026-04-01.pdf).
- Manifest and checksum file (manifest_2026-04-01.csv and manifest_2026-04-01.sha256).
Practical technical details: commands and configuration
Include concrete, machine‑readable evidence when possible. Examples of commands and outputs to collect:
- Windows Defender: in PowerShell, run Get-MpComputerStatus | Out-File win_getmp_status.txt and Get-MpPreference | Out-File win_getmp_pref.txt. The first captures service state, signature update status, and whether real‑time protection is on; the second captures the configured settings (scan schedule, exclusions, update behaviour).
- Signature update: record the output of MpCmdRun.exe -SignatureUpdate, or capture the Windows Update log entry showing the last successful signature download.
- Linux with ClamAV: capture systemctl status clamav-daemon and clamscan --version, and retain the freshclam logs stored under /var/log/clamav/.
- EDR/AV console: export CSV of agent status (last check‑in, version, quarantine count) from your vendor console (e.g., CrowdStrike, Microsoft Defender for Endpoint, Sophos Central).
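As an added example (not code from the original post), the following Python checks the two Windows PowerShell outputs above against the configuration baseline from the checklist: real‑time protection on, fresh signatures, a weekly full scan at 02:00 on a weekend day, and every exclusion traceable to an approved exception record. The property names are the cmdlets' real output fields; the sample text, the one‑day signature age threshold and the function names are constructed for this example.

```python
import re

# Constructed sample of the Format-List style text the two cmdlets write via Out-File
STATUS_TXT = """
AMServiceEnabled                : True
AntivirusEnabled                : True
AntivirusSignatureAge           : 0
AntivirusSignatureLastUpdated   : 4/1/2026 6:12:03 AM
RealTimeProtectionEnabled       : True
"""
PREF_TXT = """
DisableRealtimeMonitoring       : False
ExclusionPath                   : {C:\\Backups, D:\\Build}
ScanParameters                  : 2
ScanScheduleDay                 : 7
ScanScheduleTime                : 02:00:00
"""
LINE = re.compile(r"^\s*(\w+)\s*:\s*(.*?)\s*$")

def parse_mp_output(text):
    """Turn 'Name : Value' lines into a dict; PowerShell arrays {a, b} become lists."""
    props = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            name, value = m.groups()
            if value.startswith("{") and value.endswith("}"):
                value = [v.strip() for v in value[1:-1].split(",") if v.strip()]
            props[name] = value
    return props

def check_baseline(status, pref, max_sig_age_days=1):
    """Compare parsed outputs with the documented baseline; return the deviations."""
    findings = []
    if status.get("RealTimeProtectionEnabled") != "True" or pref.get("DisableRealtimeMonitoring") != "False":
        findings.append("real-time protection is not enabled")
    if int(status.get("AntivirusSignatureAge", 999)) > max_sig_age_days:
        findings.append("signatures are older than %d day(s)" % max_sig_age_days)
    # ScanParameters 2 = full scan; ScanScheduleDay 1 = Sunday, 7 = Saturday
    if pref.get("ScanParameters") != "2" or pref.get("ScanScheduleDay") not in ("1", "7"):
        findings.append("weekly full scan on a weekend day is not configured")
    if pref.get("ScanScheduleTime") != "02:00:00":
        findings.append("scheduled scan time is not 02:00")
    for path in pref.get("ExclusionPath", []):  # each exclusion needs an approved exception record
        findings.append("exclusion configured, confirm it appears in the exception record: " + path)
    return findings

def audit_sample():
    return check_baseline(parse_mp_output(STATUS_TXT), parse_mp_output(PREF_TXT))
```

Run the same two functions over each collected win_getmp_*.txt pair and keep the findings list next to the files; an empty list is the machine‑readable statement that the endpoint matches the baseline.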
How to collect, preserve, and present evidence
Collect artifacts into a time‑stamped evidence folder and generate a manifest that maps each artifact to the checklist item and control. Preserve integrity by computing SHA256 checksums immediately after collection and store the manifest in both the evidence folder and your secure document repository. Keep a chain‑of‑custody note for any forensic files (quarantine samples) and redact any irrelevant PII before submission. For small businesses with limited tooling, use scripted exports (PowerShell, bash) to ensure repeatability and reduce human error.
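An added example, not part of the original post, of the manifest and checksum step described above and in the evidence package section: it hashes every artifact in an evidence folder with SHA256, writes manifest_<date>.csv with the artifact, control, collector and hash columns, and re-verifies the folder later so a modified or missing artifact is reported. The control mapping, the sample files and the function names are constructed assumptions.

```python
import csv, hashlib, os, pathlib, tempfile
# Constructed mapping of artifact filename -> checklist item (all under SI.L1-B.1.XIII)
CONTROL_MAP = {
    "policy_v1_2026-04-01.pdf": "Policy and scope",
    "assets_2026-04-01.csv": "Inventory",
    "win_getmp_status.txt": "Configuration baseline",
}

def sha256_file(path):
    return hashlib.sha256(pathlib.Path(path).read_bytes()).hexdigest()

def build_manifest(evidence_dir, collector, date):
    """Hash every artifact, write manifest_<date>.csv, and return its rows."""
    rows = []
    for name in sorted(os.listdir(evidence_dir)):
        if name.startswith("manifest_"):
            continue  # the index is not an artifact of itself
        rows.append({"artifact": name, "collector": collector,
                     "control": CONTROL_MAP.get(name, "UNMAPPED - review"),
                     "sha256": sha256_file(os.path.join(evidence_dir, name))})
    manifest = os.path.join(evidence_dir, "manifest_%s.csv" % date)
    with open(manifest, "w", newline="") as f:
        w = csv.DictWriter(f, fieldnames=["artifact", "control", "collector", "sha256"])
        w.writeheader()
        w.writerows(rows)
    return rows

def verify_manifest(evidence_dir, manifest):
    """Recompute hashes; return {artifact: 'ok' | 'MODIFIED' | 'MISSING'}."""
    result = {}
    with open(manifest, newline="") as f:
        for row in csv.DictReader(f):
            path = os.path.join(evidence_dir, row["artifact"])
            result[row["artifact"]] = ("MISSING" if not os.path.exists(path) else
                                       "ok" if sha256_file(path) == row["sha256"] else "MODIFIED")
    return result

def demo():
    # Constructed evidence folder: build the manifest, alter one artifact, re-verify
    d = tempfile.mkdtemp(prefix="evidence_2026-04-01_")
    for name in CONTROL_MAP:
        with open(os.path.join(d, name), "w") as f:
            f.write("sample content for " + name)
    rows = build_manifest(d, "it-admin", "2026-04-01")
    manifest = os.path.join(d, "manifest_2026-04-01.csv")
    before = verify_manifest(d, manifest)
    with open(os.path.join(d, "win_getmp_status.txt"), "a") as f:
        f.write("\nedited after collection")
    return rows, before, verify_manifest(d, manifest)
```

Any artifact that lands as UNMAPPED is a gap in the checklist mapping, not just a filing error, so resolve it before the package is sealed.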
Small business scenario: 25 endpoints, 1 file server, hybrid cloud
Example implementation: Choose a single vendor that supports Windows/macOS/Linux and offers a central console (or pair Microsoft Defender for Endpoint + Intune). Deploy agents via Intune or Group Policy; verify installation by pulling an agent‑inventory CSV. Configure a baseline: real‑time protection enabled, all definitions auto‑update, weekly full scans at 02:00 on weekends, quarantine action configured to "Quarantine and notify." Collect evidence by exporting the Intune device list, Defender export reports, and a few representative PowerShell outputs from client machines. For cloud storage, show scanning for storage buckets (vendor scan logs) and any serverless scanning hooks. Store the evidence package in an encrypted ZIP with manifest and keep one copy in your secure contract folder and another offline for auditors.
Compliance tips and best practices
Keep these practices in mind: prefer EDR + traditional signature AV for defense in depth; automate evidence collection monthly; rotate the sampled endpoints in your evidence package quarterly so auditors see ongoing compliance rather than a one‑time snapshot; maintain retention (90 days minimum for logs, or longer if contract requires); document exceptions and don't rely on manual screenshots alone — include exports. If you use a Managed Service Provider, require a standard operating procedure (SOP) that lists how they produce the evidence you need and include the MSP contract or statement of work in the package.
In summary, build a concise anti‑malware checklist mapped to the Compliance Framework control, collect machine‑readable artifacts (console exports, configuration outputs, update logs, quarantine records), preserve integrity with checksums and manifests, and automate recurring evidence collection. These steps create a defensible evidence package that demonstrates continuous compliance with FAR 52.204-21 / CMMC 2.0 Level 1 requirements while reducing audit friction for small businesses.