This post explains, in practical terms, how to collect and present evidence that your environment protects against malicious code to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (Control - SI.L1-B.1.XIII), with templates, real-world small-business examples, and step-by-step implementation advice you can use immediately.
What the Control Requires (practical interpretation)
At a practical level this control expects you to demonstrate that you have deployed and maintained anti-malware protection across every system that processes or stores federal contract information (FCI): up-to-date endpoint protection, scanning of files and email, detection and quarantine of malicious artifacts, and logging of those activities so an auditor can verify ongoing operation. For small businesses the focus is on showing consistent configuration, evidence of updates and signature refreshes, and logs or reports that prove scans and quarantines actually occurred.
Types of Evidence Auditors Expect
Typical artifacts auditors want to see include: the anti-malware policy or an excerpt stating scanning and update requirements; an export from the EPP/EDR console showing agent version and last signature/definition update (ISO 8601 timestamp); recent scan logs (daily or weekly full scan schedule and results); quarantine reports and exported malware hashes (e.g., SHA-256) with handling notes; SIEM or syslog records of detection alerts and the response actions taken; proof that email/web gateway scanning is enabled; and a mapped evidence index that ties each artifact to the control requirement.
Practical Implementation Steps (Compliance Framework)
Start with a simple control map: list control SI.L1-B.1.XIII and map it to the concrete artifacts you will produce. Then implement these technical items: deploy an endpoint protection platform (EPP) with automatic daily signature updates (or cloud-based engines with continuous updates); enable real-time on-access scanning and scheduled weekly full scans; deploy lightweight EDR if feasible to capture process-level telemetry; configure the email gateway to block or tag attachments and to forward detection logs; centralize logs via syslog/SIEM (forward EPP/EDR events) and keep exports for at least the retention period required by your contract (common practice: 90–365 days); and enforce that administrative consoles require MFA and role-based access for auditability.
Technical specifics to document
When you collect artifacts, include technical details: product and version (e.g., "AcmeAV v5.2.1"), agent build and deployment count, definition/signature version and timestamp, scan schedule and last successful run time, quarantine list with file paths and SHA-256 hashes, exported log snippets showing detection IDs and the action taken, and a syslog or SIEM entry with the event ID and timestamp. Save exports as PDF/CSV in a read-only archive and generate a SHA-256 digest of each export file at collection time so you can show later that the file is unchanged.
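As an added example (not part of the original post and not any EPP vendor's tooling), the following Python turns a console agent export into the figures this section asks you to document: deployment count, agent versions in use, the hosts whose definitions or last contact are older than policy allows, whether real-time scanning is on everywhere, and the SHA-256 digest of the export itself. The CSV column names, the sample rows, the export time and the 24-hour thresholds are assumptions; substitute your own product's export headers and your policy values.

```python
import csv
import hashlib
import io
from datetime import datetime, timedelta, timezone

# Constructed sample "Agents Report (CSV)" export. Column names are assumptions;
# map them to the headers your EPP console actually emits.
SAMPLE_AGENT_EXPORT = """hostname,agent_version,signature_version,signature_updated,last_contact,realtime_scan
ws-eng-01,5.2.1,2026.04.10.03,2026-04-10T09:12:44Z,2026-04-10T13:58:02Z,enabled
ws-eng-02,5.2.1,2026.04.10.03,2026-04-10T11:03:10Z,2026-04-10T14:01:19Z,enabled
ws-eng-03,5.1.9,2026.04.07.01,2026-04-07T21:40:05Z,2026-04-08T08:15:33Z,enabled
srv-files-01,5.2.1,2026.04.10.03,2026-04-10T12:30:00Z,2026-04-10T14:04:51Z,enabled
srv-app-01,5.2.1,2026.04.10.03,2026-04-10T12:30:00Z,2026-04-10T14:04:48Z,disabled
"""

# Assumed export time (matches the template's "Timestamp of Export") and policy thresholds.
EXPORT_TIME = datetime(2026, 4, 10, 14, 5, 32, tzinfo=timezone.utc)
MAX_SIGNATURE_AGE = timedelta(hours=24)  # policy: automatic daily signature updates
MAX_CONTACT_AGE = timedelta(days=1)      # an agent silent for longer is not evidence of coverage


def parse_ts(value: str) -> datetime:
    """Parse an ISO 8601 timestamp with a trailing Z into an aware UTC datetime."""
    return datetime.fromisoformat(value.strip().replace("Z", "+00:00"))


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def assess_agent_export(csv_text: str, export_time: datetime = EXPORT_TIME,
                        max_signature_age: timedelta = MAX_SIGNATURE_AGE,
                        max_contact_age: timedelta = MAX_CONTACT_AGE) -> dict:
    """Summarize an agent export the way an auditor wants to read it."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    stale_signatures, unreachable, realtime_disabled = [], [], []
    for row in rows:
        host = row["hostname"]
        if export_time - parse_ts(row["signature_updated"]) > max_signature_age:
            stale_signatures.append(host)
        if export_time - parse_ts(row["last_contact"]) > max_contact_age:
            unreachable.append(host)
        if row["realtime_scan"].strip().lower() != "enabled":
            realtime_disabled.append(host)
    return {
        "export_sha256": sha256_hex(csv_text.encode("utf-8")),  # record this in the evidence index
        "deployment_count": len(rows),
        "agent_versions": sorted({r["agent_version"] for r in rows}),
        "stale_signatures": stale_signatures,
        "unreachable": unreachable,
        "realtime_disabled": realtime_disabled,
        # Only claim the control is operating when every agent is current, reporting and scanning.
        "compliant": not (stale_signatures or unreachable or realtime_disabled),
    }


if __name__ == "__main__":
    for key, value in assess_agent_export(SAMPLE_AGENT_EXPORT).items():
        print(f"{key}: {value}")
```

Run it against the real export before you attach it to the evidence index: a non-empty `stale_signatures` or `unreachable` list is exactly the gap an assessor will ask about, so fix it (or document the exception) before the export becomes evidence.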
Small Business Example Scenario
Example: a 30-person engineering consultancy using managed workstations and two Windows servers. Implementation included: centralized EPP (console hosted by the MSP), scheduled full scans Sundays at 02:00, on-access scanning enabled, definition updates on average every 4 hours, monthly quarantine exports, and SIEM retention set to 180 days. For an audit, they produced: the EPP policy PDF, a console screenshot with timestamp and agent inventory, a CSV export of quarantine events for the last 90 days with SHA-256 hashes, a SIEM search showing the matching detection events with timestamps and responder notes, and an indexed evidence spreadsheet mapping each artifact to SI.L1-B.1.XIII.
Evidence template (use for each artifact)
Evidence Title: Anti-Malware Agent Inventory and Updates
Control Mapped: SI.L1-B.1.XIII
Owner: IT Operations - itops@example.com
Collection Method: Export from EPP Console -> Agents Report (CSV) + Screenshot (console header showing timestamp)
Timestamp of Export: 2026-04-10T14:05:32Z
Location (stored): /evidence/security/epp/2026-04-10_agents_report.csv
How it demonstrates control: Shows deployed agents, last contact, and signature version demonstrating up-to-date protection
Retention: 365 days (per contract)
Integrity Hash: SHA256: 3b9f... (stored with file)
Notes: Exported to read-only archive; screenshot annotated with evidence ID EVID-2026-04-EPP-001
Compliance Tips and Best Practices
Label and index every artifact: give each a unique evidence ID and a short explanation that ties it to the control; auditors appreciate the map more than raw dumps. Use automated exports and retain them in a WORM or versioned repository so you can produce consistent historical evidence. Time-stamp screenshots with system time and include the visible console header (product name and timestamp). When possible, collect both machine-readable exports (CSV/JSON) and human-readable PDFs with the same content. Hash exported files at collection time and record the hashes in your evidence index so you can prove integrity later.
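The evidence template above and the hashing and indexing tips in this section can be automated. The following Python is an added example (not the post's own tooling): it builds a record with the template's fields, takes the artifact's SHA-256 at collection time, serializes a JSON evidence index with its own digest, and later re-verifies every artifact against the index so that a modified or missing export is reported by evidence ID. The field names, the sample export bytes, the stored path and the timestamp are assumptions.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample artifact, standing in for the CSV export an EPP console produces.
SAMPLE_EXPORT = b"hostname,agent_version,signature_updated\nws-eng-01,5.2.1,2026-04-10T09:12:44Z\n"
# Assumed collection time; matches the template's "Timestamp of Export".
SAMPLE_COLLECTED_AT = datetime(2026, 4, 10, 14, 5, 32, tzinfo=timezone.utc)
SAMPLE_PATH = "/evidence/security/epp/2026-04-10_agents_report.csv"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def iso_utc(dt: datetime) -> str:
    """ISO 8601 UTC timestamp with a trailing Z, as the template uses."""
    return dt.astimezone(timezone.utc).isoformat(timespec="seconds").replace("+00:00", "Z")


def make_evidence_record(evidence_id, title, control, owner, collection_method,
                         stored_path, content: bytes, how_it_demonstrates,
                         retention_days, collected_at=None, notes=""):
    """Build one evidence-index entry; the integrity hash is taken at collection time."""
    collected_at = collected_at or datetime.now(timezone.utc)
    return {
        "evidence_id": evidence_id,
        "evidence_title": title,
        "control_mapped": control,
        "owner": owner,
        "collection_method": collection_method,
        "timestamp_of_export": iso_utc(collected_at),
        "location": stored_path,
        "how_it_demonstrates_control": how_it_demonstrates,
        "retention_days": retention_days,
        "integrity_hash": "SHA256:" + sha256_hex(content),
        "notes": notes,
    }


def verify_record(record: dict, content: bytes) -> bool:
    """True if the bytes now in the archive still match the hash recorded at collection."""
    return record["integrity_hash"] == "SHA256:" + sha256_hex(content)


def build_index(records: list) -> tuple:
    """Serialize the index deterministically and return (body, digest of body)."""
    body = json.dumps(records, indent=2, sort_keys=True)
    return body, sha256_hex(body.encode("utf-8"))


def verify_index(body: str, expected_digest: str) -> bool:
    """Detect edits to the index itself, not just to the artifacts it lists."""
    return sha256_hex(body.encode("utf-8")) == expected_digest


def check_index(body: str, archive: dict) -> list:
    """Re-verify every artifact; `archive` maps stored path -> current bytes.
    Returns the evidence IDs that are missing or whose content no longer matches."""
    failures = []
    for record in json.loads(body):
        content = archive.get(record["location"])
        if content is None or not verify_record(record, content):
            failures.append(record["evidence_id"])
    return failures


if __name__ == "__main__":
    rec = make_evidence_record(
        "EVID-2026-04-EPP-001", "Anti-Malware Agent Inventory and Updates",
        "SI.L1-B.1.XIII", "IT Operations - itops@example.com",
        "Export from EPP Console -> Agents Report (CSV)", SAMPLE_PATH, SAMPLE_EXPORT,
        "Shows deployed agents, last contact, and signature version", 365,
        collected_at=SAMPLE_COLLECTED_AT, notes="Exported to read-only archive")
    body, digest = build_index([rec])
    print(body)
    print("index digest:", digest)
    print("tampered artifacts:", check_index(body, {SAMPLE_PATH: b"edited after the fact"}))
```

Store the index digest somewhere the index itself cannot silently change (a ticket, a signed email to the owner, or the WORM repository's object metadata); then a re-run of `check_index` at audit time, on the archived bytes, is your proof that the artifacts are the ones collected on the recorded date.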
Risk of Not Implementing or Documenting Properly
Failing to implement or document malicious code protection increases the risk of successful malware incidents (data theft, ransomware) and can result in failing FAR or CMMC audits, loss of federal contracts, mandatory remediation orders, and reputational damage. From a technical perspective, incomplete logs or missing agent coverage make it impossible to prove that protections were operating during an incident window, which can trigger deeper forensic requests and higher remediation costs.
Summary: To satisfy FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1-B.1.XIII, small businesses should implement consistent endpoint and gateway protections, centralize logs, and produce an indexed set of artifacts (policy, exports, quarantine lists, SIEM events, screenshots) annotated with timestamps, owners, and integrity hashes; using the template above will help you standardize evidence collection and present a clear, auditable trail to assessors.