Requirement
SI.L1-B.1.XV – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
This control comes from FAR 52.204-21 / CMMC 2.0 Level 1.
Understanding the Requirement
This control requires that your organization deploys anti-malware capabilities that do two things: run scheduled (periodic) scans across systems at a defined frequency, and perform real-time scans of files that come from external sources when they are downloaded, opened, or executed. You must define the scan frequency, ensure the scheduled scans actually run, and keep real-time file scanning enabled so incoming files are inspected before they can execute. The goal is to prevent malware installation, detect existing malware, and remove or contain infections quickly.
Policies and Procedures Needed
Create concise policies that cover endpoint protection (mandatory anti-malware on all managed workstations and servers), software deployment and configuration standards, device and software inventory (to ensure coverage), update and signature management, exception handling (approved exclusions and temporary bypasses), and incident response steps for malware detections. Tie these into onboarding/offboarding so devices entering or leaving the environment are scanned and configured correctly, and define roles and responsibilities for system/network administrators and staff with security duties.
Technical Implementation
- Deploy an enterprise-grade anti-malware solution to all endpoints and servers using a central management console. Use the console to enforce baseline settings (and tamper protection, where the product offers it) so that individual users, including local administrators, cannot disable real-time protection or stop the agent.
- Enable real-time (on-access) scanning and explicitly configure it to inspect files from external sources (e.g., browser downloads, email attachments, removable media). Verify that scanning fires when files are downloaded, opened, or executed, not only on demand; a quick check is to fetch the EICAR test file and confirm the agent blocks it on download and again when it is opened from removable media.
- Define and schedule periodic full-system scans (for example, a full scan once per week during low business hours) and quicker daily or incremental scans for high-risk systems. Document the frequency and include it in your policy.
- Configure automatic signature and engine updates with a high cadence (at least daily; consider multiple updates per day for threat feeds). Monitor update success and alert when a device's signature age exceeds the threshold you define (for example, 24 hours) or when an update fails outright.
- Set quarantine and remediation actions: ensure detected malware is automatically quarantined, generate alerts to a central dashboard or email distribution list, and create automated ticketing or workflows for follow-up investigation and cleanup.
- Use a small pilot group to test configuration changes and exclusions, log scan results centrally (and forward critical events to your SIEM or log collector), and periodically reconcile the console's device list against the asset inventory in both directions: an inventoried device with no reporting agent is unprotected, and an agent reporting from a device that is not in the inventory points to an inventory gap.
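The coverage reconciliation and update monitoring described in the steps above can be scripted against exports from the console and the asset inventory. The following is an added example, not code from the page or from any vendor's product: it assumes a CSV export from the console with the columns shown (hostname, whether real-time protection is on, and the last signature update, quick scan and full scan timestamps) and an inventory CSV with a hostname column; both files and all hosts in them are constructed for the example, and the thresholds are assumed policy values to be replaced with your documented scan frequency.

```python
"""Added example: audit anti-malware coverage and freshness against the asset
inventory. Not vendor code; the CSV layouts are assumptions about what a console
export and an inventory look like, and every host below is constructed."""
import csv
import io
from datetime import datetime, timedelta, timezone

# Policy thresholds (assumed values; set them from your documented scan frequency).
MAX_SIGNATURE_AGE = timedelta(hours=24)
MAX_QUICK_SCAN_AGE = timedelta(days=1)
MAX_FULL_SCAN_AGE = timedelta(days=7)

# Constructed sample asset inventory (hypothetical hosts).
INVENTORY_CSV = """hostname,owner,type
LT-ALICE,alice,laptop
LT-BOB,bob,laptop
WS-FINANCE1,carol,desktop
FS-01,it,server
FS-02,it,server
"""

# Constructed sample export from the anti-malware management console.
# FS-01 has never completed a full scan (blank field); LT-CONTRACTOR is not inventoried.
CONSOLE_CSV = """hostname,realtime_enabled,last_signature_update,last_quick_scan,last_full_scan
LT-ALICE,true,2024-05-10T06:15:00Z,2024-05-10T02:00:00Z,2024-05-03T17:00:00Z
LT-BOB,false,2024-05-10T06:10:00Z,2024-05-10T02:00:00Z,2024-05-03T17:00:00Z
WS-FINANCE1,true,2024-05-07T06:00:00Z,2024-05-07T02:00:00Z,2024-05-03T17:00:00Z
FS-01,true,2024-05-10T06:00:00Z,2024-05-10T02:00:00Z,
LT-CONTRACTOR,true,2024-05-10T06:00:00Z,2024-05-10T02:00:00Z,2024-05-03T17:00:00Z
"""

# Fixed audit time so the example is reproducible; use datetime.now(timezone.utc) in practice.
AUDIT_TIME = datetime(2024, 5, 10, 9, 0, tzinfo=timezone.utc)


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; a blank field means the event never happened."""
    value = value.strip()
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def check_age(host, row, field, limit, code, now, findings):
    """Add a finding when the event is missing or older than the policy limit."""
    last = parse_ts(row[field])
    if last is None:
        findings.append((host, code, f"{field} never recorded"))
    elif now - last > limit:
        findings.append((host, code, f"{field} is {(now - last).days}d old, limit {limit}"))


def audit(inventory_csv, console_csv, now):
    """Return a list of (hostname, code, detail) findings; empty means fully compliant."""
    inventory = {r["hostname"].strip().upper() for r in load_rows(inventory_csv)}
    console = {r["hostname"].strip().upper(): r for r in load_rows(console_csv)}
    findings = []
    # Coverage in both directions: every inventoried device must report to the
    # console, and every reporting device must be a known asset.
    for host in sorted(inventory - console.keys()):
        findings.append((host, "UNMANAGED", "in inventory but not reporting to the console"))
    for host in sorted(console.keys() - inventory):
        findings.append((host, "UNKNOWN_DEVICE", "reporting to the console but not in inventory"))
    # Configuration and freshness on every reporting device.
    for host, row in sorted(console.items()):
        if row["realtime_enabled"].strip().lower() != "true":
            findings.append((host, "REALTIME_OFF", "real-time protection disabled"))
        check_age(host, row, "last_signature_update", MAX_SIGNATURE_AGE, "STALE_SIGNATURES", now, findings)
        check_age(host, row, "last_quick_scan", MAX_QUICK_SCAN_AGE, "MISSED_QUICK_SCAN", now, findings)
        check_age(host, row, "last_full_scan", MAX_FULL_SCAN_AGE, "MISSED_FULL_SCAN", now, findings)
    return findings


def coverage_ratio(inventory_csv, console_csv):
    """Fraction of inventoried devices that have a reporting agent."""
    inventory = {r["hostname"].strip().upper() for r in load_rows(inventory_csv)}
    console = {r["hostname"].strip().upper() for r in load_rows(console_csv)}
    return len(inventory & console) / len(inventory) if inventory else 0.0


if __name__ == "__main__":
    for host, code, detail in audit(INVENTORY_CSV, CONSOLE_CSV, AUDIT_TIME):
        print(f"{host:<14} {code:<18} {detail}")
    print(f"coverage: {coverage_ratio(INVENTORY_CSV, CONSOLE_CSV):.0%}")
```

Run on the constructed data this reports FS-02 as unmanaged, LT-CONTRACTOR as an unknown device, FS-01 as never fully scanned, LT-BOB with real-time protection off, and WS-FINANCE1 with stale signatures and a missed quick scan, for 80% agent coverage. Keeping the output as structured findings rather than free text lets you feed it to the ticketing workflow and retain the reports as assessment evidence; the blank-timestamp case is handled explicitly because a device that has never scanned is the one most likely to be missed by an "older than N days" query.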
Example in a Small or Medium Business
Alice runs IT for a 50-person professional services firm and needs to prevent malware infections that could expose client data. She purchases an enterprise anti-malware product with a cloud management console and deploys the agent to all employee laptops, desktops, and the two file servers. Alice configures the policy to enforce real-time scanning on all endpoints and to specifically scan files as they are downloaded from web browsers, received via email, or opened from USB drives. She sets a full system scan to run every Friday at 5:00 PM, with the agent configured to run a missed scan at the next opportunity because laptops are often powered off by then, and schedules a quick system scan daily at 2:00 AM. Automatic signature updates are configured to run several times per day; failures to update trigger an alert to the IT inbox. When the product quarantines a suspicious file, it creates a ticket in Alice's helpdesk system and notifies the security lead for investigation; false positives are handled through a documented exception request and a short review process. Periodically Alice reviews the management console reports against the asset inventory to confirm all endpoints are protected and updates the policy as new threat information or business needs arise.
Summary
Combining a clear policy that defines scan frequency and responsibilities with a centrally managed anti-malware deployment provides the controls required by SI.L1-B.1.XV. Real-time scanning of files from external sources blocks many threats before they execute, while scheduled full and incremental scans detect dormant or missed infections. Automated updates, centralized logging, quarantine actions, and an incident workflow ensure detections are handled promptly and that your SMB maintains measurable, auditable coverage across its environment.