This post gives a practical, step-by-step compliance checklist and implementation guidance for deploying real-time file scans on downloads and executions to meet the intent of FAR 52.204-21 and CMMC 2.0 Level 1 Control SI.L1-B.1.XV, tailored for organizations using the Compliance Framework. The goal is to provide actionable configuration tips, testing procedures, and audit evidence approaches that a small business can apply immediately to reduce malware risk and produce compliance artifacts for assessments.
Quick Compliance Checklist (High-level)
Use this concise checklist as your roadmap—each item below should map to documented policies, configurations, and evidence retained for audits:
- Policy: Create/update a written "On-access/On-download Scanning" policy that references SI.L1-B.1.XV and FAR 52.204-21 requirements (who, what, when, exceptions).
- Tool selection: Choose an endpoint/EDR + gateway scanning stack that supports on-access (on-execute) and on-download scanning (web/email/proxy integration).
- Configure real-time (on-access) scanning on all endpoints to scan at execution/open and on new file arrival.
- Configure the proxy/web gateway/email security stack (ICAP/AM/NGFW integration) to scan files at download time, and apply quarantine or block rules for high-risk detections.
- Define and document quarantine/block action policies, whitelist processes (hash/path), and update cadence for detection signatures/AI models.
- Enable detailed logging/forwarding to SIEM and set up alerting for detections and scan failures; retain logs per contract/audit retention policy.
- Test and validate with repeatable test cases (EICAR, malicious-sample simulation, archive/extraction tests) and record results.
- Train staff and document exceptions/change control for any exclusions.
Implementation Notes — Technical Details and Configurations
For Compliance Framework environments, focus on two technical controls: (1) on-access scanning at execution (endpoint) and (2) on-download scanning at gateway/proxy. On Windows, use enterprise AV/EDR (Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne) and enable real-time protection, on-execute scanning, and cloud-delivered protection. Configure kernel/driver-based file system hooks (default in enterprise EDR) so files are scanned before execution. On Linux, implement fanotify-based on-access scanning (e.g., OSSEC integrations or vendor agents) or use an EDR that supplies kernel-level hooks; for macOS, enable vendor endpoint agents that use the Endpoint Security framework for pre-exec checks.
For web/email downloads, integrate scanning via ICAP or APIs with your secure web gateway (SWG) or proxy (e.g., Squid + C-ICAP + ClamAV or commercial SWG). Configure the SWG to scan archives and nested files — set a practical archive depth (e.g., depth 3) and max extracted file size to balance detection vs performance. For cloud storage (OneDrive/SharePoint/Google Drive), enable cloud-app CASB or native scanning integrations where available; many CASBs provide inline download scanning or a post-download quarantine workflow.
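The archive-depth and extracted-size limits mentioned above are the two settings that keep a gateway scanner from being exhausted by deeply nested or highly compressible archives. The following is an added illustration, not code from the page or from any SWG or Compliance Framework product: it walks a ZIP (and ZIPs nested inside it) in memory, hands every in-policy member to the scan engine, and returns a block verdict as soon as the depth or byte budget is exceeded. The depth of 3 comes from the text; the 50 MiB byte cap, the `make_zip` helper and the sample archives are constructed for the example.

```python
import io
import zipfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Depth 3 follows the guidance above; the byte cap is a constructed example
# value that you would tune to the gateway's memory and latency budget.
MAX_ARCHIVE_DEPTH = 3
MAX_EXTRACTED_BYTES = 50 * 1024 * 1024


@dataclass
class InspectionResult:
    verdict: str = "scan"                        # "scan", "block-depth" or "block-size"
    members: List[Tuple[str, int, int]] = field(default_factory=list)  # (path, depth, size)
    extracted_bytes: int = 0                     # running total of inflated bytes


def inspect_archive(data: bytes, *, max_depth: int = MAX_ARCHIVE_DEPTH,
                    max_bytes: int = MAX_EXTRACTED_BYTES, _depth: int = 1,
                    _prefix: str = "", _result: Optional[InspectionResult] = None) -> InspectionResult:
    """Walk a ZIP and any ZIPs nested in it, enforcing depth and size limits.

    Members within policy are listed in result.members for the scan engine.
    Exceeding either limit returns a block verdict immediately, which is the
    safe default for a download gateway (fail closed, not fail open).
    """
    result = _result if _result is not None else InspectionResult()
    if _depth > max_depth:
        result.verdict = "block-depth"
        return result
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        # Not a ZIP (or a mislabelled .zip): scan it as an ordinary file.
        result.members.append((_prefix or "<download>", _depth, len(data)))
        if _depth == 1:                          # nested payloads were counted by the parent
            result.extracted_bytes += len(data)
        return result
    with zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            # Check the declared size before inflating anything at all.
            if result.extracted_bytes + info.file_size > max_bytes:
                result.verdict = "block-size"
                return result
            payload = zf.read(info)
            result.extracted_bytes += len(payload)
            path = f"{_prefix}/{info.filename}" if _prefix else info.filename
            if info.filename.lower().endswith(".zip"):
                inspect_archive(payload, max_depth=max_depth, max_bytes=max_bytes,
                                _depth=_depth + 1, _prefix=path, _result=result)
                if result.verdict != "scan":
                    return result
            else:
                result.members.append((path, _depth, len(payload)))
    return result


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {name: content}; used only to construct test input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed download: a document three archives deep is still scanned.
    inner = make_zip({"doc.txt": b"hello"})
    outer = make_zip({"mid.zip": make_zip({"inner.zip": inner})})
    print(inspect_archive(outer))
    # One level deeper than policy allows is blocked without inflating further.
    print(inspect_archive(make_zip({"outer.zip": outer})).verdict)
```

The declared-size check before `zf.read` is what matters on a gateway: a member that claims 2 GB is rejected before any decompression work is spent on it, and because `extracted_bytes` accumulates across nested levels, many small members cannot add up past the cap either.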
Small-business practical examples
Example 1 — Windows/Intune + Defender: Use Microsoft Intune to push a Defender policy enabling "Real-time protection", "Scan downloaded files and attachments", and "Cloud-delivered protection". Set "Blocked actions" for severe detections and configure quarantine retention to 90 days. Collect Defender ATP event logs via Microsoft Sentinel or a lightweight syslog forwarder for audit evidence.
Example 2 — Proxy + ICAP + ClamAV (low-cost): Deploy Squid as your proxy and integrate C-ICAP with ClamAV/ClamD for scanning. Configure Squid to send downloads to the ICAP server. Add rules to block downloads with high-confidence detections, and log the filename, source URL, source user, and verdict to a central log server. Maintain a documented exception process for false positives with hash-based whitelisting and change control tickets.
Testing, Validation, and Evidence Collection
Test with EICAR test files and simulated malicious payloads (in a controlled lab). Validate three core scenarios: (1) web/email download is scanned and blocked/quarantined, (2) file copied to endpoint is scanned on write, and (3) file executed triggers an on-access scan before execution. Capture screenshots, SIEM/EDR logs showing detection events (timestamp, user, host, file hash, action taken), and provide a simple test-run playbook with pass/fail results. Keep test logs and change control records as evidence for assessors.
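An assessor will want each of the three scenarios above tied to a detection record that carries every field listed (timestamp, user, host, file hash, action taken). The script below is an added example, not tooling from the page or from any EDR vendor: it normalizes constructed key=value detection lines into evidence records, rejects records that are missing a required field (a record without the user or with a malformed hash is not usable evidence), separates engine failure events so they can be alerted on, and produces the pass/fail table for the test-run playbook. The log format, host names, user and hash values are all constructed; real Defender or ClamAV/c-icap output has different field names that you would map onto the same record.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Fields an assessor needs on every detection record (from the testing section above).
REQUIRED = ("ts", "host", "user", "sha256", "action", "trigger")
BLOCKING_ACTIONS = {"quarantine", "blocked", "removed"}
# The three validation scenarios, keyed by the trigger value the constructed logs use.
SCENARIOS = ("on-download", "on-write", "on-execute")

KV = re.compile(r"(\w+)=(\S+)")
HEX64 = re.compile(r"^[0-9a-f]{64}$")

# Constructed sample log: one line per scenario plus one engine failure event.
# The third line deliberately lacks user=, so it cannot serve as evidence.
H = "ab" * 32  # constructed stand-in for the SHA-256 of the test file
SAMPLE_LOG = f"""\
2024-05-02T14:03:11Z host=WS-07 user=jdoe engine=defender trigger=on-execute verdict=EICAR_Test_File sha256={H} action=Quarantine
2024-05-02T14:05:40Z host=proxy01 user=jdoe engine=clamav trigger=on-download verdict=Eicar-Signature sha256={H} action=Blocked url=http://lab.example/eicar.com
2024-05-02T14:07:02Z host=WS-07 engine=defender trigger=on-write verdict=EICAR_Test_File sha256={H} action=Quarantine
2024-05-02T14:10:02Z host=WS-07 engine=defender event=update_failure reason=signature_download_timeout
"""


@dataclass
class Evidence:
    ts: str
    host: str
    user: str
    sha256: str
    action: str
    trigger: str
    engine: str = "unknown"
    verdict: str = "unknown"


def parse_line(line: str) -> Dict[str, str]:
    """Split 'timestamp key=value ...' into a dict; the timestamp becomes 'ts'."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV.findall(rest))
    fields["ts"] = ts
    return fields


def collect_evidence(lines) -> Tuple[List[Evidence], List[str], List[Dict[str, str]]]:
    """Return (complete detection records, incomplete lines to fix, engine failure events)."""
    records, incomplete, failures = [], [], []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        if "event" in f:                       # operational event, not a detection
            failures.append(f)
            continue
        missing = [k for k in REQUIRED if k not in f]
        if missing or not HEX64.match(f["sha256"]):
            incomplete.append(line.strip())     # keep for remediation, never as evidence
            continue
        records.append(Evidence(ts=f["ts"], host=f["host"], user=f["user"], sha256=f["sha256"],
                                action=f["action"], trigger=f["trigger"],
                                engine=f.get("engine", "unknown"), verdict=f.get("verdict", "unknown")))
    return records, incomplete, failures


def scenario_results(records: List[Evidence]) -> Dict[str, str]:
    """A scenario passes only when a complete record shows a blocking action for its trigger."""
    return {s: "PASS" if any(r.trigger == s and r.action.lower() in BLOCKING_ACTIONS for r in records)
            else "FAIL" for s in SCENARIOS}


if __name__ == "__main__":
    recs, bad, fails = collect_evidence(SAMPLE_LOG.splitlines())
    for name, outcome in scenario_results(recs).items():
        print(f"{name:12s} {outcome}")
    print("incomplete records:", len(bad), "| engine failures:", len(fails))
```

On the constructed input the on-write scenario fails even though the engine quarantined the file, because the record lacks the user field; that is the behaviour you want, since a playbook that marks a scenario passed on incomplete evidence will not survive an assessment.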
Risks, Consequences, and Why This Matters
Failing to implement real-time scans on downloads and executions increases the risk of initial malware footholds, ransomware encryption events, and data exfiltration. From a compliance standpoint, lack of controls or missing evidence can result in FAR noncompliance, contract penalties, and failed CMMC assessments that jeopardize DoD contracts. Operational impacts include increased incident response workload, longer recovery time objectives (RTOs), and potential reputational damage.
Compliance Tips and Best Practices
Keep these practical tips in your implementation plan: maintain signature and engine updates on an hourly-to-daily cadence for cloud engines and at least daily for local engines; apply least-privilege for quarantine management; instrument false-positive workflows (hash allowlist + documented justification + TTL); monitor scan performance metrics to avoid user experience degradation (e.g., exclude large media files from on-execute scanning but scan them on download); and centralize logs in a SIEM with searches for "on-access scan failures" and "scan engine update failures".
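The false-positive workflow above (hash allowlist plus documented justification plus a TTL) is easy to describe and easy to get wrong: entries tend to accumulate with no ticket and no expiry. The class below is an added example, not part of the page or of any vendor console; it refuses entries that lack a justification or change-control reference, caps the TTL, stops suppressing a detection the moment its entry expires, and reports expired hashes for purging. Hash values, ticket numbers and the 90-day maximum TTL are constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

HEX64 = re.compile(r"^[0-9a-f]{64}$")


@dataclass(frozen=True)
class AllowlistEntry:
    sha256: str
    justification: str   # why the detection is a false positive
    ticket: str          # change-control reference (constructed format in the demo)
    approved_by: str
    expires: datetime    # the TTL: exceptions are reviewed, never permanent


class HashAllowlist:
    """Hash-based allowlist that refuses undocumented or unexpiring entries."""

    def __init__(self, max_ttl: timedelta = timedelta(days=90)):
        self.max_ttl = max_ttl
        self._entries: Dict[str, AllowlistEntry] = {}

    def add(self, entry: AllowlistEntry, now: datetime) -> None:
        if not HEX64.match(entry.sha256):
            raise ValueError("sha256 must be 64 lowercase hex characters")
        if not entry.justification.strip() or not entry.ticket.strip():
            raise ValueError("justification and change-control ticket are required")
        if entry.expires <= now or entry.expires - now > self.max_ttl:
            raise ValueError(f"expiry must be in the future and within {self.max_ttl.days} days")
        self._entries[entry.sha256] = entry

    def is_allowed(self, sha256: str, now: datetime) -> bool:
        e = self._entries.get(sha256.lower())
        return e is not None and now < e.expires   # expired entries no longer suppress

    def purge_expired(self, now: datetime) -> List[str]:
        gone = [h for h, e in self._entries.items() if now >= e.expires]
        for h in gone:
            del self._entries[h]
        return gone

    def decide(self, detection: Dict[str, str], now: datetime) -> str:
        """Action for a detection: 'suppress' if allowlisted, else the engine's own action."""
        if self.is_allowed(detection["sha256"], now):
            return "suppress"
        return detection.get("action", "quarantine")


def example_run() -> Dict[str, object]:
    """Constructed walk-through: add one exception, check it before and after its TTL."""
    now = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    h = "cd" * 32  # constructed hash of an in-house tool flagged as a false positive
    acl = HashAllowlist()
    acl.add(AllowlistEntry(h, "Internal build tool; vendor confirmed false positive",
                           "CHG-1042", "secops-lead", now + timedelta(days=30)), now)
    detection = {"sha256": h, "action": "quarantine"}
    out: Dict[str, object] = {
        "day10": acl.decide(detection, now + timedelta(days=10)),
        "day31": acl.decide(detection, now + timedelta(days=31)),
        "purged": acl.purge_expired(now + timedelta(days=31)),
    }
    try:  # an exception with no ticket must be rejected, not silently accepted
        acl.add(AllowlistEntry("ef" * 32, "no ticket filed", "", "someone",
                               now + timedelta(days=5)), now)
        out["undocumented_rejected"] = False
    except ValueError:
        out["undocumented_rejected"] = True
    return out


if __name__ == "__main__":
    for key, value in example_run().items():
        print(f"{key}: {value}")
```

Feeding `purge_expired` into a scheduled job and logging its output gives you the change-control trail for exception removal, which is the part of the workflow assessors most often find missing.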
In summary, meeting SI.L1-B.1.XV for FAR 52.204-21 is achievable for small businesses by combining policy, endpoint EDR/AV real-time protection, gateway-level download scanning, documented testing, and retained evidence. Follow the checklist, use the technical configurations and examples above, and produce repeatable test records and logs to demonstrate ongoing compliance.