This post gives a practical, actionable walkthrough for implementing malware protection across cloud and on-prem systems to meet FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XIII, including exact configuration points, small-business examples, logging and evidence requirements, and clear compliance tips.
Overview and applicability
FAR 52.204-21 and CMMC 2.0 Level 1 emphasize basic cyber hygiene: protect systems against malicious code and demonstrate you've done so. Key objectives are (1) deploy malware defenses on all endpoints and compute resources that process Federal Contract Information (FCI), (2) keep protections current with automatic updates, and (3) collect and retain evidence of protection and detections. Implementation notes for small businesses: scope assets (end-user devices, on-prem servers, virtual machines, containers, cloud storage, and email) and document which controls/tools cover each asset so evidence collection maps back to the requirement.
Step-by-step implementation
Inventory and scope assets
Start by creating a concise asset inventory: list all user endpoints, servers, cloud instances, containers, file shares, and SaaS services that store or process FCI. For a 25-person marketing firm this might be: 25 Windows/macOS laptops, 2 on-prem Windows servers (file/print), 3 Azure VMs hosting websites, Office 365 tenant, and one AWS S3 bucket. Tag assets in your inventory with owner, location (cloud/on-prem), and a risk classification (hosts with access to FCI = high priority). This inventory drives where agents or cloud-native protections must be enabled and is your first audit artifact.
Select tools and deployment model
Choose a mix of endpoint protection (EPP) and, where possible, endpoint detection and response (EDR). Recommended stack examples: Microsoft Defender for Business/Endpoint (small businesses on Windows/Office365), CrowdStrike Falcon or SentinelOne (cross-platform EDR), ClamAV or commercial AV for Linux servers, and vendor or cloud-native services for cloud workloads (Azure Defender/Microsoft Defender for Cloud, AWS GuardDuty + EDR agents). For containers, include image-scanning (Trivy/Clair) in CI and runtime monitoring (Falco). Deploy agents via Intune/Group Policy for Windows, Jamf for macOS, configuration management (Ansible/SSM) for Linux, and use automated onboarding scripts for cloud VM scale sets. Document deployment manifests (scripts, GPOs, IaC templates) as compliance evidence.
Baseline configuration and update policies
Implement a hardened baseline: enable real-time protection, cloud-delivered protection, automatic signature and engine updates, and automatic sample submission where permitted. Example Windows Defender GPO/Intune settings: Real-time protection = Enabled; Cloud-delivered protection = Enabled; Automatic sample submission = Enabled; Tamper protection = On; Block at first sight = Enabled; Exclusions limited to documented, justified paths. Scheduling: quick scan daily, full scan weekly; signatures/definitions = automatic (hourly or real-time cloud-delivered). For Linux, configure freshclam to update hourly and schedule a full clamscan weekly, and ensure rkhunter runs weekly. For containers and images, fail the CI pipeline when Trivy finds critical/high malware findings. Record the exact policy JSON/GPO exports for evidence.
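As an added example (not from the original post), the following Python check compares a Defender preference export against the baseline listed above and reports every deviation, including undocumented exclusions. It assumes the export was produced with `Get-MpPreference | ConvertTo-Json` with the `IsTamperProtected` value from `Get-MpComputerStatus` merged in; the sample values and the approved-exclusion list are constructed.

```python
"""Check a Defender preference export against the baseline above."""
import json

# Constructed export in the shape of `Get-MpPreference | ConvertTo-Json`
# (property names are Defender's; values are made up). IsTamperProtected is
# assumed to have been merged in from Get-MpComputerStatus.
SAMPLE_EXPORT = json.dumps({
    "DisableRealtimeMonitoring": False,
    "MAPSReporting": 2,            # 2 = Advanced (cloud-delivered protection)
    "SubmitSamplesConsent": 3,     # 3 = SendAllSamples
    "DisableBlockAtFirstSeen": False,
    "IsTamperProtected": True,
    "ScanParameters": 2,           # 2 = full scan for the scheduled scan
    "ScanScheduleDay": 7,          # 1-7 = Sunday..Saturday, 0 = daily, 8 = never
    "SignatureUpdateInterval": 4,  # hours between definition update checks
    "ExclusionPath": ["C:\\Builds\\cache", "D:\\Temp"],
})

# Assumed: the justified exclusions recorded in the policy document.
APPROVED_EXCLUSIONS = {"C:\\Builds\\cache"}


def check_baseline(export_json, approved_exclusions):
    """Return (setting, finding) pairs for every deviation from the baseline."""
    p = json.loads(export_json)
    findings = []
    if p.get("DisableRealtimeMonitoring", True):
        findings.append(("RealTimeProtection", "disabled"))
    if p.get("MAPSReporting", 0) != 2:
        findings.append(("CloudDeliveredProtection", "not Advanced"))
    if p.get("SubmitSamplesConsent") != 3:
        findings.append(("AutomaticSampleSubmission", "not SendAllSamples"))
    if p.get("DisableBlockAtFirstSeen", True):
        findings.append(("BlockAtFirstSight", "disabled"))
    if not p.get("IsTamperProtected", False):
        findings.append(("TamperProtection", "off"))
    if p.get("ScanParameters") != 2 or not 1 <= p.get("ScanScheduleDay", 8) <= 7:
        findings.append(("ScheduledFullScan", "not weekly"))
    interval = p.get("SignatureUpdateInterval", 0)
    if interval != 1:
        findings.append(("SignatureUpdateInterval", f"{interval}h, baseline is hourly"))
    for path in p.get("ExclusionPath") or []:
        if path not in approved_exclusions:
            findings.append(("Exclusion", f"undocumented path {path}"))
    return findings


if __name__ == "__main__":
    for setting, finding in check_baseline(SAMPLE_EXPORT, APPROVED_EXCLUSIONS):
        print(f"{setting}: {finding}")
```

Run it against each host's export after a policy push and file the output alongside the export itself; an empty findings list is the evidence that the host matches the documented baseline.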
Cloud and on-prem specifics
Cloud: enable cloud provider protections and integrate with your EDR. Examples: enable Microsoft Defender for Cloud for Azure VMs, Defender for Office 365 for email, and enable AWS GuardDuty and Amazon Inspector for EC2; attach EDR agents to cloud images (AMI/VM image bake process) to ensure every new instance is protected. Use S3 object scan lambdas or third-party solutions to scan uploads. On-prem: deploy endpoint agents via GPO/Intune and ensure servers running critical services have EDR and malware scanning on file shares. For hybrid setups, centralize policy in your management tool so the same baseline applies to both cloud and on-prem. Capture snapshots of cloud security center settings and EDR console onboarding status for evidence.
Monitoring, logging, and evidence collection
Forward all malware alerts, quarantines, and agent health telemetry to a central location (SIEM or cloud-native logs). Minimum evidence to retain: agent deployment list and versions, policy exports or screenshots (e.g., Defender settings JSON/GPO export), detection logs showing quarantines, timestamps, host identifiers, and remediation actions, and weekly scan reports. Retention: keep alerts and quarantine logs for at least 90 days (longer if contract requires); retain a change log of policy modifications. Configure automated alerts (Slack/email/SOAR) for high-severity detections and document triage procedures and assigned responders.
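As an added example (not part of the original post), this Python script ties the asset inventory from the scoping step to the centralized telemetry described here: it flags inventory hosts whose agent has not reported recently (the agent-presence spot-check) and builds the detection/quarantine summary, trimmed to the 90-day retention window, that goes into the evidence file. The inventory, the JSON-lines field names and the telemetry records are all constructed; real EDR or SIEM exports will use different field names.

```python
"""Summarize detection evidence and spot-check agent presence from telemetry."""
import json
from datetime import datetime, timedelta, timezone

# Constructed inventory (from the scoping step) and JSON-lines telemetry.
# Field names are assumed; real EDR/SIEM exports will differ.
INVENTORY = ["LAPTOP-01", "LAPTOP-02", "FILESRV-01", "WEB-VM-01"]
TELEMETRY = """\
{"type":"heartbeat","host":"LAPTOP-01","ts":"2024-06-10T08:00:00Z","agent":"4.18.2"}
{"type":"heartbeat","host":"LAPTOP-02","ts":"2024-05-01T08:00:00Z","agent":"4.18.1"}
{"type":"heartbeat","host":"FILESRV-01","ts":"2024-06-10T07:55:00Z","agent":"4.18.2"}
{"type":"detection","host":"LAPTOP-01","ts":"2024-06-09T14:12:00Z","threat":"Constructed.SampleA","action":"Quarantined","severity":"High"}
{"type":"detection","host":"FILESRV-01","ts":"2024-03-01T02:00:00Z","threat":"Constructed.SampleB","action":"Removed","severity":"Medium"}
"""
NOW = datetime(2024, 6, 10, 9, 0, tzinfo=timezone.utc)  # constructed audit time


def parse_events(text):
    """Parse JSON-lines telemetry into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return events


def agent_gaps(inventory, events, now=NOW, max_age=timedelta(days=7)):
    """Inventory hosts with no heartbeat at all, or none within max_age."""
    last = {}
    for e in events:
        if e["type"] == "heartbeat":
            last[e["host"]] = max(last.get(e["host"], e["ts"]), e["ts"])
    return sorted(h for h in inventory if h not in last or now - last[h] > max_age)


def evidence_summary(events, now=NOW, retention=timedelta(days=90)):
    """Detections inside the retention window, shaped for the evidence file,
    plus the High-severity hosts that must show a documented triage record."""
    retained = [e for e in events
                if e["type"] == "detection" and now - e["ts"] <= retention]
    rows = [{"host": e["host"], "when": e["ts"].isoformat(), "threat": e["threat"],
             "action": e["action"]} for e in retained]
    needs_triage = [e["host"] for e in retained if e["severity"] == "High"]
    return {"retained": rows, "needs_triage_record": needs_triage}


if __name__ == "__main__":
    evs = parse_events(TELEMETRY)
    print("Agent gaps:", agent_gaps(INVENTORY, evs))
    print(json.dumps(evidence_summary(evs), indent=2))
```

Hosts listed by agent_gaps are either missing an agent or have one that stopped reporting, which is the condition the quarterly spot-check is meant to catch.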
Risk, compliance tips, and best practices
Risk of non-implementation is material: without malware defenses you face data theft, ransomware, service disruption, loss of FCI confidentiality, contract termination, and potential reporting obligations. Compliance tips: (1) Maintain a short policy (one page) that maps tools/features to the FAR/CMMC control and keep a checklist of evidence items, (2) perform quarterly spot-checks of agent presence and version, (3) restrict exclusions and document justification for each, and (4) conduct tabletop exercises simulating a malware detection to show triage capability. Best practices include automating onboarding in your CI/CD pipeline (bake EDR into golden images), using cloud-delivered protection for near-real-time updates, and integrating detection telemetry into a SIEM for correlation with other indicators.
In summary, meeting FAR 52.204-21 / CMMC 2.0 Level 1 SI.L1-B.1.XIII is a practical program: inventory assets, deploy EPP/EDR and cloud-native protections, enforce a baseline with automatic updates, centralize logging and evidence retention, and document the process. For a small business this can be achieved with managed services (e.g., Microsoft Defender for Business + Defender for Cloud) and straightforward documentation. The deliverables auditors want are the inventory, policy exports, agent deployment lists, and sample detection logs showing quarantines and remediation actions.