This guide shows how to implement both periodic and real-time file scanning in a small-business environment to meet the intent of FAR 52.204-21 and CMMC 2.0 Level 1 control SI.L1-B.1.XV, with concrete steps, configuration examples, and audit-ready evidence practices tailored for a "Compliance Framework" implementation.
Overview: what the requirement means for your environment
FAR 52.204-21 and CMMC 2.0 Level 1 SI.L1-B.1.XV require contractors handling government information to detect and respond to malicious code and suspicious file changes by using scanning techniques that run continuously (real-time) and on a scheduled basis (periodic). For the Compliance Framework context this typically maps to: deploy agents or services that scan files for malware and integrity changes; schedule full-system or repository scans at appropriate intervals; and retain logs and evidence to show scans ran and incidents were handled.
Step-by-step deployment
1) Inventory and scope
Start by creating an asset inventory mapped to the Compliance Framework categories: endpoints (Windows, macOS, Linux), servers, file shares (on-prem SMB/NFS), cloud storage (S3, Azure Blob, Google Cloud Storage), and build/deploy pipelines. Tag each asset by whether it stores or processes Controlled Unclassified Information (CUI) or other sensitive data. For a small business, a spreadsheet or simple CMDB is fine; include OS, IP range, owner, and business-criticality. This will determine where you must install real-time agents and where periodic scans suffice.
2) Choose tools and architecture
Pick a combination of real-time anti-malware/EDR agents for endpoints and periodic scanners for bulk repositories. Practical tool options for small businesses: use Microsoft Defender for Endpoint or built-in Windows Defender for Windows hosts; for Linux servers, use ClamAV + clamav-daemon for periodic scans and Wazuh/OSSEC for real-time file integrity monitoring (FIM); for cloud object stores, use an S3-scanning Lambda (ClamAV or vendor-managed scanners) or a managed service. If budget allows, consolidate with an EDR that provides both real-time detection and scheduled scanning, plus centralized logging. Ensure whatever you choose supports centralized logging and export of scan results for compliance evidence.
3) Configure real-time agents (actionable examples)
Windows (built-in): enable and verify Windows Defender real-time protection and tamper protection. Example PowerShell checks you can run and record as evidence:
# Enable real-time protection
Set-MpPreference -DisableRealtimeMonitoring $false

# Verify status (record the output as evidence)
Get-MpPreference | Select-Object DisableRealtimeMonitoring
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, IsTamperProtected, AntivirusSignatureLastUpdated

For Linux servers where a full EDR is unavailable, combine Wazuh/OSSEC for FIM and a lightweight real-time script using inotify to trigger scans:

# Simple inotify-based trigger (example); needs the inotify-tools and clamav packages installed
inotifywait -m -r -e modify,create,delete --format '%w%f' /srv/data |
while read -r changed; do
    # Rescan the tree on any change and log only infected files
    clamscan -r --infected /srv/data >> /var/log/clamscan.log
done &

Note: in production, use a managed FIM/EDR or a stable agent rather than ad-hoc scripts to avoid performance problems. Configure agents to update signatures automatically and to prevent users from disabling real-time protection (tamper controls).
4) Configure periodic/full scans
Periodic scans are your safety net for large repositories and systems where real-time scanning is impractical. Examples:

- Windows Task Scheduler: schedule quick scans nightly and a full system scan weekly; export results to a central share for retention.
- Linux cron job for ClamAV:

# /etc/cron.d/clamscan
0 2 * * * root clamscan -r --log=/var/log/clamscan-$(date +\%F).log /home /var/www

- Cloud (S3): implement an S3 PUT event that triggers an AWS Lambda that runs ClamAV (via a Lambda layer) against the new object, records the result in DynamoDB, and sends an SNS alert on infection. Commercial plugins are available if you prefer not to manage ClamAV layers.
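The S3-triggered scan described above, as an added Python example (not code from this guide or from any vendor): it runs clamscan on the downloaded object, interprets ClamAV's exit codes (0 clean, 1 infected, 2 error), and builds the DynamoDB item and SNS message. The table name, topic ARN, clamscan path and the lambda_handler wiring are assumptions; the scanner invocation is injectable so the verdict logic can be exercised without ClamAV installed, and the EICAR sample shown in the demo is a constructed input.

```python
"""Scan a newly uploaded S3 object with ClamAV and record the verdict.

Added example (not the guide's own code). ClamAV exit codes: 0 = no virus,
1 = virus found, 2 = error (scanner misconfigured, unreadable file, ...).
An error is recorded as its own state and never logged as "clean".
"""
import json
import os
import subprocess
from datetime import datetime, timezone
from typing import Callable, Dict
from urllib.parse import unquote_plus

# Hypothetical settings; in a real deployment set them as Lambda environment variables.
RESULTS_TABLE = os.environ.get("RESULTS_TABLE", "file-scan-results")
ALERT_TOPIC_ARN = os.environ.get("ALERT_TOPIC_ARN", "arn:aws:sns:REGION:ACCOUNT:PLACEHOLDER")
CLAMSCAN = os.environ.get("CLAMSCAN_PATH", "/opt/bin/clamscan")  # path provided by a ClamAV layer

Runner = Callable[..., subprocess.CompletedProcess]


def interpret_clamscan(returncode: int, stdout: str) -> Dict[str, object]:
    """Map one clamscan run to a verdict plus the signature names it reported."""
    signatures = []
    for line in stdout.splitlines():
        # clamscan reports detections as "<path>: <signature> FOUND"
        if line.endswith(" FOUND") and ": " in line:
            signatures.append(line.rsplit(": ", 1)[1][: -len(" FOUND")])
    if returncode == 0:
        verdict = "clean"
    elif returncode == 1:
        verdict = "infected"
    else:
        verdict = "error"  # a failed scan is not evidence that the file is clean
    return {"verdict": verdict, "signatures": signatures, "exit_code": returncode}


def scan_path(path: str, runner: Runner = subprocess.run) -> Dict[str, object]:
    """Run clamscan on a single file; `runner` is injectable for offline tests."""
    proc = runner([CLAMSCAN, "--no-summary", "--infected", path],
                  capture_output=True, text=True, check=False)
    return interpret_clamscan(proc.returncode, proc.stdout)


def build_record(bucket: str, key: str, result: Dict[str, object]) -> Dict[str, object]:
    """Audit record stored in DynamoDB: one item per scanned object."""
    return {
        "object_id": f"s3://{bucket}/{key}",
        "scanned_at": datetime.now(timezone.utc).isoformat(),
        "verdict": result["verdict"],
        "signatures": list(result["signatures"]),
        "scanner": "clamav",
        "exit_code": result["exit_code"],
    }


def needs_alert(record: Dict[str, object]) -> bool:
    """Alert on infections and on scan errors: silent scanner failures hide malware."""
    return record["verdict"] in ("infected", "error")


def alert_message(record: Dict[str, object]) -> str:
    return json.dumps({"subject": f"File scan {record['verdict']}: {record['object_id']}",
                       "record": record})


def lambda_handler(event, context, runner: Runner = subprocess.run):
    """AWS Lambda entry point (assumed wiring); boto3 is imported here so the logic above runs offline."""
    import boto3  # present in the Lambda runtime
    s3, ddb, sns = boto3.client("s3"), boto3.resource("dynamodb"), boto3.client("sns")
    for rec in event.get("Records", []):
        bucket = rec["s3"]["bucket"]["name"]
        key = unquote_plus(rec["s3"]["object"]["key"])  # S3 events URL-encode keys
        local = os.path.join("/tmp", os.path.basename(key))
        s3.download_file(bucket, key, local)
        record = build_record(bucket, key, scan_path(local, runner))
        ddb.Table(RESULTS_TABLE).put_item(Item=record)
        if needs_alert(record):
            sns.publish(TopicArn=ALERT_TOPIC_ARN, Message=alert_message(record))
        os.remove(local)


if __name__ == "__main__":
    # Stand-alone demo with a fake scanner (constructed output, no ClamAV needed).
    def fake_runner(args, **kwargs):
        out = f"{args[-1]}: Eicar-Test-Signature FOUND\n"
        return subprocess.CompletedProcess(args, 1, stdout=out, stderr="")
    demo = build_record("uploads", "inbox/eicar.txt", scan_path("/tmp/eicar.txt", fake_runner))
    print(alert_message(demo) if needs_alert(demo) else "clean")
```

Keeping `interpret_clamscan` separate from the subprocess call is what makes the exit-code handling testable; the case worth a test is exit code 2, which must produce an "error" record and an alert rather than a quiet "clean" entry in the evidence store.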
5) Logging, alerting, and SIEM integration
Centralize logs from real-time agents and periodic scans into a SIEM or log store (Splunk, ELK, Wazuh manager, or cloud-native CloudWatch/Log Analytics). Configure structured logs for: scan start/finish, files scanned, infected files detected, remediation actions (quarantine/delete), and exceptions. Retain logs and signed reports for the Compliance Framework evidence period (commonly 12–36 months depending on contract). Create alerting rules that notify SOC or on-call staff for high-severity detections and produce an incident ticket. Example: forward Windows Event IDs from Defender and Wazuh FIM alerts to your SIEM, then create an alert that triggers an email/SMS and creates a ticket in your ITSM system.
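An added Python example (not part of this guide) of the evidence side of step 5: it reads structured scan records of the kind described above (JSON lines with scan start/finish, files scanned, infections and remediation), joins them with the step 1 asset inventory, reports for each asset whether its nightly quick scan and weekly full scan ran within policy, and applies an alert rule for high-severity detections and failed scans. The log field names, the policy windows and all inventory and log lines are constructed assumptions.

```python
"""Scan-coverage evidence report and alert rule over structured scan logs.

Added example (not the guide's own code). Field names, policy windows and the
sample data below are assumptions chosen for illustration.
"""
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Policy (assumption): a quick scan at most 1 day old, a full scan at most 7 days old.
POLICY = {"quick": timedelta(days=1), "full": timedelta(days=7)}
ALERT_SEVERITIES = {"high", "critical"}

# Constructed asset inventory (step 1) and scan records as one JSON object per line.
INVENTORY = [
    {"asset": "ws-01", "cui": True},
    {"asset": "srv-files", "cui": True},
    {"asset": "build-01", "cui": False},
]
SCAN_LOG = """\
{"ts":"2024-05-06T02:05:00Z","asset":"ws-01","scan_type":"quick","status":"completed","files_scanned":41230,"infected":0}
{"ts":"2024-05-05T03:00:00Z","asset":"ws-01","scan_type":"full","status":"completed","files_scanned":812000,"infected":0}
{"ts":"2024-05-06T02:10:00Z","asset":"srv-files","scan_type":"quick","status":"completed","files_scanned":9800,"infected":1,"detections":[{"path":"/srv/data/inv.xlsm","signature":"Doc.Dropper.Agent","severity":"high","action":"quarantined"}]}
{"ts":"2024-04-20T03:00:00Z","asset":"srv-files","scan_type":"full","status":"completed","files_scanned":910000,"infected":0}
{"ts":"2024-05-06T02:00:00Z","asset":"build-01","scan_type":"quick","status":"error","files_scanned":0,"infected":0}
"""


def parse_records(text: str) -> List[dict]:
    """Parse JSON-lines scan records; timestamps become timezone-aware datetimes."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def coverage_report(inventory: List[dict], records: List[dict], now: datetime) -> Dict[str, Dict[str, str]]:
    """Per asset and scan type: 'ok', 'stale' (last completed scan outside the window) or 'missing'."""
    last_completed = {}
    for r in records:
        if r["status"] != "completed":
            continue  # an errored or aborted scan is not evidence of coverage
        key = (r["asset"], r["scan_type"])
        if key not in last_completed or r["ts"] > last_completed[key]:
            last_completed[key] = r["ts"]
    report = {}
    for asset in inventory:
        report[asset["asset"]] = {}
        for scan_type, window in POLICY.items():
            ts = last_completed.get((asset["asset"], scan_type))
            if ts is None:
                state = "missing"
            elif now - ts > window:
                state = "stale"
            else:
                state = "ok"
            report[asset["asset"]][scan_type] = state
    return report


def alerts(records: List[dict]) -> List[dict]:
    """Alert rule: high/critical detections and failed scans each become a ticket candidate."""
    out = []
    for r in records:
        for d in r.get("detections", []):
            if d.get("severity") in ALERT_SEVERITIES:
                out.append({"asset": r["asset"], "reason": "detection",
                            "signature": d["signature"], "path": d["path"], "action": d.get("action")})
        if r["status"] == "error":
            out.append({"asset": r["asset"], "reason": "scan_failed", "scan_type": r["scan_type"]})
    return out


def run_example(now_iso: str = "2024-05-06T08:00:00+00:00"):
    """Build the weekly evidence report and alert list for the constructed data."""
    now = datetime.fromisoformat(now_iso)
    records = parse_records(SCAN_LOG)
    return coverage_report(INVENTORY, records, now), alerts(records)


if __name__ == "__main__":
    report, tickets = run_example()
    print(json.dumps({"coverage": report, "alerts": tickets}, indent=2))
```

Run weekly, the report is the artifact an assessor asks for: every in-scope asset shows a recent completed quick and full scan, and every stale or missing entry is either explained or fixed. Note that an errored scan is deliberately excluded from coverage and raised as an alert, since a scanner that fails quietly leaves the same gap as no scanner at all.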
Practical tips, tuning, and small-business scenarios
For a small business with limited resources:

- Start with built-in tools (Windows Defender, ClamAV) and centralize logs via a lightweight ELK stack or Wazuh manager in a small VM.
- Use scheduled full scans during off-hours and enable real-time scanning on endpoints that interface with users.
- Maintain an exclusion policy (with documented justification) to avoid excessive false positives on large binary directories, CI/CD build folders, or encrypted backups — but log and review exclusions quarterly.

Real-world scenario: a subcontractor running a dev environment on a $20/month Linode can deploy ClamAV + a simple inotify script to protect a small file share, forward logs to a low-cost Wazuh manager, and produce weekly scan reports for FAR/CMMC evidence.
Risks of not implementing or under-implementing this control
Failing to deploy periodic and real-time file scanning increases the risk of malware persistence, data exfiltration, and compromise of CUI — which can lead to contract penalties, lost business, or mandatory breach notifications. For compliance, the risk also includes failed assessments, inability to bid on contracts, and reputational damage. Operationally, not having centralized logs and documented remediation means you cannot prove proper handling of incidents in an audit.
Summary: implement scanning in layers—real-time agents on endpoints, scheduled scans for repositories, and cloud-object scanning for storage; centralize logs and alerts to a SIEM; maintain documentation, retention, and evidence aligned to the Compliance Framework mapping to FAR 52.204-21 / CMMC SI.L1-B.1.XV. With careful scoping, lightweight tools, and a repeatable evidence collection process, small businesses can meet the requirement without expensive enterprise tooling.