DoD Contractor Considerations for CMMC Practice Guide SI.L1-3.14.5

By Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

DoD Contractor Considerations for CMMC Practice Guide SI.L1-3.14.5

Editor’s note: This article is one of a series of articles about the CMMC Level 1 Practices. In these articles we dive into the CMMC Practice Guides and provide our thoughts about the practices and what contractors should consider. The CMMC ecosystem is still developing, and as those developments occur, we will update these articles accordingly. As such, we hope that these articles represent an evergreen CMMC Level 1 resource.

Practice Title: System & File Scanning
Practice Number: SI.L1-3.14.5
Practice Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

(source: CMMC ML-1 Assessment Guide)

Overview of SI.L1-3.14.5

CMMC Level 1 has three practices related to endpoint protection (i.e., antivirus).

The first (SI.L1-3.14.2 – Malicious Code Protection) sets out requirements to implement endpoint protection software where necessary.

The second (SI.L1-3.14.4 – Update Malicious Code Protection) requires enabling automatic updates of the “protection mechanism,” commonly known as virus definitions or signatures.

Finally, this practice brings up the rear by establishing specific requirements for periodic and real-time scans.

Periodic Scans

The first two assessment objectives require that organizations define, such as in a policy, the frequency with which scans should be run [a] and to run the scans according to that requirement.

The CMMC guidance does not provide any indication as to a minimum cadence. So, organizations have latitude to determine what makes sense. Some key factors informing that decision are:

  • Performance – Full system scans can take several hours and can significantly degrade performance during the scan.
  • System Risk – End user computers and network file shares are at higher risk of malware because they constantly have new files saved to them. Servers to which users cannot write files are at lower risk.

Additionally, scheduled scans supplement real-time scans [c] that are performed when files are downloaded and opened. So, assessment objectives [a] and [b] are addressing the risk that downloaded malware is not detected at the time of the download, but updated definitions/signatures identify it later as malware. It is a real, albeit narrow, risk.

Given the above, we think full system scans should be configured to run no less frequently than monthly. Higher risk systems may warrant weekly scans.

Real-time Scans

Without real-time scans, endpoint protection software is doing basically nothing. Verify that your endpoint protection is configured to scan files as they are downloaded and opened [c].

As with the other two endpoint protection related CMMC Level 1 requirements, organizations should use a solution that can be centrally managed by administrators so that users cannot disable periodic scans or real-time protection. Additionally, it will be easier for your assessor to verify the settings with a centrally managed solution rather than manually inspecting individual endpoints.


Most endpoint protection software can keep itself up to date without any issues. Occasionally, however, something goes wrong. The endpoint protection software may never be installed, be accidentally removed, or lose the ability to phone home to the centralized management server.

CMMC Level 2 contains practice requirements for Security Control Assessments (CA.L2-3.12.1) and Security Control Monitoring (CA.L2-3.12.3). Adding a layer of monitoring and periodic assessments to your endpoint protection controls will help identify noncompliant endpoints and support Level 2 requirements. Monitoring and assessment activities to consider include:


Having endpoint protection software but not enabling real-time scans is a bit like having a gym membership but only using the smoothie bar. It is not doing you any good.

Periodic scans are also required, but organizations have the flexibility to determine how often they need to occur. Consider the performance degradation the scheduled scans cause and the system related risk to identify an appropriate cadence for scheduled malware scans. Most organizations will identify a cadence between weekly and monthly.

Many DoD contractors will not have the expertise or resources needed to perform a CMMC CMMC RPOreadiness assessment, identify the gaps, and develop corrective action plans. In these cases, the contractors are turning to cybersecurity consultants with knowledge of NIST and the CMMC framework. If you want to learn more about CMMC, Keiter’s team of cybersecurity specialists can help you. Email | Call: 804.747.0000.

Our team will continue to monitor the rollout of the CMMC program and update you on new information and changing requirements for DoD contractors.

Share this Insight:

About the Author

Christopher Moschella

Christopher Moschella, CPA, CISA, Risk Advisory Services Senior Manager

Chris is a Senior Manager in Keiter’s Risk Advisory Services. Chris has a strong combination of IT skills, which range from IT audit and internal control assessments, including general computer controls and application controls, to full stack web development. Most recently, Chris developed a Cybersecurity web application that assesses an organization’s resistance to social engineering attacks. Chris shares his cybersecurity insights on our blog.

More Insights from Christopher Moschella

The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.


Contact Us