Practice 15 of 15 · FAR 52.204-21(b)(1)(xv) · SI: System & Information Integrity

SI.L1-b.1.xv

Scan systems and files when downloaded

Run periodic full scans on your systems and scan files in real time as they're downloaded or opened. Microsoft Defender's default settings (real-time protection + scheduled scans) satisfy this; same for macOS XProtect plus an EDR or AV product configured for on-access scanning.

Official text

Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

FAR 52.204-21(b)(1)(xv), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • Defender configured for real-time scanning and a scheduled weekly quick scan (the default).
  • Email attachment scanning at the tenant (default in M365 / Workspace).
  • Browser safe-browsing on (default in Chrome / Edge / Safari).
  • EDR / AV product configured for on-access scanning at file open.
  • A monthly review confirming scheduled scans ran and didn't quarantine anything unexpected.

Common ways small shops fail this

  • Real-time protection disabled because a developer found it slow.
  • Scheduled scans cancelled by users without warning.
  • Downloads from the browser to a folder excluded from scanning.
  • USB drives plugged in without any auto-scan.
  • Email tenant scanning turned off after a deliverability dispute.

How to fix it in a weekend

  1. Leave real-time protection on. If a tool's slowness pushed someone to disable it, fix the tool, not the protection.
  2. Confirm a weekly scheduled scan exists on every endpoint.
  3. Re-enable email-attachment and link scanning at the tenant.
  4. Set USB / removable-media auto-scan on (Defender's default behavior).
  5. Add a 10-minute monthly review of the AV console to your routine.
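
To turn the endpoint checks above into evidence you can keep, here is a read-only audit script for a Windows machine running Microsoft Defender. It is an added example, not Custodia's tooling; it assumes an elevated PowerShell session (exclusions are hidden from non-admins), and the 7-day threshold is an assumption based on the weekly schedule described here.

```powershell
# Added example: read-only Defender audit for the endpoint checks on this page.
$status = Get-MpComputerStatus   # current protection state and last-scan ages
$pref   = Get-MpPreference       # configured schedule and exclusions

$maxScanAgeDays = 7              # assumption: weekly scan schedule
$findings = [System.Collections.Generic.List[string]]::new()

if (-not $status.RealTimeProtectionEnabled) {
    $findings.Add('Real-time protection is off')
}
if (-not $status.IoavProtectionEnabled) {
    $findings.Add('Scanning of downloaded files and attachments (IOAV) is off')
}
if ($pref.ScanScheduleDay -eq 8) {   # 0 = every day, 1-7 = Sunday..Saturday, 8 = never
    $findings.Add('No scheduled scan is configured')
}

# Ages are in days; a scan type that has never run reports the uint32 maximum.
$lastScanAge = [Math]::Min([uint32]$status.QuickScanAge, [uint32]$status.FullScanAge)
if ($lastScanAge -gt $maxScanAgeDays) {
    $findings.Add("No scan has completed in the last $maxScanAgeDays days")
}

# Flag literal path exclusions that cover the current user's Downloads folder.
# Exclusions written with wildcards or environment variables are not matched here.
$downloads = (Join-Path $env:USERPROFILE 'Downloads') + '\'
foreach ($ex in @($pref.ExclusionPath)) {
    if ($ex -and $downloads.StartsWith($ex.TrimEnd('\') + '\',
            [StringComparison]::OrdinalIgnoreCase)) {
        $findings.Add("Exclusion '$ex' covers the Downloads folder")
    }
}

# One record per endpoint, suitable for saving with the monthly review notes.
[pscustomobject]@{
    Computer                  = $env:COMPUTERNAME
    Checked                   = (Get-Date).ToString('s')
    RealTimeProtection        = $status.RealTimeProtectionEnabled
    DownloadScanning          = $status.IoavProtectionEnabled
    ScheduledScanDay          = $pref.ScanScheduleDay
    ScheduledScanType         = if ($pref.ScanParameters -eq 2) { 'Full' } else { 'Quick' }
    RemovableDrivesInFullScan = -not $pref.DisableRemovableDriveScanning
    LastQuickScan             = $status.QuickScanEndTime
    LastFullScan              = $status.FullScanEndTime
    Findings                  = if ($findings.Count) { $findings -join '; ' } else { 'none' }
}
```

Pipe the output to `Export-Csv -Append` on each endpoint to build the record of scheduled scans that the monthly review asks for.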

FAQ

How often is "periodic"?

FAR doesn't define a frequency. Industry practice is real-time on-access scanning continuously, plus a weekly full or quick scan. Pick a schedule you can defend, document it, and stick to it.
