In our final entry of the Practices found in CMMC Level 1, within the Domain, System and Information Integrity, we cover SI.1.213 – Perform periodic scans of information systems and real-time scans of files from external sources as files are downloaded, opened or executed.  This Practice is found within the Capability, C041, Identify Malicious Content, and focuses on companies using anti-malware software to continually scan and identify malware in their computer systems and to have a plan in how often these scans will occur.  This Practice can be found in the CMMC Appendix B, on page B-241 (Page 281 in the PDF).  Here is the content from Appendix B:

Discussion from Source: NIST SP 800-171, R2: 

Periodic scans of organizational systems and real-time scans of files from external sources can detect malicious code. Malicious code can be encoded in various formats(e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using techniques such as steganography. Malicious code can be inserted into systems in a variety of ways including web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of system vulnerabilities.

Malicious code protection mechanisms include antivirus signature definitions and reputation-based technologies. Many technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended.

CMMC Clarification:

Companies should use anti-malware software to scan and identify viruses in their computer systems and have a plan for how often scans are conducted. Real-time scans will look at the system whenever new files are downloaded, opened, and saved. Periodic scans check previously saved files against updated malware information.


While cleaning up your office, you find your old thumb drive. You are not sure if you should use it. Then you remember something: Your company just purchase anti-malware software that auto updates with the latest antivirus code and definitions of all-known malware. With this in mind, you decide to plug in the thumb drive. The new anti-malware software scans the thumb drive, finds a virus, then deletes the file.

So, there you have it. With this entry, you now have the 17 Practices for CMMC Level 1 certification. The next entry will consolidate the links of all 17 Practices into one location, with links to each of the corresponding blog entries.  We wish you all the best in your efforts to obtain CMMC Level 1 compliance and please let us know how we may assist you going forward.

Until next time…

Mark Lupo, MBCP, SMP