GRCWatch
Sign inStart free trial

SI.L1-3.14.5: System and File Scanning

CMMC Level 1 requires periodic scans of your entire information system plus real-time scanning of files from external sources as they're downloaded, opened, or executed. This dual-layer approach catches known threats before they compromise your network. Understanding and implementing this control is essential for meeting CMMC Level 1 compliance and protecting sensitive data.

What this means

This control mandates two complementary scanning strategies. Periodic system scans run on a defined schedule across all connected systems to detect malware, vulnerabilities, and policy violations. Real-time file scanning monitors external sources—email attachments, downloads, USB drives, cloud storage—and automatically scans files as they enter your environment. Together, these controls create a continuous defense against malicious code and known threats entering your network.

How to comply

  1. 1.Deploy antivirus and anti-malware software across all systems with regular signature updates.
  2. 2.Configure periodic full system scans on a documented schedule (daily, weekly, or monthly depending on risk).
  3. 3.Enable real-time file scanning on all external entry points including email gateways, web browsers, and file shares.
  4. 4.Establish automated quarantine procedures for detected threats and log all scan results.
  5. 5.Document your scanning policy including frequency, scope, tools used, and remediation procedures.
  6. 6.Review and test scanning effectiveness quarterly to ensure malware signatures remain current.
  7. 7.Ensure scanning tools run with appropriate permissions and cannot be disabled by users.

Evidence auditors look for

  • Antivirus/anti-malware deployment and configuration documentation showing periodic scan schedules.
  • Real-time scanning policy for email, downloads, USB devices, and cloud file access.
  • Scan logs and reports from the past 90 days showing both periodic and real-time detections.
  • Malware signature update logs confirming automatic or scheduled weekly updates.
  • Incident response procedures documenting how quarantined files are investigated and handled.
  • Asset inventory listing all systems with scanning capabilities enabled.
  • Screenshots or configuration exports showing real-time scanning is enabled on external file sources.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates real-time file scanning compliance tracking and maintains audit-ready logs of all periodic and real-time scans across your systems—eliminating manual log collection during CMMC assessments.

See how GRCWatch handles this control automatically

Start free trial

Related controls

SI.L1-3.14.1 Flaw remediationSI.L1-3.14.2 Security updatesAC.L1-3.1.1 Access control policyIR.L1-3.6.1 Incident response procedures