
3.14.5 — Scan Regularly

Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.

Two scanning modes, both required:

  1. Periodic full scans. Scheduled scans that examine all files on a system, not just new or changed ones. These catch malware that evaded real-time detection: threats that arrived before signatures covering them were published, dormant malware waiting on a later trigger, or files that were never inspected at write time because real-time protection was off or not yet deployed. Define a frequency; a weekly full scan is the common choice for CUI systems.

  2. Real-time scans of external files. Every file arriving from outside the system is scanned as it’s downloaded, opened, or executed. This covers: email attachments (scanned before or at delivery), web downloads (scanned on download), files from USB drives (scanned on access), and files transferred from external systems. Real-time protection must be active — not just installed.

The assessor checks three things:

  • Scan frequency is defined. Your policy specifies how often periodic scans run.
  • Periodic scans actually execute. Scan logs show scheduled scans completing per the defined frequency.
  • Real-time scanning is active for external files. Email attachments, downloads, and removable media are scanned as they arrive — not after.

Your assessor needs a “yes” to every row:

#  | Question                                                       | What “yes” looks like
1  | Is the frequency for periodic scans defined?                   | Policy specifies a weekly full scan (or another defined frequency)
2  | Are periodic scans performed per the defined frequency?        | Scan logs showing completed scans on schedule for the past several months
3  | Are real-time scans of files from external sources performed?  | Real-time protection active; email attachments scanned at the gateway; USB files scanned on access

Documents they’ll review: System and information integrity policy; procedures addressing malicious code protection; system security plan; system configuration showing scheduled scan settings and real-time protection; scan results and logs; records of malware detections

People they’ll talk to: System or network administrators; information security personnel; personnel responsible for malicious code protection

Live demos they’ll ask for: “Show me the scheduled scan configuration — what’s the frequency?” “Show me the last completed scan log.” “Is real-time protection enabled? Show me.” “Download a test file — show me it’s scanned.” “Insert a USB drive — show me it’s scanned on access.”


These are the actual questions. Have answers ready.

  • “How often do you run full malware scans? Show me the schedule.”
  • “Show me the scan log from the most recent scheduled scan.”
  • “Is real-time protection enabled on this system? Show me the configuration.”
  • “Are email attachments scanned before delivery to users?”
  • “What happens when a user inserts a USB drive — is it scanned?”
  • “Are files from external sources included in the scan scope — USB drives, downloads, attachments?”
  • “Has a periodic scan ever caught something that real-time missed?”

No scheduled scans. Real-time protection is on but no periodic scans are configured. Real-time catches arriving threats but doesn’t rescan existing files with updated signatures. A dormant threat that arrived before the latest signatures could persist indefinitely. Schedule periodic scans.

Real-time protection disabled. Disabled “temporarily” for performance or software installation and never re-enabled. Enable tamper protection to prevent users and local admins from disabling real-time scanning. Verify status centrally.

Not all systems scanned. Workstations are scanned but servers are excluded for performance reasons. The requirement says “organizational systems” — all CUI systems need both periodic and real-time scanning. Tune exclusions for server-specific processes rather than exempting the entire server.

USB drives not scanned. Users can insert USB drives and files are accessible without scanning. Configure your endpoint protection to scan removable media on access. Better yet, block USB storage entirely on CUI systems if the business permits it.

Email scanning gaps. Internal email is scanned, but mail from external partners arrives unscanned because a direct connector or alternate delivery path bypasses the email gateway. Ensure all inbound email, regardless of source or connector, passes through your mail filtering with attachment scanning, and verify it with a test message from an external address.
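The checks above map directly onto endpoint configuration. The following is an added example, not code from this page or from Ancitus, that collects the evidence an assessor asks for on a Windows endpoint running Microsoft Defender Antivirus. It assumes the Defender PowerShell module is present, that it is run elevated, and that your policy is a weekly full scan (the day thresholds are assumptions; change them to match your policy). The check names and the Test-ScanCompliance function name are this example’s own.

```powershell
# Added example: gather 3.14.5 evidence from Microsoft Defender Antivirus.
# Assumes: Defender cmdlets available, elevated session, weekly full-scan policy.
function Test-ScanCompliance {
    param(
        [int]$MaxFullScanAgeDays   = 7,   # assumed policy: weekly full scan
        [int]$MaxSignatureAgeDays  = 1    # assumed policy: daily signature updates (3.14.4)
    )

    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # ScanParameters: 1 = quick scan, 2 = full scan.
    # ScanScheduleDay: 0 = every day, 1..7 = Sunday..Saturday, 8 = never.
    $scheduledFull = ($pref.ScanParameters -eq 2) -and ($pref.ScanScheduleDay -ne 8)

    # FullScanAge is days since the last completed full scan (a very large
    # number if a full scan has never completed on this machine).
    $checks = [ordered]@{
        'Scheduled scan is a full scan'         = $scheduledFull
        'Full scan completed within policy'     = ($status.FullScanAge -le $MaxFullScanAgeDays)
        'Real-time protection enabled'          = [bool]$status.RealTimeProtectionEnabled
        'Tamper protection enabled'             = [bool]$status.IsTamperProtected
        'Removable drives included in full scan' = (-not $pref.DisableRemovableDriveScanning)
        'Signatures current'                    = ($status.AntivirusSignatureAge -le $MaxSignatureAgeDays)
    }

    # One row per check so the output can be exported as assessment evidence.
    foreach ($name in $checks.Keys) {
        [pscustomobject]@{
            Computer = $env:COMPUTERNAME
            Check    = $name
            Pass     = [bool]$checks[$name]
        }
    }
}

# Summary table: every row should read Pass = True before the assessment.
Test-ScanCompliance | Format-Table -AutoSize

# Schedule and last completion time, for the “show me the schedule” demo.
Get-MpPreference | Select-Object ScanParameters, ScanScheduleDay, ScanScheduleTime
Get-MpComputerStatus | Select-Object FullScanStartTime, FullScanEndTime, QuickScanEndTime

# Last five completed scans from the Defender operational log
# (event ID 1001 = scan finished). This is the “last completed scan log”.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1001
} -MaxEvents 5 | Select-Object TimeCreated, Message

# Exclusions: each entry should be justified in your SSP, not a blanket exemption.
Get-MpPreference | Select-Object ExclusionPath, ExclusionProcess, ExclusionExtension
```

Note that IsTamperProtected only reports the state; tamper protection is turned on through Intune, the Defender portal or the Windows Security app rather than Set-MpPreference. Running this from your endpoint management tool across every CUI system gives you the central status verification the “real-time protection disabled” pitfall calls for, and the 1001 events are the scan log the assessor asks to see.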



Requirement                         | Why it matters here
3.14.2 — Deploy Anti-Malware        | Deploys the protection mechanisms that perform these scans
3.14.4 — Keep Protection Current    | Scans are only as good as the signatures; keep them updated
3.8.7 — Control Removable Media     | USB and removable media controls complement real-time scanning
3.13.1 — Guard the Boundaries       | Boundary protection scans external files at network entry points


Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.


CMMC Practice ID: SI.L2-3.14.5 | SPRS Weight: 3 points | POA&M Eligible: No