Scheduled malware scans catch what real-time protection misses: files that were already on disk before a signature for them existed, dormant payloads that were never executed, and systems where real-time protection was quietly turned off. SI.L2-3.14.5 requires periodic scans of organizational systems and real-time scans of files from external sources as those files are downloaded, opened, or executed. The assessor will check that scans are scheduled and actually running, not just that a policy says so. Scan results feed into AU.L2-3.3.1 (audit logging) and SI.L2-3.14.2 (malware protection) as part of your integrated detection strategy.
What the assessor is actually evaluating
The assessor will check:
Scan schedule: You should have a policy requiring periodic scans (e.g., weekly or monthly) on all systems.
Scan execution: Scan logs should show that scans are actually running on the defined schedule. A policy that says “weekly scans” but no scans have run in a month is a gap.
Real-time scanning: Files from external sources (email, downloads, USB drives) should be scanned automatically as they arrive. This is typically handled by antivirus software. Check the endpoint itself, not only the central policy: a management console that says real-time protection is "on" is not evidence that it is on for every host.
What a realistic SSP definition looks like
Policy: “The organization performs weekly malware scans on all in-scope systems. Real-time scanning is enabled on all systems to scan files from external sources automatically. Email attachments are scanned before delivery to users. USB drives and external media are scanned when connected.”
Supporting details:
- Periodic scans: Weekly full-system scans scheduled for Sundays at 2:00 AM on all workstations and servers.
- Real-time scanning: Microsoft Defender Antivirus (formerly Windows Defender) or third-party antivirus is configured with real-time protection enabled, and tamper protection is on so the setting cannot be silently disabled.
- Email scanning: Exchange or mail gateway scans all attachments before delivery. Malicious or suspicious attachments are quarantined.
- External media scanning: Systems are configured to scan USB drives and external disks when connected.
How to present your evidence
- Scanning policy document with schedule and real-time requirements
- Antivirus configuration showing scheduled weekly or periodic scans
- Scan logs from the past 60 days showing executed scans with dates, duration, and results for each system
- Configuration report or screenshots showing real-time scanning enabled on all systems (the endpoint state, not just the policy that sets it)
- Email gateway or mail settings showing attachment scanning configured
- External media scanning policy or system configuration
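One way to pull that evidence directly from a Windows endpoint, as an added example that is not part of the original guide: the script below reads Microsoft Defender Antivirus status and preferences, pulls completed-scan events from the Defender operational log, and flags the common failures the assessor looks for (real-time protection off, no scheduled scan, last scan older than the policy window, removable media excluded). It assumes Defender is the AV engine, an elevated PowerShell session, and a weekly policy with a 60-day evidence window; the 7-day and 60-day values and the output file name are assumptions chosen to match this guide.

```powershell
# Added example, not from the original guide: collect SI.L2-3.14.5 evidence from
# Microsoft Defender Antivirus on one Windows endpoint and flag common gaps.
# Assumptions: Defender is the AV engine; this runs elevated; 7-day scan window and
# 60-day lookback match the guide's "weekly" policy and "past 60 days" evidence list.

$MaxScanAgeDays = 7
$LookbackDays   = 60
$Findings       = @()

$status = Get-MpComputerStatus   # live engine state
$pref   = Get-MpPreference       # configured preferences / policy

# 1. Real-time protection: live status and preference must both say "on".
if (-not $status.RealTimeProtectionEnabled -or $pref.DisableRealtimeMonitoring) {
    $Findings += "Real-time protection is disabled (common failure: turned off for performance)."
}
if (-not $status.IsTamperProtected) {
    $Findings += "Tamper Protection is off: a local admin or malware can silently disable real-time protection."
}

# 2. Scheduled scan: ScanScheduleDay 0=every day, 1=Sunday ... 7=Saturday, 8=never;
#    ScanParameters 1=quick, 2=full.
$dayNames = @('Every day','Sunday','Monday','Tuesday','Wednesday','Thursday','Friday','Saturday','Never')
$scanType = if ($pref.ScanParameters -eq 2) { 'Full' } else { 'Quick' }
if ($pref.ScanScheduleDay -eq 8) {
    $Findings += "No scheduled scan is configured (ScanScheduleDay = Never)."
}

# 3. Scan execution: the most recent completed scan must fall inside the policy window.
$lastScan = @($status.FullScanEndTime, $status.QuickScanEndTime) |
    Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
if (-not $lastScan) {
    $Findings += "No scan has ever completed on this host."
} elseif (((Get-Date) - $lastScan).TotalDays -gt $MaxScanAgeDays) {
    $Findings += "Last completed scan was $lastScan, older than $MaxScanAgeDays days."
}

# 4. External media: removable drives must be included in scans.
if ($pref.DisableRemovableDriveScanning) {
    $Findings += "Removable drive scanning is disabled (USB media not scanned)."
}

# 5. Scan history straight from the Defender event log. Event IDs:
#    1000/1001 scan started/finished, 1002 scan cancelled, 1005 scan failed,
#    5001 real-time protection disabled, 1116 malware detected.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1000, 1001, 1002, 1005, 5001, 1116
    StartTime = (Get-Date).AddDays(-$LookbackDays)
} -ErrorAction SilentlyContinue   # no matching events is not an error here

$scanHistory = @($events | Where-Object Id -eq 1001 |
    Select-Object TimeCreated, Id, @{n='Summary'; e={ ($_.Message -split "`n")[0] }})
if (@($events | Where-Object Id -eq 5001).Count -gt 0) {
    $Findings += "Real-time protection was disabled at least once in the last $LookbackDays days (Event 5001)."
}

# Evidence record for this host, plus the completed-scan list as a CSV attachment.
[pscustomobject]@{
    Host               = $env:COMPUTERNAME
    RealTimeProtection = $status.RealTimeProtectionEnabled
    TamperProtected    = $status.IsTamperProtected
    SignatureUpdated   = $status.AntivirusSignatureLastUpdated
    ScheduledScan      = "$scanType scan, $($dayNames[$pref.ScanScheduleDay]) at $($pref.ScanScheduleTime)"
    LastCompletedScan  = $lastScan
    CompletedScans     = $scanHistory.Count
    Findings           = $Findings
} | Format-List

$scanHistory | Export-Csv -NoTypeInformation -Path "$env:COMPUTERNAME-defender-scans.csv"

# Remediation for the guide's sample policy (weekly full scan, Sundays 02:00, real-time
# and removable-media scanning on). Run deliberately, not as part of evidence collection:
# Set-MpPreference -DisableRealtimeMonitoring $false -ScanScheduleDay 1 `
#     -ScanScheduleTime 02:00:00 -ScanParameters 2 -DisableRemovableDriveScanning $false
```

Run it on each in-scope host (or through your RMM) and keep the CSV and the Findings output together; the event-log entries are what show the assessor that scans actually ran, while the status object shows the endpoint state that a central policy alone does not prove.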
Keep answers short. Show the evidence, don't describe it. Let the assessor drive. For more on how to present in the assessment room, see How to Present Evidence in the Assessment Room.
Assessor: “Describe your scanning policy. How often do you scan systems?”
You: “We scan all systems weekly on Sunday nights. Real-time scanning is enabled on all systems. Email attachments are automatically scanned.” [Pull up scanning policy and antivirus configuration]
Assessor: “Show me scan logs from the past month.”
You: [Pull up antivirus scan history showing weekly scans for the past 4-5 weeks. Each scan shows date, time, and results.]
Assessor: “I see a scan here from last Sunday. How long did it take?”
You: “About 45 minutes on that workstation. The scan found no malware.” [Show the scan details]
Assessor: “Are attachments scanned?”
You: “Yes. All email attachments are scanned by our mail gateway. Suspicious or malicious attachments are quarantined.” [Pull up mail gateway configuration]
Common failures
No scheduled scans: Antivirus is installed but periodic scans are not scheduled. Scans happen only when manually triggered.
Scheduled scans are not running: Scan policy says “weekly,” but logs show no scans have run in weeks. Scheduled scans may be configured but not actually executing.
Real-time scanning is disabled: Antivirus is installed but real-time protection is turned off to improve performance, or it was disabled by a local administrator or put into passive mode by a second antivirus product and nobody noticed because tamper protection was off.
Email attachments are not scanned: Mail reaches users without attachment scanning configured.
What a passing implementation looks like
Regular, scheduled scans: Scan logs show weekly (or defined frequency) scans on all systems. Scans are consistently executed.
Real-time scanning enabled: All systems have real-time protection active. Email attachments are scanned before delivery.
If you use an MSP/MSSP
If your MSP manages antivirus scanning, request monthly scan logs showing that every in-scope system is being scanned on schedule, and spot-check a few endpoints yourself rather than relying on the console summary. Ensure the MSP is configuring real-time scanning on all managed systems. Verify email attachment scanning is configured if the MSP manages email.
This guide is for reference only and does not replace official CMMC documentation or professional compliance advice.