CMMC Level 2 Practice 3.14.5: Perform periodic scans of organizational systems and real-time scans of files from external
To meet CMMC Level 2 Practice 3.14.5 (“Perform periodic scans of organizational systems and real-time scans of files from external”), you must run scheduled malware scans across in-scope systems and scan external files/media at the time of introduction (download, email, USB, cloud sync), with results logged and retained. Operationalize it by standardizing tooling, scan coverage, exceptions, and evidence capture. 1
Key takeaways:
- Treat “periodic” as a defined, documented cadence tied to risk and system criticality, then prove it happened with logs and reports. 1
- Treat “real-time scans of files from external” as an ingestion control across email, web, removable media, and third-party file exchange paths. 1
- Assessors look for scope alignment to CUI environments, centralized visibility, and exception governance, not screenshots of an AV console. 2
CMMC Level 2 Practice 3.14.5 is a malware defense execution requirement: scan your systems on a recurring basis and scan externally sourced files as they enter your environment. The operational trap is simple: many organizations “have antivirus,” but cannot prove (1) it covers the right assets, (2) it scans the right external entry points, and (3) it runs on a consistent cadence with review and follow-up.
For a Compliance Officer, CCO, or GRC lead, the fastest path is to treat 3.14.5 as a control with three parts: scope, scan operation, and evidence. Scope means you can name the in-scope endpoints/servers supporting CUI and the boundary where files enter. Scan operation means you can show scheduled scans, real-time/on-access scanning, signature/engine updates, and quarantine/remediation workflows. Evidence means you can produce scan policies, logs, alert tickets, and exception approvals aligned to the CMMC assessment expectations. 2
This page gives requirement-level implementation guidance you can hand to IT/SecOps and then test as a GRC function without guessing.
Regulatory text
Requirement (excerpt): “Perform periodic scans of organizational systems and real-time scans of files from external.” 1
CMMC mapping context: CMMC Level 2 includes practices mapped to NIST SP 800-171 Rev. 2, including 3.14.5. 1 The CMMC program rule and program materials define how DoD operationalizes and assesses these practices. 3 2
Operator meaning: You need malware scanning that (a) runs on a defined schedule across in-scope systems and (b) scans externally sourced files at the point of entry (or at the time they are accessed), with recorded outcomes and follow-up.
Plain-English interpretation (what the assessor will expect you to mean)
- “Periodic scans”: A scheduled, repeatable scan activity for endpoints/servers in scope for CUI handling. You define what “periodic” means for your environment, document it, and show scan execution records. 1
- “Organizational systems”: Systems within your CMMC Level 2 assessment scope. In practice, that means the boundary you declare for CUI processing, storage, or transmission and the supporting components inside that boundary. 2
- “Real-time scans of files from external”: Controls that scan files as they enter from outside your managed environment (email attachments, web downloads, removable media, third-party file transfer, cloud storage sync, collaboration tools). Real-time can be on-access scanning, gateway scanning, or both, as long as it is effective and evidenced. 1
Who it applies to
Entity types: Defense contractors and other federal contractors handling CUI who must achieve/maintain CMMC Level 2 alignment. 3 2
Operational context:
- Organizations with a defined CUI enclave (on-prem, cloud, hybrid) where endpoints, servers, and services must be protected against malware. 2
- Teams using third parties for email security, endpoint security, MDR/SOC, managed IT, or file-sharing platforms must ensure those services produce assessable evidence and are configured to enforce scanning at entry points. 2
What you actually need to do (step-by-step)
Step 1: Lock scope and scan coverage targets
- Confirm your CMMC Level 2 assessment scope: list in-scope endpoints, servers, and any shared services that touch CUI flows. 2
- Identify external file ingress paths: at minimum, document email, web browsing/downloads, removable media, cloud storage sync, collaboration platforms, third-party file transfer, and developer artifact intake if applicable. 1
- Map each ingress path to a scanning control point (gateway, endpoint, server, or dedicated sandbox). The key is that each path has an owner and a measurable control. 2
Step 2: Configure malware tooling to meet both “periodic” and “real-time”
- Enable real-time/on-access scanning on endpoints and relevant servers in scope (or equivalent control in VDI/non-persistent designs). 1
- Define and implement a periodic scan cadence (example patterns: weekly endpoint scans, more frequent scans for high-risk user groups, special scans after major incidents). Your cadence must be written and tied to your risk and operations. 1
- Ensure signature/engine updates are managed (automatic updates with monitoring for failures). Missed updates often show up in assessor sampling. 1
- Harden scanning policy: block or quarantine on detection, prevent user override, and require admin approval for exclusions. Document any required exclusions and their approvals. 2
Step 3: Operationalize “external file” scanning at the boundaries
Use layered controls so external files are scanned before users interact with them:
- Email: attachment scanning at the email security gateway/service plus endpoint on-access scanning. 1
- Web downloads: web proxy/SWG scanning or browser download inspection, plus endpoint scanning. 1
- Removable media: endpoint policy to scan on insertion or first access, plus controls that restrict removable media where possible. 1
- Third-party file transfer and collaboration: enforce scanning in the platform (if available) and on endpoint download/open; require approved methods for exchanging CUI-relevant files. 2
Step 4: Define triage, remediation, and escalation
- Triage workflow: who reviews detections, how quickly, and what constitutes a true positive.
- Containment/remediation: quarantine actions, re-image criteria, and follow-up scans.
- Escalation: when an event becomes an incident requiring formal incident handling under your IR procedures (this often touches adjacent CMMC/NIST practices). 2
Step 5: Build evidence capture that survives assessor sampling
- Centralize logs where feasible (EDR/AV console exports, SIEM forwarding, email security logs).
- Create a recurring evidence package: monthly rollup reports, exception registers, and a small set of representative raw logs.
- Test evidence retrieval: practice producing “last periodic scan run for a sampled asset” and “proof that external files are scanned” without screen-recording heroics. 2
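The coverage reconciliation that Steps 1 and 5 describe (in-scope assets vs. agent installed vs. real-time enabled vs. last check-in vs. last periodic scan) can be run as a small sampling drill. The script below is an added example, not code from the page, Daydream, or any EDR/AV vendor. It assumes two CSV exports with the column names shown in the constructed sample data (map your console's export columns to them), and the cadence numbers are assumed placeholders that your written scanning standard would supply.

```python
"""Reconcile a CUI-scope asset inventory against an EDR/AV console export.

Added example; column names, cadence values and all sample hosts are assumed.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

# Documented cadence per asset class. Assumed for the example; your written
# scanning standard supplies the real numbers.
MAX_SCAN_AGE_DAYS = {"workstation": 7, "server": 14}
MAX_CHECKIN_AGE_DAYS = 2

# Fixed "now" so the drill is reproducible.
AS_OF = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)

# Constructed sample: in-scope asset inventory extract for the CUI boundary.
INVENTORY_CSV = """hostname,asset_class
ws-cui-01,workstation
ws-cui-02,workstation
srv-file-01,server
srv-app-01,server
"""

# Constructed sample: EDR/AV console export (column names are assumed).
# Timestamps are UTC ISO-8601.
CONSOLE_CSV = """hostname,agent_installed,realtime_enabled,last_checkin,last_full_scan
ws-cui-01,yes,yes,2024-05-10T08:00:00Z,2024-05-08T02:00:00Z
ws-cui-02,yes,no,2024-05-10T07:30:00Z,2024-04-20T02:00:00Z
srv-file-01,yes,yes,2024-05-01T00:00:00Z,2024-05-03T03:00:00Z
lab-box-07,yes,yes,2024-05-10T09:00:00Z,2024-05-09T02:00:00Z
"""


def _parse_ts(value):
    """Parse a UTC timestamp of the form 2024-05-10T08:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _load(csv_text):
    """Index a CSV export by hostname, lower-cased so the join survives case drift."""
    return {row["hostname"].strip().lower(): row
            for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory_csv, console_csv, now):
    """Return (hostname, code, detail) findings for every coverage gap."""
    inventory = _load(inventory_csv)
    console = _load(console_csv)
    findings = []
    for host, asset in inventory.items():
        rec = console.get(host)
        if rec is None or rec["agent_installed"].lower() != "yes":
            findings.append((host, "NO_AGENT", "in scope but no agent reporting to the console"))
            continue
        if rec["realtime_enabled"].lower() != "yes":
            findings.append((host, "REALTIME_OFF", "on-access (real-time) scanning is disabled"))
        checkin_age = now - _parse_ts(rec["last_checkin"])
        if checkin_age > timedelta(days=MAX_CHECKIN_AGE_DAYS):
            findings.append((host, "STALE_CHECKIN", f"last check-in {checkin_age.days} days ago"))
        # Unknown asset classes get the strictest documented cadence.
        limit = MAX_SCAN_AGE_DAYS.get(asset["asset_class"].lower(), min(MAX_SCAN_AGE_DAYS.values()))
        scan_age = now - _parse_ts(rec["last_full_scan"])
        if scan_age > timedelta(days=limit):
            findings.append((host, "SCAN_OVERDUE",
                             f"last periodic scan {scan_age.days} days ago, cadence is {limit} days"))
    # Hosts the console sees but the scope list omits: either the scope list is
    # incomplete or the console is also protecting out-of-scope systems.
    for host in sorted(console.keys() - inventory.keys()):
        findings.append((host, "NOT_IN_INVENTORY", "reporting to console but absent from the in-scope list"))
    return findings


def summarize(findings, inventory_csv):
    """Coverage numbers for the evidence package: in scope, fully covered, with gaps."""
    in_scope = set(_load(inventory_csv))
    with_gaps = {h for h, _, _ in findings if h in in_scope}
    return {"in_scope": len(in_scope),
            "covered": len(in_scope - with_gaps),
            "with_gaps": len(with_gaps)}


def run_report(now=AS_OF):
    """Drill entry point: reconcile the constructed samples and return the findings."""
    return reconcile(INVENTORY_CSV, CONSOLE_CSV, now)


if __name__ == "__main__":
    results = run_report()
    for host, code, detail in results:
        print(f"{host:<14} {code:<18} {detail}")
    print(summarize(results, INVENTORY_CSV))
```

Running it on the samples produces one finding per gap class the page warns about: an asset with no agent, real-time scanning switched off, a stale check-in, an overdue periodic scan, and a host the console knows that the scope list does not. Exporting the findings and the summary counts on a schedule gives the "coverage report" and "last periodic scan run for a sampled asset" artifacts without screenshots.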
Required evidence and artifacts to retain
Keep artifacts that prove design + operation + scope alignment:
- Malware protection standard / procedure covering periodic scans and real-time scanning of external files. 1
- In-scope asset inventory extract (or list) that shows which endpoints/servers are required to have the agent and scans enabled. 2
- Configuration evidence: policies for real-time scanning, scheduled scan settings, tamper protection, update settings, and exclusion governance. 1
- Scan execution records: console reports/logs showing periodic scans ran, outcomes, and coverage by asset group. 1
- External file scanning evidence: email gateway malware logs, web proxy/SWG logs (if used), endpoint “on access” detections, removable media scan events. 1
- Alert/ticket samples: detections tied to triage and remediation actions (close notes, containment steps). 2
- Exception register: any exclusions (paths, file types, systems), business justification, time bounds, compensating controls, and approvals. 2
- Third-party documentation (if scanning is outsourced): service descriptions, responsibility matrix, and deliverables that provide logs/reports for assessments. 2
Common exam/audit questions and hangups (what assessors probe)
- “Show me periodic scan results for this specific endpoint/server.” If your tool only reports “policy applied” but not “scan executed,” you will struggle.
- “What does ‘periodic’ mean here?” If you cannot point to a documented cadence and show it occurring, you risk a finding. 1
- “How do you scan files from external sources?” Assessors may pick an ingress path you forgot, like contractor file drops, support portals, or cloud drive sync. 2
- “How do you control exclusions?” Unbounded exclusions without approvals look like control bypass.
- “What’s in scope?” If your scan coverage does not match the CUI boundary you declared, expect a gap. 2
Frequent implementation mistakes and how to avoid them
- Relying on default AV settings without documenting “periodic”. Fix: write a standard that defines scan cadence by asset class and show evidence of runs. 1
- Assuming real-time endpoint scanning covers all “external files”. Fix: document each ingress path and add gateway/platform scanning where practical; prove at least one control point per path. 2
- No central view of coverage. Fix: maintain a coverage report that reconciles in-scope assets vs. agent installed vs. scan enabled vs. last check-in. 2
- Exclusions sprawl. Fix: time-box exclusions, require approvals, and review them on a recurring basis; store the register as evidence. 2
- Evidence is screenshots only. Fix: export logs/reports (PDF/CSV) and keep them in a controlled evidence repository with dates and system identifiers. 2
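The exclusion governance described in Step 2 and in the "Exclusions sprawl" fix above (justification, approval, time bound, compensating control, recurring review) can be checked mechanically against the register. The script below is an added example, not code from the page or from Daydream. It assumes a register with the columns shown in the constructed sample; the thresholds for "expiring soon" and "approval too old" are assumed placeholders, and the "broad pattern" rule (an extension-only exclusion such as *.exe with no directory) is the editor's own heuristic for exclusions that apply everywhere.

```python
"""Review an AV/EDR exclusion register for governance gaps.

Added example; register columns, thresholds, hosts and paths are assumed.
"""
import csv
import io
from datetime import date

# Assumed governance thresholds; the written standard supplies the real ones.
EXPIRING_SOON_DAYS = 30      # flag for review before the exclusion lapses
MAX_APPROVAL_AGE_DAYS = 365  # approvals older than this must be re-confirmed

# Fixed review date so the drill is reproducible.
AS_OF = date(2024, 5, 20)

# Constructed sample register. Hosts, paths, approvers and dates are made up.
REGISTER_CSV = r"""id,scope,exclusion,justification,approver,approved_on,expires_on,compensating_control
EX-001,srv-db-01,D:\SQLData\*.mdf,Database I/O contention,ciso,2024-01-15,2024-12-31,Weekly scheduled full scan of D:\SQLData
EX-002,ws-cui-*,C:\Temp\*,,,2023-03-01,2023-09-01,
EX-003,srv-build-01,*.exe,Build artifacts trip heuristics,it-manager,2024-04-01,,Gateway scanning of artifact uploads
EX-004,srv-app-01,C:\App\logs\*.log,Log rotation performance,ciso,2024-05-01,2024-06-05,Daily scan of log directory
"""


def _parse_date(value):
    """ISO date or None when the cell is empty."""
    return date.fromisoformat(value.strip()) if value.strip() else None


def _is_broad(pattern):
    """Extension-only patterns (e.g. *.exe with no directory) exclude that type everywhere."""
    return pattern.startswith("*.") and "\\" not in pattern and "/" not in pattern


def review_register(csv_text, today):
    """Return (exclusion id, code, detail) findings for each governance gap."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ex_id = row["id"]
        if not row["justification"].strip():
            findings.append((ex_id, "MISSING_JUSTIFICATION", "no business reason recorded"))
        if not row["approver"].strip():
            findings.append((ex_id, "MISSING_APPROVAL", "no approver recorded"))
        if not row["compensating_control"].strip():
            findings.append((ex_id, "NO_COMPENSATING_CONTROL", "nothing scans the excluded content"))
        if _is_broad(row["exclusion"]):
            findings.append((ex_id, "BROAD_PATTERN", f"{row['exclusion']} applies in every directory"))
        approved = _parse_date(row["approved_on"])
        if approved and (today - approved).days > MAX_APPROVAL_AGE_DAYS:
            findings.append((ex_id, "STALE_APPROVAL", f"approved {(today - approved).days} days ago"))
        expires = _parse_date(row["expires_on"])
        if expires is None:
            findings.append((ex_id, "NO_EXPIRY", "exclusion is not time-bound"))
        elif expires < today:
            findings.append((ex_id, "EXPIRED", f"lapsed {(today - expires).days} days ago but still listed"))
        elif (expires - today).days <= EXPIRING_SOON_DAYS:
            findings.append((ex_id, "EXPIRING_SOON", f"expires in {(expires - today).days} days"))
    return findings


def run_review(today=AS_OF):
    """Drill entry point: review the constructed register and return the findings."""
    return review_register(REGISTER_CSV, today)


if __name__ == "__main__":
    for ex_id, code, detail in run_review():
        print(f"{ex_id:<8} {code:<24} {detail}")
```

Run on a recurring basis (and its output filed with the register), this is the "review them on a recurring basis" evidence: EX-002 in the sample shows what an assessor means by an unbounded exclusion that looks like control bypass, while EX-004 shows a healthy one approaching its review date.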
Enforcement context and risk implications
CMMC is a DoD program implemented through regulation and program guidance; failing practices like 3.14.5 can affect eligibility for contracts that require CMMC Level 2. 3 From a risk standpoint, weak scanning at ingress points increases the chance that malware reaches systems that process or store CUI, which drives incident response costs, downtime, and potential contractual impacts. 2
Practical 30/60/90-day execution plan
First 30 days (stabilize scope + minimum viable evidence)
- Confirm in-scope asset list for CUI boundary and reconcile with endpoint/security tool coverage. 2
- Document external file ingress paths and owners.
- Publish a written scanning standard: real-time enabled, periodic cadence by asset type, and exclusion governance. 1
- Start exporting scan reports and malware event logs into an evidence repository.
Days 31–60 (close coverage gaps + harden operations)
- Roll out agents/policies to any missing in-scope assets; validate real-time scanning and update health.
- Implement or tighten gateway scanning for email and other major entry points where gaps exist. 1
- Stand up a detection triage workflow with ticketing evidence and defined escalation criteria. 2
- Build the exclusion register and require approvals for all future exclusions.
Days 61–90 (assessment readiness + sampling drills)
- Run an internal sampling drill: pick several endpoints/servers and produce “proof of periodic scan,” “proof of real-time scanning,” and “proof external file scanning works on ingress path X.” 2
- Document recurring review: scan failures, missed check-ins, exclusion reviews, and remediation follow-up.
- Package evidence by control so it is assessor-ready and repeatable.
How Daydream fits (without adding process friction)
Daydream helps you translate CMMC Level 2 practices into a control narrative with recurring evidence capture: define what “periodic” means, map ingress paths to control points, then schedule and store the exact reports and logs assessors request. That reduces the scramble for artifacts and keeps your 3.14.5 story consistent across IT, SecOps, and GRC. 2
Frequently Asked Questions
What counts as “files from external” for 3.14.5?
Treat “external” as anything introduced from outside your managed environment: email attachments, downloads, removable media, and third-party file sharing. Document your ingress paths and how each is scanned. 1
Do we need both gateway scanning and endpoint real-time scanning?
The requirement is outcome-based: real-time scanning of external files plus periodic system scans. Many teams meet it with layered scanning (gateway + endpoint) because it creates clearer evidence and reduces single-point failure. 1
How do we define “periodic” without a required frequency?
Define a cadence that fits your environment, document it, and then retain proof that the scans executed as scheduled. Assessors focus on clarity, consistency, and coverage across the scoped systems. 1 2
Are servers included, or is this just endpoints?
“Organizational systems” includes servers in the CUI boundary. Ensure server policies, scan windows, and performance exclusions are governed and evidenced. 1
What if we must exclude certain directories or file types for performance reasons?
Keep exclusions rare, approved, and documented with compensating controls and an expiration/review approach. Expect assessors to sample exclusions and ask for justification and ownership. 2
We outsource endpoint security to a third party. Can we still meet 3.14.5?
Yes, if responsibilities are clear and you can produce evidence: coverage reports, scan policies, scan execution logs, and detection/ticket records. Contract for evidence access because assessors will ask you, not the provider. 2
Footnotes
1. NIST SP 800-171 Rev. 2
2. DoD CMMC Program Guidance
3. CMMC program rule (the DoD regulation referenced above)