NIST 800-171 • LEVEL 2 • SYSTEM AND INFORMATION INTEGRITY
3.14.5 — Perform Periodic Scans of Organizational Systems and Real-Time Scans of Files from External Sources
Perform periodic scans of organizational systems and real-time scans of files from external sources as files are downloaded, opened, or executed.
CMMC Practice Mapping
NIST 800-53 Controls
Assessment Objectives
Assessment objectives not available for this requirement.
Practitioner Notes
This is the companion to malicious code protection (3.14.2), and it carries two distinct obligations. First, scan organizational systems on a defined schedule: write the frequency down (in the SSP or the antivirus policy) and keep evidence that the scans actually ran, because an assessor will ask for both. Second, scan files from external sources (email attachments, downloads, removable media) in real time, at the moment they are downloaded, opened, or executed, rather than waiting for the next scheduled pass.
Example 1: Configure Microsoft Defender Antivirus scheduled scans centrally via GPO or Intune so the schedule is enforced rather than left to each endpoint. Set a weekly full scan (all files and running programs) for off-hours, say Saturday at 2 AM, and keep real-time protection on; Defender's real-time protection is what performs the scan-on-download/open/execute half of this requirement. In Group Policy the settings live under Computer Configuration > Administrative Templates > Windows Components > Microsoft Defender Antivirus > Scan; in Intune they are under Endpoint security > Antivirus > Microsoft Defender Antivirus > Scan schedule. Whatever frequency you pick, make sure the value in policy matches the frequency documented for 3.14.5, and turn on tamper protection so a local administrator cannot switch real-time protection off.
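As an added example (not from the original page), the same configuration applied and then verified locally with the built-in Defender cmdlets, which is also the quickest way to produce assessor evidence from a sample of endpoints. The cmdlets, parameters, status properties, and event ID 1001 are real Defender interfaces; the pass/fail thresholds (signatures no older than one day, a full scan within seven days) are this example's assumptions. On devices managed by GPO or Intune the policy value overrides a local Set-MpPreference, so there the verification half is the part that matters.

```powershell
# Added example, not part of the original page: configure the weekly full scan
# and real-time settings described above, then collect evidence. Run elevated.

# --- Configure: weekly full scan on Saturday at 02:00, real-time scanning on ---
Set-MpPreference -ScanParameters 2                      # 2 = FullScan, 1 = QuickScan
Set-MpPreference -ScanScheduleDay 7                     # 7 = Saturday (0 = every day, 1 = Sunday)
Set-MpPreference -ScanScheduleTime 02:00:00
Set-MpPreference -DisableRealtimeMonitoring $false      # scan files as they are opened/executed
Set-MpPreference -DisableIOAVProtection $false          # scan downloaded files and attachments
Set-MpPreference -DisableRemovableDriveScanning $false  # include USB media in scheduled full scans
Set-MpPreference -DisableScriptScanning $false

# --- Verify: one PASS/FAIL line per control point (thresholds are assumptions) ---
$pref   = Get-MpPreference
$status = Get-MpComputerStatus

$checks = [ordered]@{
  'Real-time protection enabled'             = [bool]$status.RealTimeProtectionEnabled
  'Download/attachment (IOAV) scanning on'   = [bool]$status.IoavProtectionEnabled
  'Scheduled scan type is Full'              = ($pref.ScanParameters -eq 2)
  'Scheduled scan day is Saturday'           = ($pref.ScanScheduleDay -eq 7)
  'Signatures no older than 1 day'           = ($status.AntivirusSignatureAge -le 1)
  'Last full scan within 7 days'             = ($status.FullScanAge -le 7)
}
foreach ($c in $checks.GetEnumerator()) {
  $verdict = if ($c.Value) { 'PASS' } else { 'FAIL' }
  '{0,-42} {1}' -f $c.Key, $verdict
}
"Scheduled scan time: $($pref.ScanScheduleTime)"

# --- Evidence: the last five completed scans from the Defender operational log
#     (event 1001 = scan finished; 1116/1117 are detections and actions taken).
#     SilentlyContinue avoids an error on a machine that has never completed a scan.
Get-WinEvent -FilterHashtable @{
  LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 1001
} -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
```

A FAIL on a managed device points at the GPO or Intune profile, not the endpoint; fix it there and let policy refresh rather than patching the preference by hand. The FullScanAge check is the one that most often fails in practice, usually because laptops are powered off at the scheduled time, which is worth calling out in the SSP narrative.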
Example 2: Run authenticated ACAS/Nessus scans against the entire CUI enclave at least monthly. Schedule recurring scans in the Nessus console using a credentialed scan policy that checks for missing patches, misconfigurations, and malware indicators, and make the monthly cadence match the frequency documented for this requirement. Before trusting the results, confirm that the credentials actually worked on every host; a scan that fell back to unauthenticated checks because of a bad account or a firewall rule reports far less than it appears to, and the patch and malware-indicator plugins simply do not run. Review the results within 5 business days and feed critical findings into your POA&M.
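As an added example (not from the original page), a triage pass over a Nessus CSV export that does the two checks above: it flags hosts where credentialed checks did not run, using the per-host "Credentialed checks : yes/no" line that Nessus plugin 19506 (Nessus Scan Information) emits, and it lists Critical/High findings by plugin with the 5-business-day review deadline. The CSV rows, plugin IDs 900001 to 900003, host addresses, and scan date are constructed sample data; a real run would replace the here-string with Import-Csv on the exported file, which carries more columns than shown here (the script only reads columns by name, so that is fine).

```powershell
# Added example, not part of the original page. Constructed sample export,
# trimmed to the columns this script reads. Plugin 19506 is real; 9000xx are fake.
$csv = @'
"Plugin ID","Risk","Host","Port","Name","Plugin Output"
"19506","None","10.10.20.11","0","Nessus Scan Information","Credentialed checks : yes"
"19506","None","10.10.20.12","0","Nessus Scan Information","Credentialed checks : no"
"900001","Critical","10.10.20.11","445","Sample: missing OS security update (constructed)",""
"900001","Critical","10.10.20.13","445","Sample: missing OS security update (constructed)",""
"900002","High","10.10.20.11","3389","Sample: weak RDP configuration (constructed)",""
"900003","Medium","10.10.20.12","443","Sample: TLS certificate issue (constructed)",""
'@
$scanDate = Get-Date '2024-03-02'          # date the recurring scan ran (constructed)
$findings = $csv | ConvertFrom-Csv         # real run: Import-Csv .\enclave-scan.csv

# 1. Credential check. An "authenticated" scan is only evidence for the hosts where
#    local checks actually ran; 19506's output says so per host.
$credentialed = @{}
foreach ($f in $findings | Where-Object { $_.'Plugin ID' -eq '19506' }) {
  if ($f.'Plugin Output' -match 'Credentialed checks\s*:\s*(yes|no)') {
    $credentialed[$f.Host] = ($Matches[1] -eq 'yes')
  }
}
foreach ($h in ($findings.Host | Sort-Object -Unique)) {
  if (-not $credentialed.ContainsKey($h)) {
    Write-Warning "$h : no scan-information record; host may not have been reached"
  } elseif (-not $credentialed[$h]) {
    Write-Warning "$h : credentialed checks did not run; patch results for this host are incomplete"
  }
}

# 2. Review deadline: 5 business days after the scan (weekends only; add your
#    own holiday list if the SLA excludes them).
function Add-BusinessDays([datetime]$Start, [int]$Days) {
  $d = $Start
  while ($Days -gt 0) {
    $d = $d.AddDays(1)
    if ($d.DayOfWeek -notin 'Saturday', 'Sunday') { $Days-- }
  }
  return $d
}
$reviewBy = Add-BusinessDays $scanDate 5

# 3. Critical/High findings grouped by plugin: one row per POA&M candidate,
#    with the affected hosts collapsed into a single field.
$findings |
  Where-Object { $_.Risk -in 'Critical', 'High' } |
  Group-Object 'Plugin ID' |
  ForEach-Object {
    [pscustomobject]@{
      PluginID = $_.Name
      Risk     = $_.Group[0].Risk
      Finding  = $_.Group[0].Name
      Hosts    = ($_.Group.Host | Sort-Object -Unique) -join ', '
      ReviewBy = $reviewBy.ToString('yyyy-MM-dd')
    }
  } | Format-Table -AutoSize
```

On the sample data the script warns about 10.10.20.12 (credentials failed) and 10.10.20.13 (no scan-information record at all), then lists two POA&M candidates due 2024-03-08. The first warning is the one to act on before the review meeting: a Critical count that looks low because half the enclave was scanned without credentials is not a result, it is a scan that needs re-running.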