Antivirus and CMMC Level 1: What Counts as "Good Enough"?

Share
Antivirus and CMMC Level 1: What Counts as "Good Enough"?

If you've worried that CMMC means buying expensive enterprise security software or hiring a monitoring service, here's some relief: antivirus is a Level 1 requirement, and for most small contractors, the protection already built into your computers is good enough — as long as it's set up correctly.

Two things surprise people here. First, that antivirus is Level 1 at all (a lot of guides imply you need advanced, Level 2-style tools). Second, that "good enough" is a much lower bar than the security industry would like you to believe. Let's clear both up.

Yes, it's a Level 1 requirement

Protecting against malicious code is built into Level 1 through three closely related practices: have malware protection where it's needed, keep it updated, and use it to scan. There's also a fourth, closely related practice — keeping your systems patched — that we'll get to.

So if someone tells you malware protection is a Level 2 concern, that's not right. The basics live at Level 1. The good news is they're some of the most achievable requirements in the whole set, because most businesses already have antivirus running.

What "good enough" actually means

Level 1 doesn't name a brand, demand a price tag, or require enterprise detection-and-response platforms. It wants three straightforward things:

  1. You have malware protection on the machines that matter. Every computer that touches FCI should be running antivirus. Not a special government product — just real, working protection.
  2. It stays updated. Malware changes daily, so your protection has to pull in new definitions automatically. The good news: nearly every antivirus tool does this by default, so if you've got protection running, you've very likely already met this without lifting a finger.
  3. It actually scans. That means two kinds of scanning: periodic scans on a schedule, and real-time scanning that checks files as they arrive — downloads, email attachments, files off a USB stick — before they can do harm.

Meet those three, and you've satisfied the core of Level 1's malware requirements.

Built-in protection usually clears the bar

For a typical small contractor, the antivirus already included with your operating system does the job. The protection built into Windows, for example, is real antivirus — it updates its definitions many times a day on its own, and it runs both scheduled and real-time scans. It's free, it's already there, and for a small shop handling FCI, it generally covers all three requirements.

You do not need to go buy a separate enterprise antivirus suite, and you certainly don't need a managed security operations center to pass Level 1. Those can be worthwhile for higher-risk environments or contractors heading toward Level 2, but they are not a Level 1 requirement. Don't let anyone upsell you into thinking otherwise.

The two things people actually miss

If antivirus is so common, where do contractors slip? Two places.

Real-time scanning left off. Some people run antivirus but only ever do occasional manual scans, with real-time protection switched off. That's like locking the door at night but leaving it open all day. Level 1 wants files checked as they come in, so make sure real-time scanning is actually enabled — not just available.

Forgetting the patching half. Antivirus catches malware, but a lot of attacks slip through holes in out-of-date software. That's why Level 1 also asks you to fix known flaws in a timely way — which in plain terms means keeping your operating system and applications updated. Antivirus and patching are partners: one blocks the bad stuff, the other closes the doors it would walk through. Turning on automatic updates for your OS and main software handles most of this.

Don't forget to write it down

As with the rest of Level 1, the small bit of extra effort isn't the technology — it's the documentation. You should be able to say, simply, that antivirus is deployed on the machines that handle FCI, that it updates automatically, that scanning (including real-time) is on, and that your systems get patched. A short written note covering that is the difference between doing it and being able to show you do it.

Antivirus, updates, and flaw remediation all live in the same Level 1 domain. For the full picture, see CMMC System Integrity: Antivirus, Updates, and Malware Protection.

The bottom line

Antivirus is a Level 1 requirement, and "good enough" is genuinely good enough: protection that's present on the right machines, updating itself, and scanning in real time, plus keeping your software patched. The built-in tools most small shops already have will usually meet all of it — no expensive suite, no monitoring service required.

The traps are subtle: real-time scanning switched off, patching ignored, and skipping the paperwork. Fix those and this is one of the easier Level 1 boxes to check.

Working out which of the 15 Level 1 practices you already meet — and which need a small tweak like flipping on real-time scanning — is far simpler when they're laid out plainly, one question at a time.


See exactly where you stand on CMMC Level 1.

CMMCheck walks you through every Level 1 requirement as plain-English yes / no / not-sure questions — no consultant, no jargon — and hands you a clear report showing what's done and what's left.

→ Start your Level 1 self-assessment at cmmcheck.com