Meeting the access-control expectations of FAR 52.204-21 and CMMC 2.0 Level 1 (practice AC.L1-B.1.I, which implements FAR 52.204-21(b)(1)(i)) boils down to a few practical steps: identify who and what should have access, enforce unique authenticated access, document and automate provisioning and deprovisioning, and produce evidence for assessors. This post gives a compact, actionable checklist plus implementation details small businesses can use today.
Understanding AC.L1-B.1.I and the key objectives
At its core AC.L1-B.1.I is the CMMC 2.0 Level 1 practice for FAR 52.204-21(b)(1)(i): limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems). The assessment objectives are correspondingly concrete: authorized users, processes, and devices are identified, and system access is actually limited to them. The checklist below goes a little beyond that minimum, because unique accounts, timely revocation, session controls, and MFA are what make the limit real and demonstrable; be aware that MFA, least privilege, session lock, and account lockout are formally Level 2 (NIST SP 800-171) requirements, so at Level 1 they are recommendations rather than things an assessor can fail you on. Level 1 applies to contractors that handle Federal Contract Information (FCI); a contractor that handles Controlled Unclassified Information (CUI) is held to Level 2, of which the Level 1 practices are a subset. For a small business this is the floor for keeping federal contracts.
Practical access control checklist (mapped to the AC.L1-B.1.I assessment objectives)
Below is a compact checklist; each item is actionable, measurable, and yields evidence an assessor will recognize. Implement each item and document it as you go.
- Inventory all accounts and access points (user accounts, service accounts, shared/local accounts, privileged accounts)
- Define roles and map privileges (role-based access control or RBAC)
- Ensure unique user accounts—no shared admin accounts; document exceptions
- Implement authentication controls (password policy, plus MFA for remote and privileged access; MFA is a Level 2 requirement, but it is cheap insurance on exactly the accounts attackers go after)
- Create documented onboarding/offboarding workflows with time-bound account provisioning
- Configure session controls (automatic screen lock, session timeout) and account lockout on failed attempts
- Enable and collect authentication/access logs and retain evidence (screenshots, log extracts) for reviews
- Perform scheduled access reviews (monthly or at least quarterly) and retain review records
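The checklist above is a procedure, and the parts of it that recur every month (inventory, owner mapping, offboarding checks, access review, retained record) can be run as one script. The following is an added example written for this post, not code from any IdP or GRC product: it reviews a constructed account inventory against a constructed HR roster and emits the review record an assessor would ask to see. The CSV columns, the review date, the 90-day dormancy threshold and the reviewer name are all assumptions; the privileged-account MFA check is there because the checklist recommends MFA, not because Level 1 requires it.

```python
"""Scheduled access review over an account inventory, with an evidence record.

Added example for the checklist above (inventory, unique accounts, offboarding,
access reviews); it is not from any IdP or GRC product.  The two CSVs are
constructed samples, and the review date, dormancy threshold, column names and
reviewer are assumptions.  The privileged-account MFA check is included
because the checklist recommends MFA, not because Level 1 requires it.
"""
import csv
import io
import json
from datetime import date

REVIEW_DATE = date(2024, 3, 1)   # assumed "today" for the sample review
DORMANT_DAYS = 90                # an enabled account unused this long is a finding

# Constructed inventory: one row per account, including service/shared ones.
ACCOUNTS_CSV = """\
username,type,enabled,privileged,mfa,last_login,owner
alice,user,yes,no,yes,2024-02-28,alice
bob,user,yes,yes,no,2024-02-27,bob
carol,user,yes,no,yes,2023-10-15,carol
dave,user,yes,no,yes,2024-02-20,dave
svc-backup,service,yes,yes,no,2024-02-29,
scanner-admin,shared,yes,yes,yes,2024-02-29,bob
"""

# Constructed HR roster: the source of truth for who should still have access.
HR_CSV = """\
employee,status,termination_date
alice,active,
bob,active,
carol,active,
dave,terminated,2024-02-14
"""


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(accounts_csv, hr_csv, review_date):
    """Return one finding dict per problem: account, issue, action, details."""
    hr = {r["employee"]: r for r in _rows(hr_csv)}
    findings = []
    for a in _rows(accounts_csv):
        name, owner = a["username"], a["owner"].strip()
        enabled, privileged = a["enabled"] == "yes", a["privileged"] == "yes"
        last = date.fromisoformat(a["last_login"]) if a["last_login"] else None

        if a["type"] == "shared":                       # checklist: no shared accounts
            findings.append({"account": name, "issue": "shared_account",
                             "action": "replace with named accounts or record a documented exception"})
        if not owner:                                   # every account needs an accountable person
            findings.append({"account": name, "issue": "no_owner",
                             "action": "assign an owner responsible for the account"})
        elif enabled and hr.get(owner, {}).get("status") == "terminated":
            gone = (review_date - date.fromisoformat(hr[owner]["termination_date"])).days
            findings.append({"account": name, "issue": "terminated_still_enabled",
                             "days_since_termination": gone,
                             "action": "disable now and attach the offboarding ticket"})
        if enabled and (last is None or (review_date - last).days > DORMANT_DAYS):
            findings.append({"account": name, "issue": "dormant",
                             "days_dormant": None if last is None else (review_date - last).days,
                             "action": "disable, or have the owner confirm the need in writing"})
        if privileged and a["type"] == "user" and a["mfa"] != "yes":
            findings.append({"account": name, "issue": "privileged_without_mfa",
                             "action": "enroll MFA before next privileged use"})
    return findings


def build_review_record(accounts_csv, hr_csv, review_date, reviewer):
    """Bundle the findings into the artifact an assessor asks for."""
    findings = review_accounts(accounts_csv, hr_csv, review_date)
    return {"review_date": review_date.isoformat(), "reviewer": reviewer,
            "accounts_reviewed": len(_rows(accounts_csv)),
            "finding_count": len(findings), "findings": findings}


if __name__ == "__main__":
    record = build_review_record(ACCOUNTS_CSV, HR_CSV, REVIEW_DATE, reviewer="it-lead")
    print(json.dumps(record, indent=2))   # store next to the manager's sign-off
```

On the sample data the script raises five findings: a terminated employee whose account is still enabled 16 days later, a dormant account, a privileged user without MFA, a service account with no owner, and a shared account that needs a documented exception. The JSON record, stored with the manager's signature or ticket approval, is the "signed access-review record" the checklist calls for; export the two CSVs from your IdP and HR system rather than hand-editing them, so the record is reproducible.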
Implementation notes and evidence you should collect
For each checklist item, create a short SOP and collect at least one piece of evidence: inventory CSV, role mapping spreadsheet, screenshots of group membership and policies, MFA configuration screenshots, ticket records for provisioning/deprovisioning, exported logs showing login events, and signed access-review records. Document retention periods and where artifacts are stored (encrypted repository or secure SharePoint).
Technical implementation examples (small-business focused)
Concrete configurations a small IT team can put in place quickly. Identity: using Azure AD (now Microsoft Entra ID) or Okta as the central identity provider lets you enforce MFA and RBAC in one place; create a group such as "CUI-Access" and grant resources through group membership rather than to individuals. On-prem Windows: use Group Policy to set Minimum password length ≥ 12 and Password must meet complexity requirements = Enabled (Account Policies), Interactive logon: Machine inactivity limit = 900 under Security Options (the setting is in seconds; 900 is 15 minutes), and Account lockout threshold = 5 invalid attempts with a lockout duration and reset counter that you have documented. Linux servers: in /etc/ssh/sshd_config set PermitRootLogin no, PasswordAuthentication no and KbdInteractiveAuthentication no (ChallengeResponseAuthentication on OpenSSH before 8.7; with UsePAM yes the keyboard-interactive path can still prompt for a password unless it is disabled too), use public-key authentication, lock out repeated failures with pam_faillock (pam_tally2 was removed in Linux-PAM 1.5, so current distributions ship only faillock), and centralize accounts via LDAP/SSSD where possible. VPNs: require a device certificate plus MFA, for example OpenVPN with client certificates and Duo, or a commercial VPN with conditional access.
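The Linux settings above are easy to get wrong in a way that looks right: sshd_config(5) states that for each keyword the first value read is the one used, and distributions such as Ubuntu put an Include of /etc/ssh/sshd_config.d/*.conf at the top of the file, so a PermitRootLogin no appended to the end of a file that already sets the keyword (or that includes a drop-in setting it) changes nothing. The checker below is an added example written for this post, not code from OpenSSH or any project; it resolves a config the way sshd does, compares the effective values with the recommendations above, and reports which Include globs still need a look. Both sample configs are constructed.

```python
"""Check an sshd_config the way sshd reads it: first value wins.

Added example for the Linux settings above; not code from OpenSSH or any
project.  Both sample configs are constructed.  sshd_config(5) states that
for each keyword the first obtained value is used, and distributions such as
Ubuntu place 'Include /etc/ssh/sshd_config.d/*.conf' at the top, so a
hardening line appended to the end of a file that already sets the keyword
(or that includes a drop-in setting it) silently does nothing.
"""

# keyword -> (acceptable values, OpenSSH default when the keyword is absent)
POLICY = {
    "permitrootlogin": ({"no"}, "prohibit-password"),
    "passwordauthentication": ({"no"}, "yes"),
    # With UsePAM yes, keyboard-interactive can still prompt for a password
    # unless this is also 'no'; ChallengeResponseAuthentication is the
    # pre-8.7 name for the same keyword and is treated as an alias below.
    "kbdinteractiveauthentication": ({"no"}, "yes"),
    "pubkeyauthentication": ({"yes"}, "yes"),
    "maxauthtries": ({"1", "2", "3", "4", "5", "6"}, "6"),
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_settings(text):
    """Resolve the global section of an sshd_config to {keyword: value}.

    First occurrence wins; parsing stops at the first 'Match' block because
    settings inside it apply only to matching users, groups or addresses.
    'Include' globs are returned separately: sshd reads those files at the
    point of the Include line, before anything that follows it, so they must
    be checked too (they are not available to this offline checker).
    """
    settings, includes = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.replace("=", " ", 1).split()    # 'Key value' or 'Key=value'
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key == "include":
            includes.extend(parts[1:])
            continue
        settings.setdefault(key, " ".join(parts[1:]).lower())   # later duplicates ignored
    return settings, includes


def audit(text):
    """Return ([(keyword, effective_value, 'ok'|'weak'), ...], include_globs)."""
    settings, includes = effective_settings(text)
    findings = []
    for key, (allowed, default) in POLICY.items():
        value = settings.get(key, default)
        findings.append((key, value, "ok" if value in allowed else "weak"))
    return findings, includes


def is_hardened(text):
    return all(verdict == "ok" for _, _, verdict in audit(text)[0])


WEAK_CONFIG = """\
# Constructed sample: distro default plus a hardening line appended at the end
Include /etc/ssh/sshd_config.d/*.conf
PermitRootLogin yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
PermitRootLogin no
"""

HARDENED_CONFIG = """\
# Constructed sample: recommended values placed before any duplicates
PermitRootLogin no
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
UsePAM yes
Match Group sftponly
    ChrootDirectory /srv/sftp
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings, includes = audit(cfg)
        print(f"[{name}] hardened={is_hardened(cfg)}")
        for key, value, verdict in findings:
            print(f"  {verdict:<4} {key} = {value}")
        for glob in includes:
            print(f"  also inspect files matched by: Include {glob}")
```

Run against the weak sample it reports PermitRootLogin as still yes (the appended no is ignored) and PasswordAuthentication as weak because the commented-out line leaves the default of yes in force. On a live host the authoritative answer is `sshd -T`, which prints the effective configuration after all includes and defaults; use that output as the evidence screenshot rather than the config file, and run this kind of check on the file only as a pre-commit guard.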
Real-world small-business scenarios
Scenario 1: A 25-person subcontractor hosting FCI on cloud VMs. Action: centralize users in Azure AD (Microsoft Entra ID), enforce a conditional access policy that requires MFA for any sign-in from an unmanaged device, create an "FCI" group, and assign least-privilege roles on the storage that holds the FCI to that group rather than to individuals; evidence: group membership export and a screenshot of the conditional access policy. Scenario 2: A small engineering shop with local file servers. Action: move accounts into an on-prem AD domain, disable the built-in local Administrator account on workstations (or manage its password with LAPS), apply the session-lock and password GPOs, and keep an offboarding ticket for each departed employee showing the account-disable timestamp. Scenario 3: A remote-first consultancy. Action: require SSO (Okta or Azure AD) for all cloud apps, enable MFA and device posture checks, and give contractors time-bound roles (just-in-time access) that expire with the engagement.
Compliance tips, best practices, and automation
Automate where possible: integrate the HR system with the IdP so that onboarding and offboarding create and disable accounts without a manual step and stale accounts do not accumulate; use role templates to reduce misconfiguration; forward logs to a simple SIEM or log collector (Splunk, ELK, or a managed service) and alert on anomalous logins (repeated failed attempts from one source, logins outside business hours, and above all a successful login that follows a burst of failures). Conduct monthly access reviews with managers and store the signed records. Use short-lived credentials for privileged operations and document a "break glass" process for emergency access, with an after-action ticket for every use.
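The alert conditions named above are simple enough that you can see the logic before buying a SIEM. The following is an added example written for this post, not a rule from Splunk, ELK or any product: it walks sshd auth-log lines, keeps a sliding window of failures per source address, raises once when a source exceeds the threshold, flags any successful login from a source that tripped it, and flags successful logins outside business hours. The log lines are constructed (RFC 5737 test addresses); the year, the thresholds and the business hours are assumptions, and log timestamps are assumed to be in the same local time zone as the business hours.

```python
"""Alert on failed-login bursts and off-hours logins in sshd auth-log lines.

Added example of the alert conditions named above; it is not from Splunk,
ELK or any product.  The log lines are constructed (RFC 5737 test addresses),
the year, thresholds and business hours are assumptions, and log timestamps
are taken to be in the same local time zone as the business hours.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_YEAR = 2024                      # syslog timestamps carry no year (assumed)
FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window -> alert
BUSINESS_HOURS = (8, 18)             # 08:00-17:59, Monday to Friday

# Matches sshd "Failed <method> for [invalid user] <user> from <ip> port <n>"
# and "Accepted <method> for <user> from <ip> port <n>" lines; others are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse(line):
    """Return a dict for a login-outcome line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def off_hours(ts):
    return ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect(lines):
    """Return alerts in log order.

    brute_force:            FAIL_THRESHOLD failures from one IP inside
                            FAIL_WINDOW (raised once per IP; sliding window)
    success_after_failures: a later successful login from such an IP, which
                            is the event most worth a human look
    off_hours_login:        any successful login outside business hours
    """
    alerts, recent, flagged = [], defaultdict(deque), set()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        if ev["result"] == "Failed":
            window = recent[ev["ip"]]
            window.append(ev["ts"])
            while ev["ts"] - window[0] > FAIL_WINDOW:   # expire old failures
                window.popleft()
            if len(window) >= FAIL_THRESHOLD and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append({"type": "brute_force", "ip": ev["ip"],
                               "failures": len(window), "ts": ev["ts"]})
            continue
        if ev["ip"] in flagged:
            alerts.append({"type": "success_after_failures", "user": ev["user"],
                           "ip": ev["ip"], "method": ev["method"], "ts": ev["ts"]})
        if off_hours(ev["ts"]):
            alerts.append({"type": "off_hours_login", "user": ev["user"],
                           "ip": ev["ip"], "ts": ev["ts"]})
    return alerts


# Constructed sample: a password-guessing burst at 03:14 that ends in a success,
# normal daytime key logins, one typo, and a Saturday login.
SAMPLE_LOG = """\
Jan 12 03:14:07 fileserver sshd[2207]: Failed password for invalid user admin from 203.0.113.5 port 44122 ssh2
Jan 12 03:14:09 fileserver sshd[2209]: Failed password for invalid user admin from 203.0.113.5 port 44130 ssh2
Jan 12 03:14:12 fileserver sshd[2211]: Failed password for root from 203.0.113.5 port 44137 ssh2
Jan 12 03:14:15 fileserver sshd[2213]: Failed password for invalid user test from 203.0.113.5 port 44141 ssh2
Jan 12 03:14:18 fileserver sshd[2215]: Failed password for bob from 203.0.113.5 port 44150 ssh2
Jan 12 03:14:18 fileserver sshd[2215]: Connection closed by authenticating user bob 203.0.113.5 port 44150 [preauth]
Jan 12 03:20:44 fileserver sshd[2230]: Accepted password for bob from 203.0.113.5 port 44201 ssh2
Jan 12 09:02:11 fileserver sshd[2401]: Accepted publickey for alice from 198.51.100.7 port 50122 ssh2: ED25519 SHA256:constructed
Jan 12 11:30:00 fileserver sshd[2510]: Failed password for alice from 198.51.100.7 port 50300 ssh2
Jan 12 11:30:05 fileserver sshd[2512]: Accepted publickey for alice from 198.51.100.7 port 50301 ssh2: ED25519 SHA256:constructed
Jan 13 10:05:33 fileserver sshd[2601]: Accepted publickey for carol from 198.51.100.9 port 51000 ssh2: ED25519 SHA256:constructed
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample the script raises four alerts: the burst from 203.0.113.5, the password login for bob from that same address six minutes later (both off-hours and success-after-failures), and carol's Saturday key login. Alice's single typo produces nothing. Whatever collector you use, the alert rules should distinguish exactly these cases; a rule that fires on every single failure trains people to ignore it.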
Risks of non-compliance and what assessors will look for
Failing to implement AC.L1-B.1.I raises the likelihood of unauthorized access, data exfiltration, and disclosure of FCI (or CUI, at Level 2); the business consequences range from a failed assessment and lost or terminated contracts to suspension from future awards and, where compliance was affirmed falsely, potential liability, along with reputational harm. Assessors will look for proof: (a) a written access control policy, (b) an inventory of accounts and privileged users, (c) screenshots or exported configurations showing MFA and password/session settings, (d) logs demonstrating enforcement and reviews, and (e) documented provisioning/deprovisioning workflows with timestamps. If you can't produce evidence, assessors treat a control as not implemented even when an informal practice exists.
Summary: Build a simple, repeatable checklist that maps inventory → roles → enforced technical controls → automated workflows → documented evidence. For small businesses, prioritize central identity management, MFA for remote and privileged access, automated offboarding, and scheduled access reviews—these are high-impact, low-cost actions that satisfy AC.L1-B.1.I and reduce real operational risk while producing the artifacts auditors expect.