This post gives a practical, step-by-step approach for auditing public-facing systems and closing gaps to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (Control AC.L1-B.1.IV) requirements under the Compliance Framework: how to inventory, test, remediate, document evidence, and reduce the risk that publicly accessible services expose Controlled Unclassified Information (CUI) or otherwise violate basic safeguarding expectations.
What AC.L1-B.1.IV means in practice (Key objectives)
At Level 1 the objective is straightforward: public-facing systems must not inadvertently expose CUI and must implement basic access controls and safeguards appropriate for outward-facing services. For small businesses this translates to three core goals: 1) inventory and identify every public service (websites, APIs, file shares, admin consoles), 2) verify configurations and access policies prevent unauthorized data access, and 3) document and remediate gaps with evidence for auditors.
Implementation notes — scope, evidence, and risk focus
Define scope up-front as "all externally routable hosts, DNS entries, cloud storage buckets, third-party SaaS consoles with company data, and APIs." Evidence should include discovery outputs (asset lists), authenticated and unauthenticated scan reports, change control tickets, updated configuration files, screenshots, and log extracts showing enforcement. Prioritize systems that process or link to customer data, authentication flows, or credential stores — those present the highest immediate risk of violating FAR/CMMC expectations.
Step 1 — Inventory and discovery (practical steps)
Start by building an inventory: use DNS zone exports, cloud account lists (AWS/GCP/Azure console), and tools like nmap, masscan, or cloud-native inventory APIs to enumerate public endpoints. For web presence, use a combination of DNS enumeration (sublist3r, Assetfinder), passive discovery (Censys, Shodan), and your CI/CD pipeline to list deployed apps. Don’t forget third-party SaaS: marketing CMS, payment gateways, CRMs — capture admin URLs and integrations. Output should be a CSV with hostname/IP, service, owner, and business purpose.
Step 2 — Security checks and technical tests
Run targeted technical checks for each public asset. For web apps and APIs, perform: TLS verification (sslscan or sslyze), header inspection (securityheaders.com or curl -I), directory-listing checks, robots.txt review, and a quick authenticated and unauthenticated vulnerability scan (OWASP ZAP, Nikto, or a lightweight Burp Suite scan). Check S3/Blob containers for public read/write access, verify firewall/security group rules to ensure only ports 80/443 are reachable externally, and confirm no admin interfaces (SSH/DB management) are exposed to 0.0.0.0/0. Log results with CVSS or a simple high/medium/low risk tagging for triage.
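One way to run the firewall/security-group check above (only 80/443 world-reachable, no admin interfaces open to 0.0.0.0/0) and tag each rule high/medium/low for triage, as an added Python example that is not part of the original post; the `Rule` layout, the admin-port map and the sample rules are constructed assumptions, so map your provider's export (for example an AWS security-group JSON) onto that layout first.

```python
from dataclasses import dataclass
from ipaddress import ip_network

# Assumed map of admin/database ports that should never be world-open.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 5432: "PostgreSQL", 1433: "MSSQL", 27017: "MongoDB"}
ALLOWED_PUBLIC_PORTS = {80, 443}  # the only ports expected reachable from anywhere

@dataclass(frozen=True)
class Rule:
    from_port: int  # -1 means all ports
    to_port: int
    cidr: str       # source CIDR, e.g. "0.0.0.0/0"

def is_world_open(cidr: str) -> bool:
    """True when the source CIDR is the whole IPv4 or IPv6 internet."""
    net = ip_network(cidr, strict=False)
    return net.num_addresses == 2 ** net.max_prefixlen

def triage_rule(rule: Rule) -> tuple[str, str]:
    """Return (risk, reason) using the post's simple high/medium/low tagging."""
    if not is_world_open(rule.cidr):
        return "low", f"source {rule.cidr} is not world-open"
    if rule.from_port == -1:
        return "high", "all ports open to the internet"
    ports = set(range(rule.from_port, rule.to_port + 1))
    admin = sorted(p for p in ports if p in ADMIN_PORTS)
    if admin:
        names = ", ".join(f"{p}/{ADMIN_PORTS[p]}" for p in admin)
        return "high", f"admin interface exposed to {rule.cidr}: {names}"
    extra = sorted(ports - ALLOWED_PUBLIC_PORTS)
    if extra:
        return "medium", f"non-web ports open to the internet: {extra[:5]}"
    return "low", "only 80/443 reachable externally (expected)"

def triage_rules(rules: list[Rule]) -> list[tuple[str, str, Rule]]:
    """Triage every rule; findings come back as (risk, reason, rule), high first."""
    order = {"high": 0, "medium": 1, "low": 2}
    findings = [(*triage_rule(r), r) for r in rules]
    return sorted(findings, key=lambda f: order[f[0]])

# Constructed sample export of a small-business web security group.
SAMPLE_RULES = [
    Rule(443, 443, "0.0.0.0/0"),
    Rule(22, 22, "0.0.0.0/0"),       # SSH exposed to the world
    Rule(5432, 5432, "10.0.0.0/8"),  # DB reachable from internal ranges only
    Rule(8080, 8090, "::/0"),        # staging ports open to all of IPv6
]

if __name__ == "__main__":
    for risk, reason, rule in triage_rules(SAMPLE_RULES):
        print(f"[{risk.upper():6}] {rule.from_port}-{rule.to_port} from {rule.cidr}: {reason}")
```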
Real-world examples for small businesses
Example 1: An e-commerce small business hosted product pages on a CMS that also contained a staging API exposing customer PII. Discovery found a staging subdomain indexed in Google. Remediation: remove staging from public DNS, apply HTTP Basic auth to non-production environments, and configure robots.txt + noindex headers until staging is private. Example 2: A small contractor used an S3 bucket for client file sharing and left it public; the fix was to change ACLs to private, enable pre-signed URLs for downloads, and enable bucket logging and lifecycle policies to retain evidence.
Step 3 — Remediation actions and technical fixes
Map each finding to a concrete remediation: apply HTTPS with HSTS and modern ciphers, enforce secure cookie flags (Secure, HttpOnly, SameSite), implement Content-Security-Policy and X-Content-Type-Options, and remove debug endpoints. For APIs, require API keys or token-based auth and rate limiting. For cloud storage, switch from public ACLs to authenticated access with least privilege, and enable server-side encryption (SSE). Where possible, segment public-facing systems from internal networks using VPCs/subnets and use reverse proxies or WAF (AWS WAF, Cloudflare) to block common attacks.
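The header inspection from Step 2 (`curl -I`) and the hardening list above (HSTS, Content-Security-Policy, X-Content-Type-Options, Secure/HttpOnly/SameSite cookie flags) can be checked together from the raw response head. The following is an added example, not code from the original post: it parses a constructed `curl -I` output and reports each missing control; the 180-day HSTS threshold is an assumed value, not one the post or CMMC specifies.

```python
import re

# Constructed sample: the kind of head a misconfigured app returns to `curl -I`.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Server: Apache
Content-Type: text/html; charset=utf-8
Set-Cookie: sessionid=abc123; Path=/; HttpOnly
Set-Cookie: csrftoken=def456; Path=/; Secure; HttpOnly; SameSite=Lax
X-Content-Type-Options: nosniff
"""

def parse_head(raw: str) -> dict[str, list[str]]:
    """Parse a curl -I head into {lower-name: [values]}, keeping repeated headers."""
    headers: dict[str, list[str]] = {}
    for line in raw.splitlines()[1:]:  # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def check_headers(raw: str, min_hsts_age: int = 15552000) -> list[str]:
    """Return findings against the Step 3 list; an empty list means all pass.
    min_hsts_age (180 days) is an assumed threshold, not a CMMC value."""
    h = parse_head(raw)
    findings = []
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", [""])[0])
    if not m:
        findings.append("missing Strict-Transport-Security (HSTS)")
    elif int(m.group(1)) < min_hsts_age:
        findings.append(f"HSTS max-age {m.group(1)} below {min_hsts_age}")
    if "content-security-policy" not in h:
        findings.append("missing Content-Security-Policy")
    if "nosniff" not in " ".join(h.get("x-content-type-options", [])).lower():
        findings.append("missing X-Content-Type-Options: nosniff")
    for cookie in h.get("set-cookie", []):
        name = cookie.split("=", 1)[0]
        attrs = {a.strip().split("=")[0].lower() for a in cookie.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name!r} lacks {flag}")
    return findings

if __name__ == "__main__":
    for finding in check_headers(SAMPLE_RESPONSE):
        print("FINDING:", finding)
```

Pipe a real head in with `curl -sI https://host | python3 check.py` style wrapping, and keep the before/after output as the evidence artifact the post asks for.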
Process and governance tips (compliance best practices)
Create a remediation plan (POA&M) with owners, deadlines, and evidence collection requirements. Use your change control system (Jira/GitHub Issues) so every fix has a ticket linking to configuration diffs or IaC commits. Keep a "public-systems" policy that specifies acceptable software/devops practices (no storing CUI on public sites, use pre-signed URLs for file sharing, require MFA for admin consoles). Train staff on how to handle discoveries and triage reports to reduce time-to-fix.
Testing, validation, and evidence for auditors
After fixes are applied, re-run scans and capture before/after artifacts: scan reports, TLS cert details, screenshots of console settings, and log extracts demonstrating attempted/blocked access. For continuous assurance, add automated checks in CI pipelines: dependency scanning (Trivy/Snyk), secret scanning, and a small periodic external scan (monthly). Maintain a short audit log that records discovery date, remediation action, owner, verification date, and artifact location — auditors expect traceable evidence linking findings to remediation.
Risk of not implementing this control
Failing to audit and remediate public-facing systems risks inadvertent disclosure of CUI, account compromise, loss of DoD contracts, contractual penalties under FAR 52.204-21, and reputational damage. For a small business, a single exposed S3 bucket or misconfigured admin panel can lead to credential stuffing, data exfiltration, ransomware exposure, or debarment from federal contracting. Beyond compliance, these gaps are a clear operational security risk.
Summary: Treat public-facing systems as high-priority assets for your Compliance Framework program—inventory everything, run targeted technical checks, apply concrete remediations (TLS, WAF, secure storage, auth), document every step, and validate fixes with re-scans and CI-based checks. With clear ownership, an actionable POA&M, and simple automation, even small businesses can meet FAR 52.204-21 / CMMC 2.0 Level 1 AC.L1-B.1.IV expectations and significantly reduce their exposure.