
How to Configure Access Controls for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.I Using Least Privilege and MFA

Practical step-by-step guidance to configure least-privilege access and enforce multi-factor authentication to meet FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-B.1.I requirements for small businesses.

April 10, 2026
4 min read


This post gives practical, actionable steps to configure access controls that satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (AC.L1-B.1.I) expectations by applying least privilege and multi-factor authentication (MFA), with real-world examples for small businesses running Office 365, cloud services, and on-prem systems.

Overview: What AC.L1-B.1.I and FAR 52.204-21 require

At a high level, FAR 52.204-21 requires basic safeguarding of contractor information systems. CMMC Level 1 AC.L1-B.1.I maps to a practice of limiting system access to authorized users and processes while ensuring authentication controls such as MFA for remote or privileged access. In practice this means documenting account policies, implementing role-based permissions, enforcing MFA on all accounts with access to contractor-controlled data, and retaining evidence (logs, configurations, and periodic reviews).

Core implementation approach

Use a three-prong approach: (1) enforce least privilege through RBAC/policy-driven permissions and privileged access management, (2) require MFA for all interactive authentication that touches controlled data or administrative functions, and (3) automate provisioning/deprovisioning and record evidence for audits. For a small business this can be implemented without expensive tooling by using built-in identity providers (Azure AD, Google Workspace, Okta) combined with cloud IAM policies and simple endpoint controls.

Enforce least privilege with RBAC and Privileged Access

Map jobs to specific roles (e.g., finance_readonly, hr_upload, cloud_admin) and create groups for those roles in your IdP. Assign permissions to groups, not users. For Windows/Active Directory: avoid adding users to Domain Admins or local Administrators—use Controlled Group Membership or LAPS to manage local admin accounts. In AWS, use least-privilege IAM policies with role assumption (create a single IAM role for admins and use AWS SSO/PAM to grant temporary elevation). Implement a privileged access process: require just-in-time elevation (PIM in Azure AD) or session approval for admin tasks and log all privileged sessions. Sample practice: for a 20-person company, create 6 roles (Admin, IT-Support, Finance, HR, Engineering, Contractor) and limit S3/SharePoint write permissions to only the roles that need it.

Require MFA for all remote and privileged access

Enable MFA at the identity provider as a non-optional baseline: require hardware or app-based MFA for admin roles and all remote access methods (VPN, cloud console, email). Use conditional access to enforce MFA for risky sign-ins, access from unmanaged devices, or access to sensitive applications. Prefer phishing-resistant factors (FIDO2/WebAuthn hardware keys or platform authenticators) over SMS; authenticator apps (TOTP/Push) are acceptable for small shops. Example: in Azure AD create a Conditional Access policy that requires MFA for any sign-in to Microsoft 365 or IAM consoles from outside the corporate IP range and exclude documented break-glass accounts that are tightly controlled.
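The Conditional Access policy described above, reduced to its decision logic so it can be reasoned about and tested. This is an added example, not code from the post or from any identity provider; the corporate IP range, the break-glass account name, the role names and the accepted factor names are constructed assumptions, and it treats SMS as insufficient for admin roles, which is stricter than the post's "prefer".

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed values for the example (assumptions, not from the post).
CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
BREAK_GLASS = {"breakglass-01@example.com"}   # documented, tightly controlled accounts
ADMIN_ROLES = {"Admin", "IT-Support"}
STRONG_FACTORS = {"fido2", "platform_authenticator", "authenticator_app"}

@dataclass
class SignIn:
    user: str
    source_ip: str
    managed_device: bool
    roles: set = field(default_factory=set)
    factor: Optional[str] = None   # second factor presented; None means password only

def is_remote(source_ip: str) -> bool:
    """A sign-in is remote when it does not originate from the corporate IP range."""
    ip = ipaddress.ip_address(source_ip)
    return not any(ip in net for net in CORPORATE_RANGES)

def mfa_required(s: SignIn) -> bool:
    """MFA is required for admin roles, remote sign-ins and unmanaged devices;
    documented break-glass accounts are excluded, as the post describes."""
    if s.user in BREAK_GLASS:
        return False
    return is_remote(s.source_ip) or not s.managed_device or bool(s.roles & ADMIN_ROLES)

def evaluate(s: SignIn) -> str:
    """Return the access decision for one sign-in attempt."""
    if not mfa_required(s):
        return "allow"
    if s.factor is None:
        return "deny: MFA required"
    # Assumption stricter than the post: SMS is not accepted for admin roles.
    if s.factor not in STRONG_FACTORS and s.roles & ADMIN_ROLES:
        return "deny: admin roles need an app or hardware factor"
    return "allow"

if __name__ == "__main__":
    attempts = [
        SignIn("alice@example.com", "203.0.113.10", True),
        SignIn("alice@example.com", "198.51.100.7", True),
        SignIn("bob@example.com", "203.0.113.10", True, {"Admin"}, "sms"),
        SignIn("bob@example.com", "198.51.100.7", False, {"Admin"}, "fido2"),
    ]
    for a in attempts:
        print(a.user, a.source_ip, "->", evaluate(a))
```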

Provisioning, deprovisioning, and periodic reviews

Automate onboarding/offboarding via SCIM or the IdP's user lifecycle integrations so accounts are disabled when employees leave. Implement a 30/60/90-day account entitlement review cadence: a manager signs off on each employee's group memberships and privileged roles. Maintain an evidence package per review (export group membership CSVs, screenshots of Conditional Access policies, MFA status reports). For small businesses with contractors, create short-lived contractor accounts and require monthly reauthorization.
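One way to turn the review cadence above into a repeatable check over the evidence package, as an added example that is not part of the post or any vendor tooling: it reads a group-membership export and an MFA status report (both constructed sample data here, in an assumed CSV layout) and lists what a manager must resolve before signing off.

```python
import csv
import io
from datetime import date

PRIVILEGED_GROUPS = {"Admin", "IT-Support"}
PHISHING_RESISTANT = {"fido2", "platform_authenticator"}
CONTRACTOR_REAUTH_DAYS = 30   # the post asks for monthly contractor reauthorization

# Constructed sample exports (not real data), in an assumed column layout.
GROUPS_CSV = """user,group,status,last_reauthorized
alice@example.com,Finance,enabled,
bob@example.com,Admin,enabled,
carol@example.com,Engineering,disabled,
dave@example.com,Contractor,enabled,2026-02-01
erin@example.com,IT-Support,enabled,
"""
MFA_CSV = """user,mfa_method
alice@example.com,authenticator_app
bob@example.com,none
dave@example.com,sms
erin@example.com,fido2
"""

def review(groups_csv: str, mfa_csv: str, today: date):
    """Return (user, finding) pairs a manager must resolve before signing off the review."""
    mfa = {r["user"]: r["mfa_method"] for r in csv.DictReader(io.StringIO(mfa_csv))}
    findings = []
    for r in csv.DictReader(io.StringIO(groups_csv)):
        if r["status"] != "enabled":
            continue                      # disabled accounts are out of scope
        user, group = r["user"], r["group"]
        method = mfa.get(user, "none")    # missing from the MFA report counts as none
        if method == "none":
            findings.append((user, "enabled account without MFA"))
        if group in PRIVILEGED_GROUPS and method not in PHISHING_RESISTANT:
            findings.append((user, f"{group} member without phishing-resistant MFA"))
        if group == "Contractor":
            last = r["last_reauthorized"]
            overdue = not last or (today - date.fromisoformat(last)).days > CONTRACTOR_REAUTH_DAYS
            if overdue:
                findings.append((user, "contractor account past monthly reauthorization"))
    return findings

if __name__ == "__main__":
    for user, finding in review(GROUPS_CSV, MFA_CSV, date(2026, 4, 10)):
        print(f"{user}: {finding}")
```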

Practical technical examples for small businesses

Concrete examples:

Azure AD: enable "Require MFA" via Conditional Access for all cloud apps, enable PIM for Global Admins, and set a 1-hour approval window for elevation.
AWS: avoid permanent root usage, create an IAM admin group with limited scope, require MFA for the AWS Console (MFA enforced in the console settings), and use IAM policies that deny actions outside required resources.
Linux: limit sudoers to specific commands in /etc/sudoers.d and require an admin group; example line: "%itops ALL=(ALL) NOPASSWD:/usr/bin/systemctl, /usr/bin/journalctl" (avoid NOPASSWD in sensitive contexts).
Windows: use GPO to restrict local admin rights and deploy Microsoft LAPS to rotate local admin passwords.
Logging: send all authentications to a central SIEM or cloud logging (Azure Monitor, CloudTrail, Google Cloud Audit Logs) and retain logs per your compliance framework's guidance (commonly 90 days+ depending on contract).
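A small audit for the Linux item above, as an added example that is not from the post: it parses sudoers drop-in rules and flags the patterns the post warns about (catch-all ALL commands, NOPASSWD, and grants to individual users rather than an admin group). The parser is a deliberate simplification of full sudoers grammar (leading tags only, no aliases), and the sample drop-in is constructed around the post's own example line.

```python
import re

# "who host=(runas) [TAG: ...]commands"; tags are only read at the start of the command list.
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<rest>.+)$")
TAG_RE = re.compile(r"(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*")
SKIP_KEYWORDS = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_rule(line: str):
    m = RULE_RE.match(line)
    if not m:
        return None
    rest, tags = m.group("rest"), []
    while (t := TAG_RE.match(rest)):
        tags.append(t.group(1))
        rest = rest[t.end():]
    return {"who": m.group("who"), "host": m.group("host"),
            "runas": m.group("runas") or "root", "tags": tags,
            "cmds": [c.strip() for c in rest.split(",")]}

def audit_sudoers(text: str):
    """Flag rules that undercut least privilege: ALL commands, NOPASSWD, user-level grants."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line or line.split()[0] in SKIP_KEYWORDS:
            continue
        rule = parse_rule(line)
        if rule is None:
            findings.append((line, "could not parse; review manually"))
            continue
        who = rule["who"]
        if "ALL" in rule["cmds"]:
            findings.append((who, "may run any command (ALL)"))
        if "NOPASSWD" in rule["tags"]:
            findings.append((who, "NOPASSWD on " + ", ".join(rule["cmds"])))
        if not who.startswith("%"):
            findings.append((who, "granted to a user instead of an admin group"))
    return findings

# Constructed sample drop-in; the first rule is the post's own example line.
SAMPLE = """# /etc/sudoers.d/itops (constructed)
%itops ALL=(ALL) NOPASSWD:/usr/bin/systemctl, /usr/bin/journalctl
%itops ALL=(ALL) /usr/bin/apt-get update
bob ALL=(ALL) ALL
"""

if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE):
        print(f"{who}: {finding}")
```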

Risks of not implementing this control and compliance tips

Failing to apply least privilege and MFA increases the likelihood of credential compromise, lateral movement, and exfiltration of contractor-controlled information; consequences include contract loss, mandatory reporting under FAR, remediation orders, and reputational harm. Compliance tips: document policy statements (who can approve privileged access), produce a mapped controls matrix linking each technical control to AC.L1-B.1.I, retain artifacts for audits (policy docs, group lists, MFA reports, review sign-offs), and run tabletop exercises simulating compromised credentials to validate your response and break-glass procedures.

Conclusion

Meeting FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-B.1.I is achievable for small businesses by combining least-privilege RBAC, automated lifecycle management, and enforced MFA—implemented with IdP conditional access, cloud IAM policies, endpoint configuration (LAPS/GPO/sudoers), and logging for evidence. Prioritize phishing-resistant MFA for privileged users, run periodic entitlement reviews, and keep a simple, well-documented evidence package to demonstrate compliance to auditors and contracting officers.
