This post gives practical, step-by-step guidance for configuring firewalls, VPNs, and TLS to meet the basic safeguarding requirements of FAR 52.204-21 and CMMC 2.0 Level 1 (SC.L1-B.1.X), including concrete examples a small business can implement and evidence they should collect for assessments.
Understand the Requirement and Your Risk Profile
FAR 52.204-21 and CMMC Level 1 require "basic safeguarding" of Federal Contract Information (FCI); SC.L1-B.1.X maps to protecting the confidentiality and integrity of information in transit and limiting network exposure. Start by classifying where FCI and related systems live (on-prem, cloud, employee devices) and identify network boundaries where traffic crosses trust zones. For small businesses this usually means: office LAN to Internet, employee remote access, and cloud-hosted contractor systems.
Firewall Configuration: Principles and Concrete Rules
Implement a "default-deny" policy on every firewall (edge, host-based, and cloud security group). Practically: block all inbound connections by default and permit only specific source/destination/port combinations. Example rule set for a small office web service: allow inbound TCP 443 to the webserver's IP from 0.0.0.0/0, allow inbound TCP 22 only from a fixed admin public IP or jump host, and allow outbound DNS (UDP/TCP 53) and HTTPS (TCP 443) from internal subnets. On Linux servers use ufw or iptables (pf on BSD-based firewalls); e.g., with UFW: sudo ufw default deny incoming; sudo ufw allow proto tcp from 203.0.113.5 to any port 22; sudo ufw allow 443/tcp. In AWS use Security Groups plus NACLs: open only the public service port (TCP 443 in this example) and restrict TCP 22 to management IPs. Maintain a firewall rule inventory and a change log as evidence.
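As an added example (not code from the original post), a small Python audit that reads a constructed rule export in an assumed "action proto source_cidr dest_port" format and flags what the default-deny baseline above forbids: management ports reachable from the whole Internet, public inbound rules outside the approved list, and a missing final deny-all rule. The export format, the management-port set and the approved public service are assumptions; adapt them to your firewall's real export.

```python
import ipaddress

# Constructed rule export (assumed format: action proto source_cidr dest_port);
# not taken from any real firewall.
RULE_EXPORT = """\
allow tcp 0.0.0.0/0 443
allow tcp 203.0.113.5/32 22
allow tcp 0.0.0.0/0 22
allow tcp 0.0.0.0/0 3389
allow udp 0.0.0.0/0 53
deny any 0.0.0.0/0 any
"""

MGMT_PORTS = {22, 3389, 5900}      # assumed: never exposed to the whole Internet
APPROVED_PUBLIC = {("tcp", 443)}   # assumed: the only approved public inbound service

def parse_rules(text):
    """Parse the export into dicts; port None means 'any'."""
    rules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        action, proto, src, port = line.split()
        rules.append({"action": action, "proto": proto,
                      "src": ipaddress.ip_network(src, strict=False),
                      "port": None if port == "any" else int(port)})
    return rules

def audit_rules(rules):
    """Return (findings, has_default_deny) for an ordered rule list."""
    findings = []
    for r in rules:
        if r["action"] != "allow":
            continue
        public = r["src"].prefixlen == 0          # 0.0.0.0/0 or ::/0
        if public and r["port"] in MGMT_PORTS:
            findings.append(f"management port {r['port']} open to {r['src']}")
        elif public and (r["proto"], r["port"]) not in APPROVED_PUBLIC:
            findings.append(f"unapproved public inbound {r['proto']}/{r['port']}")
    last = rules[-1] if rules else None
    has_default_deny = bool(last and last["action"] == "deny"
                            and last["port"] is None and last["src"].prefixlen == 0)
    return findings, has_default_deny

if __name__ == "__main__":
    found, ok = audit_rules(parse_rules(RULE_EXPORT))
    print("default deny present:", ok)
    for f in found:
        print("FINDING:", f)
```

Run it against each rule export you keep as evidence; a clean run (no findings, default deny present) is itself an artifact worth retaining with the change log.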
Logging, Alerts, and Retention
Enable stateful logging on firewalls and forward logs to a central location (SIEM, cloud log service, or a secured syslog server). For small businesses use a managed logging service or a low-cost VM running Elastic/Graylog and retain logs for at least 90 days (adjust per contract). Configure alerts for repeated blocked attempts, unusual outbound connections, or port scans. Evidence: firewall rule export, log retention policy, and recent logs showing normal traffic and blocked events.
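Added example (not part of the original post): detection logic for two of the alerts described above, repeated blocked attempts and port scans, run over constructed UFW-style "[UFW BLOCK]" kernel log lines with the unneeded fields trimmed. The two thresholds are assumptions to tune for your environment.

```python
import re
from collections import defaultdict

# Constructed lines in the kernel's "[UFW BLOCK]" format (fields trimmed); not real traffic.
LOG_LINES = """\
Mar 12 10:15:01 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=22
Mar 12 10:15:02 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51235 DPT=22
Mar 12 10:15:03 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51236 DPT=22
Mar 12 10:15:04 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51237 DPT=22
Mar 12 10:15:05 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.7 DST=10.0.0.5 PROTO=TCP SPT=51238 DPT=22
Mar 12 10:16:10 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=21
Mar 12 10:16:10 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=23
Mar 12 10:16:11 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40003 DPT=25
Mar 12 10:16:11 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40004 DPT=110
Mar 12 10:16:12 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40005 DPT=135
Mar 12 10:16:12 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40006 DPT=445
Mar 12 10:16:13 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40007 DPT=3389
Mar 12 10:16:13 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=10.0.0.5 PROTO=TCP SPT=40008 DPT=8080
Mar 12 10:20:00 web kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP SPT=55555 DPT=8443
Mar 12 10:21:00 web sshd[812]: Accepted publickey for admin from 203.0.113.5 port 50111 ssh2
"""

BLOCK_RE = re.compile(r"\[UFW BLOCK\].*?\bSRC=(?P<src>\S+).*?\bDPT=(?P<dpt>\d+)")
REPEAT_THRESHOLD, SCAN_THRESHOLD = 5, 8   # assumed; tune per environment

def summarize_blocks(lines):
    """Count blocked attempts and distinct destination ports per source IP."""
    hits, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        m = BLOCK_RE.search(line)
        if not m:                      # skip non-firewall lines (e.g. sshd)
            continue
        hits[m["src"]] += 1
        ports[m["src"]].add(int(m["dpt"]))
    return hits, ports

def generate_alerts(lines):
    """Return sorted (source, alert_type, count) tuples for the SIEM or e-mail."""
    hits, ports = summarize_blocks(lines)
    alerts = []
    for src, count in hits.items():
        if len(ports[src]) >= SCAN_THRESHOLD:        # many ports = scan
            alerts.append((src, "port scan", len(ports[src])))
        elif count >= REPEAT_THRESHOLD:              # same port, many tries
            alerts.append((src, "repeated blocked attempts", count))
    return sorted(alerts)

if __name__ == "__main__":
    print(generate_alerts(LOG_LINES.splitlines()))
```

The single blocked hit from 203.0.113.9 is below both thresholds and produces no alert, which is the behaviour you want so that normal Internet background noise does not page anyone.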
VPNs: Secure Remote Access and Site Connectivity
Use a VPN to protect remote access to internal resources and to avoid exposing management ports to the internet. For CMMC Level 1, a practical choice is either a modern TLS-based VPN (OpenVPN) or WireGuard. Configure authentication with strong user credentials and, where possible, certificate-based authentication rather than username/password alone. Example WireGuard basics: use Curve25519 keys with a unique keypair per user, keep a fixed ListenPort on the server and open only that UDP port in the firewall to known peers, and restrict AllowedIPs to the internal subnets each peer needs so the tunnel cannot be used for lateral movement. For OpenVPN, use tls-auth or tls-crypt, use AES-256-GCM for the data channel and TLS 1.3 with modern ciphers for the control channel, and disable deprecated options such as static keys and TLS 1.0.
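Added example (not the post's own code) for the WireGuard points above: a Python audit of a constructed server config that flags a PublicKey shared between peers (one keypair per user) and a peer whose AllowedIPs is wider than a single tunnel address. On the server side each peer's AllowedIPs is the one address assigned to that user; the internal-subnet restriction mentioned above belongs in the client config. The keys are labelled placeholders, not real keys.

```python
import ipaddress

# Constructed WireGuard server config; keys are placeholders, not real keys.
SERVER_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# alice-laptop
PublicKey = ALICE_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# bob-laptop
PublicKey = BOB_PUBKEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32

[Peer]
# shared-contractor (bad: reuses alice's key and accepts any source address)
PublicKey = ALICE_PUBKEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
"""

def parse_wg(conf):
    """Minimal INI-style parser that tolerates the repeated [Peer] sections."""
    sections = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        if line.startswith("["):
            sections.append({"_type": line.strip("[]")})
        else:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[-1][key] = value
    return sections

def audit_wg_server(conf):
    """Flag shared keys and over-broad AllowedIPs in a server config."""
    findings, first_seen = [], {}
    peers = [s for s in parse_wg(conf) if s["_type"] == "Peer"]
    for i, peer in enumerate(peers, 1):
        key = peer.get("PublicKey", "")
        if key in first_seen:
            findings.append(f"peer {i} reuses PublicKey of peer {first_seen[key]}")
        first_seen.setdefault(key, i)
        for cidr in peer.get("AllowedIPs", "").split(","):
            net = ipaddress.ip_network(cidr.strip(), strict=False)
            if net.prefixlen < net.max_prefixlen:   # wider than one host
                findings.append(f"peer {i} AllowedIPs {net} is not a single host")
    return findings
```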
Operational Controls for VPNs
Limit VPN account lifetimes and require unique accounts (no shared credentials). Maintain a roster of authorized VPN users and last-login evidence. Disable split tunneling unless absolutely needed; if used, document why and monitor outbound flows. For small businesses using cloud-managed VPN appliances (e.g., AWS Client VPN, Azure VPN Gateway, or vendor appliances like Cisco Meraki), leverage their built-in logging and MFA integration (where available) to strengthen access. Evidence: VPN user list, connection logs, client configuration baseline, and access approvals.
TLS Configuration: Protocols, Ciphers, and Certificate Management
TLS must be configured to use modern versions and ciphers. Require TLS 1.2 minimum and prefer TLS 1.3 where supported. Disable SSLv3/TLSv1.0/TLSv1.1. Example nginx snippet (practical): ssl_protocols TLSv1.2 TLSv1.3; ssl_prefer_server_ciphers on; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384'; ssl_session_cache shared:SSL:10m; ssl_session_tickets off; ssl_stapling on; resolver 1.1.1.1 1.0.0.1 valid=300s; resolver_timeout 5s. Use automated certificate issuance/renewal (ACME/Let's Encrypt or an enterprise PKI) and maintain a certificate inventory with expiration dates to avoid service outages.
Hardening TLS and Practical Tests
Disable weak key exchange (RSA key-exchange), enable forward secrecy (ECDHE), and prefer AEAD ciphers (GCM/ChaCha20-Poly1305). For web services enable HSTS, set secure cookies, and validate with scanners such as Qualys SSL Labs or Mozilla Observatory. Keep server libraries up to date (OpenSSL, NSS). Evidence for assessors: TLS configuration files, SSL/TLS scan reports showing A or A+ grades, cert inventory, and renewal automation logs.
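Added example (not the post's own code) covering the nginx directives in the previous section and the hardening points above: a Python baseline check that parses ssl_* directives from a constructed weak server block and a constructed hardened one, and flags deprecated protocols, suites without ECDHE/DHE (static RSA key exchange), non-AEAD suites, missing OCSP stapling and enabled session tickets. Both config fragments are constructed for the example.

```python
import re

# Constructed nginx server-block fragments (not from the post or any real host).
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'AES128-SHA:ECDHE-RSA-AES128-GCM-SHA256:RC4-MD5';
ssl_prefer_server_ciphers on;
"""
HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384';
ssl_session_tickets off;
ssl_stapling on;
"""

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_MARKERS = ("-GCM-", "CHACHA20-POLY1305")
DIRECTIVE_RE = re.compile(r"^\s*(ssl_\w+)\s+([^;]+);", re.MULTILINE)

def parse_directives(conf):
    """Map each ssl_* directive to its argument string with quotes stripped."""
    return {m.group(1): m.group(2).strip().strip("'\"") for m in DIRECTIVE_RE.finditer(conf)}

def check_tls(conf):
    """Return findings against the baseline; an empty list means it passes."""
    d = parse_directives(conf)
    findings = []
    protos = set(d.get("ssl_protocols", "").split())
    for p in sorted(protos & DEPRECATED_PROTOCOLS):
        findings.append(f"deprecated protocol enabled: {p}")
    if not protos & {"TLSv1.2", "TLSv1.3"}:
        findings.append("neither TLS 1.2 nor TLS 1.3 enabled")
    for suite in filter(None, d.get("ssl_ciphers", "").split(":")):
        if not suite.startswith(("ECDHE-", "DHE-")):   # static RSA key exchange
            findings.append(f"no forward secrecy: {suite}")
        if not any(marker in suite for marker in AEAD_MARKERS):
            findings.append(f"non-AEAD cipher: {suite}")
    if d.get("ssl_stapling") != "on":
        findings.append("OCSP stapling not enabled")
    if d.get("ssl_session_tickets", "on") != "off":    # nginx default is on
        findings.append("session tickets enabled (weakens forward secrecy)")
    return findings

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_tls(conf) or "OK")
```

This is a static check of the configuration file only; pair it with an external scan (SSL Labs or Observatory, as above) because the library build, certificate chain and HSTS headers are not visible from the directives.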
Real-World Small Business Scenarios
Scenario A: Small subcontractor hosting FCI in AWS. Implement Security Groups with least-privilege rules, put management hosts in a bastion host subnet restricted by source IP, require SSM or managed jump hosts instead of opening SSH. Use AWS Client VPN or site-to-site IPsec with strong ciphers. Use Application Load Balancer terminating TLS (TLS 1.2/1.3) with ACM certificates and CloudWatch logs for access analysis.
Scenario B: On-premises office with mixed devices. Use a UTM/firewall (pfSense, Sophos, or SonicWall) configured with default deny, VPN for remote staff (WireGuard/OpenVPN), and a small log server (or cloud logging). Use a documented change control process: ticket for firewall change, reviewer sign-off, and export of rule diffs for compliance evidence.
Risks of Non-Compliance and Practical Mitigations
Failing to implement these controls increases the risk of FCI exposure, contractor breach notifications, contract termination, and loss of reputation. Technically, risks include credential theft via unencrypted channels, lateral movement after exposed management ports, and man-in-the-middle attacks due to weak TLS. Mitigations: enforce baseline configurations, schedule quarterly reviews, use automated scans, and retain artifacts (rule lists, logs, scan reports) for audits. Short-term compensating controls (if immediate remediation isn't possible) include network segmentation and additional monitoring.
Summary: For CMMC 2.0 Level 1 / FAR 52.204-21 compliance, implement default-deny firewalls with documented rule sets and logging, deploy VPNs with certificate-backed authentication and limited scope, and configure TLS to use modern protocols and ciphers with automated certificate management; collect and retain configuration exports, access logs, and scan reports as evidence. These practical steps, when combined with policies and periodic reviews, provide the defensible posture small businesses need to pass assessments and reduce the risk of FCI exposure.