
How to Configure MFA and Unique Accounts to Comply with FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.VI

Step-by-step guidance to configure multi-factor authentication and unique user accounts to meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.VI requirements for contractor systems.

April 10, 2026


FAR 52.204-21(b)(1)(v) and (vi), carried into CMMC 2.0 Level 1 as IA.L1-B.1.V and IA.L1-B.1.VI, require contractors to identify the users, processes and devices that access covered contractor information systems and to authenticate (or verify) their identities before allowing access. The control text does not mandate multi-factor authentication at Level 1 (MFA becomes an explicit requirement at Level 2, practice IA.L2-3.5.3), but unique accounts plus MFA is the practical way to satisfy the authentication objective and to keep it satisfied when a password leaks. This post gives a step-by-step approach for small businesses to implement both within the Compliance Framework practice, including specific technical examples, configuration snippets, and operational tips.

What the requirement means for your organization

The objectives are simple: (1) every user, and every process or device acting on the system, is identified by a unique, attributable account (no shared human accounts), and (2) that identity is authenticated before access is granted to contractor information systems that process, store, or transmit Federal Contract Information (FCI). Passwords alone meet the letter of the Level 1 control; MFA is what makes it hold up against phishing and credential stuffing, and it is the baseline this post recommends for any account reachable over a network. For Compliance Framework practice, treat this as a policy + technical implementation pair: document the unique-account and MFA policy, then enforce it on identity providers, endpoints, VPNs, and servers. The policy should cover exception handling (break-glass accounts), account lifecycle rules (provisioning, role changes, and prompt disablement when someone leaves), and logging expectations.

Step-by-step implementation checklist

Start with an inventory: list every system that authenticates someone (cloud identity providers, SaaS, VPN, Windows/Mac/Linux endpoints, RDP/SSH access, service accounts). Next, define account types (human user, privileged admin, service account) and assign a policy to each: human users get unique accounts plus MFA; privileged admin accounts get phishing-resistant MFA (FIDO2 security keys or passkeys) and are kept separate from the same person's day-to-day account; service accounts are non-interactive, cannot log in at a console, and draw their credentials from a vault. Then choose MFA technology that integrates with your environment (Microsoft Entra ID, Google Workspace, Okta, Duo, or native platform MFA) and implement the enforcement policies. Finally, enable logging and alerting, train users on enrollment, and perform quarterly account reviews with a signed attestation that every active account maps to a current person or a documented service.

Technical configurations — cloud identity providers

Examples for common small-business platforms. For Microsoft 365 / Microsoft Entra ID (formerly Azure AD): the simplest baseline is Security Defaults, which requires every user to register for MFA, enforces MFA for administrators and for privileged actions such as Azure portal access, and blocks legacy authentication protocols that cannot carry a second factor. Security Defaults and Conditional Access are mutually exclusive, so if you need finer control (MFA for all interactive sign-ins with a break-glass exclusion, for example), turn Security Defaults off and create a Conditional Access policy instead: target "All users" (excluding one break-glass Global Administrator), target "All cloud apps", and set the grant control to "Require multifactor authentication". Start the policy in report-only mode, review the sign-in log for what it would have blocked, then switch it on. Legacy per-user MFA in the Microsoft 365 admin center still works, but Microsoft recommends Conditional Access over it. For Google Workspace: enforce 2-Step Verification for all users and, on the organizational unit holding your admins, restrict the allowed method to security keys only. For Okta: create an authentication policy (a sign-on policy on Okta Classic) that requires Okta Verify push or a FIDO2/WebAuthn authenticator for every sign-in; limiting the requirement to untrusted networks leaves the office network as a single-factor zone.
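Once the Conditional Access policy is enforced, the sign-in log is where you prove it. The Python script below is an added example, not part of the original post or of any vendor tool: it reads sign-in records in the shape returned by Microsoft Graph /auditLogs/signIns (the same schema Microsoft Sentinel ingests as SigninLogs) and flags successful interactive sign-ins that completed with a single factor, sign-ins that no Conditional Access policy applied to, and any use of the excluded break-glass account. The five records are constructed for illustration, and the break-glass UPN breakglass@contoso.example is an assumption.

```python
"""Audit Microsoft Entra ID sign-in records for MFA enforcement gaps.

Added example (not from the original post). Input records follow the
Microsoft Graph /auditLogs/signIns schema; the sample data is constructed.
"""
import json
from collections import Counter

# Assumption: the one emergency account excluded from the Conditional Access policy.
BREAK_GLASS_UPNS = {"breakglass@contoso.example"}

# Constructed sign-in export for illustration (five records, one per case).
SAMPLE_SIGNINS = json.dumps([
    {"createdDateTime": "2026-04-01T13:02:11Z",
     "userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online",
     "isInteractive": True, "authenticationRequirement": "multiFactorAuthentication",
     "conditionalAccessStatus": "success", "ipAddress": "203.0.113.10",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-01T13:05:40Z",
     "userPrincipalName": "bob@contoso.example", "appDisplayName": "Azure Portal",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-01T13:09:02Z",
     "userPrincipalName": "breakglass@contoso.example", "appDisplayName": "Azure Portal",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "198.51.100.7",
     "status": {"errorCode": 0}},
    {"createdDateTime": "2026-04-01T13:11:30Z",
     "userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Teams",
     "isInteractive": True, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "failure", "ipAddress": "203.0.113.44",
     "status": {"errorCode": 53003}},
    {"createdDateTime": "2026-04-01T13:15:00Z",
     "userPrincipalName": "svc-backup@contoso.example", "appDisplayName": "Microsoft Graph",
     "isInteractive": False, "authenticationRequirement": "singleFactorAuthentication",
     "conditionalAccessStatus": "notApplied", "ipAddress": "203.0.113.2",
     "status": {"errorCode": 0}},
])


def load_signins(text):
    """Parse a JSON array of sign-in records (what a Graph or KQL export gives you)."""
    return json.loads(text)


def audit_signins(records, break_glass=BREAK_GLASS_UPNS):
    """Return (kind, upn, detail) tuples for sign-ins an assessor will ask about."""
    findings = []
    for r in records:
        upn = r["userPrincipalName"].lower()
        if upn in break_glass:
            # Every use of the emergency account is reportable, successful or not.
            findings.append(("break_glass_used", upn, r["createdDateTime"]))
            continue
        if r.get("status", {}).get("errorCode", 0) != 0:
            continue  # a denied sign-in (e.g. CA block, AADSTS53003) is the control working
        if not r.get("isInteractive", True):
            continue  # non-interactive / service principal sign-ins are governed by vaulting, not user MFA
        if r.get("authenticationRequirement") == "singleFactorAuthentication":
            findings.append(("single_factor_success", upn, r.get("appDisplayName")))
        if r.get("conditionalAccessStatus") == "notApplied":
            findings.append(("ca_not_applied", upn, r.get("appDisplayName")))
    return findings


def summarize(findings):
    """Count findings per kind: the numbers that go into the evidence package."""
    return dict(Counter(kind for kind, _, _ in findings))


if __name__ == "__main__":
    results = audit_signins(load_signins(SAMPLE_SIGNINS))
    for kind, upn, detail in results:
        print(f"{kind:22} {upn:32} {detail}")
    print(summarize(results))
```

Treat a single_factor_success whose conditionalAccessStatus is "success" as a triage item rather than a violation: a policy can be satisfied by another grant control such as a compliant device. A notApplied status on an interactive sign-in means no policy covered it at all, which is exactly the gap the "All users / All cloud apps" scoping is meant to close, and every break_glass_used line should match an entry in your exception log.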

Technical configurations — on-prem, SSH, VPN

For Linux servers accessed by SSH, avoid password-only logins: require public-key authentication plus an MFA step. Example sshd_config lines:

# Public key first, then a PAM keyboard-interactive step that carries the MFA prompt
AuthenticationMethods publickey,keyboard-interactive:pam
PasswordAuthentication no
# Named ChallengeResponseAuthentication before OpenSSH 8.7; the old name is still accepted as an alias
KbdInteractiveAuthentication yes
UsePAM yes
Then install an MFA PAM module such as Duo Unix (pam_duo) or a TOTP module (for example pam_google_authenticator) and add it to the sshd PAM stack (Duo example):
# /etc/pam.d/sshd
auth required pam_duo.so
# Comment out the system password stack so key + Duo is the only path:
# Debian/Ubuntu "@include common-auth", RHEL "auth substack password-auth"
Run sshd -t to syntax-check the file, keep an existing session open while you test a fresh login, and confirm the merged result with sshd -T, which prints the effective value of every keyword including anything pulled in by an Include directive.
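Because sshd honours the first value it sees for a keyword, and Debian/Ubuntu include /etc/ssh/sshd_config.d/*.conf at the top of the shipped file, a hardening line appended at the bottom can be silently overridden by an earlier one. The Python checker below is an added example, not from the original post: it parses an sshd_config the way sshd does (first match wins, case-insensitive keywords, stop at the first Match block) and reports which of the settings above are not actually in effect. Both configuration texts are constructed; the weak one shows the override problem, the hardened one passes.

```python
"""Check an sshd_config for the public key + MFA settings described above.

Added example (not from the original post). Mirrors two sshd parsing rules
that trip people up: the FIRST value seen for a keyword wins, and keywords
are case-insensitive. Only the global section is checked; parsing stops at
the first Match block because its settings are conditional.
"""
import re

# Constructed: a Debian/Ubuntu-style file where hardening lines were appended
# at the bottom without removing the originals above them.
WEAK_CONFIG = """\
Include /etc/ssh/sshd_config.d/*.conf
ChallengeResponseAuthentication no
UsePAM yes
PasswordAuthentication yes

# appended later, intending to harden: sshd keeps the first value, 'yes'
PasswordAuthentication no
"""

# Constructed: the settings from this post, plus a Match block that must be ignored.
HARDENED_CONFIG = """\
UsePAM yes
PasswordAuthentication no
KbdInteractiveAuthentication yes
AuthenticationMethods publickey,keyboard-interactive:pam

Match Address 10.0.0.0/8
    AuthenticationMethods publickey
"""


def effective_settings(text):
    """Return ({lowercase keyword: first value}, [Include patterns]) for the global section."""
    settings, includes = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()            # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                                      # conditional section; out of scope here
        if key == "include":
            includes.append(value)
        elif key not in settings:
            settings[key] = value                      # first occurrence wins, as in sshd
    return settings, includes


def audit_sshd(text):
    """Return a list of human-readable findings; empty means the config matches the post."""
    s, includes = effective_settings(text)
    findings = []
    if s.get("passwordauthentication", "yes") != "no":           # OpenSSH default: yes
        findings.append("PasswordAuthentication is not 'no'")
    if s.get("usepam", "no") != "yes":                            # OpenSSH default: no
        findings.append("UsePAM is not 'yes'; keyboard-interactive:pam cannot reach pam_duo")
    kbd = s.get("kbdinteractiveauthentication",
                s.get("challengeresponseauthentication", "yes"))  # pre-8.7 alias; default yes
    if kbd != "yes":
        findings.append("KbdInteractiveAuthentication/ChallengeResponseAuthentication is not 'yes'")
    # AuthenticationMethods: space-separated alternative chains of comma-separated methods.
    for chain in s.get("authenticationmethods", "any").split():
        steps = [step.split(":", 1)[0] for step in chain.split(",")]
        if "publickey" not in steps or "keyboard-interactive" not in steps:
            findings.append(f"AuthenticationMethods chain '{chain}' does not require publickey AND keyboard-interactive")
    if includes:
        findings.append("Include present (%s): included files apply at that point and beat later lines; "
                        "verify with 'sshd -T'" % ", ".join(includes))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd(cfg) or ["OK"])
```

Run it against a copy of /etc/ssh/sshd_config before restarting the daemon; on a live host, `sshd -T` remains the authority because it resolves Include files and Match blocks this checker deliberately leaves alone.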
For VPN concentrators (FortiGate, Palo Alto GlobalProtect, OpenVPN), integrate with an MFA provider via RADIUS or SAML. For example, point the VPN at RADIUS on a Windows NPS server and install the Microsoft Entra multifactor authentication NPS extension, or run the Duo Authentication Proxy as the RADIUS server, so every VPN login gets a push or TOTP challenge after the password. One caveat: RADIUS carries a password and at most a typed one-time code, so it cannot deliver FIDO2 security keys; where the VPN supports SAML, authenticate through the identity provider instead and you inherit whatever MFA policy you set there, including phishing-resistant methods.

Service accounts, shared accounts, and vaulting

Do not use shared human accounts. If an application requires a non-human identity, use a service account with the minimum privilege and store its keys/credentials in a secrets manager (1Password Business, LastPass Enterprise, HashiCorp Vault, Azure Key Vault). Configure short-lived credentials where possible (e.g., AWS STS or Azure Managed Identities). For any unavoidable shared credential (legacy systems), record it in the vault, require multi-person approval for retrieval, and rotate credentials automatically on a regular cadence (90 days or faster) — document these controls in your Compliance Framework artifacts.

Small-business real-world scenarios

Scenario A: A small contractor using Microsoft 365 and Entra ID: enable Security Defaults (or Conditional Access), require MFA for remote access, protect the break-glass Global Administrator with a FIDO2 hardware key kept offline and exclude that account from the Conditional Access policy, alert on any sign-in by it, and stream sign-in logs to Microsoft Sentinel or another SIEM (or at minimum a Log Analytics workspace) for monitoring. Scenario B: A dev shop with Linux servers and OpenVPN: enforce SSH public-key auth + Duo PAM, integrate OpenVPN with Duo via RADIUS, and use a password manager to hold service account credentials. Scenario C: A subcontractor with a limited budget: use Google Workspace enforced 2-Step Verification, a low-cost MFA provider (Duo Free or Google Authenticator for TOTP), and a paid password manager for service credentials so that no two people ever share a login.

Compliance tips and best practices

Keep these pragmatic tips: apply least privilege and role-based access control (RBAC); require MFA for all remote and privileged access; use hardware security keys (FIDO2) for admins where feasible; maintain an exception log for any shared-account usage and a documented expiration for exceptions; enforce multi-factor for any cloud management console (AWS, Azure, GCP); run quarterly user access reviews and remove orphaned accounts promptly; and automate evidence collection (screenshots, logs, conditional access policy IDs) so auditors can validate controls quickly. Train staff on enrolling factors and phishing-resistant MFA choices.

Risks of not implementing unique accounts and MFA

Without unique accounts and MFA you risk credential compromise, unauthorized access, lateral movement, and data exfiltration of FCI. For federal contractors this can mean lost contracts, corrective action plans, or debarment — plus reputational damage and direct financial loss. Technically, password-only access makes brute-force or credential-stuffing feasible; shared accounts remove accountability and hinder incident investigations. From a Compliance Framework standpoint, failure to document and enforce these controls will lead to non-conformance findings during assessments.

Summary: Unique accounts and authenticated access are what FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V / IA.L1-B.1.VI ask for; adding MFA is the straightforward, high-impact way to make that authentication hold up, and it positions you for the explicit MFA requirement at Level 2. Start with an inventory, choose an integrated MFA solution that matches your environment, enforce unique accounts and vault service credentials, configure platform-specific policies (Entra Conditional Access, Google Workspace 2SV, Duo PAM for SSH), enable logging and periodic review, and document everything in your Compliance Framework practice artifacts. These concrete steps reduce risk, simplify audits, and are practical for small businesses operating under federal contracts.

 
