This post explains how to configure multi-factor authentication (MFA) to satisfy the intent of FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.VI for users, processes, and devices, with practical steps, small-business examples, and the specific technical choices you should document for compliance.
Why MFA is required and the risk of not implementing it
At a high level, FAR 52.204-21 and CMMC 2.0 Level 1 require basic cyber hygiene to protect Controlled Unclassified Information (CUI) and contractor systems; the IA.L1-B.1.VI control emphasizes authentication strength for users, automated processes, and devices. Without MFA you leave credentials as a single point of failure—phished or leaked passwords can enable lateral movement, data exfiltration, ransomware, and loss of contracts or certification. For small businesses working with the DoD, one compromised account can result in a reportable incident, contractual penalties, and lost trust from prime contractors.
Scope: users, processes, and devices — what to cover
Define and inventory three scopes before implementation: (1) human users (employees, contractors, privileged admins), (2) automated processes and service accounts (CI/CD pipelines, scheduled jobs, API clients), and (3) devices/endpoints (workstations, servers, IoT). The Compliance Framework expects coverage across these scopes—document which identities are interactive and which are non-interactive, and ensure each category has an appropriate MFA or equivalent strong authentication mechanism.
Practical implementation steps — users
For interactive users, adopt a cloud or on-prem Identity Provider (IdP) that supports strong MFA methods and conditional policies. Examples: Azure AD (Microsoft Entra ID), Okta, Duo, Google Workspace. Implementation steps: enable user MFA registration enforcement (Azure: "Require MFA registration"), create Conditional Access policies that require MFA for external access and for administrative roles, and exclude only approved trusted IP ranges. Prefer strong second factors: FIDO2/WebAuthn hardware tokens (YubiKey, Feitian), platform authenticators (Windows Hello for Business), or authenticator apps (TOTP); avoid SMS-based OTP as a primary factor because of SIM-swap risk. For local resources (RDP, SSH), integrate MFA via RADIUS/SAML connectors or agents, e.g., the Duo NPS extension for Windows RDP/RD Gateway, or PAM/Duo Unix for SSH; for SSH, consider certificate-based authentication with short-lived certificates plus optional hardware-backed FIDO2 for interactive logins.
Practical implementation steps — processes and devices
Non-interactive processes should not rely on long-lived static credentials. Replace service-account passwords with certificate-based authentication, OAuth2 client credentials with short-lived tokens (and rotate client secrets frequently), or use cloud-managed identities (Azure Managed Identities, AWS IAM Roles with STS). For device authentication, use device certificates (SCEP/EST) or MDM enrollment to ensure device identity and health attestation; couple device identity with conditional access (e.g., "Require device to be marked as compliant" in Azure Conditional Access). For machine-to-machine connections, prefer mutual TLS (mTLS) or signed JWTs issued by an internal CA/STS and rotate keys automatically using automation (HashiCorp Vault, cloud KMS). For CI/CD, use federated identity (OIDC) so runners get short-lived tokens instead of stored secrets (GitHub Actions OIDC → Azure AD example).
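To make the "signed JWTs issued by an internal STS, with keys rotated automatically" pattern concrete, here is an added example (not the post's code and not any vendor's API) of a minimal HS256 token issuer and verifier in the Python standard library. The key identifiers `k1`/`k2`, the key bytes, the subject `build-agent-01` and the audience `deploy-api` are constructed for illustration; a real STS keeps the keys in Vault or a cloud KMS and the verifier fetches them from there. It shows the three properties the text asks for: short lifetime, a pinned audience, and a `kid` header so the previous key stays valid through a rotation until its tokens expire.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed signing keys. Keeping the retired key under its old kid lets tokens issued just before
# a rotation keep verifying until they expire (five minutes here), then it can be dropped.
SIGNING_KEYS = {
    "k1": b"retired-key-constructed-example",
    "k2": b"current-key-constructed-example",
}
CURRENT_KID = "k2"
DEFAULT_TTL_SECONDS = 300


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _json_compact(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(subject: str, audience: str, now: int,
                ttl: int = DEFAULT_TTL_SECONDS, kid: str = CURRENT_KID) -> str:
    """Mint an HS256 JWT for a workload that expires `ttl` seconds after `now`."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    claims = {"sub": subject, "aud": audience, "iat": now, "exp": now + ttl}
    signing_input = _b64url(_json_compact(header)) + "." + _b64url(_json_compact(claims))
    sig = hmac.new(SIGNING_KEYS[kid], signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, expected_aud: str, now: int) -> Optional[dict]:
    """Return the claims only if algorithm, key id, signature, audience and expiry all check out."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
        sig = _b64url_decode(s_b64)
    except (ValueError, json.JSONDecodeError):
        return None
    # Pin the algorithm on the verifier side; the token is never trusted to choose it.
    if header.get("alg") != "HS256":
        return None
    key = SIGNING_KEYS.get(header.get("kid"))
    if key is None:
        return None
    expected = hmac.new(key, (h_b64 + "." + c_b64).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    if claims.get("aud") != expected_aud:
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or now >= exp:
        return None
    return claims


if __name__ == "__main__":
    issued_at = 1_700_000_000  # constructed timestamp
    tok = issue_token("build-agent-01", "deploy-api", issued_at)
    print("valid one minute later:", verify_token(tok, "deploy-api", issued_at + 60) is not None)
    print("valid after expiry:", verify_token(tok, "deploy-api", issued_at + 600) is not None)
```

With a five-minute lifetime a leaked token is only useful for minutes, which is the whole point of replacing stored service-account passwords; pair it with the OIDC federation described above so the runner never holds a long-lived secret at all.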
Small business example scenarios
Example A — 25-employee subcontractor using Microsoft 365: enable "Security defaults" or, better, Conditional Access policies in Azure AD requiring MFA for all access outside the office and for admins; issue hardware keys to IT/admins, require authenticator app for general staff, and enroll devices in Intune for device compliance. Example B — small engineering firm with a VPN and an on-prem file server: deploy Duo for VPN and RADIUS integration with the firewall (Palo Alto, FortiGate, or Cisco ASA), enable MFA on the VPN tunnel, and remove direct username/password logins for privileged workstation RDP by placing RD Gateway behind MFA. Example C — software vendor with automated deployments: stop using shared service account passwords; switch to GitHub Actions OIDC with Azure to mint tokens for deployments and use certificate-based auth for on-prem build agents.
Evidence, logging, and documentation for Compliance Framework audits
To demonstrate compliance, collect policy artifacts and operational evidence: screenshots of Conditional Access or IdP policies, MFA enrollment reports, lists of excluded accounts and approved exceptions, logs of authentication events (Azure AD sign-in logs, MFA challenge logs), and config for service-account authentication (certificate issuance records, short-lived token logs). Maintain a written MFA policy detailing accepted factors, break-glass procedures (emergency admin access with documented approvals), exception workflow and risk acceptance, and periodic review schedule. Keep retention and access logs in your SIEM or cloud logging solution and export samples for auditors.
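Exported sign-in logs only become evidence once someone has looked at them, so here is an added example (not from the post) of the review a small shop can script: find successful interactive sign-ins that completed with a single factor from outside the trusted ranges, and count MFA versus single-factor sign-ins for the audit packet. The sample records are constructed; their field names (`userPrincipalName`, `ipAddress`, `isInteractive`, `authenticationRequirement`, `conditionalAccessStatus`, `status.errorCode`) are assumed to match the Azure AD/Entra sign-in export and should be checked against your own export before use. The trusted range `192.0.2.0/24` stands in for the documented office egress exception.

```python
import ipaddress
import json
from collections import Counter
from typing import Dict, List, Tuple

# Constructed sample sign-in records in the shape of an Azure AD / Entra sign-in export (one JSON object per line).
# Addresses are documentation ranges; a non-zero status.errorCode marks a failed sign-in (value constructed).
SAMPLE_SIGNIN_LOG = """
{"userPrincipalName": "alice@example.test", "ipAddress": "203.0.113.10", "isInteractive": true, "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "success", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.test", "ipAddress": "198.51.100.7", "isInteractive": true, "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@example.test", "ipAddress": "192.0.2.25", "isInteractive": true, "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
{"userPrincipalName": "svc-build@example.test", "ipAddress": "198.51.100.30", "isInteractive": false, "authenticationRequirement": "singleFactorAuthentication", "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@example.test", "ipAddress": "203.0.113.44", "isInteractive": true, "authenticationRequirement": "multiFactorAuthentication", "conditionalAccessStatus": "failure", "status": {"errorCode": 99999}}
"""

# Trusted egress ranges excluded from the MFA policy (constructed; these must appear in your documented exceptions).
TRUSTED_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def parse_signin_log(text: str) -> List[dict]:
    """Parse a newline-delimited JSON export into records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def _succeeded(record: dict) -> bool:
    return record.get("status", {}).get("errorCode", 1) == 0


def find_single_factor_signins(records: List[dict]) -> List[Tuple[str, str]]:
    """Successful interactive sign-ins that finished with one factor from outside trusted ranges.

    Every hit is either a Conditional Access gap or an approved exception; the audit evidence
    should be able to say which, so the output is (user, source IP) pairs to reconcile.
    """
    findings = []
    for r in records:
        if not r.get("isInteractive") or not _succeeded(r):
            continue
        if r.get("authenticationRequirement") == "multiFactorAuthentication":
            continue
        if is_trusted(r["ipAddress"]):
            continue
        findings.append((r["userPrincipalName"], r["ipAddress"]))
    return findings


def mfa_coverage(records: List[dict]) -> Dict[str, int]:
    """Successful interactive sign-ins broken down by authentication requirement, for the audit packet."""
    counts = Counter(
        r.get("authenticationRequirement")
        for r in records
        if r.get("isInteractive") and _succeeded(r)
    )
    return dict(counts)


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    print("coverage:", mfa_coverage(recs))
    for user, ip in find_single_factor_signins(recs):
        print(f"single-factor sign-in to review: {user} from {ip}")
```

Run this over a full month of exports before the assessment: an empty findings list, or one that matches the exception register line for line, is exactly the operational evidence the control asks for.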
Best practices and compliance tips
Implement phased rollouts (pilot group → department → org), require hardware tokens for privileged roles, enforce device compliance checks before granting access, and remove legacy fallback paths (e.g., VPN split tunneling or unnecessary local admin accounts). Create an MFA onboarding guide and run phishing-awareness training. For backups, store recovery codes securely in a company vault (e.g., an enterprise password manager with access controls) and implement an auditable break-glass process. Periodically test your configuration with authentication-flow reviews and red-team exercises focused on social engineering and service-account misuse.
In summary, meeting FAR 52.204-21 and CMMC 2.0 IA.L1-B.1.VI for MFA means taking a holistic, documented approach across users, processes, and devices: inventory identities, choose appropriate MFA mechanisms (favor phishing-resistant factors), eliminate long-lived credentials for automation, enforce device compliance, and produce the artifacts auditors need. For small businesses, practical choices like Azure AD Conditional Access, Duo for VPNs, hardware tokens for admins, and short-lived tokens for CI/CD provide a pragmatic path to compliance while significantly reducing real-world compromise risk.