Multi-Factor Authentication (MFA) is a straightforward, high-impact control that the FAR 52.204-21 basic safeguarding requirement and CMMC 2.0 Level 1 (IA.L1-B.1.VI) expect contractors to implement for protecting covered contractor information systems; this post gives small businesses practical, step-by-step advice for selecting, configuring, documenting and monitoring MFA so you can both reduce risk and produce evidence for compliance.
Implementation overview — plan, inventory, and policy
Start with a short project plan and inventory: identify all user accounts, privileged/admin accounts, cloud consoles (Azure AD, Google Workspace, AWS), VPN and remote access points, and legacy systems that do not support modern auth. Draft a simple MFA policy that mandates MFA for all privileged and remote access (administrators, remote workers, contractor and vendor logins) and documents approved MFA factors (authenticator apps, hardware tokens, FIDO2; explicitly disallow SMS where feasible). For compliance mapping, annotate each system with the applicable FAR/CMMC citation and a brief statement of how MFA will be enforced and logged.
Technical configurations — concrete steps for common platforms
For Microsoft 365/Azure AD: enable Azure AD MFA or Conditional Access policies. Best practice is to create Conditional Access rules that require MFA for all admins and for sign-ins from unmanaged devices or risky locations; disable legacy/basic authentication (Exchange Online basic auth). Example actions: assign MFA to Directory Roles, enable self-service password reset with MFA verification, and create a Conditional Access policy that targets All Cloud Apps + All Users but excludes a break-glass admin account that is tightly controlled and protected with a hardware token. For Google Workspace: enforce 2-step verification and require security keys for admin accounts. For AWS: enable MFA on the root account and require MFA for privileged IAM roles — enforce via an IAM policy condition such as "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}} so API actions are denied unless MFA is present.
Examples for small businesses
Small-business concrete examples: a 20-person subcontractor can enable Azure AD free MFA for admins and Entra Conditional Access if available through their license, or adopt Duo/Okta for more granular controls. For VPNs, configure RADIUS or SAML with your IdP so users authenticate with MFA before VPN tokens are granted. For SSH access to Linux servers, require certificate-based SSH and integrate Duo or a PAM module that prompts for a second factor; avoid opening SSH directly to the internet without MFA + bastion host. For Windows endpoints, deploy Windows Hello for Business or smart card-based authentication where possible, otherwise use the Microsoft Authenticator app combined with Intune device compliance checks.
Service accounts, legacy systems, and compensating controls
Service or machine accounts that cannot use interactive MFA require compensating controls: convert them to managed identities (Azure Managed Identity, AWS IAM Roles for EC2/Lambda) or use short-lived tokens issued by a secrets manager (HashiCorp Vault, AWS Secrets Manager). If you must keep legacy systems, restrict network access with firewall rules, apply strict least privilege, and monitor any accounts' activity closely with alerting on anomalous behavior. Document any compensating controls in your compliance artifacts and include a risk acceptance signed by leadership if full MFA cannot be immediately applied.
Monitoring, logging, and evidence collection for auditors
Enable and retain authentication logs (Azure Sign-in logs, Google Workspace Audit logs, AWS CloudTrail) and configure alerts for events that matter: MFA disablement, new MFA devices added, failed MFA attempts, and sign-ins from unusual locations. Export logs to a SIEM or even a central log store (Azure Monitor/Log Analytics or an S3 bucket + Athena) and keep snapshots or reports showing MFA-enforcement over time. For an audit package include: system inventory mapping to FAR/CMMC, policy document, screenshots of Conditional Access/MFA settings, list of protected accounts, and sample logs showing successful MFA enforcement over a 30–90 day period.
Compliance tips and best practices
Use phishing-resistant factors for privileged accounts (hardware security keys / FIDO2) and require them for break-glass and admin users. Disable SMS as an enrollment or recovery option where possible, because SMS is susceptible to SIM swapping. Enforce the principle of separate accounts: staff should have a standard user account for daily work and a dedicated admin account for privileged actions, both protected by MFA. Run a pilot with the most critical group (administrators + remote users), measure helpdesk impact, update onboarding/offboarding checklists to include MFA provisioning/deprovisioning, and train users on enrollment and recovery flows. Finally, document your rollout and change control in your enterprise change log so you can show planning and governance during assessment.
Risk of not implementing MFA
Failing to implement MFA leaves credentials as a single point of failure: stolen or phished passwords can give attackers immediate access to email, file shares, IP-connected devices, source code and cloud consoles — a common path to ransomware, data exfiltration or supply-chain compromise. For contractors this can mean lost contracts, suspension from DoD procurements, costly breach remediation, and reputational damage that small businesses rarely recover from quickly. In real-world small-business scenarios, an absent-MFA compromise has led to replacement of entire systems, regulatory reporting obligations, and multi-week business disruption.
Summary — take these steps now: inventory your accounts, choose phishing-resistant MFA for privileged users, enable platform-native MFA and conditional access (or integrate a reputable IdP like Duo/Okta), remove legacy auth where possible, document compensating controls, and keep logs for evidence. With a short project plan, pilot and phased rollout, a small business can meet FAR 52.204-21 and CMMC 2.0 Level 1 expectations for IA.L1-B.1.VI while substantially reducing the likelihood of a damaging compromise.
