
How to Configure Secure Remote Access and VPNs to Comply with FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.III

Practical, step-by-step guidance for configuring secure remote access and VPNs to meet FAR 52.204-21 and CMMC 2.0 Level 1 access-control requirements, with examples for small businesses.

April 11, 2026


This post gives hands-on, auditable steps to configure secure remote access and VPNs so your small business can satisfy the FAR 52.204-21 safeguarding expectation and the CMMC 2.0 Level 1 access control objective AC.L1-B.1.III — namely: limit and secure remote access to authorized users and authorized devices when handling controlled or contractor information.

Understand the requirement and key objectives

At its core, FAR 52.204-21 and CMMC Level 1 require basic cyber hygiene that prevents unauthorized remote access to contractor information systems. Key objectives for AC.L1-B.1.III include authenticating users before granting remote access, limiting access to authorized accounts and devices, protecting the confidentiality and integrity of remote sessions, and maintaining evidence (logs, configs, policies) to demonstrate compliance during contract reviews or assessments.

Inventory, authorization and least privilege

Step 1 — inventory and access policy

Start by inventorying who needs remote access, what they need to access (servers, file shares, cloud consoles), and why. Create an access policy that specifies approved roles, required approvals, and an access request workflow. For a 20–50 person small business handling Controlled Unclassified Information (CUI), typical roles with VPN access might be DevOps, Program Managers, and Contract Administrators. Limit default VPN accounts and assign least-privilege access to subnets or specific resources rather than allowing blanket access to the internal network.

Choose and configure the VPN technology

Step 2 — select a VPN model and secure defaults

Choose a VPN technology appropriate for your environment: site-to-site IPsec for branch interconnects; client-based SSL/TLS VPN or IKEv2/IPsec for users; or a cloud SASE/ZTNA service for smaller teams that prefer managed controls. Configure strong cryptography: require TLS 1.2+ (prefer TLS 1.3), use AES-256-GCM for data encryption, SHA-256+ for integrity, and at least 2048-bit DH / ECDHE (P-256 or stronger) for ephemeral keys. Disable legacy protocols (PPTP, L2TP without IPsec, SSLv3). Example OpenVPN server settings (strong baseline):

# OpenVPN strong defaults (example)
# Control channel: refuse TLS 1.0/1.1 handshakes
tls-version-min 1.2
# Data channel: AEAD cipher; auth sets the HMAC digest used by tls-auth/tls-crypt
# and by any non-AEAD data-channel cipher
cipher AES-256-GCM
auth SHA256
# Ciphers clients may negotiate (OpenVPN 2.5+ also accepts the newer name data-ciphers)
ncp-ciphers AES-256-GCM:AES-128-GCM
# Keep keys and the tun device across restarts so reconnects do not reread key files
persist-key
persist-tun
# Ping every 10 s; treat the peer as down after 120 s of silence
keepalive 10 120
# Push only the routes clients require
push "route 10.10.0.0 255.255.255.0"

For IKEv2 with strongSwan, example proposals are ike=aes256-sha256-modp2048 and esp=aes256gcm16. Disable split-tunneling for systems accessing CUI — require full-tunnel or explicit per-resource tunnels so traffic to internal assets is inspected and logged.
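As an added example (not code from the original post or from OpenVPN), the Python script below audits an OpenVPN server config against the Step 2 baseline: TLS 1.2+, an AEAD-only data channel, SHA-256 HMAC and a full-tunnel push. The directive mapping, the check wording and both sample configs are assumptions made here.

```python
AEAD_CIPHERS = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305"}
STRONG_AUTH = {"SHA256", "SHA384", "SHA512"}

def parse_openvpn(text):
    """Map each directive to the list of its argument strings; '#' and ';' comments dropped."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if line:
            key, _, args = line.partition(" ")
            opts.setdefault(key, []).append(args.strip())
    return opts

def audit_openvpn(text):
    """Return the findings that fail the baseline; an empty list means the config passes."""
    opts, findings = parse_openvpn(text), []
    tls = opts.get("tls-version-min")
    if tls is None or float(tls[0].split()[0]) < 1.2:
        findings.append("tls-version-min must be set explicitly to 1.2 or higher")
    # OpenVPN 2.5+ calls the negotiable list data-ciphers; ncp-ciphers is its older
    # spelling, and a bare 'cipher' is the fallback used when negotiation is off.
    ciphers = opts.get("data-ciphers") or opts.get("ncp-ciphers") or opts.get("cipher")
    if ciphers is None or not set(ciphers[0].upper().split(":")) <= AEAD_CIPHERS:
        findings.append("data channel must allow only AEAD ciphers (AES-256-GCM preferred)")
    auth = opts.get("auth")
    if auth is None or auth[0].upper() not in STRONG_AUTH:
        findings.append("auth (HMAC digest) must be SHA256 or stronger")
    if not any("redirect-gateway" in p for p in opts.get("push", [])):
        findings.append('no push "redirect-gateway": clients would split-tunnel')
    return findings

# Constructed samples: the post's baseline plus a full-tunnel push, and a legacy config.
STRONG_CONF = """
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
ncp-ciphers AES-256-GCM:AES-128-GCM
push "redirect-gateway def1"
push "route 10.10.0.0 255.255.255.0"
"""
WEAK_CONF = """
cipher BF-CBC
auth SHA1
push "route 10.10.0.0 255.255.255.0"
"""

if __name__ == "__main__":
    for name, conf in (("strong", STRONG_CONF), ("weak", WEAK_CONF)):
        print(name, audit_openvpn(conf) or ["PASS"])
```

Run it against the live server.conf on a schedule and keep the output with the monthly configuration snapshots; a non-empty findings list is the change ticket.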

Strong authentication and device verification

Step 3 — use MFA and certificate-based authentication

Require multi-factor authentication (MFA) for all remote VPN sessions. Prefer factors that are phishing-resistant (hardware tokens, platform authenticators, U2F/FIDO2, or certificate-based authentication) over TOTP alone when feasible. Combine client certificates with user MFA: the certificate verifies the device, and MFA verifies the user. Integrate VPN authentication with a centralized identity provider (RADIUS, SAML, or LDAP-backed MFA providers like Duo, Okta, or Azure AD). Keep enrollment records and a process to revoke certificates immediately when devices are lost or users are offboarded.

Endpoint hardening, device posture and network segmentation

Step 4 — enforce device posture and segment sensitive resources

Implement endpoint checks before granting access: ensure OS patches are current, device encryption enabled, and endpoint protection software running. If your VPN product supports posture checks or device registration, require compliance as part of the login flow. Segment networks so VPN users see only what they need — e.g., place CUI storage on a dedicated VLAN/subnet with firewall rules that restrict access to known application ports and service accounts. Example firewall rule (iptables/ufw style): allow VPN client subnet 10.10.0.0/24 to reach 10.20.0.10:443 (CUI API) and block access to management ports 22/3389 except from admin jump-hosts.
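The segmentation rule above, as an added example written for this post (not a vendor's or the post's own code): an ordered first-match policy that can be evaluated against expected flows before the equivalent iptables rules go live. The VPN client subnet and the CUI API host are from the text; the CUI VLAN 10.20.0.0/24 and the jump-host address 10.30.0.5 are assumed.

```python
import ipaddress

# Ordered, first-match policy mirroring an iptables FORWARD chain. The VPN client
# subnet and the CUI API host come from the post; the CUI VLAN 10.20.0.0/24 and
# the admin jump-host 10.30.0.5 are assumed values for this example.
POLICY = [
    # (name, source, destination, TCP ports or None for any port, action)
    ("mgmt-from-jump", "10.30.0.5/32", "10.20.0.0/24", (22, 3389), "ACCEPT"),
    ("block-mgmt", "0.0.0.0/0", "10.20.0.0/24", (22, 3389), "DROP"),
    ("vpn-to-cui-api", "10.10.0.0/24", "10.20.0.10/32", (443,), "ACCEPT"),
    ("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "DROP"),
]

def evaluate(src, dst, port):
    """Return (rule name, action) for the first rule that matches a TCP flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, src_net, dst_net, ports, action in POLICY:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and (ports is None or port in ports)):
            return name, action
    raise ValueError("policy must end with a catch-all rule")

def to_iptables(chain="FORWARD"):
    """Render the policy as iptables commands in the same order it was evaluated."""
    cmds = []
    for name, src_net, dst_net, ports, action in POLICY:
        rule = f"iptables -A {chain} -s {src_net} -d {dst_net}"
        if ports:
            rule += " -p tcp -m multiport --dports " + ",".join(map(str, ports))
        cmds.append(f'{rule} -m comment --comment "{name}" -j {action}')
    return cmds

# Flows a reviewer expects the policy to decide before the rules go live (constructed).
EXPECTED = [
    ("10.10.0.25", "10.20.0.10", 443, "ACCEPT"),   # VPN user to the CUI API
    ("10.10.0.25", "10.20.0.10", 22, "DROP"),      # VPN user to SSH on the CUI host
    ("10.30.0.5", "10.20.0.10", 3389, "ACCEPT"),   # jump-host to RDP
    ("10.10.0.25", "10.20.0.11", 443, "DROP"),     # another CUI-VLAN host: not allowed
]

def policy_matches_expectations():
    """True when every expected flow gets the intended verdict."""
    return all(evaluate(s, d, p)[1] == want for s, d, p, want in EXPECTED)

if __name__ == "__main__":
    print("\n".join(to_iptables()))
    print("expectations met:", policy_matches_expectations())
```

Rule order matters: the management-port DROP sits before the VPN ACCEPT so that a later, broader allow cannot expose 22/3389 to VPN clients.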

Logging, monitoring, key rotation and incident response

Step 5 — collect evidence and prepare for incidents

Enable detailed VPN logs (authentication events, connection start/end, source IP, assigned client IP) and forward logs to a centralized log server or cloud log store for retention and review. Keep configuration backups and certificate/private-key rotation schedules. For incident response, create a playbook that includes: revoke compromised credentials/certificates, disable affected VPN accounts, revoke and reissue client certs, and perform forensic review of logs. Retain access logs for the period required by your contract (commonly 6–12 months) and produce them during audits.
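As an added example of the evidence and review step (written for this post, not part of it or of OpenVPN), the script below turns OpenVPN server log lines into per-session records (user, source IP, assigned client IP, start/end) and flags source IPs with repeated authentication failures. The message formats follow OpenVPN's server log, but the log lines, addresses and the failure threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Message formats follow OpenVPN's server log; the lines themselves are constructed.
AUTH_OK = re.compile(r"^(\S+ \S+) (\S+?):(\d+) TLS: Username/Password authentication "
                     r"succeeded for username '([^']+)'")
ASSIGN = re.compile(r"^(\S+ \S+) (\S+)/(\S+?):(\d+) MULTI: primary virtual IP for \S+: (\S+)$")
EXIT = re.compile(r"^(\S+ \S+) (\S+)/(\S+?):(\d+) SIGTERM\[[^\]]*\] received, client-instance exiting")
AUTH_FAIL = re.compile(r"^(\S+ \S+) (\S+?):(\d+) TLS Auth Error: ")

SAMPLE_LOG = """\
2026-04-11 08:02:11 198.51.100.7:51234 TLS: Username/Password authentication succeeded for username 'alice'
2026-04-11 08:02:12 alice/198.51.100.7:51234 MULTI: primary virtual IP for alice/198.51.100.7:51234: 10.10.0.6
2026-04-11 08:41:03 alice/198.51.100.7:51234 SIGTERM[soft,remote-exit] received, client-instance exiting
2026-04-11 09:10:40 203.0.113.9:40001 TLS Auth Error: Auth Username/Password verification failed for peer
2026-04-11 09:10:52 203.0.113.9:40002 TLS Auth Error: Auth Username/Password verification failed for peer
2026-04-11 09:11:05 203.0.113.9:40003 TLS Auth Error: Auth Username/Password verification failed for peer
2026-04-11 09:15:30 198.51.100.20:60010 TLS Auth Error: Auth Username/Password verification failed for peer
2026-04-11 09:30:00 198.51.100.20:60011 TLS: Username/Password authentication succeeded for username 'bob'
2026-04-11 09:30:01 bob/198.51.100.20:60011 MULTI: primary virtual IP for bob/198.51.100.20:60011: 10.10.0.7
"""

def parse_vpn_log(text, fail_threshold=3):
    """Return (sessions, suspicious): one evidence record per session, correlated on
    the peer's source IP:port, and source IPs whose failed logins reach the threshold."""
    sessions, open_peers, failures = [], {}, defaultdict(int)
    for line in text.splitlines():
        if m := AUTH_OK.match(line):
            ts, ip, port, user = m.groups()
            open_peers[(ip, port)] = {"user": user, "src_ip": ip, "start": ts,
                                      "assigned_ip": None, "end": None}
        elif m := ASSIGN.match(line):
            ts, _user, ip, port, vip = m.groups()
            if (ip, port) in open_peers:
                open_peers[(ip, port)]["assigned_ip"] = vip
        elif m := EXIT.match(line):
            ts, _user, ip, port = m.groups()
            if rec := open_peers.pop((ip, port), None):
                rec["end"] = ts
                sessions.append(rec)
        elif m := AUTH_FAIL.match(line):
            failures[m.group(2)] += 1
    sessions.extend(open_peers.values())  # still connected when the log was exported
    suspicious = {ip: n for ip, n in failures.items() if n >= fail_threshold}
    return sessions, suspicious

if __name__ == "__main__":
    sessions, suspicious = parse_vpn_log(SAMPLE_LOG)
    print(sessions)
    print("repeated auth failures:", suspicious)
```

The session records are the per-user access evidence an assessor asks for; the failure counts feed the incident playbook's decision to disable an account or revoke a certificate.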

Real-world small business example and practical tips

Example: Acme Engineering, a 30-person DoD contractor, used AWS Client VPN combined with Duo MFA. They created an IAM group for CUI access, restricted VPN pushes to the CUI subnet, disabled split-tunnel for CUI users, and used client certificates issued by an internal CA that the IT admin kept in an HSM-backed process. For evidence, Acme exported VPN configuration snapshots monthly, kept MFA enrollment lists, and archived VPN logs to CloudWatch for 12 months. If you prefer an easier path, a managed ZTNA provider (Cloudflare Access, Zscaler, or Okta Access) can replace a traditional VPN and provide built-in device posture, MFA, and logging with less operational overhead.

Risks of noncompliance and best practices

Failing to properly secure remote access risks unauthorized access, data exfiltration of CUI, contract penalties, loss of DoD contracts, and reputational damage. Best practices: document policies and approval workflows; use strong cryptography; require MFA and device verification; limit network scope; keep logs and configuration snapshots as audit evidence; schedule quarterly reviews and annual pen tests; and have a documented revocation and incident response process.

Summary: Implementing secure remote access to meet FAR 52.204-21 and CMMC 2.0 Level 1 is achievable for small businesses by applying a measured set of controls: inventory and least-privilege access, strong VPN configuration with modern ciphers, MFA plus certificate-based device authentication, device posture checks, tight network segmentation, comprehensive logging, and documented policies and evidence retention. These steps reduce risk, demonstrate compliance, and create an auditable trail for contract requirements.
