FAR 52.204-21 and CMMC 2.0 Level 1 control AC.L1-B.1.III require organizations to restrict external access to systems processing government data — which in practice means combining a hardened VPN, strong multi-factor authentication (MFA), and endpoint controls (posture checks, EDR, encryption) so that only verified, compliant devices and users can access sensitive resources from outside your network.
Key objectives
The primary objectives for this control are: (1) ensure only authenticated and authorized external users can reach internal systems, (2) verify device posture before granting access, and (3) create auditable records of access attempts and actions. From a Compliance Framework perspective, you must demonstrate technical configuration (VPN and MFA settings), administrative policies (who can request remote access, enrollment practices), and operational evidence (logs, device inventory, posture failures and remediation).
Risks of not implementing these controls
Failing to implement VPN + MFA + endpoint controls exposes you to credential theft, lateral movement, and data exfiltration — especially dangerous for contractors handling Controlled Unclassified Information (CUI). Unprotected RDP/SSH portals and unmanaged remote endpoints are common attack vectors; without posture checks an attacker can use a compromised or out-of-date device to pivot into environments that store government data, resulting in contract loss, fines, and reputational damage.
Practical implementation — VPN configuration
Choose and configure the right VPN
Use a modern VPN solution that supports strong cryptography, client authentication, and integration with your identity provider. Options include WireGuard, OpenVPN Access Server, vendor cloud VPNs (AWS Client VPN, Azure VPN Gateway), or a SASE offering. Key configuration details: for TLS-based VPNs such as OpenVPN, require TLS 1.2 or 1.3, prefer ECDHE (P-256/P-384) for key exchange, and use AES-256-GCM or ChaCha20-Poly1305 for the data channel (WireGuard uses ChaCha20-Poly1305 and Curve25519 by design and has no cipher negotiation to configure); require client certificates AND user credentials (mutual TLS plus a user login) where possible. Disable split tunneling for access to CUI systems: in OpenVPN push "redirect-gateway def1" to clients from the server config; in WireGuard set the client's AllowedIPs to 0.0.0.0/0 (and ::/0 where IPv6 is present, otherwise IPv6 traffic bypasses the tunnel) so that all traffic is forced through the tunnel. Limit admin interfaces to a management network and restrict VPN server access with firewall rules (e.g., allow UDP 51820 for WireGuard only from known IP ranges if applicable).
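The following is an added example, not code from the original page or from any VPN vendor: a small audit script that checks an OpenVPN server config against the hardening points above (TLS floor, AEAD data ciphers, mutual TLS plus user credentials, and no split tunneling). The directive names are real OpenVPN 2.5+ directives; the two sample configs are constructed for the example.

```python
"""Audit an OpenVPN server.conf against the hardening points in the text.
Added example: directives are real OpenVPN 2.5+ names, sample configs are constructed."""
import re

WEAK_CONF = """\
dev tun
cipher AES-128-CBC
tls-version-min 1.0
push "route 10.0.0.0 255.0.0.0"
verify-client-cert none
"""

HARDENED_CONF = """\
dev tun
tls-version-min 1.2
data-ciphers AES-256-GCM:CHACHA20-POLY1305
verify-client-cert require
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so login
push "redirect-gateway def1"
"""

STRONG_CIPHERS = {"AES-256-GCM", "CHACHA20-POLY1305"}

def parse_conf(text):
    """Map each directive to the list of argument strings it appears with."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if line:
            name, _, args = line.partition(" ")
            conf.setdefault(name, []).append(args.strip())
    return conf

def audit_openvpn(text):
    """Return the list of findings; an empty list means the config passes."""
    c, findings = parse_conf(text), []
    m = re.match(r"(\d+)\.(\d+)", c.get("tls-version-min", [""])[0])
    if not m or (int(m[1]), int(m[2])) < (1, 2):          # TLS 1.2+ required
        findings.append("tls-version-min must be 1.2 or higher")
    ciphers = set(c.get("data-ciphers", [""])[0].split(":")) - {""}
    if not ciphers or not ciphers <= STRONG_CIPHERS:       # AEAD ciphers only
        findings.append("data-ciphers must be AES-256-GCM and/or CHACHA20-POLY1305")
    if c.get("verify-client-cert", ["require"])[0] != "require":  # 2.5+ default is require
        findings.append("verify-client-cert must be require (mutual TLS)")
    if "auth-user-pass-verify" not in c and not any("auth-pam" in p for p in c.get("plugin", [])):
        findings.append("no user-credential check (auth-user-pass-verify or auth-pam plugin)")
    if not any("redirect-gateway" in p for p in c.get("push", [])):  # full tunnel
        findings.append('missing push "redirect-gateway def1" (split tunneling allowed)')
    return findings
```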
Practical implementation — Multi-factor authentication
Integrate MFA into the VPN and privileged access
MFA must be enforced at authentication points: VPN, cloud SSO, and any remote admin access (RDP, SSH). Use phishing-resistant methods (FIDO2/WebAuthn hardware tokens like YubiKey) for privileged accounts and staff with CUI access. For general users, push or TOTP (Authy, Google Authenticator, Microsoft Authenticator) is acceptable for Level 1. Architect MFA with a central identity provider (Azure AD, Okta, Duo) and use RADIUS / SAML or native integrations to plug into your VPN. For SSH, eliminate password logins and require key-based auth bound to a hardware token or an SSH CA; for RDP, require MFA bridging with an NPS/RADIUS agent. Avoid SMS-based OTPs for privileged users due to SIM swap risks.
Practical implementation — Endpoint controls and posture enforcement
Device hygiene, MDM, and network access control
Enforce endpoint controls via an MDM and a posture-check workflow that runs before VPN access is granted. Requirements should include full-disk encryption (BitLocker/FileVault), EDR presence with up-to-date definitions, OS patch level within a defined window (e.g., no more than 30 days behind), local firewall active, and no evidence of compromise. Implement NAC or conditional access: if posture fails, place the device in a remediation VLAN, deny access to CUI systems, and provide automated remediation steps (install agent, run updates). Use device certificates issued through an internal CA or SCEP for strong device identity, and ensure local admin rights are restricted; automate enrollment with Intune, Jamf, or your chosen MDM for consistent baseline policy enforcement.
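An added example (not the page's own code and not any MDM vendor's API) of the posture decision described above: each baseline item becomes a check, a failing device is routed to the remediation VLAN with the steps to push, and a compliant one reaches the CUI network. The posture record fields and the sample devices are constructed for the example.

```python
"""Posture evaluation for the NAC decision in the text. Added example; the record
format is a constructed stand-in for whatever your MDM/EDR actually reports."""
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # the text's example window

# Remediation step pushed for each failed check (constructed wording).
REMEDIATION = {
    "disk_encryption": "enable BitLocker/FileVault via MDM policy",
    "edr_present": "install the EDR agent",
    "edr_current": "force an EDR definition update",
    "patch_age": "run OS updates",
    "firewall": "enable the local firewall",
    "compromise": "isolate the host and open an incident; no self-remediation",
    "device_cert": "re-enroll via SCEP to obtain a device certificate",
}

def failed_checks(dev, today):
    """Return the check codes this posture record fails, in baseline order."""
    failed = []
    if not dev.get("disk_encrypted"):
        failed.append("disk_encryption")
    if not dev.get("edr_installed"):
        failed.append("edr_present")
    elif not dev.get("edr_definitions_current"):
        failed.append("edr_current")
    patch_age = (today - date.fromisoformat(dev["last_patch"])).days
    if patch_age > MAX_PATCH_AGE_DAYS:
        failed.append("patch_age")
    if not dev.get("firewall_on"):
        failed.append("firewall")
    if dev.get("compromise_indicators"):
        failed.append("compromise")
    if not dev.get("device_cert_valid"):
        failed.append("device_cert")
    return failed

def decide_access(dev, today):
    """Compliant -> CUI VLAN; otherwise remediation VLAN plus the steps to push."""
    failed = failed_checks(dev, today)
    if not failed:
        return {"vlan": "cui", "steps": []}
    return {"vlan": "remediation", "steps": [REMEDIATION[c] for c in failed]}

# Constructed sample posture records as an MDM might report them.
TODAY = date(2024, 6, 1)
COMPLIANT = {"disk_encrypted": True, "edr_installed": True, "edr_definitions_current": True,
             "last_patch": "2024-05-20", "firewall_on": True, "device_cert_valid": True}
STALE = dict(COMPLIANT, last_patch="2024-04-01", edr_definitions_current=False)
```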
Logging, evidence collection, and ongoing compliance
Document and retain logs to demonstrate compliance: authentication logs (who/when/from where), VPN connection metadata (device ID, posture checks), and EDR alerts. Forward logs to a central SIEM or log store (Splunk, Elastic, Azure Sentinel) and retain according to your contract/policy (common practice: 90 days for authentication events, longer for incident data). Maintain configuration snapshots of VPN and MFA policies (exported configs or screenshots), MDM policies, and evidence of enrollment/patch status for each device. Schedule periodic verification: review access lists quarterly, perform vulnerability scans monthly, and run tabletop incident response exercises annually.
Small-business example and checklist
Example: a 20-person small defense contractor. Implementation checklist: deploy Azure AD for identity, enable Conditional Access requiring MFA for all external sign-ins, use Azure VPN or OpenVPN with client certs + Azure AD RADIUS for the VPN, enroll devices in Intune with BitLocker and Defender for Business (EDR), and configure Conditional Access to allow VPN only from compliant devices. Keep an access spreadsheet mapping users to CUI roles, maintain a log retention policy, and create an emergency access account process (break-glass with hardware tokens, logged and reviewed). This configuration meets AC.L1-B.1.III by ensuring only authenticated users on compliant endpoints can reach systems hosting CUI from external networks.
Compliance tips and best practices
Operationalize compliance: automate posture checks and VPN provisioning, document change control for VPN/MFA configuration, and require proof of device enrollment before onboarding new users. Maintain at least two administrators with hardware token MFA for emergency access, rotate keys/certificates on a scheduled cadence (e.g., annually for certs), and disable legacy protocols (PAP, MS-CHAPv2) that weaken authentication. Conduct periodic audits and simulated phishing to ensure MFA enrollment and user awareness remain effective.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-B.1.III requires a layered approach: a hardened VPN configured with modern ciphers and no split tunneling for sensitive traffic, strong MFA (preferably phishing-resistant for privileged accounts), and endpoint posture enforcement via MDM/EDR/NAC. For small businesses this can be achieved with a combination of cloud identity services, affordable EDR/MDM offerings, and strict logging/documentation practices that together form auditable evidence of compliance.