This post provides a practical, step-by-step approach to implementing FAR 52.204-21 and the CMMC 2.0 Level 1 control AC.L1-b.1.i (limit information system access to authorized users, processes acting on behalf of authorized users, and authorized devices), aimed at small businesses that must protect Federal Contract Information (FCI) while keeping implementation affordable and auditable.
Overview and Compliance Context
FAR 52.204-21 requires contractors to apply 15 basic safeguarding requirements to any information system that processes, stores, or transmits FCI, and CMMC 2.0 Level 1 is built from those same requirements. AC.L1-b.1.i is the first of them: access to information systems must be limited to authorized users, processes acting on behalf of authorized users, and authorized devices (including other information systems). Implementation should be documented, repeatable, and demonstrable to assessors or contracting officers. In compliance-framework terms, treat this control as a combination of policy, identity lifecycle, device management, access enforcement, and monitoring/recording for evidence.
Step 1 — Identify and Inventory Users, Processes, and Devices
Begin with a living inventory: a directory of user accounts (employees, contractors, service accounts), a catalog of authorized processes/services (web apps, scheduled jobs, APIs), and an inventory of devices (corporate laptops, mobile devices, IoT/OT equipment). Capture owner, purpose, data classification (FCI vs public; if a system also handles CUI you are in CMMC Level 2 scope), location, and authentication method. For small businesses, a spreadsheet or lightweight CMDB is acceptable if it includes date-stamped records; include columns for account creation date, last login, associated group membership, and deprovisioning status. This inventory is your primary evidence artifact for assessors and the basis for every access decision that follows, so every other step should reconcile back to it.
Practical example — small manufacturing firm
A 25-person shop might track: 20 employee user accounts in Azure AD, 3 service accounts for backups and ERP integrations, 12 Windows laptops managed via Microsoft Intune, 6 operator tablets on a separate OT VLAN, and one on-prem file server. The inventory must show which accounts can access contract-related documents and which devices are allowed on networks carrying that data.
Step 2 — Implement Access Controls for Users
Apply least privilege and role-based access: map job functions to access roles, create AD/IdP groups for those roles, and assign permissions at the group level rather than to individual accounts. Implement account lifecycle controls: automated provisioning/deprovisioning via HR triggers or SCIM where possible, disable or remove accounts within 24–72 hours of departure (write the number into policy so it can be measured), and eliminate shared interactive accounts because they make logon events unattributable. Where feasible, require multifactor authentication (MFA) for access to cloud services and any system storing contract data. Azure AD (Microsoft Entra ID) Conditional Access or Google Workspace context-aware access are practical solutions; note that Conditional Access requires an Entra ID P1 license, while the free tier's security defaults still enforce MFA for all users. For on-prem Windows, enforce User Rights Assignment settings in Group Policy such as "Deny log on locally" on sensitive systems, and centrally manage local admin rights (use LAPS so each machine's built-in administrator password is unique and rotated). Document group membership reports and Conditional Access policies as artifacts.
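The following is an added example, not code from the original post, showing how the Step 1 inventory and the Step 2 lifecycle rules can be reconciled into a dated access-review artifact. It assumes the inventory is exported as a CSV with the columns shown and that HR can export a roster with a separation date; the accounts, groups, roster entries, and dates are constructed sample data, and the thresholds are the post's own (72-hour deprovisioning window, a 90-day staleness limit chosen here for illustration).

```python
"""Quarterly access review: reconcile the Step 1 inventory with the HR roster.

Added example, not code from the original post. It assumes the inventory is a
CSV with the columns shown below and that HR can export a roster with a
separation date; both datasets here are constructed sample data.
"""
import csv
import io
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inventory (the Step 1 columns: owner, type, group
# membership, creation date, last login, status). Dates are ISO 8601, UTC.
INVENTORY_CSV = """\
account,owner,type,groups,created,last_login,status
jsmith,Jane Smith,employee,FCI-Engineering;Staff,2022-03-01,2024-05-10,enabled
bjones,Bob Jones,employee,FCI-Engineering;Domain Admins,2021-07-15,2024-01-02,enabled
svc-backup,IT,service,Backup-Operators,2021-01-10,2024-05-11,enabled
frontdesk,Shared,shared,Staff,2020-01-01,2024-05-09,enabled
tlee,Tom Lee,employee,Staff,2023-02-01,2024-05-01,enabled
"""

# Constructed HR roster: current status and, for leavers, the separation date.
HR_ROSTER_CSV = """\
owner,status,separation_date
Jane Smith,active,
Bob Jones,terminated,2024-05-01
Tom Lee,active,
"""

# Review thresholds. Put the same numbers in the written policy so the script
# and the policy cannot drift apart.
DEPROVISION_SLA = timedelta(hours=72)          # the post's 24-72 hour window
STALE_AFTER = timedelta(days=90)               # assumed policy value
PRIVILEGED_GROUPS = {"Domain Admins", "Backup-Operators"}
APPROVED_PRIVILEGE = {"svc-backup": {"Backup-Operators"}}  # documented approvals
SAMPLE_NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)    # review date for the sample


def load_csv(text):
    return list(csv.DictReader(io.StringIO(text)))


def as_utc(date_str):
    return datetime.fromisoformat(date_str).replace(tzinfo=timezone.utc)


def review_access(inventory_csv, roster_csv, now):
    """Return findings the reviewer must act on (or document as exceptions)."""
    roster = {r["owner"]: r for r in load_csv(roster_csv)}
    findings = []
    for acct in load_csv(inventory_csv):
        name = acct["account"]
        groups = set(acct["groups"].split(";"))
        enabled = acct["status"] == "enabled"
        hr = roster.get(acct["owner"])

        # Leaver whose account is still enabled past the deprovisioning SLA.
        if hr and hr["status"] == "terminated" and enabled:
            left = as_utc(hr["separation_date"])
            if now - left > DEPROVISION_SLA:
                findings.append({"account": name, "issue": "not-deprovisioned",
                                 "detail": f"owner separated {left.date()}"})
        # Employee account with no matching person on the roster.
        if acct["type"] == "employee" and hr is None:
            findings.append({"account": name, "issue": "no-hr-owner",
                             "detail": acct["owner"]})
        # Shared interactive accounts defeat attribution; the post says remove them.
        if acct["type"] == "shared":
            findings.append({"account": name, "issue": "shared-account", "detail": ""})
        # Enabled but unused for longer than the staleness threshold.
        last = as_utc(acct["last_login"])
        if enabled and now - last > STALE_AFTER:
            findings.append({"account": name, "issue": "stale",
                             "detail": f"last login {last.date()}"})
        # Privileged group membership without a documented approval.
        unapproved = (groups & PRIVILEGED_GROUPS) - APPROVED_PRIVILEGE.get(name, set())
        if unapproved:
            findings.append({"account": name, "issue": "unapproved-privilege",
                             "detail": ";".join(sorted(unapproved))})
    return findings


def evidence_report(findings, now):
    """Date-stamped summary to file with the review sign-off."""
    counts = {}
    for f in findings:
        counts[f["issue"]] = counts.get(f["issue"], 0) + 1
    return {"review_date": now.date().isoformat(),
            "findings": findings, "counts": counts}


def run_sample():
    return evidence_report(review_access(INVENTORY_CSV, HR_ROSTER_CSV, SAMPLE_NOW), SAMPLE_NOW)


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=2))
```

On the sample data the review flags bjones three times (still enabled 11 days after separation, no login for over 90 days, and an unapproved Domain Admins membership) and the frontdesk shared account once; the service account passes because its privileged group is on the approval list. Run it against real exports (for example `Get-ADUser -Properties LastLogonDate,MemberOf` or an Entra ID user export mapped onto the same columns) and keep the JSON output with the signed review.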
Step 3 — Limit and Authorize Processes and Service Accounts
Ensure that only approved processes and service accounts can access sensitive resources. Use group managed service accounts (gMSA) in Active Directory for Windows services so no human holds the password, and create tightly scoped Linux service accounts with no login shell and minimal sudo privileges defined as explicit sudoers entries, e.g., backupuser ALL=(root) NOPASSWD: /usr/bin/rsync. Treat such rules with care: rsync run as root can read or overwrite any file and can spawn a command through its -e option, so a rule like this is effectively root; prefer running the backup as an unprivileged account that has only the filesystem permissions it needs, and grant sudo only to binaries that cannot be turned into a shell. Implement application allowlisting: AppLocker or Windows Defender Application Control (WDAC) for Windows hosts, and fapolicyd (RHEL-family) or, at minimum, signed packages from trusted repositories and containerization on Linux. Restrict API keys and service credentials to specific hosts or source IPs, rotate them regularly, and never embed them in scripts checked into shared repositories. Keep a registry of approved service accounts with their assigned capabilities and scheduled review dates for audit evidence.
Step 4 — Control Devices and Network Access
Control which devices may access systems that hold contract data. Use MDM (Microsoft Intune, Jamf, or similar) to enforce device configuration, ensure disk encryption (BitLocker, FileVault), and require device compliance for access. Implement network segmentation: put CUI/FCI services on a separate VLAN and restrict access with ACLs or firewall rules; for wired/wireless access enforcement use Network Access Control (802.1X) or a simpler NAC product and maintain a device certificate inventory. For cloud resources, restrict access to known device identities via conditional access policies that check device compliance. Record device compliance reports, VLAN maps, and firewall rulesets as part of evidence.
Step 5 — Logging, Monitoring, and Collecting Evidence
Enable and centralize logs to demonstrate controls are working: collect authentication logs (Azure AD sign-in logs; Windows Security Event IDs 4624 for successful logons, 4625 for failed logons, and 4634 for logoffs, which require the Logon/Logoff audit subcategory to be enabled for both success and failure; Linux /var/log/auth.log or /var/log/secure), NAC connection logs, MDM compliance reports, and application audit trails. Retain logs for the period required by contract or policy and document that retention period. Create periodic reports showing account reviews, disabled accounts, and device compliance status. For assessments, provide snapshots: group membership exports, Conditional Access policy exports, GPO settings, sample event logs showing denied access attempts (4625 events and Conditional Access failures), and signed policy documents. Where possible, automate evidence collection with scripts or SIEM dashboards to reduce manual effort during assessment.
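As an added example (not code from the original post), the script below runs the device and account checks from Steps 1, 2 and 4 over an exported Windows Security log and produces the kind of evidence summary this step describes. It assumes the events were exported as JSON lines with the field names used here (map your SIEM's or a Get-WinEvent export's names onto them); the authorized-user and device sets and the event lines are constructed sample data, and the 5-failures-in-10-minutes threshold is an assumed policy value.

```python
"""Turn an exported Windows Security log into AC.L1 evidence and alerts.

Added example, not code from the original post. It assumes events were
exported as JSON lines with the field names used below (map your SIEM's or
Get-WinEvent's names onto them); the inventories and events are constructed.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# From the Step 1 inventory: accounts and devices authorized for the FCI file server.
AUTHORIZED_USERS = {"jsmith", "tlee", "svc-backup"}
AUTHORIZED_DEVICES = {"LT-ENG-01", "LT-ENG-02", "FS-01"}

FAILURE_BURST = 5                       # this many 4625s for one account ...
FAILURE_WINDOW = timedelta(minutes=10)  # ... inside this window is a finding

# Constructed sample export. 4624 = logon succeeded, 4625 = logon failed,
# 4634 = logoff. logon_type 2 = interactive, 3 = network, 10 = RDP.
SAMPLE_EVENTS = """\
{"time":"2024-05-12T08:00:10Z","event_id":4624,"user":"jsmith","workstation":"LT-ENG-01","logon_type":2}
{"time":"2024-05-12T08:05:00Z","event_id":4624,"user":"tlee","workstation":"LT-ENG-02","logon_type":3}
{"time":"2024-05-12T08:06:02Z","event_id":4625,"user":"tlee","workstation":"LT-ENG-02","logon_type":3}
{"time":"2024-05-12T08:07:12Z","event_id":4624,"user":"bjones","workstation":"LT-ENG-02","logon_type":3}
{"time":"2024-05-12T08:09:30Z","event_id":4624,"user":"jsmith","workstation":"DESKTOP-7Q2K","logon_type":10}
{"time":"2024-05-12T08:10:01Z","event_id":4625,"user":"Administrator","workstation":"WS-UNKNOWN","logon_type":3}
{"time":"2024-05-12T08:10:09Z","event_id":4625,"user":"Administrator","workstation":"WS-UNKNOWN","logon_type":3}
{"time":"2024-05-12T08:10:18Z","event_id":4625,"user":"Administrator","workstation":"WS-UNKNOWN","logon_type":3}
{"time":"2024-05-12T08:10:27Z","event_id":4625,"user":"Administrator","workstation":"WS-UNKNOWN","logon_type":3}
{"time":"2024-05-12T08:10:36Z","event_id":4625,"user":"Administrator","workstation":"WS-UNKNOWN","logon_type":3}
{"time":"2024-05-12T08:30:00Z","event_id":4634,"user":"jsmith","workstation":"LT-ENG-01","logon_type":2}
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["time"] = datetime.fromisoformat(e["time"].replace("Z", "+00:00"))
        events.append(e)
    return sorted(events, key=lambda e: e["time"])


def analyze(events):
    """Findings as (kind, account, workstation, time) tuples."""
    findings = []
    recent_failures = defaultdict(deque)  # account -> timestamps of recent 4625s
    burst_reported = set()
    for e in events:
        user, host = e["user"].lower(), e["workstation"].upper()
        if e["event_id"] == 4624:
            # Success from an account or device the inventory does not authorize.
            if user not in AUTHORIZED_USERS:
                findings.append(("unauthorized-account", user, host, e["time"]))
            if host not in AUTHORIZED_DEVICES:
                findings.append(("unknown-device", user, host, e["time"]))
        elif e["event_id"] == 4625:
            # Sliding window over failures per account (password spray / brute force).
            q = recent_failures[user]
            q.append(e["time"])
            while e["time"] - q[0] > FAILURE_WINDOW:
                q.popleft()
            if len(q) >= FAILURE_BURST and user not in burst_reported:
                burst_reported.add(user)
                findings.append(("failed-logon-burst", user, host, e["time"]))
    return findings


def evidence_summary(events, findings):
    """Counts an assessor can sample against the raw export."""
    by_id = defaultdict(int)
    for e in events:
        by_id[e["event_id"]] += 1
    kinds = ("unauthorized-account", "unknown-device", "failed-logon-burst")
    return {
        "window": [events[0]["time"].isoformat(), events[-1]["time"].isoformat()],
        "logons_4624": by_id[4624],
        "denied_4625": by_id[4625],
        "logoffs_4634": by_id[4634],
        "findings": {k: sum(1 for f in findings if f[0] == k) for k in kinds},
    }


def run_sample():
    events = parse_events(SAMPLE_EVENTS)
    findings = analyze(events)
    return findings, evidence_summary(events, findings)


if __name__ == "__main__":
    findings, summary = run_sample()
    for kind, user, host, when in findings:
        print(f"{when.isoformat()}  {kind:22} {user}@{host}")
    print(json.dumps(summary, indent=2))
```

On the sample data it raises three findings: a successful logon by bjones, who is no longer an authorized user (the deprovisioning gap from Step 2 showing up in the logs); an authorized user logging on over RDP from a workstation that is not in the device inventory; and five failed logons for Administrator from an unknown host inside ten minutes. The summary (4 successful logons, 6 denied attempts, 1 logoff over the window) is the kind of snapshot an assessor can spot-check against the raw export.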
Compliance Tips and Best Practices
Automate identity lifecycle and deprovisioning (connect HR → Active Directory/IdP), implement principle of least privilege, and establish a quarterly access review process with documented approvals. Use MFA even if not strictly required by Level 1—it's low-cost and high-impact. Avoid relying solely on MAC address filtering; use device certificates or MDM posture checks for stronger assurance. Maintain a single source of truth for user and device inventory, document all policies and exceptions, and implement a change control process so access changes are traceable. Train managers on their role in access reviews and maintain an incident response playbook that includes compromised account handling and evidence preservation.
Risk of Not Implementing This Requirement
Failure to limit access to authorized users, processes, and devices exposes contract data to unauthorized disclosure, ransomware, lateral movement, and supply chain compromise. Non-compliance can lead to contract termination, loss of future government business, possible financial penalties, and reputational damage—small businesses are often targeted because they have weaker controls. Additionally, lack of demonstrable controls can fail a CMMC assessment or FAR compliance review, which directly impacts eligibility for DoD contracts.
In summary, meeting FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-b.1.i is achievable for small businesses by building a documented inventory, enforcing least privilege and role-based access, controlling service accounts and allowed processes, managing device posture and network segmentation, and centralizing logs and evidence for assessments. Start small with strong identity controls and device management, automate deprovisioning and reporting, and maintain routine reviews so your controls remain effective and demonstrable to assessors and contracting officers.