This article gives practical, implementable guidance for meeting FAR 52.204-21 and CMMC 2.0 Level 1 control AC.L1-B.1.I by combining multifactor authentication (MFA), least-privilege access controls, and device management, focusing on what small government contractors need to do, how to do it, and why it matters.
What this control covers and why it matters
At a high level, FAR 52.204-21 and CMMC 2.0 Level 1 expect contractors to protect Federal Contract Information (FCI) and limit access to the systems and devices that process or store that information. AC.L1-B.1.I is an access control practice that requires ensuring only authorized users on authorized devices can access covered systems; in practice this is achieved through MFA, strict privilege assignment, and device posture checks. Implementing these controls reduces the risk of credential theft, lateral movement, and inadvertent exposure of sensitive data; it also positions small businesses to pass contract audits and avoid contract penalties or loss.
Implementation: MFA - practical steps
Start by enforcing MFA for all remote access and for every account that can access FCI. Practical steps: inventory your identity providers (Azure AD, AD FS, Okta, Google Workspace), then enable platform-native MFA or integrate a third-party provider (Duo, Okta, Yubico). Prefer phishing-resistant methods for privileged users (FIDO2/WebAuthn tokens, hardware OTP) and avoid SMS as a primary factor. For Microsoft environments: enable Azure AD Conditional Access policies to require MFA for risky sign-ins and for sign-ins using legacy authentication (legacy protocols cannot complete an MFA prompt, so this effectively blocks them); set a policy that requires device compliance alongside MFA (see device management below). For on-premises VPNs and RDP, deploy an MFA gateway or RADIUS integration with your MFA provider. Document the rollout plan: pilot with IT and one business unit, then enforce for all contractor and privileged accounts within 30 to 90 days.
Implementation: Least privilege - practical steps
Least privilege means granting the minimum access a user needs to perform their role and removing local admin rights wherever possible. Steps: create role-based access control (RBAC) definitions for job functions, enforce access through group membership, and automate provisioning via scripts or an identity tool. Use Just-In-Time (JIT) and Just-Enough-Administration (JEA) for elevated tasks; examples: enable Azure AD Privileged Identity Management (PIM) for cloud admin roles, use sudo with time-limited sessions on Linux, and deploy Microsoft LAPS so Windows endpoints no longer carry a permanent local administrator password. Conduct quarterly access reviews and revoke unused accounts. For file shares and cloud storage, apply RBAC and ACLs rather than broad "Everyone" permissions. Track changes in a ticketing system so privilege requests leave an audit trail for compliance reviews.
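A quarterly access review of the kind described above, written as an added example rather than the article's own tooling: it checks a constructed account inventory against hypothetical RBAC role definitions and flags excess group membership, inactive accounts, orphaned accounts with no HR record, and permanent local admin rights that LAPS should have removed.

```python
from dataclasses import dataclass
from datetime import date
# Hypothetical RBAC definitions: the groups each job function is allowed to hold.
ROLE_GROUPS = {
    "engineer": {"FCI-Readers", "VPN-Users"},
    "pm": {"FCI-Readers", "FCI-Editors", "VPN-Users"},
    "it-admin": {"FCI-Readers", "VPN-Users", "Tier1-Admins"},
}
INACTIVE_DAYS = 90  # revoke accounts unused for longer than this

@dataclass
class Account:
    name: str
    role: str           # job function from HR; None means no HR record (orphan)
    groups: set
    last_sign_in: date  # None means the account has never signed in
    local_admin: bool   # permanent local admin on an endpoint (should be False with LAPS)

def review_account(acct, today):
    """Return the findings for one account; an empty list means nothing to revoke."""
    findings = []
    if acct.role not in ROLE_GROUPS:
        findings.append("orphaned: no HR role record, disable account")
    else:
        extra = acct.groups - ROLE_GROUPS[acct.role]
        if extra:
            findings.append("excess groups: " + ", ".join(sorted(extra)))
    if acct.last_sign_in is None or (today - acct.last_sign_in).days > INACTIVE_DAYS:
        findings.append(f"inactive > {INACTIVE_DAYS} days, revoke")
    if acct.local_admin:
        findings.append("permanent local admin, move endpoint to LAPS")
    return findings

def run_review(accounts, today):
    # Map account name -> findings, only for accounts that need action.
    report = {}
    for acct in accounts:
        findings = review_account(acct, today)
        if findings:
            report[acct.name] = findings
    return report

# Constructed sample inventory for the review date below (no real users).
TODAY = date(2024, 6, 30)
SAMPLE = [
    Account("alice", "engineer", {"FCI-Readers", "VPN-Users"}, date(2024, 6, 28), False),
    Account("bob", "engineer", {"FCI-Readers", "VPN-Users", "Tier1-Admins"}, date(2024, 6, 20), True),
    Account("carol", "pm", {"FCI-Readers", "FCI-Editors", "VPN-Users"}, date(2024, 2, 1), False),
    Account("dave", None, {"VPN-Users"}, None, False),
]
```

The report from `run_review(SAMPLE, TODAY)` is the artifact to attach to the ticket that records the revocations.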
Implementation: Device management - practical steps
Device management enforces that only compliant, patched, and correctly configured devices connect to your environment. Implement an MDM/EMM solution (Microsoft Intune, JAMF, MobileIron) and define baseline configurations: enforced full-disk encryption (BitLocker/FileVault), screen lock, minimum OS versions, secure boot, and an installed EDR agent. Use device enrollment to create a trusted inventory and tag devices as corporate-owned versus BYOD. Configure Conditional Access to require "device compliant" status for access to cloud resources and VPNs, and integrate NAC (network access control) to limit what unmanaged devices can reach on the network VLANs. For BYOD, use containerization/app-protection policies to separate corporate data. Finally, establish automated patching, EDR alerting, and periodic configuration drift checks against a secure baseline image to ensure ongoing compliance.
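The device baseline and the Conditional Access style grant rule from the MFA and device management steps above, as an added example (not Intune or Azure AD code): a constructed device inventory is checked against a hypothetical baseline, and an access request is granted only when MFA is satisfied and the device is enrolled and compliant, with legacy authentication blocked outright and BYOD devices limited to app-protected clients.

```python
from dataclasses import dataclass
# Hypothetical secure baseline, in the spirit of an MDM compliance policy.
MIN_OS = {"windows": (10, 0, 19045), "macos": (13, 0, 0), "ios": (17, 0, 0)}
MAX_SCREEN_LOCK_MINUTES = 15

@dataclass
class Device:
    device_id: str
    ownership: str          # "corporate" or "byod"
    os: str
    os_version: tuple
    disk_encrypted: bool    # BitLocker / FileVault
    secure_boot: bool
    edr_installed: bool
    screen_lock_minutes: int

def compliance_failures(dev):
    """Reasons the device misses the baseline; an empty list means compliant."""
    reasons = []
    if dev.os not in MIN_OS or dev.os_version < MIN_OS[dev.os]:
        reasons.append("OS below minimum version")
    if not dev.disk_encrypted:
        reasons.append("disk encryption off")
    if not dev.secure_boot:
        reasons.append("secure boot off")
    if not dev.edr_installed:
        reasons.append("EDR agent missing")
    if dev.screen_lock_minutes > MAX_SCREEN_LOCK_MINUTES:
        reasons.append("screen lock timeout too long")
    return reasons

def access_decision(mfa_satisfied, client_app, dev):
    """Grant rule: MFA AND compliant enrolled device; legacy auth is always blocked."""
    if client_app == "legacy":       # basic-auth protocols cannot complete an MFA prompt
        return ("block", ["legacy authentication"])
    if not mfa_satisfied:
        return ("block", ["MFA not satisfied"])
    if dev is None:                  # unenrolled device: no posture to evaluate
        return ("block", ["device not enrolled"])
    failures = compliance_failures(dev)
    if failures:
        return ("block", failures)
    if dev.ownership == "byod":      # corporate data stays inside the app-protection container
        return ("grant-app-protected", [])
    return ("grant", [])

# Constructed sample devices (not a real inventory).
LAPTOP_OK = Device("LAPTOP-01", "corporate", "windows", (10, 0, 22631), True, True, True, 10)
LAPTOP_BAD = Device("LAPTOP-02", "corporate", "windows", (10, 0, 19045), False, True, False, 30)
PHONE_BYOD = Device("PHONE-03", "byod", "ios", (17, 5, 0), True, True, True, 5)
```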
Small business real-world examples and scenarios
Example A: a 30-person contractor using Microsoft 365 enables Azure AD security defaults or Conditional Access, requires MFA for all users, enrolls corporate laptops in Intune with a compliance policy that enforces BitLocker and Defender for Endpoint, removes local admin rights via GPO and LAPS, and requires MFA for VPN connections. Example B: a 12-person firm with on-prem AD and a mix of cloud apps deploys Duo for MFA integration (VPN, RDP, web SSO), uses Local Administrator Password Solution (LAPS) and removes admin rights, inventories devices with an asset-tag spreadsheet, and moves unmanaged machines off sensitive networks onto a separate VLAN enforced by the firewall. These are low-cost, high-impact approaches that small budgets can implement within weeks.
Compliance tips and best practices
Create written policies: an Access Control policy, a Device Management policy, and an MFA policy that defines acceptable authentication factors. Maintain an asset inventory and map which devices and accounts handle FCI. Use automation where possible: automate onboarding/offboarding to avoid orphaned accounts, schedule quarterly access reviews, and centralize logs (syslog, cloud audit logs) into a lightweight SIEM or cloud-native logging (e.g., Microsoft Sentinel, Elastic Cloud). Train staff on phishing and MFA enrollment. Keep evidence for audits: policy documents, enrollment screenshots, Conditional Access logs, and access review records; label and store these artifacts in a protected location for at least the retention period required by your contract.
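Reviewing centralized sign-in logs for audit evidence, as an added example (not the article's or any vendor's tooling): a constructed JSON-lines export, with field names that are this example's own, is scanned for successful sign-ins that got in without MFA, through a legacy client, or from a non-compliant device, and per-user MFA coverage is computed for the evidence file.

```python
import json
from collections import defaultdict
# Constructed sample export (no real data); the field names are this example's own,
# loosely modelled on a cloud sign-in audit export.
SAMPLE_LOG = """\
{"ts":"2024-06-30T08:01:00Z","user":"alice","app":"SharePoint","client":"Browser","mfa":"satisfied","device_compliant":true,"result":"success"}
{"ts":"2024-06-30T08:05:00Z","user":"bob","app":"Exchange","client":"IMAP","mfa":"none","device_compliant":false,"result":"success"}
{"ts":"2024-06-30T09:12:00Z","user":"carol","app":"VPN","client":"Browser","mfa":"satisfied","device_compliant":false,"result":"failure"}
{"ts":"2024-06-30T09:40:00Z","user":"alice","app":"Exchange","client":"Browser","mfa":"satisfied","device_compliant":true,"result":"success"}
{"ts":"2024-06-30T10:02:00Z","user":"bob","app":"VPN","client":"Browser","mfa":"satisfied","device_compliant":true,"result":"success"}
"""

# Legacy protocols that cannot present an MFA prompt, so any success here is a policy gap.
LEGACY_CLIENTS = {"IMAP", "POP", "SMTP", "Other clients"}

def parse_events(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def find_gaps(events):
    """Successful sign-ins that policy should have challenged or blocked."""
    gaps = []
    for e in events:
        if e["result"] != "success":
            continue  # a blocked sign-in is the policy working, not a gap
        reasons = []
        if e["mfa"] != "satisfied":
            reasons.append("no MFA")
        if e["client"] in LEGACY_CLIENTS:
            reasons.append("legacy client")
        if not e["device_compliant"]:
            reasons.append("non-compliant device")
        if reasons:
            gaps.append((e["ts"], e["user"], e["app"], reasons))
    return gaps

def mfa_coverage(events):
    """Per-user fraction of successful sign-ins that satisfied MFA (audit evidence)."""
    total, with_mfa = defaultdict(int), defaultdict(int)
    for e in events:
        if e["result"] == "success":
            total[e["user"]] += 1
            with_mfa[e["user"]] += e["mfa"] == "satisfied"
    return {user: with_mfa[user] / total[user] for user in total}
```

Run the same two functions over the real export from your SIEM each quarter and file the output alongside the access review records.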
Risk of not implementing these controls
Failing to implement MFA, least privilege, and device management increases the risk of credential compromise, unauthorized access, ransomware, and exfiltration of FCI. Beyond the immediate operational impact, non-compliance can lead to contract penalties, loss of future contracting opportunities, mandatory incident reporting, and reputational harm. In practice, a single compromised admin account on an unmanaged laptop often leads to lateral movement and domain compromise; adequate controls materially reduce that attack surface.
Summary
To meet FAR 52.204-21 and CMMC 2.0 Level 1 (AC.L1-B.1.I), prioritize MFA for all sensitive access, enforce least privilege through RBAC and JIT elevation, and use an MDM/NAC combination to ensure only compliant devices connect to your environment. For small businesses, these steps are achievable with a phased plan: inventory identities and devices, pilot MFA and device enrollment, remove local admin rights, and keep records for audits. Implementing these controls reduces risk, simplifies audits, and strengthens your eligibility for government work.