Multi-factor authentication (MFA) is a required element of FAR 52.204-21 and CMMC 2.0 Level 1 Control IA.L1-B.1.VI for authenticating users, processes, and devices; this guide walks a small business through planning, selecting, and implementing MFA across people, machine identities, and endpoints with concrete technical steps and real-world examples so you can produce audit-ready evidence.
Compliance context and objectives
Under the Compliance Framework for FAR 52.204-21 and CMMC 2.0 Level 1, IA.L1-B.1.VI requires that entities use multi-factor authentication to authenticate users, processes, and devices accessing controlled information and associated systems. Key objectives include preventing credential compromise, ensuring strong proof-of-identity for human and non-human actors, and producing demonstrable evidence (logs, configuration, enrollment records) for assessment. Implementation notes: document your scoping decisions, retain enrollment and conditional access logs as evidence, and treat exceptions as temporary with formal approvals.
Step-by-step implementation
1) Scope, inventory, and risk modeling
Start by inventorying all identities and access paths: human user accounts (employees, contractors), service accounts and APIs (processes), and managed/unmanaged devices (laptops, IoT, servers). Map which systems process CUI or support contract performance. Label each access path by risk (high/medium/low) and identify legacy apps that don’t support modern auth. For a small business (10–50 users) this can be a simple spreadsheet: username, account type, apps accessed, auth method today, and remediation notes. This scoping drives phased rollouts and evidence collection for the Compliance Framework assessor.
2) Choose MFA methods and technologies
Select authentication factors that balance security, usability, and cost. Prefer cryptographic factors (FIDO2/WebAuthn hardware tokens like YubiKey or platform authenticators) and push-based authenticators (Okta Verify, Microsoft Authenticator). Use time-based one-time passwords (TOTP) as a secondary option. Avoid SMS for primary authentication due to SIM-swap risks. For processes and devices, use certificate-based authentication (mTLS), OAuth2 client credentials with short-lived tokens, or machine identity solutions (HashiCorp Vault, Smallstep, PKI) rather than embedding static passwords. For small businesses, Azure AD (with Conditional Access), Okta, or Duo offer integrated MFA, single sign-on, and reporting that simplify compliance evidence collection.
3) Implement MFA for users (practical steps)
Integrate an identity provider (IdP) and enforce policies centrally. Example with Azure AD: create a Conditional Access policy that targets "All users" and "All cloud apps" and sets the "Grant access" control to "Require multifactor authentication" (optionally also "Require device to be marked as compliant"). Exclude a documented break-glass emergency account with strict controls. For legacy apps without SSO, deploy a SAML/OIDC gateway or use RADIUS + MFA (Duo Authentication Proxy) to protect VPNs and on-prem resources. For Linux and SSH, require public-key auth and add a second factor via pam_duo or pam_oath; for Windows, deploy Windows Hello for Business with certificate provisioning. Record screenshots of policy settings, enrollment rosters, and MFA challenge logs as part of your Compliance Framework evidence package.
4) Implement MFA for processes and machine identities
Processes and services should not use human-style MFA prompts; instead use strong machine identity and short-lived credentials. Implement mTLS for service-to-service calls with client certificates provisioned by an internal CA (Smallstep, the Vault PKI secrets engine, or enterprise PKI). Use OAuth2 client credentials with rotating client secrets and short token lifetimes (minutes to hours) where feasible. For automation (backups, monitoring), store certificates and keys in a secrets manager (Vault) and enable automatic rotation and audit logging. A small business example: replace the hard-coded API key between the invoicing system and the payment gateway with mTLS mutual authentication, upload the CA-signed client certificate to the gateway, and retain issuance logs for compliance evidence.
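The short-lived, rotatable machine credential pattern from step 4, as an added illustration that is not from the guide or from any of the named products: a minimal HMAC-signed token issuer and verifier with a key id so signing secrets can be rotated and retired. The secrets, key ids, client name and token format are constructed stand-ins for what an IdP's OAuth2 token endpoint would issue.

```python
import base64
import hashlib
import hmac
import json
import time

# Signing secrets indexed by key id (constructed values). Rotation means adding
# a new kid, making it current, and retiring the old one once every token
# signed with it has expired (at most TOKEN_TTL_SECONDS later).
SIGNING_KEYS = {
    "2024-q1": b"constructed-previous-secret",
    "2024-q2": b"constructed-current-secret",
}
CURRENT_KID = "2024-q2"
TOKEN_TTL_SECONDS = 300  # five minutes: short-lived, as step 4 recommends


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_token(client_id, scope, now=None, kid=CURRENT_KID):
    """Issue an HMAC-signed token for a service, e.g. invoicing -> payment gateway."""
    now = int(time.time() if now is None else now)
    claims = {"sub": client_id, "scope": scope, "exp": now + TOKEN_TTL_SECONDS, "kid": kid}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(SIGNING_KEYS[kid], body.encode(), hashlib.sha256).digest()
    return body + "." + _b64(sig)

def verify_token(token, required_scope, now=None):
    """Return the claims if key id, signature, expiry and scope all check out, else None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(_unb64(body))
        key = SIGNING_KEYS[claims["kid"]]  # KeyError: unknown or retired signing key
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
    except (ValueError, KeyError, TypeError):
        return None
    if claims.get("exp", 0) <= now or claims.get("scope") != required_scope:
        return None
    return claims

def retire_key(kid):
    """Drop a retired signing key so tokens still carrying that kid are refused."""
    SIGNING_KEYS.pop(kid, None)
```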
5) Implement MFA and posture checks for devices
Enforce device authentication and posture checks via MDM/UEM and device certificates. Require devices to be enrolled (Intune, JAMF) and compliant (disk encryption enabled, OS patched) before granting access. Use device-based certificates (SCEP or PKI) or device-based Conditional Access checks to ensure only managed, healthy devices authenticate without an additional human prompt. For remote workers, ensure VPN and remote desktop gateways require both device compliance and a second factor at login. Example: configure an Intune compliance policy that marks a device non-compliant if BitLocker is off; Conditional Access then blocks non-compliant devices from accessing cloud apps.
Risks, compliance tips, and best practices
The risk of not implementing MFA is high: stolen credentials enable lateral movement, data exfiltration, and compromise of CUI, leading to contract termination, remediation costs, and a failed CMMC assessment. Practical compliance tips: (1) document your scoping and risk decisions and keep evidence (policy configurations, enrollment logs, break-glass procedures); (2) disable legacy authentication paths (basic auth, unauthenticated APIs) or place them behind a gateway; (3) implement least privilege and rotate service credentials frequently; (4) log and retain authentication events (at least 90 days is recommended for investigation, longer if contractually required); (5) test rollback and emergency access procedures; and (6) train staff on phishing-resistant factors and enrollment workflows to reduce helpdesk friction.
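As an added example that is not part of the original guide, the following script turns the retained sign-in logs from tip (4) into the evidence the Conditional Access policy in step 3, the device checks in step 5 and the legacy-auth advice in tip (2) call for: it flags successful sign-ins that used no MFA, an SMS or voice factor, or a legacy protocol, and counts sign-ins that Conditional Access refused for a non-compliant device. The records are constructed samples modelled on Microsoft Graph signIn fields; the client-app and method strings are assumed values, not a complete list.

```python
import json

# Constructed sample sign-in records, modelled on Microsoft Graph signIn fields
# (authenticationRequirement, clientAppUsed, mfaDetail, deviceDetail, status).
SAMPLE_SIGNINS = """
{"userPrincipalName": "ana@example.test", "authenticationRequirement": "multiFactorAuthentication", "clientAppUsed": "Browser", "mfaDetail": {"authMethod": "FIDO2 security key"}, "deviceDetail": {"isCompliant": true}, "status": {"errorCode": 0}}
{"userPrincipalName": "ben@example.test", "authenticationRequirement": "singleFactorAuthentication", "clientAppUsed": "Browser", "mfaDetail": {}, "deviceDetail": {"isCompliant": true}, "status": {"errorCode": 0}}
{"userPrincipalName": "cara@example.test", "authenticationRequirement": "multiFactorAuthentication", "clientAppUsed": "Browser", "mfaDetail": {"authMethod": "Text message"}, "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 0}}
{"userPrincipalName": "svc-backup@example.test", "authenticationRequirement": "singleFactorAuthentication", "clientAppUsed": "Exchange ActiveSync", "mfaDetail": {}, "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 0}}
{"userPrincipalName": "ben@example.test", "authenticationRequirement": "multiFactorAuthentication", "clientAppUsed": "Browser", "mfaDetail": {"authMethod": "Mobile app notification"}, "deviceDetail": {"isCompliant": false}, "status": {"errorCode": 53000}}
"""

# Assumed value sets; extend from your own tenant's logs.
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "SMTP", "Other clients"}
WEAK_METHODS = {"Text message", "Mobile phone call"}  # SMS/voice: not phishing-resistant
DEVICE_NOT_COMPLIANT = 53000  # AADSTS53000: Conditional Access refused a non-compliant device


def review_signins(raw: str) -> dict:
    """Flag successful sign-ins that bypass or weaken MFA; count device-compliance blocks."""
    findings = {"no_mfa": [], "weak_factor": [], "legacy_protocol": [], "noncompliant_blocked": 0}
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        user = ev["userPrincipalName"]
        code = ev["status"]["errorCode"]
        if code != 0:
            # A failed sign-in is not a gap; a compliance block is the policy working.
            if code == DEVICE_NOT_COMPLIANT:
                findings["noncompliant_blocked"] += 1
            continue
        if ev["clientAppUsed"] in LEGACY_CLIENTS:
            findings["legacy_protocol"].append(user)
        if ev["authenticationRequirement"] != "multiFactorAuthentication":
            findings["no_mfa"].append(user)
        elif ev.get("mfaDetail", {}).get("authMethod") in WEAK_METHODS:
            findings["weak_factor"].append(user)
    return findings


def evidence_summary(findings: dict) -> dict:
    """Distinct affected identities per finding, suitable for an assessment evidence note."""
    return {k: len(set(v)) if isinstance(v, list) else v for k, v in findings.items()}


if __name__ == "__main__":
    print(json.dumps(evidence_summary(review_signins(SAMPLE_SIGNINS)), indent=2))
```

Each flagged identity is a remediation item (enforce the policy, move the service account to a machine credential, or disable the legacy protocol), and the summary counts go into the evidence package alongside the policy screenshots.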
In summary, meeting FAR 52.204-21 / CMMC 2.0 IA.L1-B.1.VI for MFA requires a scoped inventory, selection of cryptographic and push-based factors for humans, certificate and token-based approaches for machines, and device attestation via MDM. Implement with an IdP, conditional access, PKI/mTLS for services, and documented exception procedures—collecting configuration screenshots, enrollment lists, logs, and policies as evidence—so your small business both reduces risk and demonstrates compliance during assessment.