
How to Implement Multi-Factor Authentication to Meet NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.2: Step-by-Step Guide for Authenticating Users, Processes, and Devices

Step‑by‑step, vendor-neutral guidance to implement phishing‑resistant multi‑factor authentication and device/process identity controls to satisfy IA.L2-3.5.2 under NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2.

April 09, 2026
4 min read


This post provides a hands‑on, practical roadmap to implement multi‑factor authentication (MFA) and strong identity mechanisms that satisfy NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 control IA.L2‑3.5.2—authenticating users, processes, and devices—targeted at small businesses that handle Controlled Unclassified Information (CUI).

Why IA.L2‑3.5.2 matters and scoping for small organizations

IA.L2‑3.5.2 requires you to verify the identities of users, processes, and devices before granting access to CUI or entering protected environments—MFA is a key way to demonstrate the required level of assurance. For a small contractor (10–200 employees), scope typically includes: all user accounts that can access CUI (cloud apps, email, file shares), remote access points (VPN, RDP), privileged accounts (administrators, DevOps), and machine/service identities (CI/CD pipelines, servers, IoT endpoints). Document your scope in the System Security Plan (SSP) so auditors can trace policy to implementation and evidence.

Step‑by‑step implementation plan (actionable checklist)

1) Inventory and classify identities: enumerate user accounts, service accounts, and devices that can access CUI.

2) Determine required assurance levels: require phishing‑resistant MFA for privileged users and any administrative actions; standard MFA (TOTP, push) for regular users.

3) Choose technologies: FIDO2/WebAuthn or certificate‑based authentication for phishing resistance; TOTP (RFC 6238) as fallback; OAuth2 client credentials or mutual TLS (mTLS) for service/machine auth.

4) Integrate with an identity provider (IdP): configure Conditional Access (Azure AD), Okta, or Duo to enforce MFA for scoped apps and network access (VPN).

5) Secure service and device identities: issue short‑lived device certificates (e.g., 90 days), use TPM/HSM-backed keys, and configure mTLS or signed JWTs for machine‑to‑machine auth.

6) Logging and evidence: centralize MFA events in your SIEM or cloud logs with retention aligned to your SSP.

7) Test, train, and roll out across production with a documented exception/POA&M process.

Technical specifics and examples

Users: Prefer phishing‑resistant methods. Deploy FIDO2/WebAuthn where possible (security keys, platform authenticators). For cloud services, configure the SAML/OIDC IdP to require FIDO2 for privileged roles and TOTP for normal users. TOTP parameters: 6 digits, 30‑second timestep (RFC 6238), rate‑limit attempts. Avoid SMS and voice OTP for CUI access due to interception risk.

Devices: Use device certificates and mTLS. Implement SCEP/EST or an enterprise CA to provision certs, enforce TLS 1.2+ and ECC P‑256 or RSA 3072+ keys, set device cert lifetimes to 90 days, and automate renewal.

Processes/services: Use OAuth2 client credentials with short‑lived tokens (<1 hour) and rotate client secrets frequently, or use mTLS client certs; store keys in an HSM or cloud Key Vault and restrict decryption to the host TPM when possible.

SSH: Replace password SSH with signed OpenSSH certificates from an internal CA and require hardware keys for admin logins.

VPN/RDP: Put MFA at the gateway (VPN appliance or RD Gateway) so credentials never cross unprotected channels.
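The TOTP parameters above (6 digits, 30‑second timestep, rate‑limited attempts) are easy to state and easy to get subtly wrong on the server side. The following is an added example, not code from the original post, showing an RFC 6238 verifier written against the Python standard library. It adds the two server‑side controls the text asks for: a per‑user failure counter that locks the account after a burst of bad codes, and a replay guard so a code that was already accepted cannot be submitted a second time within the clock‑skew window. The secret value, user names, and the lockout thresholds are constructed for the example; the secret is the ASCII test key from RFC 4226/6238 so the codes can be checked against the published vectors.

```python
import hashlib
import hmac
import struct
import time
from collections import defaultdict, deque

# Policy constants (values from the post; lockout numbers are an assumption)
DIGITS = 6             # 6-digit codes
TIME_STEP = 30         # 30-second timestep, RFC 6238
SKEW_STEPS = 1         # accept one step either side to tolerate clock drift
MAX_ATTEMPTS = 5       # failed codes allowed per user within LOCKOUT_WINDOW
LOCKOUT_WINDOW = 300   # seconds


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduce modulo 10**digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = ((digest[offset] & 0x7F) << 24
            | digest[offset + 1] << 16
            | digest[offset + 2] << 8
            | digest[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


class TotpVerifier:
    """Server-side verifier with attempt rate limiting and replay protection."""

    def __init__(self):
        self._failures = defaultdict(deque)   # user -> timestamps of recent failures
        self._last_counter = {}               # user -> highest counter already accepted

    def _locked_out(self, user: str, now: float) -> bool:
        window = self._failures[user]
        while window and now - window[0] > LOCKOUT_WINDOW:
            window.popleft()                  # forget failures older than the window
        return len(window) >= MAX_ATTEMPTS

    def verify(self, user: str, secret: bytes, submitted: str, now: float = None) -> str:
        """Return 'ok', 'rejected', or 'locked_out'."""
        now = time.time() if now is None else now
        if self._locked_out(user, now):
            return "locked_out"               # refuse even a correct code while locked
        counter = int(now) // TIME_STEP
        for c in range(counter - SKEW_STEPS, counter + SKEW_STEPS + 1):
            if c <= self._last_counter.get(user, -1):
                continue                      # replay guard: this step was already consumed
            if hmac.compare_digest(hotp(secret, c), submitted):
                self._last_counter[user] = c
                self._failures[user].clear()
                return "ok"
        self._failures[user].append(now)
        return "rejected"


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 SHA-1 test key
    secret = b"12345678901234567890"
    v = TotpVerifier()
    print(totp(secret, 59), v.verify("alice", secret, totp(secret, 59), now=59))
```

Two design points worth noting: comparison uses `hmac.compare_digest` so the verifier does not leak timing information about how many digits matched, and the replay guard records the highest accepted counter rather than a per‑code list, which is what keeps a code valid once across the skew window.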

Real‑world small business scenarios

Scenario A — Small defense contractor (50 employees): The contractor enables Azure AD Conditional Access to require MFA for all Microsoft 365 and file‑share access. Privileged admin accounts are forced to use FIDO2 keys; staff use authenticator apps for day‑to‑day logins. CI/CD pipelines use Azure Key Vault and managed identities with role‑assigned access; build agents authenticate to artifact storage using mTLS and short‑lived certificates. Evidence: screenshots of Conditional Access policies, a list of enrolled FIDO2 keys, PKI issuance logs, and MFA event logs exported for the assessor.

Scenario B — Engineering firm with onsite devices: Devices are issued certificates from an on‑premises CA using SCEP; IoT measurement devices authenticate to central servers via mTLS. Service accounts for telemetry use client certificates stored in HSM-backed vaults. Remote engineers access CUI repositories through a VPN that enforces MFA with push notifications; admin access requires hardware tokens. Document device provisioning procedures and certificate lifecycles in your SSP and retain provisioning logs for audits.

Compliance tips, controls, and best practices

Map each deployed control to IA.L2‑3.5.2 in your SSP and maintain a test plan and evidence package (policy, screenshots, logs, device cert lists). Apply least privilege and role separation; never use admin accounts for mundane work. Implement a break‑glass admin workflow with time‑bounded elevated access and full auditing. Maintain an exceptions/POA&M record that documents compensating controls when legacy systems cannot support modern MFA. Use continuous monitoring: alert on floods of failed MFA prompts, credential‑stuffing patterns, or unexpected token issuance. Keep IdP policy configuration as code so changes are auditable.
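The monitoring advice above names two patterns to alert on: a flood of failed MFA prompts against one user (a sign the password is already known and the attacker is pushing for a second factor) and credential stuffing (many different users failing from one source address). The following is an added example, not from the original post, of detection logic over a handful of constructed IdP sign‑in events in JSON‑lines form. The field names, thresholds, and addresses (TEST‑NET ranges) are assumptions made for the example; a real deployment would map them to the IdP's own export format.

```python
import json
from collections import defaultdict, deque

# Assumed thresholds; tune to the organization's baseline
WINDOW_SECONDS = 300        # sliding window for both detections
MFA_FLOOD_THRESHOLD = 5     # failed MFA prompts for one user within the window
STUFFING_THRESHOLD = 3      # distinct users with password failures from one IP within the window

# Constructed sample events (not real logs): alice is being MFA-bombed,
# 198.51.100.7 is trying several accounts, everything else is normal traffic.
SAMPLE_LOG = "\n".join(json.dumps(e) for e in [
    {"ts": 1700000000, "user": "alice", "ip": "203.0.113.10", "result": "mfa_fail"},
    {"ts": 1700000020, "user": "alice", "ip": "203.0.113.10", "result": "mfa_fail"},
    {"ts": 1700000045, "user": "bob",   "ip": "198.51.100.7", "result": "password_fail"},
    {"ts": 1700000050, "user": "alice", "ip": "203.0.113.10", "result": "mfa_fail"},
    {"ts": 1700000060, "user": "carol", "ip": "198.51.100.7", "result": "password_fail"},
    {"ts": 1700000075, "user": "erin",  "ip": "192.0.2.44",   "result": "success"},
    {"ts": 1700000080, "user": "alice", "ip": "203.0.113.10", "result": "mfa_fail"},
    {"ts": 1700000090, "user": "dave",  "ip": "198.51.100.7", "result": "password_fail"},
    {"ts": 1700000110, "user": "alice", "ip": "203.0.113.10", "result": "mfa_fail"},
    {"ts": 1700000400, "user": "erin",  "ip": "192.0.2.44",   "result": "mfa_fail"},
    {"ts": 1700001000, "user": "erin",  "ip": "192.0.2.44",   "result": "mfa_fail"},
])


def parse_events(log_text: str) -> list:
    """Parse JSON-lines input, skipping blank or malformed lines, sorted by time."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue   # a real pipeline would count these as a parsing-health metric
    return sorted(events, key=lambda e: e["ts"])


def _trim(window: deque, now: int) -> None:
    """Drop entries older than WINDOW_SECONDS from the front of a time-ordered deque."""
    while window and now - window[0][0] > WINDOW_SECONDS:
        window.popleft()


def detect(events: list) -> list:
    """Return one alert per offending user (MFA flood) or source IP (credential stuffing)."""
    alerts = []
    mfa_fails = defaultdict(deque)   # user -> deque of (ts, ip)
    pw_fails = defaultdict(deque)    # ip -> deque of (ts, user)
    alerted = set()
    for e in events:
        ts = e["ts"]
        if e["result"] == "mfa_fail":
            q = mfa_fails[e["user"]]
            q.append((ts, e["ip"]))
            _trim(q, ts)
            key = ("mfa_flood", e["user"])
            if len(q) >= MFA_FLOOD_THRESHOLD and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "mfa_flood", "key": e["user"], "count": len(q), "at": ts})
        elif e["result"] == "password_fail":
            q = pw_fails[e["ip"]]
            q.append((ts, e["user"]))
            _trim(q, ts)
            distinct = {u for _, u in q}
            key = ("credential_stuffing", e["ip"])
            if len(distinct) >= STUFFING_THRESHOLD and key not in alerted:
                alerted.add(key)
                alerts.append({"type": "credential_stuffing", "key": e["ip"],
                               "users": sorted(distinct), "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

Note that erin's two failures are 600 seconds apart and never accumulate inside the window, so she generates no alert; the sliding window is what separates a user fumbling a code from a sustained push campaign.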

Risks of non‑implementation

Without proper MFA and machine identity controls you expose CUI to credential theft, phishing, lateral movement, and supply‑chain compromise. Small businesses are particularly attractive targets because single compromised credentials can expose the whole environment. Beyond technical risk, failure to implement IA.L2‑3.5.2 risks non‑compliance findings, contract penalties, lost government business, and reputational damage. An attacker using a compromised admin account can disable logging, exfiltrate CUI, and obscure traces—costs that far exceed the implementation effort.

Implementing MFA and strong device/process identity controls is achievable for small organizations: start with an inventory, prioritize phishing‑resistant methods for privileged access, use certificates/mTLS for devices and services, centralize logs for audit, and document everything in the SSP and POA&M. These steps both harden your environment and produce the artifacts auditors look for under NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 IA.L2‑3.5.2.
