
How to Implement VPNs, MFA, and Firewalls to Comply with NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - AC.L2-3.1.20

Practical, step-by-step guidance for small businesses to implement VPNs, multi‑factor authentication, and firewall controls to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 (AC.L2-3.1.20) requirements.

March 27, 2026
4 min read


This post explains how small and medium-sized organizations can implement VPNs, multi-factor authentication (MFA), and firewall controls to meet requirement AC.L2-3.1.20 of NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2, with concrete technical steps, real-world examples, and the compliance evidence you should produce.

What AC.L2-3.1.20 requires and how these technologies map to it

AC.L2-3.1.20 requires protecting remote access to, and enforcing access controls for, Controlled Unclassified Information (CUI). In practice that means cryptographically protecting remote sessions (VPN or TLS), authenticating remote users with MFA, and using firewall rules and segmentation to limit exposure. For assessment purposes, document how each control is implemented in your System Security Plan (SSP) and collect configuration and log evidence.

Step-by-step VPN implementation (practical, actionable)

Choose a VPN technology appropriate to your environment: IPsec (IKEv2) or SSL/TLS-based VPNs for traditional network-based access, WireGuard for lightweight site-to-site or user connections, or cloud-managed SASE/SD-WAN for hybrid cloud scenarios. Configure strong cryptography: AES-256 for IPsec, IKEv2 with SHA-2 integrity, and DH group 14 or higher (or use the modern WireGuard defaults, Curve25519 and ChaCha20-Poly1305). Disable deprecated protocols and algorithms (no PPTP, no SSLv3, no TLS 1.0/1.1). For client VPNs, require certificate-based machine authentication or device posture checks in addition to user credentials.
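The crypto policy in this section can be checked mechanically against a VPN's configured proposals. The following is an added example, not code from the post: a Python check for strongSwan-style IKE proposal strings (e.g. `aes256-sha256-modp2048`); the algorithm names and DH group numbers follow strongSwan's naming and the IANA IKEv2 registry, and the allowlists encode the policy stated above.

```python
# IANA IKEv2 Diffie-Hellman group numbers for the strongSwan-style names
# handled here (assumed subset; extend for your vendor's naming).
DH_GROUPS = {"modp768": 1, "modp1024": 2, "modp1536": 5, "modp2048": 14,
             "modp3072": 15, "modp4096": 16, "modp6144": 17, "modp8192": 18,
             "ecp256": 19, "ecp384": 20, "ecp521": 21, "curve25519": 31}
# Policy from this section: AES-256 (or an AEAD of equivalent strength),
# SHA-2 integrity/PRF, DH group 14 or higher.
STRONG_CIPHERS = {"aes256", "aes256gcm8", "aes256gcm12", "aes256gcm16", "chacha20poly1305"}
STRONG_HASHES = {"sha256", "sha384", "sha512", "prfsha256", "prfsha384", "prfsha512"}


def check_ike_proposal(proposal):
    """Return a list of policy violations for one IKE proposal string such as
    'aes256-sha256-modp2048' or 'aes256gcm16-prfsha384-ecp384'.
    An empty list means the proposal meets the stated policy."""
    parts = proposal.lower().split("-")
    issues = []
    if parts[0] not in STRONG_CIPHERS:
        issues.append(f"cipher '{parts[0]}' is not AES-256 or an equivalent AEAD")
    # Integrity/PRF algorithms: anything SHA-1 or MD5 based is deprecated.
    hashes = [p for p in parts[1:] if p.startswith(("sha", "prfsha", "md5", "prfmd5"))]
    if not hashes:
        issues.append("no integrity/PRF algorithm specified")
    for h in hashes:
        if h not in STRONG_HASHES:
            issues.append(f"integrity/PRF '{h}' is not SHA-2")
    # DH group: required for forward secrecy, and must be group 14 (2048-bit MODP) or stronger.
    groups = [DH_GROUPS[p] for p in parts[1:] if p in DH_GROUPS]
    if not groups:
        issues.append("no DH group specified (no forward secrecy)")
    elif min(groups) < 14:
        issues.append(f"DH group {min(groups)} is below group 14")
    return issues


def check_all(proposals):
    """Audit a list of configured proposals; return {proposal: issues} for offenders only."""
    return {p: check_ike_proposal(p) for p in proposals if check_ike_proposal(p)}
```

Run `check_all` over the proposal list exported from each gateway and keep the (ideally empty) result with your SSP evidence.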

Small-business example

A 25-person engineering firm can deploy a cloud-managed VPN appliance (e.g., Palo Alto GlobalProtect, Cisco Meraki, or an OpenVPN Access Server) with forced-tunnel VPN for corporate resources. Configure the appliance to accept only TLS 1.2/1.3, require client certs for laptops, and limit VPN client address space to a dedicated subnet (e.g., 10.10.100.0/24) that is segmented from guest Wi‑Fi and Internet-only subnets.

Implementing MFA correctly

Require MFA for all remote logons to CUI systems and VPN portals. Prefer phishing-resistant methods (FIDO2/WebAuthn, hardware tokens such as YubiKey), with TOTP authenticator apps (RFC 6238) as the minimum. Avoid SMS-based OTPs for high-risk accounts, since they can be intercepted. Integrate MFA with your identity provider (Azure AD Conditional Access, Okta, or a RADIUS-backed 2FA server for VPN appliances) so you can enforce policies centrally, for example blocking legacy authentication and requiring MFA from unknown networks.

Practical config details

In your IdP, create an access policy that requires MFA for any sign-in from an untrusted network and for accounts in the "CUI Access" group. For VPNs that don't support modern OAuth flows, configure the VPN to use RADIUS to an MFA-aware service (Duo, SecureAuth) and log RADIUS accept/deny events centrally.

Firewall and segmentation best practices

Apply the principle of least privilege: only allow ports and protocols necessary for business functions. For a typical remote-access VPN, allow outbound TCP 443 (or UDP for WireGuard) to the VPN endpoint and restrict inbound rules to management IPs only (or use jump hosts/management VPN). Implement stateful inspection and application-layer filtering where available, use IDS/IPS signatures for C2 and exploitation attempts, and segregate CUI systems into a dedicated VLAN/zone protected by ACLs and firewall rules.

Small-business scenario

Example: an accounting firm isolates CUI on VLAN 20 with firewall rules that only permit RDP (TCP 3389) from the dedicated VPN subnet and SMB (TCP 445) only from specific servers. The firewall enforces NAT, stateful inspection, and logs all accepted/denied flows to a SIEM or cloud log store for 90+ days as evidence.
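As an added example (not part of the original post), the following Python script audits a firewall rulebase export against the policy just described: only RDP from the VPN subnet and SMB from named file servers may reach VLAN 20, and the rulebase must end with an explicit deny. The CSV layout, the VLAN 20 address range 10.10.20.0/24 and the file server addresses are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed rulebase export in a simple CSV form (action,src,dst,proto,dport);
# real vendor exports differ and would need their own parser.
RULE_EXPORT = """\
allow,10.10.100.0/24,10.10.20.0/24,tcp,3389
allow,10.10.20.5/32,10.10.20.0/24,tcp,445
allow,10.10.20.6/32,10.10.20.0/24,tcp,445
allow,192.168.1.0/24,10.10.20.0/24,tcp,445
deny,0.0.0.0/0,10.10.20.0/24,any,any
"""

# Documented policy for the scenario above (addresses are assumed).
CUI_VLAN = ipaddress.ip_network("10.10.20.0/24")      # VLAN 20
VPN_SUBNET = ipaddress.ip_network("10.10.100.0/24")   # dedicated VPN client subnet
FILE_SERVERS = [ipaddress.ip_network("10.10.20.5/32"), ipaddress.ip_network("10.10.20.6/32")]

@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: str

def parse_rules(text):
    rules = []
    for line in text.strip().splitlines():
        action, src, dst, proto, dport = (f.strip() for f in line.split(","))
        rules.append(Rule(action.lower(), ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto.lower(), dport))
    return rules

def audit(rules):
    """Return findings for allow rules reaching the CUI VLAN that the policy does not
    cover, plus a finding if the rulebase lacks a final explicit deny. Empty = compliant."""
    findings = []
    for r in rules:
        if r.action != "allow" or not r.dst.overlaps(CUI_VLAN):
            continue
        rdp_from_vpn = r.proto == "tcp" and r.dport == "3389" and r.src.subnet_of(VPN_SUBNET)
        smb_from_server = (r.proto == "tcp" and r.dport == "445"
                           and any(r.src.subnet_of(s) for s in FILE_SERVERS))
        if not (rdp_from_vpn or smb_from_server):
            findings.append(f"unexpected allow: {r.src} -> {r.dst} {r.proto}/{r.dport}")
    last = rules[-1]
    if not (last.action == "deny" and CUI_VLAN.subnet_of(last.dst)):
        findings.append("rulebase does not end with an explicit deny covering the CUI VLAN")
    return findings
```

Running this on each rulebase export (and on each change) produces a dated, reviewable record for the assessor; the sample export above yields one finding, the stray allow from 192.168.1.0/24.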

Operational controls, monitoring, and assessment evidence

Document the configuration baselines in your SSP (VPN configs, MFA policy screenshots, firewall rule exports). Collect evidence: VPN connection logs (username, source IP, timestamp, session duration), MFA logs showing successful/failed challenges, firewall rulebase export and change history, and periodic vulnerability scans of VPN/firewall appliances. Set up alerting for anomalous remote access patterns (multiple failed logins, logins outside business hours, impossible travel). Maintain a POA&M for any gaps and record remediation timelines.
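The three alerting patterns listed above (repeated failed logins, logins outside business hours, impossible travel) can be prototyped over exported VPN logs before being turned into SIEM rules. The Python below is an added example, not from the post; the log format, business hours, thresholds and the geolocation fields attached to each source IP are assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime
# Constructed VPN connection log (not from any vendor): time, user, result, source IP, geolocation.
VPN_LOG = """\
2026-03-27T08:05:00Z user=asmith result=ACCEPT src=198.51.100.7 lat=38.9 lon=-77.0
2026-03-27T08:40:00Z user=asmith result=ACCEPT src=203.0.113.9 lat=51.5 lon=-0.1
2026-03-27T23:30:00Z user=bjones result=ACCEPT src=192.0.2.44 lat=40.7 lon=-74.0
2026-03-27T09:00:00Z user=cwang result=REJECT src=192.0.2.88 lat=40.7 lon=-74.0
2026-03-27T09:01:00Z user=cwang result=REJECT src=192.0.2.88 lat=40.7 lon=-74.0
2026-03-27T09:02:00Z user=cwang result=REJECT src=192.0.2.88 lat=40.7 lon=-74.0
"""

BUSINESS_HOURS = range(7, 19)  # 07:00-18:59 UTC (assumed; use the firm's local hours)
FAIL_THRESHOLD, FAIL_WINDOW_S, MAX_SPEED_KMH = 3, 600, 900  # assumed tuning values

def parse(log):
    events = []
    for line in log.strip().splitlines():
        ts, *kv = line.split()
        f = dict(p.split("=", 1) for p in kv)
        events.append({"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": f["user"], "result": f["result"], "src": f["src"],
                       "lat": float(f["lat"]), "lon": float(f["lon"])})
    return sorted(events, key=lambda e: e["time"])

def haversine_km(a, b):  # great-circle distance between two events' coordinates
    p1, p2 = math.radians(a["lat"]), math.radians(b["lat"])
    dphi, dlam = p2 - p1, math.radians(b["lon"] - a["lon"])
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371 * math.asin(math.sqrt(h))

def detect(log):
    """Return (alert_type, user) tuples in time order for the three patterns above."""
    alerts, fails, last_ok = [], defaultdict(list), {}
    for e in parse(log):
        u = e["user"]
        if e["result"] != "ACCEPT":
            fails[u] = [t for t in fails[u] if (e["time"] - t).total_seconds() <= FAIL_WINDOW_S]
            fails[u].append(e["time"])
            if len(fails[u]) == FAIL_THRESHOLD:  # alert once when the threshold is hit
                alerts.append(("repeated_failures", u))
            continue
        if e["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off_hours", u))
        if u in last_ok:  # compare with the user's previous successful login
            hours = (e["time"] - last_ok[u]["time"]).total_seconds() / 3600
            if hours > 0 and haversine_km(last_ok[u], e) / hours > MAX_SPEED_KMH:
                alerts.append(("impossible_travel", u))
        last_ok[u] = e
    return alerts
```

The sample log produces three alerts: asmith's Washington-to-London login 35 minutes later (impossible travel), cwang's three rejects in two minutes, and bjones's 23:30 login.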

Risks of not implementing the control

Failure to protect remote access can lead to credential compromise, lateral movement into CUI repositories, data exfiltration, ransomware ingress, and ultimately loss of DoD contracts or fines. Technically, unencrypted or weakly authenticated remote sessions are exposed to session hijacking and man-in-the-middle attacks; poorly configured firewalls and a lack of segmentation allow a single compromised host to reach sensitive assets. From a compliance perspective, missing documentation or logs can cause a failed assessment, requiring costly remediation and potential contracting penalties.

Compliance tips and best practices

Maintain a written access control policy that maps to AC.L2-3.1.20 and shows where VPN, MFA, and firewall controls enforce it. Use automated configuration management (e.g., Ansible, Terraform, or vendor APIs) to produce repeatable, auditable device configs. Use time-based access for high-privilege remote sessions and recorded jump hosts for remote admin access. Regularly test your configuration with internal red-team exercises or third-party assessments focused on remote access. Keep firmware and OS patched on appliances, and rotate certificates/keys on a documented schedule (e.g., certificates renewed annually, VPN PSKs avoided in favor of certs).

In summary, meeting AC.L2-3.1.20 requires a layered approach: cryptographically strong VPNs or secure remote access solutions, robust MFA (preferably phishing-resistant), and firewalls configured for least privilege and segmentation. For assessment evidence, produce configuration snapshots, logs, policy documentation, and remediation plans; this both reduces risk and demonstrates to assessors that your organization is managing remote access to CUI effectively.
