This post walks through practical Identity and Access Management (IAM) implementations you can use to meet FAR 52.204-21 and the CMMC 2.0 Level 1 control IA.L1-B.1.VI under a Compliance Framework practice, covering design, configuration examples (Azure, AWS, Google/SSO providers), day-to-day operations, evidence collection, and common audit expectations for a small business.
Understand the requirement in the Compliance Framework context
At Level 1 CMMC and under FAR 52.204-21 the emphasis is on basic safeguarding: ensuring only authorized users access covered contractor information systems and that authentication mechanisms are implemented and verifiable. Within a Compliance Framework practice, treat this control as an identity lifecycle and access enforcement requirement: unique IDs for users, authentication (preferably MFA), account lifecycle (provisioning/deprovisioning), and logging sufficient to prove "who accessed what and when" during an audit.
Design an IAM approach that maps to the Practice
Design around a few core principles: least privilege, unique user identities (no shared logins), multi-factor authentication for all interactive accounts, automated provisioning/deprovisioning linked to HR, and logging/alerting for sign-in events. In the Compliance Framework documentation, map each technical control to a policy, a procedure, a responsible owner, and a piece of evidence. For example: an "Account Management" procedure (who creates accounts) maps to IAM groups/configurations (technical control) and to evidence (exported user list, onboarding tickets, deprovisioning timestamps).
Implementation examples and concrete configurations
AWS IAM (small-business setup)
Start by removing long-term root usage: enable hardware MFA for the account root and create an admin IAM user for emergency use. Create groups for roles (e.g., "Employees", "IT-Admins", "Contractors") and attach least-privilege policies (use AWS managed or custom policies scoped to specific actions and resources). Enforce the MFA requirement by attaching an IAM policy that denies actions unless MFA is present, and enable IAM Access Analyzer. Turn on AWS CloudTrail for all regions and send logs to a centralized S3 bucket with object lock (or an appropriate lifecycle policy), and enable AWS Config rules such as iam-password-policy and require-mfa-for-root. Evidence for audit: IAM user export (CSV), MFA devices list, CloudTrail sign-in logs for the audit period, and IAM policy version history.
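As an added illustration (not code from the original post), this builds the AWS-documented "deny everything except MFA self-service unless MFA is present" policy and pairs it with a small evaluator for that single statement. The evaluator is an assumption for comparing the hardened BoolIfExists operator against the weaker Bool operator offline; it is not an IAM policy engine and makes no AWS calls.

```python
import json

# Actions a user must still be allowed to call so they can enrol their own MFA device.
MFA_SELF_SERVICE_ACTIONS = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices",
    "iam:ResyncMFADevice", "sts:GetSessionToken",
]

def deny_unless_mfa_policy(operator: str = "BoolIfExists") -> dict:
    """Build the deny-unless-MFA policy document.

    'BoolIfExists' is the hardened form: a request that carries no
    aws:MultiFactorAuthPresent context key at all (long-term access keys
    used directly against the API) is still denied. Plain 'Bool' is the weak
    form: a missing key never matches, so key-based API calls slip through.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAllExceptMfaSetupIfNoMFA",
            "Effect": "Deny",
            "NotAction": MFA_SELF_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {operator: {"aws:MultiFactorAuthPresent": "false"}},
        }],
    }

def is_denied(policy: dict, action: str, mfa_key) -> bool:
    """Evaluate only this Deny statement (assumed helper, not AWS's evaluator).

    mfa_key is True or False when the context key is present, or None when the
    request carries no key (the long-term access key case).
    """
    stmt = policy["Statement"][0]
    if action in stmt["NotAction"]:
        return False                        # NotAction exempts the MFA setup calls
    (operator, cond), = stmt["Condition"].items()
    expected = cond["aws:MultiFactorAuthPresent"] == "true"
    if mfa_key is None:
        return operator == "BoolIfExists"   # IfExists: absent key matches; Bool: no match
    return mfa_key == expected

if __name__ == "__main__":
    print(json.dumps(deny_unless_mfa_policy(), indent=2))
```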
Azure AD / Microsoft Entra
For Office 365-centric small businesses, make Azure AD the identity source. Enforce Conditional Access policies: block legacy authentication, require MFA for all interactive logins (or at minimum for privileged roles), and require device compliance or specific trusted IP ranges for administrative access. Use Azure AD Identity Protection to detect risky sign-ins, and retain sign-in logs and audit logs in Log Analytics / Sentinel, or at least export them to a secure storage account. Implement dynamic groups and SCIM provisioning for SaaS apps where supported. Evidence: Conditional Access policy screenshots/exports, sign-in logs with MFA claims, group membership exports, and a documented on/offboarding workflow correlated with HR records.
Okta / Google Workspace / SSO providers
If you use an identity provider (IdP) like Okta or Google Workspace, enforce 2-step verification for all users, enable app-level MFA requirements for SSO apps, and use SCIM to provision/deprovision accounts to downstream applications. Configure alerts for suspicious activity, disable legacy auth protocols where possible, and require context-aware access (e.g., geo/IP restrictions) for sensitive apps. Keep a record of provisioning approvals and automated deprovisioning events for audit trails.
Operational controls: daily/weekly/monthly tasks and audit evidence
Operationalize the technical controls: automate onboarding/offboarding (SCIM or scripted playbooks tied to HR tickets); run weekly checks that there are no active accounts without MFA; schedule quarterly access reviews where managers attest to user roles; and keep logs for sign-ins and admin actions for the audit window. For evidence, auditors expect: exported user lists with join/leave dates, MFA status snapshots, access review outputs (signed or logged attestations), configuration exports (e.g., JSON/XML of your Conditional Access / IAM policy set), and sign-in logs showing user authentication and MFA challenge events. Store these artifacts in a tamper-evident place (versioned document store or secure cloud bucket) and reference them in your Compliance Framework control mapping.
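The weekly "no active accounts without MFA" check above, as an added example that is not part of the original post. It reads a credential report in the column layout AWS's IAM credential report uses; the sample report is constructed (real reports carry more columns than the ones shown, and the account ID is a placeholder), and the stale-login threshold is an assumed 90 days.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the layout of an IAM credential report; only the columns
# this check reads are included. The account ID 123456789012 is a placeholder.
SAMPLE_REPORT = """user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date
<root_account>,arn:aws:iam::123456789012:root,2022-01-10T09:00:00+00:00,not_supported,2024-05-01T08:12:00+00:00,true,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2023-03-02T10:00:00+00:00,true,2024-05-20T07:30:00+00:00,true,false,N/A
bob,arn:aws:iam::123456789012:user/bob,2023-06-15T10:00:00+00:00,true,2024-05-19T16:05:00+00:00,false,false,N/A
ci-deploy,arn:aws:iam::123456789012:user/ci-deploy,2023-08-01T10:00:00+00:00,false,no_information,false,true,2024-05-21T02:00:00+00:00
contractor-eve,arn:aws:iam::123456789012:user/contractor-eve,2023-09-01T10:00:00+00:00,true,2024-01-05T11:00:00+00:00,true,false,N/A
"""

def find_findings(report_csv: str, now: datetime, stale_days: int = 90) -> dict:
    """Return {user: [finding, ...]} for console users (and root) without MFA and
    for console users idle longer than stale_days (orphaned-account candidates).
    Key-only users such as CI identities are not flagged for MFA here."""
    findings = {}
    for row in csv.DictReader(io.StringIO(report_csv)):
        issues = []
        console = row["password_enabled"] == "true"
        is_root = row["user"] == "<root_account>"
        if (console or is_root) and row["mfa_active"] != "true":
            issues.append("no-mfa")
        last = row["password_last_used"]
        if console and last not in ("no_information", "N/A"):
            if now - datetime.fromisoformat(last) > timedelta(days=stale_days):
                issues.append("stale-console-login")
        if issues:
            findings[row["user"]] = issues
    return findings

def run_check(report_csv: str = SAMPLE_REPORT,
              as_of: str = "2024-05-22T00:00:00+00:00", stale_days: int = 90) -> dict:
    """Convenience wrapper: evaluate the report as of a fixed timestamp."""
    return find_findings(report_csv, datetime.fromisoformat(as_of), stale_days)

if __name__ == "__main__":
    for user, issues in run_check().items():
        print(f"{user}: {', '.join(issues)}")
```

Save the output of each weekly run with its date as the MFA status snapshot auditors ask for.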
Real-world small-business scenarios and pragmatic trade-offs
Example 1: A 25-person subcontractor using Microsoft 365 can meet IA.L1-B.1.VI by enabling baseline Conditional Access, enforcing MFA for all employees, linking onboarding to Azure AD provisioning, and keeping sign-in logs for the audit period. Example 2: A 10-person firm on AWS with several contractors should disable root API keys, require MFA, create role-based groups, and use AWS CloudTrail & Config to detect changes, documenting each contractor's start/end dates with ticketed approvals. For firms with limited budgets, prioritize MFA, unique accounts, and logs first; these give the most compliance value for little cost.
Risk of not implementing the control (and mitigation tips)
Failing to implement IA.L1-B.1.VI exposes you to unauthorized access, CUI exfiltration, loss of contracts, reputational harm, and possible contractual penalties. Specific technical risks include compromised shared accounts, credential stuffing on accounts without MFA, and no forensic trail to show who accessed data during an incident. Mitigations: enforce MFA, eliminate shared credentials, automate deprovisioning (reduce orphaned accounts), and keep a retention policy for logs that supports audit windows, plus a simple incident response runbook that references your IAM evidence stores.
In summary, meeting FAR 52.204-21 / CMMC 2.0 Level 1 IA.L1-B.1.VI is achievable for small businesses by combining clear procedures (account lifecycle, access reviews), practical IAM configurations (unique IDs, MFA, conditional access, disabling legacy auth), and retained evidence (user exports, MFA status, logs). Implement these controls incrementally: prioritize unique IDs and MFA, add automated provisioning/deprovisioning, enable logging/alerts, and maintain a Compliance Framework mapping and evidence repository to streamline audits.