This post explains a practical, implementable approach to using multi-factor authentication (MFA), single sign‑on (SSO), and device certificates to meet the access control and authentication expectations of FAR 52.204-21 and CMMC 2.0 Level 1 (assessment objective IA.L1-B.1.V), with step-by-step advice tailored for small businesses operating under the Compliance Framework.
At a high level, FAR 52.204-21 demands basic safeguarding of federal contract information (FCI) in contractor systems, and CMMC 2.0 Level 1 focuses on basic cyber hygiene, including identity and authentication controls. IA.L1-B.1.V maps to ensuring authenticated access using multi-factor mechanisms and device verification where applicable. The combination of an IdP-based SSO, strong MFA methods, and device certificates provides layered assurance: you validate who the user is (MFA), where they are logging in from (SSO + conditional access), and whether the device itself is trusted (device certificates / mutual TLS).
Architecture and components to implement
Design a simple architecture with four core components: 1) Identity Provider (IdP) / SSO (SAML/OIDC) as central authentication and policy engine, 2) MFA platform supporting phishing‑resistant methods (FIDO2, hardware tokens, TOTP apps), 3) Device management / UEM (Intune, Jamf, Workspace ONE) to provision and manage device certificates, and 4) PKI (internal CA or vendor-managed) for issuing and revoking client/device certificates used for VPN, Wi‑Fi (EAP‑TLS), and mutual TLS to internal web apps. Connect applications to the IdP so you can enforce consistent MFA and session policies centrally.
Step-by-step implementation for a small business
Follow these pragmatic steps: (1) Select an IdP: Azure AD, Okta, or Google Workspace for SSO; for most small businesses, Azure AD Basic/P1 or Okta core provides the needed features. (2) Enable SSO across cloud apps via SAML/OIDC and require federation rather than app-specific credentials. (3) Turn on MFA for all user accounts and enforce it at authentication time; prefer phishing-resistant factors: FIDO2/WebAuthn keys (YubiKey, platform authenticators) or certificate-based auth; TOTP apps (Authenticator, Google Authenticator) are acceptable as a fallback; avoid SMS OTP. (4) Deploy a UEM/MDM solution to enroll company devices and automate certificate provisioning (SCEP/EST). (5) Stand up a small PKI (Microsoft AD CS or a hosted PKI service) and create device certificate templates with appropriate lifetimes (e.g., 1 year) and key protection flags (require the private key to be non-exportable, use TPM-backed keys when possible). (6) Configure VPN and Wi‑Fi to require client certificates (EAP‑TLS) or configure mutual TLS for internal web services. (7) Use Conditional Access policies (or equivalent) to require a compliant device and MFA for access to sensitive apps or contractor data.
Technical specifics to track during implementation: configure SAML AuthnContext or OIDC authentication policies so the IdP asserts that MFA was performed (so relying parties can require it). For Azure AD, require "Strong authentication" or "MFA" in Conditional Access policies; for Okta, configure sign-on policies to require MFA and assign to groups. For device certificates: use SCEP/EST for automated enrollment via MDM; set certificate subject names to include device identifiers (e.g., CN=HOSTNAME, SAN=deviceid@company.com) so logs can tie sessions to specific hardware. Store keys in TPM or secure enclave and enable certificate template flags to prevent export.
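As an added example (not from the original post), here is a relying-party check that reads what the IdP asserted, the OIDC `amr` claim or the SAML AuthnContextClassRef, and maps it onto the preference order above (phishing-resistant, TOTP fallback, no SMS). The strong/fallback/reject tiering of method names is this example's own policy assumption, the token builder produces a constructed unsigned token, and signature, issuer, audience and expiry validation are assumed to happen earlier in your OIDC/SAML library.

```python
import base64
import json
import xml.etree.ElementTree as ET

# Relying-party policy for the methods an IdP asserts. "amr" values follow RFC 8176; the
# strong/fallback/reject tiering is this example's own policy (mirroring the post), not a standard.
PHISHING_RESISTANT = {"hwk", "sc"}   # hardware-bound key (FIDO2/WebAuthn), smart card / certificate
FALLBACK = {"otp", "swk"}            # TOTP app or software-bound key, accepted as a second factor
REJECTED = {"sms", "tel"}            # SMS / voice codes are not accepted at all
SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SAML_STRONG = {"urn:oasis:names:tc:SAML:2.0:ac:classes:SmartcardPKI",
               "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"}
SAML_FALLBACK = {"urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken"}

def classify_amr(amr):
    """Map the asserted methods to 'strong', 'fallback' or 'reject'."""
    amr = set(amr)
    if amr & REJECTED:                                # any SMS/voice step disqualifies the session
        return "reject"
    if amr & PHISHING_RESISTANT:
        return "strong"
    if "mfa" in amr or ("pwd" in amr and amr & FALLBACK):   # generic MFA flag, or pwd + 2nd factor
        return "fallback"
    return "reject"                                   # single factor or unknown methods

def classify_id_token(id_token):
    """Classify an OIDC ID token by its amr claim. Assumes signature, issuer, audience and
    expiry were already verified by the OIDC library; only the payload claims are read here."""
    payload = id_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)              # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return classify_amr(claims.get("amr", []))

def classify_saml_assertion(assertion_xml):
    """Classify a SAML assertion by its AuthnContextClassRef (signature assumed verified)."""
    ref = ET.fromstring(assertion_xml).findtext(
        ".//saml:AuthnContextClassRef", default="", namespaces=SAML_NS)
    if ref in SAML_STRONG:
        return "strong"
    if ref in SAML_FALLBACK:
        return "fallback"
    return "reject"                                   # e.g. PasswordProtectedTransport = password only

def unsigned_token(claims):
    """Build a constructed, unsigned JWT-shaped token for this demonstration only."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}."
```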
Certificate lifecycle and revocation are critical: establish automated renewal (provision device certificates with a short validity of 6–12 months) and publish revocation status, either through an OCSP responder or a CRL that your VPN, RADIUS, and web servers can reach, so that certificates for lost or stolen devices can be revoked promptly. If you use Microsoft AD CS, configure Authority Information Access (AIA) and CRL distribution points accessible to clients. If you choose a hosted PKI, verify that it provides robust revocation and API-driven issuance.
Logging, monitoring, and evidence collection are essential for demonstrating compliance: enable sign-in and MFA logs in the IdP, audit certificate issuance in the CA, and collect device compliance events from the MDM. Forward these logs to a SIEM or even a simple log archive (S3/Blob + lifecycle policy) and retain per-contract retention guidance — conservative practice is to keep at least 12 months of authentication and certificate activity for audit purposes. For each control, generate policy documents and step-by-step runbooks describing enrollment, deprovisioning, and emergency "break-glass" procedures (with strong oversight and logging for break-glass use).
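An added example, not from the original post, of the kind of evidence review described above: it joins constructed IdP sign-in, CA issuance and MDM compliance records and flags sessions to a sensitive app that lack MFA, an enrolled and compliant device, or an unrevoked device certificate whose CN matches the device the session came from. The field names and sample values are this example's own; real IdP, CA and MDM exports would be mapped onto them.

```python
import json

# Constructed sample records modelled on IdP sign-in, CA issuance and MDM compliance
# exports; the field names are this example's own, so map your real exports onto them.
IDP_SIGNINS = """
{"user": "alice@example.com", "app": "code-repo", "device_id": "LAPTOP-01", "cert_serial": "1001", "mfa": true}
{"user": "bob@example.com", "app": "code-repo", "device_id": "LAPTOP-02", "cert_serial": "1002", "mfa": false}
{"user": "carol@example.com", "app": "code-repo", "device_id": "LAPTOP-03", "cert_serial": "1003", "mfa": true}
{"user": "dave@example.com", "app": "code-repo", "device_id": "LAPTOP-09", "cert_serial": null, "mfa": true}
{"user": "erin@example.com", "app": "wiki", "device_id": "LAPTOP-04", "cert_serial": null, "mfa": false}
""".strip().splitlines()
CA_ISSUANCE = """
{"serial": "1001", "cn": "LAPTOP-01", "san": "LAPTOP-01@example.com", "revoked": false}
{"serial": "1002", "cn": "LAPTOP-05", "san": "LAPTOP-05@example.com", "revoked": false}
{"serial": "1003", "cn": "LAPTOP-03", "san": "LAPTOP-03@example.com", "revoked": true}
""".strip().splitlines()
MDM_COMPLIANCE = """
{"device_id": "LAPTOP-01", "compliant": true}
{"device_id": "LAPTOP-02", "compliant": true}
{"device_id": "LAPTOP-03", "compliant": false}
""".strip().splitlines()
SENSITIVE_APPS = {"code-repo"}   # apps that must see MFA + compliant device + valid device cert

def review_sign_ins(signin_lines, ca_lines, mdm_lines, sensitive_apps=SENSITIVE_APPS):
    """Return (user, app, reason) findings for sign-ins to sensitive apps that miss the
    Conditional Access intent: MFA asserted, enrolled and compliant device, and an unrevoked
    device certificate whose subject CN names the device the session came from."""
    certs = {c["serial"]: c for c in map(json.loads, ca_lines)}
    compliant = {d["device_id"]: d["compliant"] for d in map(json.loads, mdm_lines)}
    findings = []
    for s in map(json.loads, signin_lines):
        if s["app"] not in sensitive_apps:        # non-sensitive apps are out of scope here
            continue
        reasons = []
        if not s["mfa"]:
            reasons.append("no MFA asserted")
        if s["device_id"] not in compliant:
            reasons.append("device not enrolled in MDM")
        elif not compliant[s["device_id"]]:
            reasons.append("device non-compliant")
        cert = certs.get(s["cert_serial"])        # ties the session to issued hardware
        if cert is None:
            reasons.append("no known device certificate")
        elif cert["revoked"]:
            reasons.append("device certificate revoked")
        elif cert["cn"] != s["device_id"]:
            reasons.append("certificate subject does not match device")
        findings.extend((s["user"], s["app"], r) for r in reasons)
    return findings
```

Run monthly over the exported logs, the returned findings are the exception list to attach to the access review report; an empty list is the positive evidence that the policy held.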
Real-world scenarios for small businesses: Example A — a 30-person subcontractor implements Azure AD SSO, enrolls devices with Intune, issues machine certs via AD CS for VPN and Wi‑Fi, and issues FIDO2 keys to administrators; they enforce Conditional Access requiring device compliance + MFA for any access to code repositories. Example B — a small engineering firm uses Okta with an integrated PKI vendor to provide client certs for mutual TLS on internal apps and mandates authenticator app MFA for remote logins; they keep evidence in a shared compliance folder with screenshots of IdP policies, cert templates, and a monthly access review report. Both setups can be implemented in weeks with modest monthly costs for IdP and MDM subscriptions.
The risks of not implementing these controls are significant: credential theft from phishing or password reuse, unauthorized access to FCI, loss of contracts or debarment, and real-world breaches that lead to financial and reputational damage. From a compliance perspective, failing to show consistent MFA enforcement, documented device enrollment, and certificate management during an audit puts you at risk of contract penalties or being ineligible for future work requiring basic cyber hygiene.
Practical compliance tips and best practices: document policies (enrollment, deprovisioning, certificate issuance), use phishing‑resistant MFA where possible, centralize authentication with SSO to reduce credential sprawl, minimize exceptions and review them quarterly, automate provisioning/deprovisioning (IdP + HR integration), implement least privilege access, and regularly test revocation and break-glass workflows. For evidence, capture configuration screenshots, export IdP and MDM reports, and store a versioned policy bundle in your compliance repository.
In summary, a small business can meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V expectations by combining a centralized IdP/SSO, strong MFA (preferably phishing‑resistant), and device certificates provisioned and managed by an MDM/PKI solution. Implement these components with clear policies, automated workflows for enrollment/termination, robust logging, and regular reviews to provide both real security benefits and the auditable evidence auditors expect under the Compliance Framework.