
Step-by-step checklist for limiting system access to authorized users, processes, and devices — FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.I

A practical, step-by-step checklist to implement FAR 52.204-21 / CMMC 2.0 Level 1 access controls that limit system access to authorized users, processes, and devices for small businesses.

April 05, 2026
4 min read


This post provides a practical, step-by-step checklist to meet FAR 52.204-21 and CMMC 2.0 Level 1 control AC.L1-B.1.I — limiting system access to authorized users, processes, and devices — with actionable configuration notes, small-business examples, and compliance tips tailored to the Compliance Framework context.

Step-by-step checklist (high level)

1) Inventory and classify: start by creating an authoritative inventory of users, endpoints (laptops, servers, printers, mobile devices), network devices, and business processes that access controlled systems. Use a simple CMDB/spreadsheet or an inventory tool (SCCM/Intune, GLPI, OCS-NG) and mark which assets handle Controlled Unclassified Information (CUI).

2) Define access roles and mapping: create a minimal set of roles mapped to job functions (RBAC). Document which users/processes are authorized for each role and which devices are permitted (e.g., corporate-managed laptops only).

3) Enforce identity and authentication: require unique IDs for all users; enforce multi-factor authentication (MFA) for interactive and administrative access (use Azure AD MFA, Duo, or a similar service). Configure session timeouts and password/credential policies consistent with the Compliance Framework and your organization's policy.

4) Device authorization and enrollment: enroll devices in an MDM (Intune, Jamf) or implement certificate-based device authentication (802.1X with RADIUS). Block unmanaged devices from accessing internal resources using NAC or conditional access policies.

5) Process and application controls: implement application allowlisting to limit which processes can run on endpoints and servers. On Windows use AppLocker or Microsoft Defender Application Control (MDAC); on Linux use SELinux, AppArmor, or systemd unit hardening. Combine with EDR/AV configured to block execution of unsigned binaries and scripts from non-approved locations.

6) Network segmentation and access control: implement VLANs and ACLs on switches/routers to separate CUI systems from general user networks, and configure firewall rules to restrict inbound/outbound flows to required services only (e.g., allow SMB only from the file server VLAN to the backup server, and disallow peer-to-peer file sharing across VLANs).

7) Privilege management and least privilege: restrict local admin rights using centralized management (on Windows, remove standing membership in the local Administrators group via Group Policy Preferences and use LAPS to randomize and rotate the built-in local administrator password; on Linux use limited sudoers entries). Use just-in-time or approval-based elevation for admin tasks where feasible.

8) Logging, monitoring, and periodic review: centralize logs (Windows Event Forwarding, syslog to Elastic/Graylog/Splunk) and review access logs for anomalies; implement a scheduled access review process (quarterly) to remove stale accounts and decommissioned devices.

Implementation notes specific to Compliance Framework

Under the Compliance Framework approach, map each checklist item to the required control language and evidence types: inventory spreadsheets, role matrices, MDM enrollment screenshots, MFA configuration reports, AppLocker/SELinux policy files, firewall ACL exports, and access review minutes. Use baseline configuration templates (e.g., Windows GPO exports or Linux CIS benchmarks) as implementation evidence, and store evidence in a controlled repository (versioned and access-controlled) for audits and FAR 52.204-21 contract obligations.

Real-world small-business scenario

Example: a 25-person engineering firm with a mix of remote and on-site staff. Step 1: the firm uses Microsoft 365 with Azure AD and Intune. They inventory 30 endpoints in a simple spreadsheet and tag 8 machines that process CUI. Step 2: they create RBAC roles (Engineer, Contractor, Admin) and restrict CUI access to Engineers only. Step 3: they enforce Azure AD MFA and a conditional access policy that requires Intune device compliance. Step 4: application allowlisting is implemented using AppLocker for Windows endpoints and SELinux policies on the on-prem Linux file server. Network segmentation is achieved with a managed router (one VLAN for the office, one VLAN for CUI systems) and RADIUS authentication for Wi‑Fi. Logs are forwarded to a low-cost cloud SIEM (Elastic Cloud) for weekly review. This approach uses commercially available tools and minimal staff time while producing clear evidence for compliance reviewers.
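The quarterly access review from checklist step 8, run over the scenario's role matrix (step 2), MFA status (step 3) and device-compliance data (step 4), as an added example that is not part of the original post. The record layout and field names are assumptions rather than any directory or MDM vendor's export schema, and the sample records are constructed.

```python
from datetime import date

# Role matrix (step 2): only these roles may access CUI systems.
CUI_ROLES = {"Engineer", "Admin"}
STALE_DAYS = 90  # step 8: accounts idle longer than this are flagged as stale

# Constructed sample records (not real data); field names are assumptions,
# not any directory/MDM vendor's export schema.
USERS = [
    {"id": "alice", "role": "Engineer",   "mfa": True,  "last_logon": "2026-03-28", "enabled": True},
    {"id": "bob",   "role": "Contractor", "mfa": False, "last_logon": "2026-03-30", "enabled": True},
    {"id": "carol", "role": "Engineer",   "mfa": False, "last_logon": "2026-04-01", "enabled": True},
    {"id": "dave",  "role": "Engineer",   "mfa": True,  "last_logon": "2025-11-15", "enabled": True},
    {"id": "erin",  "role": "Engineer",   "mfa": True,  "last_logon": "2025-06-01", "enabled": False},
]
DEVICES = [
    {"id": "LT-01", "owner": "alice", "mdm_enrolled": True,  "compliant": True,  "cui": True},
    {"id": "LT-02", "owner": "bob",   "mdm_enrolled": False, "compliant": False, "cui": True},
    {"id": "LT-03", "owner": "carol", "mdm_enrolled": True,  "compliant": False, "cui": False},
]

def review(users, devices, today):
    """Return (finding, subject) pairs a reviewer would act on."""
    findings = []
    role_of = {u["id"]: u["role"] for u in users}
    for u in users:
        if not u["enabled"]:          # already deprovisioned: nothing to review
            continue
        idle = (today - date.fromisoformat(u["last_logon"])).days
        if idle > STALE_DAYS:
            findings.append(("stale-account", u["id"]))
        if u["role"] in CUI_ROLES and not u["mfa"]:
            findings.append(("cui-user-without-mfa", u["id"]))
    for d in devices:
        if not d["cui"]:              # non-CUI devices are out of scope for this check
            continue
        if role_of.get(d["owner"]) not in CUI_ROLES:
            findings.append(("cui-device-unauthorized-owner", d["id"]))
        if not (d["mdm_enrolled"] and d["compliant"]):
            findings.append(("cui-device-not-compliant", d["id"]))
    return findings

def run_sample():
    """Review the constructed records as of the post's publication date."""
    return review(USERS, DEVICES, date(2026, 4, 5))

if __name__ == "__main__":
    for kind, subject in run_sample():
        print(f"{kind}: {subject}")
```

The list the function returns is the artifact to file as access review minutes; each line names the account or device to disable, re-enroll, or re-assign.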

Compliance tips, best practices, and risk of not implementing

Tips: automate enrollment and deprovisioning where possible (Azure AD Connect, Intune Autopilot), enforce device compliance checks before granting access (conditional access policies), and use certificates for machine authentication rather than MAC addresses. Best practices include enforcing MFA for all users with access to CUI, requiring firmware and OS patching on enrolled devices, and documenting all access decisions in role/access matrices. Risk: failing to limit access increases the attack surface — unauthorized users or processes can exfiltrate CUI, enable lateral movement for ransomware, or cause loss of contract eligibility under FAR 52.204-21. Non-compliance may lead to contract sanctions, reputational damage, and potential loss of future federal work.

In summary, meeting AC.L1-B.1.I under FAR 52.204-21 / CMMC 2.0 Level 1 is practical for small businesses when approached methodically: inventory assets, define least-privilege roles, enforce MFA and device enrollment, apply application allowlisting, segment networks, and maintain logging and periodic reviews. Each step produces tangible evidence for auditors and materially reduces the risk of unauthorized access to systems and CUI.
