This checklist-style guide walks through configuring authentication controls to meet FAR 52.204-21(b)(1)(vi) and the CMMC 2.0 Level 1 practice IA.L1-B.1.VI (the same practice appears as IA.L1-3.5.2, Authentication, in the CMMC Level 1 assessment guide), with practical steps a small business can implement today to protect Federal Contract Information (FCI) and demonstrate compliance.
Understanding the requirement and key objectives
At a high level, FAR 52.204-21 paragraphs (b)(1)(v) and (b)(1)(vi), and the matching CMMC Level 1 practices, require basic cyber hygiene around identification and authentication: uniquely identify users, processes acting on behalf of users, and devices, and authenticate (or verify) those identities before granting access to systems that process or store Federal Contract Information (FCI). Key objectives are: (1) ensure only authorized people can access contractor systems, (2) configure authentication strongly enough that a guessed or stolen password alone does not grant remote or privileged access, which in practice means MFA, (3) centrally manage account lifecycle and authentication settings, and (4) produce configuration and audit evidence for assessment. Note that Level 1 does not mandate MFA; it becomes a requirement at Level 2 (IA.L2-3.5.3). This guide treats it as the baseline anyway, because it is the cheapest control that makes objective (2) defensible and it avoids rework if you later handle CUI.
Implementation notes: scoping and identity architecture
Start by scoping the systems that process, store, or transmit FCI (if the same systems also handle CUI, Level 2 applies and the controls below are a subset of what you need) and define an identity architecture in your compliance documentation (the system security plan, if you keep one): an authoritative identity provider (IdP) such as Microsoft Entra ID (formerly Azure AD), Okta, or on-prem Active Directory, plus standards for authentication strength, password policy, MFA rollout, and privileged account management. Document where identities exist (cloud SaaS, Windows domains, Linux servers, VPN appliances, network equipment) and map each to an authentication control owner responsible for configuration and evidence collection. Any system whose accounts are local rather than federated (a NAS, a VPN appliance with its own user database) is the most likely place for a shared or orphaned account to survive, so list those explicitly.
Technical configuration recommendations (examples you can implement)
Concrete settings that satisfy basic authentication controls: enforce unique user IDs; set minimum password length to at least 12 characters (encourage passphrases), block known compromised or common passwords with a banned-password list (Microsoft Entra Password Protection enforces one for cloud accounts and, with its on-prem agent, for Active Directory), and allow long passphrases (64+ characters) where supported. For on-prem Windows, set the domain password policy in the Default Domain Policy GPO (domain accounts only take password settings from there, or from a fine-grained password policy): Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies → Password Policy (minimum length 12, complexity enabled, history 24). For Linux servers, make sure local credentials are hashed with yescrypt or SHA-512 (ENCRYPT_METHOD in /etc/login.defs and the pam_unix password line) and configure pam_faillock to throttle guessing: deny=5 and unlock_time=900, set in /etc/security/faillock.conf on current pam_faillock or as options on the pam_faillock lines on older versions. For SSH, disable password authentication (PasswordAuthentication no), require key-based authentication, and add a second factor for remote administration: either FIDO2-backed SSH keys (ed25519-sk, OpenSSH 8.2+) or a PAM integration such as Duo with AuthenticationMethods publickey,keyboard-interactive, so that both the key and the second factor are required.
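Putting the Linux settings above into one check, as an added example that is not part of this guide: the script reads an sshd_config-style file and a faillock.conf, reports each setting against the baseline, and prints the hardened fragments to apply. The drop-in path /etc/ssh/sshd_config.d/50-cmmc-auth.conf, the faillock values, and the weak/hardened sample files it exercises at the end are assumptions. The audit reads a single file; on a live host compare with `sshd -T`, which resolves Include and Match blocks.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: audit a Linux host's SSH and
# PAM lockout settings against the baseline above and print the hardened
# fragments to apply. File paths, the drop-in name and the sample configs used
# in the demo at the bottom are assumptions; adjust to your distribution.
set -u

# First non-comment value of KEY in an sshd_config-style FILE, lowercased.
# sshd honours the first occurrence, so stop at the first hit. Prints nothing
# when the key is absent; the caller then substitutes sshd's compiled default.
sshd_val() {
  awk -v k="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" \
    '$1 !~ /^#/ && tolower($1) == k { print tolower($2); exit }' "$1"
}

# Value of KEY in a "key = value" file such as /etc/security/faillock.conf.
kv_val() {
  awk -F= -v k="$2" '$0 !~ /^[[:space:]]*#/ {
      gsub(/[[:space:]]/, "", $1); gsub(/[[:space:]]/, "", $2)
      if ($1 == k) { print $2; exit } }' "$1"
}

AUDIT_FAILS=0
_check() {   # _check 0|1 MESSAGE  (0 = pass); counts failures in AUDIT_FAILS
  if [ "$1" -eq 0 ]; then echo "PASS: $2"; else echo "FAIL: $2"; AUDIT_FAILS=$((AUDIT_FAILS+1)); fi
}

# audit_auth SSHD_CONFIG FAILLOCK_CONF
# One PASS/FAIL line per check; the return value is the number of failures, so
# 0 means the file matches the baseline. Defaults in the ${v:-...} fallbacks
# are sshd's own compiled defaults for an absent keyword.
audit_auth() {
  local sshd=$1 fl=$2 v ok
  AUDIT_FAILS=0
  v=$(sshd_val "$sshd" PasswordAuthentication); ok=0; [ "${v:-yes}" = no ] || ok=1
  _check $ok "PasswordAuthentication=${v:-yes} (want no)"
  v=$(sshd_val "$sshd" PubkeyAuthentication); ok=0; [ "${v:-yes}" = yes ] || ok=1
  _check $ok "PubkeyAuthentication=${v:-yes} (want yes)"
  v=$(sshd_val "$sshd" KbdInteractiveAuthentication); ok=0; [ "${v:-yes}" = yes ] || ok=1
  _check $ok "KbdInteractiveAuthentication=${v:-yes} (want yes, needed for PAM-based MFA)"
  v=$(sshd_val "$sshd" AuthenticationMethods); ok=1
  case "${v:-any}" in *publickey,keyboard-interactive*) ok=0 ;; esac
  _check $ok "AuthenticationMethods=${v:-any} (want publickey,keyboard-interactive: key AND second factor)"
  v=$(kv_val "$fl" deny); ok=0; { [ -n "$v" ] && [ "$v" -le 5 ]; } || ok=1
  _check $ok "faillock deny=${v:-unset} (want <= 5)"
  v=$(kv_val "$fl" unlock_time); ok=0; { [ -n "$v" ] && [ "$v" -ge 900 ]; } || ok=1
  _check $ok "faillock unlock_time=${v:-unset} (want >= 900 seconds)"
  return $AUDIT_FAILS
}

# Drop-in for OpenSSH on distributions whose sshd_config contains
# `Include /etc/ssh/sshd_config.d/*.conf`; otherwise merge into sshd_config.
hardened_sshd_fragment() {
  cat <<'EOF'
# /etc/ssh/sshd_config.d/50-cmmc-auth.conf
PasswordAuthentication no
PubkeyAuthentication yes
UsePAM yes
KbdInteractiveAuthentication yes
# Require a key AND the PAM second factor (e.g. pam_duo) for every login.
AuthenticationMethods publickey,keyboard-interactive
EOF
}

# Throttling values from the guide (5 attempts, 15-minute unlock).
# Debian/Ubuntu: add the pam_faillock lines to /etc/pam.d/common-auth;
# RHEL/Fedora: `authselect enable-feature with-faillock` wires them in.
hardened_faillock_conf() {
  cat <<'EOF'
# /etc/security/faillock.conf
deny = 5
unlock_time = 900
fail_interval = 900
audit
EOF
}

# Demo on constructed files (weak vs hardened) so the script runs offline.
tmp=$(mktemp -d)
printf 'PasswordAuthentication yes\nPermitRootLogin yes\n' > "$tmp/sshd_weak"
printf 'deny = 10\nunlock_time = 60\n' > "$tmp/faillock_weak"
hardened_sshd_fragment > "$tmp/sshd_hard"
hardened_faillock_conf > "$tmp/faillock_hard"
echo "== weak =="; audit_auth "$tmp/sshd_weak" "$tmp/faillock_weak" || echo "failures: $?"
echo "== hardened =="; audit_auth "$tmp/sshd_hard" "$tmp/faillock_hard" && echo "baseline met"
rm -rf "$tmp"
```

Run it as root against the real files (`audit_auth /etc/ssh/sshd_config /etc/security/faillock.conf`) after applying the fragments, and keep the PASS/FAIL output with the evidence bundle; the exit status makes it usable from a cron job or CI check that fails when a host drifts.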
MFA deployment and conditional application
Require multi-factor authentication for all remote access, administrative roles, and external-facing applications. For small businesses on Microsoft 365: create a Microsoft Entra Conditional Access policy that requires MFA for all users and all cloud apps, excluding trusted named locations (your office egress IPs) if you choose, plus a second policy for the "Administrators" group that applies from every location. Exclude one or two break-glass accounts from every Conditional Access policy and alert on their use, so a broken MFA provider cannot lock you out of the tenant; start each policy in report-only mode and review the sign-in log before enforcing it. Prefer phishing-resistant MFA (FIDO2 security keys or device-bound passkeys) for privileged accounts; at minimum use authenticator-app push with number matching or TOTP for standard users. If you have a VPN, front it with your IdP, either through RADIUS (Windows NPS with the Microsoft Entra multifactor authentication NPS extension) or through a SAML-capable gateway, so MFA is enforced at the VPN access layer rather than by local accounts on the appliance.
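The two Conditional Access policies described above, expressed as Microsoft Graph request bodies (an added example, not from this guide or from Microsoft). It assumes a bearer token in GRAPH_TOKEN with the Policy.ReadWrite.ConditionalAccess permission and the object IDs of a break-glass group and the Administrators group in BREAKGLASS_GROUP and ADMIN_GROUP; the policy names and the lint_policy guard are additions of this example. Without a token it only prints the bodies, which is also a convenient way to file them as evidence.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: build the two Conditional
# Access policies as Microsoft Graph request bodies and create them in
# report-only mode. Assumptions: $GRAPH_TOKEN holds a bearer token with
# Policy.ReadWrite.ConditionalAccess; $BREAKGLASS_GROUP and $ADMIN_GROUP are
# the object IDs of your emergency-access and administrators groups.
set -u
GRAPH=https://graph.microsoft.com/v1.0
BREAKGLASS_GROUP=${BREAKGLASS_GROUP:-replace-with-break-glass-group-object-id}
ADMIN_GROUP=${ADMIN_GROUP:-replace-with-admin-group-object-id}

# Policy 1: MFA for every user and every application when the sign-in does not
# come from a trusted named location. The break-glass group is excluded so a
# broken MFA provider cannot lock the tenant.
policy_all_users_mfa() {   # policy_all_users_mfa BREAKGLASS_GROUP_ID
  cat <<EOF
{
  "displayName": "CA01 - Require MFA for all users outside trusted networks",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeUsers": ["All"], "excludeGroups": ["$1"] },
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["all"],
    "locations": { "includeLocations": ["All"], "excludeLocations": ["AllTrusted"] }
  },
  "grantControls": { "operator": "OR", "builtInControls": ["mfa"] }
}
EOF
}

# Policy 2: phishing-resistant MFA (FIDO2 keys / passkeys) for the administrators
# group from any location. The authentication-strength ID is Microsoft's built-in
# "Phishing-resistant MFA" strength; confirm it in your tenant with
# GET /policies/authenticationStrengthPolicies before relying on it.
policy_admins_phishing_resistant() {   # policy_admins_phishing_resistant ADMIN_GROUP_ID BREAKGLASS_GROUP_ID
  cat <<EOF
{
  "displayName": "CA02 - Phishing-resistant MFA for administrators",
  "state": "enabledForReportingButNotEnforced",
  "conditions": {
    "users": { "includeGroups": ["$1"], "excludeGroups": ["$2"] },
    "applications": { "includeApplications": ["All"] },
    "clientAppTypes": ["all"]
  },
  "grantControls": {
    "operator": "OR",
    "authenticationStrength": { "id": "00000000-0000-0000-0000-000000000004" }
  }
}
EOF
}

# Refuse to create a policy that excludes no break-glass group or that would
# start enforced instead of report-only.
lint_policy() {   # lint_policy JSON
  printf '%s' "$1" | grep -Eq '"excludeGroups": \["[^"]+"\]' \
    || { echo "refusing: no break-glass group excluded" >&2; return 1; }
  printf '%s' "$1" | grep -Fq '"state": "enabledForReportingButNotEnforced"' \
    || { echo "refusing: policy would start enforced; review report-only sign-in logs first" >&2; return 1; }
}

create_policy() {   # create_policy JSON -> POSTs to Graph and prints the response
  lint_policy "$1" || return 1
  curl -fsS -X POST "$GRAPH/identity/conditionalAccess/policies" \
    -H "Authorization: Bearer $GRAPH_TOKEN" -H "Content-Type: application/json" \
    --data "$1"
}

# Dry run when no token is present, so the script is safe to run as-is.
for body in "$(policy_all_users_mfa "$BREAKGLASS_GROUP")" \
            "$(policy_admins_phishing_resistant "$ADMIN_GROUP" "$BREAKGLASS_GROUP")"; do
  if [ -n "${GRAPH_TOKEN:-}" ]; then create_policy "$body"; else lint_policy "$body" && printf '%s\n' "$body"; fi
done
```

After a week in report-only mode, check the sign-in log for users the policy would have blocked (typically service accounts and shared mailboxes that were never enrolled), fix those, then PATCH the policy's state to "enabled".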
Checklist — practical, actionable steps
1) Inventory identities and the systems that handle FCI; map every system to the IdP or, where it cannot federate, to a named owner of its local accounts.
2) Configure unique accounts and disable shared accounts; replace shared Windows service credentials with group Managed Service Accounts (gMSA) and cloud automation credentials with scoped service principals or managed identities.
3) Implement the password policy: minimum length 12 or more, a banned-password list, credentials stored only as salted, slow hashes (your IdP and OS already do this; audit any application that keeps its own user table), and no forced periodic resets unless compromise is suspected.
4) Deploy MFA: require it for admin roles, remote access, and all cloud console logins; exclude only designated break-glass accounts and alert on their use.
5) Harden remote access: disable SSH password authentication, enforce certificate or key-based access plus a second factor, and route VPN authentication through the IdP.
6) Configure account lockout or progressive throttling (for example, 5 attempts then incremental delays, with automatic unlock after 15 minutes so that lockout cannot be turned into a denial of service against your own users).
7) Centralize logging (Windows Security event log, Entra sign-in logs, Linux auth logs via syslog) and retain evidence for assessment: configuration snapshots, policy screenshots, MFA enrollment reports.
8) Document procedures: onboarding and offboarding, privileged access approvals, emergency access, and a review cadence (quarterly for privileged group membership).
Real-world small business scenarios
Scenario A, a 25-employee engineering firm on Microsoft 365 with an on-prem VPN: register all users in Microsoft Entra ID, enable SSO for SaaS applications, configure Conditional Access to require MFA for the VPN and for external admin portals, and integrate the VPN with Entra ID either through RADIUS (Windows NPS with the Microsoft Entra multifactor authentication NPS extension) or through a SAML-capable VPN gateway. Scenario B, a mixed Windows/Linux environment with a local file server: join Windows machines to AD and apply the GPO password policy, deploy Duo Unix (pam_duo) on the Linux hosts so that SSH logins and sudo both require a second factor, give cron and service accounts no interactive login (nologin shell, no password, credentials pulled from a secrets manager) and move Windows service accounts to gMSA, and forward authentication events to a small SIEM or cloud log host with 90 days of retention.
Compliance tips, evidence collection, and best practices
Evidence for an assessor should include: screenshots or exports of IdP configuration (MFA policies, Conditional Access rules), an export of current membership of privileged groups, GPO reports or the relevant local config files (/etc/pam.d/*, /etc/security/faillock.conf, sshd_config and its drop-ins), proof of MFA enrollment for a representative sample of users, and authentication logs showing MFA challenges followed by successful sessions. Date each artifact and keep a hash of the bundle so you can show it was not altered between collection and assessment. Best practices: use least privilege, avoid shared admin accounts, enforce account lifecycle (disable within 24 hours of termination), rotate service credentials using a secrets manager, and automate onboarding/offboarding via SCIM where supported.
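For checklist step 7 and the evidence list above, an added example (not the guide's own tooling) that bundles configuration files and command output into a hashed evidence directory, verifies the bundle later, and counts sshd logins that satisfied both factors versus key-only logins. The file list, the evidence directory layout, and the log lines it runs on are constructed; real hosts produce the same message shapes when sshd logs through syslog with AuthenticationMethods publickey,keyboard-interactive.

```bash
#!/usr/bin/env bash
# Added example, not part of the original guide: collect authentication-control
# evidence from a Linux host into a hashed bundle and classify sshd logins as
# MFA (key + PAM second factor) or single-factor. The file list, output layout
# and the sample log lines in the demo are assumptions / constructed data.
set -u

# capture OUTDIR NAME CMD... : store a command's output as evidence, e.g. the
# effective sshd settings (sshd -T) or the privileged-group membership export.
capture() { local out=$1 name=$2; shift 2; mkdir -p "$out"; "$@" > "$out/$name.txt" 2>&1 || true; }

# collect_evidence OUTDIR FILE...
# Copies every readable FILE into OUTDIR (path separators flattened), notes
# missing ones, records who collected it and when, and writes a SHA-256
# manifest over everything in OUTDIR. Prints the number of files captured.
collect_evidence() {
  local out=$1 n=0 f; shift
  mkdir -p "$out"
  for f in "$@"; do
    if [ -r "$f" ]; then
      cp -p "$f" "$out/$(printf '%s' "$f" | tr / _)"; n=$((n+1))
    else
      echo "absent or unreadable, noted in missing.txt: $f" >&2
      printf 'MISSING %s\n' "$f" >> "$out/missing.txt"
    fi
  done
  printf 'host=%s collected_by=%s at=%s\n' "$(uname -n)" "$(id -un)" "$(date -u +%FT%TZ)" > "$out/collection.txt"
  ( cd "$out" && find . -type f ! -name manifest.sha256 -exec sha256sum {} + | sort -k 2 > manifest.sha256 )
  echo "$n"
}

# verify_evidence OUTDIR : non-zero if any file no longer matches the manifest.
verify_evidence() { ( cd "$1" && sha256sum -c manifest.sha256 > /dev/null ); }

# classify_ssh_logins LOGFILE -> "mfa=N singlefactor=N"
# With AuthenticationMethods publickey,keyboard-interactive, sshd logs
# "Partial publickey ..." and then "Accepted keyboard-interactive/pam ..."
# under the same sshd[PID]; a lone "Accepted publickey" (or keyboard-interactive
# without a preceding partial key) is a single-factor login on a host where the
# two-method policy is not in force. Lines are grouped by the sshd[PID] token.
classify_ssh_logins() {
  awk '
    { if (match($0, /sshd\[[0-9]+\]/)) pid = substr($0, RSTART, RLENGTH); else next }
    /: Partial publickey for/          { partial[pid] = 1 }
    /: Accepted keyboard-interactive/  { if (partial[pid]) mfa++; else single++ }
    /: Accepted publickey for/         { single++ }
    END { printf "mfa=%d singlefactor=%d\n", mfa, single }' "$1"
}

# Demo on constructed data so the script runs offline.
tmp=$(mktemp -d)
cat > "$tmp/auth.log" <<'EOF'
Jan 12 09:14:02 fs01 sshd[2231]: Partial publickey for alice from 10.20.0.15 port 51822 ssh2: ED25519 SHA256:cPq3r7
Jan 12 09:14:06 fs01 sshd[2231]: Accepted keyboard-interactive/pam for alice from 10.20.0.15 port 51822 ssh2
Jan 12 09:20:11 fs01 sshd[2290]: Accepted publickey for bob from 10.20.0.31 port 40110 ssh2: ED25519 SHA256:Lm9x2k
Jan 12 09:25:40 fs01 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 55012 ssh2
EOF
printf 'deny = 5\nunlock_time = 900\n' > "$tmp/faillock.conf"   # constructed stand-in
ev="$tmp/evidence-$(date +%F)"
capture "$ev" privileged-groups getent group sudo wheel
n=$(collect_evidence "$ev" "$tmp/faillock.conf" "$tmp/auth.log" /etc/ssh/sshd_config.d/50-cmmc-auth.conf)
echo "captured $n file(s); manifest:"; cat "$ev/manifest.sha256"
verify_evidence "$ev" && echo "bundle verifies"
classify_ssh_logins "$tmp/auth.log"    # mfa=1 singlefactor=1
rm -rf "$tmp"
```

On a real host the file list would be /etc/ssh/sshd_config, /etc/ssh/sshd_config.d/*.conf, /etc/security/faillock.conf, /etc/pam.d/common-auth or system-auth and /etc/security/pwquality.conf, with `capture "$ev" sshd-effective sshd -T` added for the effective SSH settings. A non-zero singlefactor count on a host that is supposed to enforce MFA is the finding to chase before the assessor does.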
Risk of not implementing or misconfiguring authentication controls
Failure to apply these controls increases the risk of credential theft, unauthorized access to FCI, lateral movement, and data exfiltration. For contractors, that can mean lost contracts, incident-reporting obligations under any DFARS clauses in the contract, costly incident response, and reputational damage. Example: one phished password on an account without MFA gives an attacker the same access to design files as the employee, and the resulting contract suspension and multi-week remediation is more than most small businesses can absorb.
Summary: Meet IA.L1-B.1.VI and FAR 52.204-21 by scoping identities, centralizing authentication, enforcing strong password and MFA policies, hardening remote/admin access, and retaining configuration and log evidence. For small businesses, prioritize deploying an IdP with MFA, converting shared/service accounts to managed identities, documenting policies and evidence, and scheduling quarterly reviews to keep the controls effective and auditable.