FAR 52.204-21 and CMMC 2.0 Level 1 Control AC.L1-B.1.I require contractors to limit access to covered contractor information systems to authorized users and devices — this post gives a deployable access restriction plan with practical steps, technical controls, a small-business implementation scenario, and a checklist/templates you can adapt today.
What the control requires (practical summary)
The requirement focuses on preventing unauthorized logical and physical access to systems that store, process, or transmit Federal Contract Information (FCI) or Controlled Unclassified Information (CUI) at the Level 1 scope. Practically this means: identify your covered systems, define who should have access, apply least privilege, enforce account controls and network rules, and document the process so auditors can confirm you met FAR 52.204-21 and the CMMC Level 1 expectation.
Step-by-step implementation roadmap (Compliance Framework specific)
Follow these steps in order:
1) Inventory covered systems and data flows.
2) Define roles and access rights (role definitions and a simple RBAC matrix).
3) Harden identity and device access controls.
4) Apply network segmentation and firewall/ACL policies.
5) Document the Access Restriction Plan, onboarding/offboarding, and periodic reviews.
6) Enable logging and retain evidence.
7) Train staff.
For a Compliance Framework approach, map each step to an auditable artifact (policy, procedure, config snapshot, access review record).
Checklist — deployable and audit-ready
Use this quick checklist to confirm readiness (each line should link to an artifact):
- Inventory created listing systems, owners, and data classification (artifact: Inventory spreadsheet).
- Role-based access matrix defined and approved (artifact: RBAC matrix document).
- User account lifecycle policy (onboarding/offboarding) implemented and tested (artifact: onboarding checklist & HR sync proof).
- Authentication controls enforced (unique IDs, password policy, MFA for remote access) (artifact: auth configurations/screenshots).
- Network ACLs/firewall rules restrict inbound management and inter-segment traffic (artifact: firewall config/export).
- Endpoint and mobile device management in place for remote devices (artifact: MDM console screenshot).
- Access reviews performed quarterly (artifact: review logs, signed attestations).
- Audit logging enabled and retained for required period (artifact: SIEM/exported logs).
Technical controls and real-world small-business examples
Identity: Use your directory (Azure AD, Google Workspace, or local AD) as the single source of truth. Enforce unique accounts and, where feasible, MFA for remote or privileged access. Example: for a 20-person company using Microsoft 365, enable Conditional Access requiring MFA for sign-ins from outside the corporate IP range and block legacy authentication. Illustrative CLI-style snippet (shown for shape only; Conditional Access policies are normally created in the admin portal or through the Microsoft Graph API): az ad conditional-access policy create --display-name "Block External without MFA" --state enabled ... (use the portal to configure policies if the CLI is unfamiliar).
Network: Segment your office network so contractors, printers, IoT, and management interfaces are on separate VLANs. On a small pfSense or Ubiquiti gateway, implement firewall rules that deny WAN -> LAN management ports (SSH, RDP, web GUI), and explicitly allow management only from a dedicated admin VLAN or VPN subnet. Example rule pair for pfSense (pfSense uses pf, so rules are defined per interface in the GUI rather than as iptables commands): block WAN -> 192.168.1.10:8443 (management), and allow 192.168.1.10:8443 only from 10.10.100.0/24 (admin VPN), with the block rule ordered before any broader allow.
Endpoints and devices: Enroll company laptops and phones in an MDM (Microsoft Intune, Google Endpoint, or Jamf). Enforce disk encryption (BitLocker or FileVault), screen lock, and block local admin where possible. Small-business scenario: a 10-seat firm can use Intune autopilot profiles to enforce BitLocker, require device compliance before access to company email, and push an approved list of apps — providing concrete evidence during inspection.
Onboarding / Offboarding template (policy excerpt and process)
Policy excerpt (one paragraph for your Access Restriction Plan): "All users requiring access to covered contractor information systems must be provisioned using the centralized identity service; access rights are granted based on role and business need, approved by the system owner; all accounts are unique and disabled within 24 hours of offboarding notification. Remote access requires MFA and company-managed devices." Process steps: HR triggers ticket -> IT provisions identity & device -> manager approves RBAC assignment -> access verified; offboarding reverses steps with immediate account disable and device wipe.
Access review cadence, logging and evidence
Run quarterly access reviews: export user lists, compare against the RBAC matrix, and capture manager attestations via email or ticketing system. Enable and retain logs for authentication and authorization events for at least 90 days (longer if contract requires). For small firms without SIEM, use native cloud audit logs (Azure AD sign-in logs, Google Workspace audit) and archive weekly snapshots to a secure storage location (S3 with restricted access or an on-prem NAS with hashing) to demonstrate retention.
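The quarterly comparison described above, together with the 24-hour disable rule from the onboarding/offboarding policy excerpt, as an added example (not part of the original post and not a vendor tool): a Python review script that takes a directory export, the approved RBAC matrix, and the HR termination feed, and returns the findings a reviewer would attach to the attestation record. All users, groups, and dates are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inputs (hypothetical names). In practice these come from
# a directory user export (Azure AD / Google Workspace), the approved RBAC
# matrix document, and the HR offboarding feed named in the policy excerpt.
RBAC_MATRIX = {  # role -> groups that role is approved to hold
    "engineer": {"FCI-Projects", "VPN-Users"},
    "admin": {"FCI-Projects", "VPN-Users", "Admin-VLAN", "Global-Admins"},
    "finance": {"Finance-Share"},
}
PRIVILEGED_GROUPS = {"Global-Admins", "Admin-VLAN"}  # policy: strong auth (MFA) required
DIRECTORY_EXPORT = [  # one row per account, as an export would list them
    {"user": "alice", "role": "engineer", "groups": {"FCI-Projects", "VPN-Users"}, "enabled": True, "mfa": True},
    {"user": "bob", "role": "engineer", "groups": {"FCI-Projects", "Global-Admins"}, "enabled": True, "mfa": False},
    {"user": "carol", "role": "admin", "groups": {"Admin-VLAN", "Global-Admins"}, "enabled": True, "mfa": False},
    {"user": "dave", "role": "finance", "groups": {"Finance-Share"}, "enabled": True, "mfa": True},
    {"user": "svc-backup", "role": None, "groups": {"FCI-Projects"}, "enabled": True, "mfa": False},
]
HR_TERMINATIONS = {"dave": datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)}  # constructed
REVIEW_TIME = datetime(2024, 3, 5, 9, 0, tzinfo=timezone.utc)  # constructed review date
OFFBOARDING_SLA = timedelta(hours=24)  # policy: disable within 24 hours of notification


def review_access(directory, matrix, terminations, now, sla=OFFBOARDING_SLA):
    """Return (user, finding_type, detail) tuples for the access review record."""
    findings = []
    for acct in directory:
        user, groups = acct["user"], acct["groups"]
        allowed = matrix.get(acct["role"])
        if allowed is None:
            # Orphan account: no approved role, so no business-need justification exists.
            findings.append((user, "orphan", "no approved role in RBAC matrix"))
        elif groups - allowed:
            # Privilege drift: group memberships beyond what the role permits.
            findings.append((user, "excess-privilege", sorted(groups - allowed)))
        if groups & PRIVILEGED_GROUPS and not acct["mfa"]:
            findings.append((user, "privileged-no-mfa", sorted(groups & PRIVILEGED_GROUPS)))
        term = terminations.get(user)
        if term and acct["enabled"] and now - term > sla:
            # Offboarding SLA missed: HR notified more than 24h ago, account still enabled.
            findings.append((user, "offboarding-overdue", f"terminated {term.date()}"))
    return findings


def run_review():
    """Run the review over the constructed data and return its findings."""
    return review_access(DIRECTORY_EXPORT, RBAC_MATRIX, HR_TERMINATIONS, REVIEW_TIME)


if __name__ == "__main__":
    for user, kind, detail in run_review():
        print(f"{kind:20} {user:12} {detail}")  # attach this output to the signed attestation
```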
Risks of not implementing the control
Failing to restrict access exposes FCI and potential CUI to unauthorized users and devices, increasing the risk of data breaches, contract noncompliance, loss of contracts, civil penalties, and reputational harm. Technically, unmanaged remote access, stale accounts, and flat networks are the most common vectors that lead to lateral movement and exfiltration. In audits, lack of documentation or evidence of access reviews is a frequent cause of findings that can delay contract awards.
Compliance tips and best practices
Practical tips: implement least privilege and RBAC from day one; automate provisioning with HR/ID connector to reduce orphan accounts; document everything with timestamps and signatures; use conditional access policies to reduce complexity; run tabletop exercises for offboarding; keep a minimal list of privileged accounts and protect them with strong authentication. For small businesses, leverage built-in cloud provider controls (Azure AD, Google Workspace) to achieve strong access restrictions without enterprise tooling.
Summary — a deployable plan ties policy, technical configuration, and evidence together: build an inventory and RBAC matrix, enforce identity and device controls, segment your network and lock down management interfaces, run regular access reviews, and store logs and artifacts for audits. Use the checklist and templates above as the starting point, adapt them to your environment, and you’ll have a practical, auditable plan that meets FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-B.1.I expectations.