
How to Build a Practical Checklist for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.IV to Secure Public-Facing Websites and Portals

Step-by-step checklist and technical guidance to meet FAR 52.204-21 / CMMC 2.0 Level 1 access-control expectations for public-facing websites and portals.

April 03, 2026 • 5 min read


This post gives a practical, implementable checklist to help small businesses meet the access-control expectations in FAR 52.204-21 and CMMC 2.0 Level 1 (Control AC.L1-B.1.IV) for public-facing websites and portals — with concrete configuration examples, real-world scenarios, and compliance tips you can apply in weeks, not months.

Understanding the requirement and scope

At a high level, FAR 52.204-21 and CMMC Level 1 require basic safeguarding of Federal Contract Information (FCI) and implementation of simple access controls for systems that process or display that information. For public-facing web assets that host areas where contract information, employee access, or client portals exist, that means enforcing authenticated access for non-public areas, preventing unauthorized access attempts, and logging access events. For small businesses, the practical focus is: unique user accounts, basic authentication protections (including MFA where possible), session controls, and protections against automated attacks and brute-force attempts.

Practical checklist — quick overview

Use this condensed checklist as a starting point; each item below is expanded in the sections that follow and includes technical examples you can adopt immediately:

  • Inventory and classify public-facing endpoints that handle or could expose FCI.
  • Require unique accounts and enable MFA for all portal/logins.
  • Limit failed logon attempts and throttle authentication endpoints.
  • Enforce secure sessions and cookie settings (Secure, HttpOnly, SameSite).
  • Apply TLS (1.2+) and security headers (HSTS, CSP, X-Frame-Options).
  • Deploy WAF / rate limiting and bot protections.
  • Log authentication events and retain logs for evidence of compliance.
  • Document controls and perform periodic reviews and vulnerability scans.

Authentication and account controls (implementation details)

Require unique user accounts for any portal access that can interact with FCI and enable multi-factor authentication (MFA) where feasible. For small businesses using WordPress or CMS: install a trusted plugin (e.g., Wordfence or Limit Login Attempts Reloaded) and add an MFA plugin (TOTP or WebAuthn). For cloud-hosted apps, enable AWS Cognito, Azure AD B2C, or Google Identity Platform with MFA enforcement. Example technical configs:

  • WordPress: enable two-factor with a TOTP plugin and set lockout after 5 failed attempts.
  • Nginx: front the portal with auth_request pointed at an identity provider, or use HTTP basic auth paired with fail2ban so that source IPs are blocked after N failed attempts (basic auth by itself does not count failures; fail2ban supplies the lockout).
  • SSO/OAuth: disable implicit grants; require authorization_code with PKCE for public clients.
These controls map directly to access-control expectations: they stop casual attackers and reduce the risk of compromised credentials being used to access FCI.

Session management, cookies and transport security

Enforce secure session practices: set session timeouts for inactivity (15–30 minutes depending on risk), rotate session IDs on login, and apply cookie flags. Example headers and settings:

  • Set-Cookie: session=abcd; Secure; HttpOnly; SameSite=Strict; Max-Age=1800
  • TLS: disable TLS 1.0/1.1, enable TLS 1.2+ with strong ciphers (ECDHE) and HSTS: Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  • Security headers: Content-Security-Policy to restrict script sources, X-Frame-Options: DENY, Referrer-Policy: no-referrer-when-downgrade
Small businesses using managed platforms should confirm these settings with their hosting provider and enforce them at the CDN or load balancer where possible (e.g., CloudFront custom headers, Cloudflare rules).
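The following header check is an added example written for this post, not code from the original article or from any hosting provider. It takes a response's headers as (name, value) pairs (as you would get from `curl -I` or a `requests` response) and reports which of the cookie and transport settings listed above are missing or weak. It assumes a minimum HSTS max-age of one year (the post's example uses two) and only checks that Referrer-Policy is present; the hardened sample uses `strict-origin-when-cross-origin`, which is the stricter value most browsers now default to, rather than the post's `no-referrer-when-downgrade`.

```python
"""Check a response's cookie and security headers against the post's
checklist. Added example, not from the original post; sample responses
below are constructed, not captured from any real site."""

MIN_HSTS_AGE = 31536000  # assumption: one year minimum; post's example uses two


def parse_set_cookie(value):
    """Split 'name=value; Attr; Attr=val' into (cookie name, {attr: val})."""
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for p in parts[1:]:
        if "=" in p:
            k, v = p.split("=", 1)
            attrs[k.strip().lower()] = v.strip()
        elif p:
            attrs[p.lower()] = True
    return parts[0].split("=", 1)[0], attrs


def check_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    by_name = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)
        else:
            by_name[name.lower()] = value

    # HSTS: present, long max-age, covers subdomains.
    hsts = by_name.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        directives = {}
        for d in hsts.split(";"):
            d = d.strip().lower()
            if "=" in d:
                k, v = d.split("=", 1)
                directives[k] = v
            elif d:
                directives[d] = True
        try:
            age = int(directives.get("max-age", "0"))
        except ValueError:
            age = 0
        if age < MIN_HSTS_AGE:
            findings.append(f"HSTS max-age {age} below {MIN_HSTS_AGE}")
        if "includesubdomains" not in directives:
            findings.append("HSTS missing includeSubDomains")

    # Other security headers from the checklist.
    if "content-security-policy" not in by_name:
        findings.append("missing Content-Security-Policy")
    if by_name.get("x-frame-options", "").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")
    if "referrer-policy" not in by_name:
        findings.append("missing Referrer-Policy")

    # Cookie flags: Secure, HttpOnly, SameSite=Strict or Lax.
    if not cookies:
        findings.append("no Set-Cookie header to check")
    for c in cookies:
        cname, attrs = parse_set_cookie(c)
        if "secure" not in attrs:
            findings.append(f"cookie {cname}: missing Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cname}: missing HttpOnly")
        if str(attrs.get("samesite", "")).lower() not in ("strict", "lax"):
            findings.append(f"cookie {cname}: SameSite should be Strict or Lax")
    return findings


# Constructed sample responses (not captured from any real site).
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abcd; Path=/"),
    ("Strict-Transport-Security", "max-age=300"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abcd; Secure; HttpOnly; SameSite=Strict; Max-Age=1800"),
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "DENY"),
    ("Referrer-Policy", "strict-origin-when-cross-origin"),
]

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_headers(resp) or "OK")
```

Run it against your own portal's headers after each CDN or load balancer change; a non-empty findings list is the gap to close, and an empty one is the evidence to file with your compliance documentation.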

Protecting against automated attacks and rate limiting

Public-facing auth endpoints are a top target for credential stuffing and brute-force attacks. Implement layered protections: WAF rules, rate limiting at the edge, bot mitigation, and IP reputation blocking. Examples:

  • Cloudflare: enable "Bot Fight Mode" or set a rate limit like 100 req/min on /login and challenge unknown clients with CAPTCHA.
  • AWS WAF: create a rule to block more than N requests from same IP to /api/auth within a 5-minute window.
  • Fail2ban: monitor web server auth logs and ban an IP for 1 hour after 5 failures; this requires a filter regex that matches your application's login-failure log line (for WordPress, failed POSTs to /wp-login.php).
For small businesses, using a CDN/WAF (Cloudflare, AWS WAF, Azure Front Door) often provides the fastest and most cost-effective protection without heavy development effort.
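The class below is an added example, not code from the original post or from any of the products it names (Wordfence, Limit Login Attempts Reloaded, Cloudflare, AWS WAF, fail2ban). It implements, in one place, the two controls the post describes: the account lockout after 5 failed attempts from the authentication section, and the per-IP rate limit (100 requests per minute on the login endpoint) from this section. The thresholds are the post's figures; the 15-minute failure window and 1-hour lockout are assumptions.

```python
"""Account lockout plus per-IP rate limiting for a login endpoint.
Added example, not from the original post. The lockout is checked before
the password is verified so that a locked account gives the same answer
to a correct and an incorrect password."""

import time
from collections import defaultdict, deque


class LoginGuard:
    def __init__(self, max_failures=5, failure_window=900, lockout_seconds=3600,
                 ip_limit=100, ip_window=60, clock=time.monotonic):
        # max_failures and ip_limit/ip_window are the post's figures;
        # failure_window and lockout_seconds are assumptions.
        self.max_failures = max_failures
        self.failure_window = failure_window
        self.lockout_seconds = lockout_seconds
        self.ip_limit = ip_limit
        self.ip_window = ip_window
        self.clock = clock
        self._failures = defaultdict(deque)      # user -> failure timestamps
        self._locked_until = {}                  # user -> time lock expires
        self._ip_requests = defaultdict(deque)   # ip -> request timestamps

    @staticmethod
    def _prune(dq, now, window):
        """Drop timestamps that have fallen out of the sliding window."""
        while dq and dq[0] <= now - window:
            dq.popleft()

    def attempt(self, user, ip, verify, now=None):
        """Apply the checks in order: IP rate limit, account lockout, then
        credential verification. `verify` is a zero-argument callable
        (the caller's password check) and is only invoked when neither
        block applies. Returns 'rate_limited', 'locked', 'ok' or 'failed'."""
        now = self.clock() if now is None else now

        reqs = self._ip_requests[ip]
        self._prune(reqs, now, self.ip_window)
        reqs.append(now)
        if len(reqs) > self.ip_limit:
            return "rate_limited"

        if self._locked_until.get(user, 0) > now:
            return "locked"

        if verify():
            self._failures[user].clear()
            return "ok"

        fails = self._failures[user]
        self._prune(fails, now, self.failure_window)
        fails.append(now)
        if len(fails) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_seconds
            fails.clear()
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard()
    # Constructed demo: five wrong passwords for one account lock it,
    # and a correct password during the lockout is still refused.
    for i in range(5):
        print(guard.attempt("alice", "203.0.113.5", lambda: False, now=float(i)))
    print(guard.attempt("alice", "203.0.113.5", lambda: True, now=6.0))
```

Every decision the class returns is also an event the logging section says to record (username, source IP, timestamp, and the reason: locked, wrong password, rate limited), so emit a log line from the caller on each return value rather than only on success.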

Logging, monitoring, and operational practices

Log all successful and failed authentication attempts, account changes, and administrative access. Retain logs for at least 90 days to support investigations and an audit trail. Use a simple centralized collector: CloudWatch Logs + CloudTrail for AWS, Azure Monitor, or a lightweight ELK/Graylog stack. Practical steps:

  • Record username, source IP, timestamp, user agent, and reason for failure (locked, wrong password, inactive).
  • Configure alerts for suspicious patterns (e.g., 10 failed attempts from multiple IPs targeting many accounts in 10 minutes).
  • Document policies: password requirements, MFA enrollment, and the account provisioning/deprovisioning process, and review these quarterly.
These operational controls make your technical controls auditable and demonstrate intent to protect FCI under FAR/CMMC.
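The script below is an added example, not code from the original post or from any of the log platforms it names. It reads a constructed JSON-lines authentication log that carries the fields the post says to record (username, source IP, timestamp, user agent, result and failure reason) and implements the alert rule given above: 10 or more failures within 10 minutes spread across multiple source IPs and many accounts. The exact cut-offs for "multiple" (3 IPs) and "many" (5 accounts), the log format and every record in it are assumptions made for this example. It also flags any account with 5 or more failures in a 10-minute window, which is the lockout threshold from the authentication section.

```python
"""Detect password-spray style failure bursts and lockout candidates in an
auth log. Added example, not from the original post; SAMPLE_LOG is
constructed for this example, not captured from any real system."""

import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: ten failures across five accounts from three IPs,
# one legitimate success, one already-locked account, and one account
# hammered five times from a single IP.
SAMPLE_LOG = """\
{"ts":"2026-04-03T13:00:01Z","user":"alice","ip":"203.0.113.10","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:05Z","user":"bob","ip":"203.0.113.11","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:09Z","user":"carol","ip":"203.0.113.12","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:13Z","user":"dave","ip":"203.0.113.10","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:17Z","user":"erin","ip":"203.0.113.11","ua":"curl/8.0","result":"failure","reason":"inactive"}
{"ts":"2026-04-03T13:00:21Z","user":"alice","ip":"203.0.113.12","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:25Z","user":"bob","ip":"203.0.113.10","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:29Z","user":"carol","ip":"203.0.113.11","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:33Z","user":"dave","ip":"203.0.113.12","ua":"curl/8.0","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:00:37Z","user":"erin","ip":"203.0.113.10","ua":"curl/8.0","result":"failure","reason":"inactive"}
{"ts":"2026-04-03T13:01:00Z","user":"alice","ip":"198.51.100.7","ua":"Mozilla/5.0","result":"success","reason":""}
{"ts":"2026-04-03T13:02:00Z","user":"frank","ip":"203.0.113.13","ua":"Mozilla/5.0","result":"failure","reason":"locked"}
{"ts":"2026-04-03T13:05:00Z","user":"admin","ip":"203.0.113.20","ua":"python-requests/2.31","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:05:10Z","user":"admin","ip":"203.0.113.20","ua":"python-requests/2.31","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:05:20Z","user":"admin","ip":"203.0.113.20","ua":"python-requests/2.31","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:05:30Z","user":"admin","ip":"203.0.113.20","ua":"python-requests/2.31","result":"failure","reason":"wrong_password"}
{"ts":"2026-04-03T13:05:40Z","user":"admin","ip":"203.0.113.20","ua":"python-requests/2.31","result":"failure","reason":"wrong_password"}
"""


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime in 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def detect_spray(events, window_minutes=10, min_failures=10, min_ips=3, min_users=5):
    """Sliding window over failures; one alert per burst that meets all
    three thresholds (the window is cleared after an alert fires)."""
    span = timedelta(minutes=window_minutes)
    window, alerts = deque(), []
    for ev in events:
        if ev["result"] != "failure":
            continue
        window.append(ev)
        while window and ev["ts"] - window[0]["ts"] > span:
            window.popleft()
        ips = {e["ip"] for e in window}
        users = {e["user"] for e in window}
        if len(window) >= min_failures and len(ips) >= min_ips and len(users) >= min_users:
            alerts.append({"start": window[0]["ts"].isoformat(), "end": ev["ts"].isoformat(),
                           "failures": len(window), "ips": sorted(ips), "users": sorted(users)})
            window.clear()
    return alerts


def lockout_candidates(events, threshold=5, window_minutes=10):
    """Accounts with `threshold` or more failures inside one window."""
    span = timedelta(minutes=window_minutes)
    per_user, flagged = defaultdict(deque), set()
    for ev in events:
        if ev["result"] != "failure":
            continue
        dq = per_user[ev["user"]]
        dq.append(ev["ts"])
        while dq and ev["ts"] - dq[0] > span:
            dq.popleft()
        if len(dq) >= threshold:
            flagged.add(ev["user"])
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_spray(evs):
        print("SPRAY ALERT", alert)
    print("lockout candidates:", sorted(lockout_candidates(evs)))
```

Point the same two functions at an export from CloudWatch Logs, Azure Monitor or your ELK/Graylog stack once the field names match; the spray rule catches the low-and-slow case that per-account lockouts miss, and the lockout check is a quick way to confirm that the lockout you configured actually fired.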

Real-world small business scenarios and examples

Example 1: A 12-person contracting firm uses WordPress for marketing and a separate client portal for deliverables. Quick wins: move the client portal behind a subdomain protected by Cloudflare WAF, enable MFA for all client accounts, install rate-limiting rules on /wp-login.php, and enable strict cookie flags.

Example 2: A small SaaS on AWS: use Cognito for authentication, enforce MFA, add an AWS WAF rule for login throttling, and enable CloudTrail and CloudWatch alerts for anomalous sign-ins.

In both examples, document the configurations and run an authenticated scan (Nikto for basic web checks, and OWASP ZAP for login flows) to validate controls.

Risks of not implementing these controls

Failing to apply access controls and protections on public-facing websites and portals increases the risk of credential compromise, unauthorized access to FCI, data exfiltration, and business disruption. Beyond technical harm, non-compliance with FAR 52.204-21 can lead to contract penalties, loss of federal contracts, damage to reputation, and expensive incident response and remediation. For small businesses, even a single compromise can be existential, which makes these low-cost, high-impact controls essential.

Summary: implement the checklist items above starting with inventory and MFA, add session/cookie hardening and TLS, deploy WAF and rate limiting, centralize logs and document controls; validate with scans and periodic reviews. These practical steps will help your public-facing sites meet the intent of FAR 52.204-21 and CMMC Level 1 access control expectations while materially reducing your attack surface and exposure of Federal Contract Information.
