
How to Configure Web and Cloud Settings for FAR 52.204-21 / CMMC 2.0 Level 1 Control AC.L1-B.1.IV Compliance: A Practical Checklist

Practical, step-by-step checklist for configuring web and cloud settings to meet FAR 52.204-21 and CMMC 2.0 Level 1 (AC.L1-B.1.IV) access control expectations for small businesses.

April 17, 2026 • 4 min read


This post gives a practical, implementation‑focused checklist for configuring web and cloud settings to meet the access control expectations of FAR 52.204-21 and CMMC 2.0 Level 1 (Control AC.L1-B.1.IV), with step‑by‑step examples a small business can apply today.

What this control expects (practical interpretation)

At Level 1, AC.L1-B.1.IV maps to FAR 52.204-21(b)(1)(iv): control information posted or processed on publicly accessible information systems. In web and cloud terms that means two things: a review step so that Federal Contract Information (FCI) is never published to a public website, bucket, or share, and configuration that keeps the systems holding FCI from becoming publicly accessible by accident. Note that Level 1 is scoped to FCI; if your systems store Controlled Unclassified Information (CUI), Level 2 (NIST SP 800-171) applies instead. For a small business, this translates to: enforce least‑privilege IAM, require authenticated sessions for any resource that stores or processes FCI, harden web applications and storage, enable logging, and retain proof of configuration.

Actionable checklist: web and cloud configuration items

1) Identity and access management (IAM) — implement least privilege and MFA

Assign users to groups/roles with narrowly scoped permissions (e.g., S3 read-only vs full-admin). Require multi‑factor authentication (MFA) for all web console and privileged access. Example: in AWS, create an IAM policy granting s3:GetObject for a specific S3 prefix and attach it to a service role, not to a user. In Azure, create role assignments scoped to the resource group rather than the subscription. Evidence to collect: IAM policy JSON, role assignment screenshots, and an MFA status export (in AWS, the IAM credential report lists mfa_active per user).

2) Prevent public exposure of cloud storage and services

Block public access at the service level (AWS S3 Block Public Access, Azure Storage public access disabled, GCP uniform bucket-level access with public access prevention). Use pre-signed URLs (AWS), SAS tokens (Azure), or signed URLs (GCP) for time-limited access instead of opening a bucket. In AWS, `aws s3api put-public-access-block` turns on all four block settings, and the bucket policy should carry an explicit Deny for requests where aws:SecureTransport is false so plaintext HTTP is refused. For web apps fronted by CloudFront, use origin access control (OAC; the older origin access identity is deprecated) so objects are reachable only through the CDN and never via the bucket URL. Evidence: bucket policy JSON, access block settings, CDN origin configurations.
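An offline linter for the policy JSON that items 1 and 2 ask you to collect as evidence. This is an added example, not code from the original post: the four policies are constructed samples, and the bucket name `acme-proposals`, the prefix `uploads/`, and the finding wording are assumptions. It needs no AWS credentials, because it reads only the policy documents, which is what an assessor reads too. It flags the two patterns that defeat this control: an Allow with wildcard actions or resources (over-privileged IAM), and an unconditional Allow to Principal "*" (a public bucket), and it checks that a bucket policy carries the TLS-only Deny.

```python
"""Offline linter for IAM and S3 bucket policies (checklist items 1 and 2).

Added example, not from the original post. All policies below are constructed
samples; the bucket 'acme-proposals' and prefix 'uploads/' are assumptions.
"""
import json

# Least-privilege policy for a service role: read one prefix of one bucket.
LEAST_PRIV_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject"],
        "Resource": "arn:aws:s3:::acme-proposals/uploads/*",
    }],
})

# Over-broad policy that should be flagged (wildcard action and resource).
ADMIN_STYLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
})

# Hardened bucket policy: no public Allow, explicit Deny for plaintext HTTP.
HARDENED_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyInsecureTransport",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": ["arn:aws:s3:::acme-proposals",
                     "arn:aws:s3:::acme-proposals/*"],
        "Condition": {"Bool": {"aws:SecureTransport": "false"}},
    }],
})

# Public-read bucket policy: the misconfiguration this control exists to prevent.
PUBLIC_BUCKET_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::acme-proposals/*",
    }],
})


def _as_list(value):
    """Policy fields may be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _is_public_principal(principal):
    """True for Principal "*" or {"AWS": "*"}, the forms granting anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def lint_policy(policy_json):
    """Return a list of finding strings for one IAM or bucket policy document."""
    findings = []
    statements = _as_list(json.loads(policy_json).get("Statement", []))
    denies_plaintext = False
    for i, stmt in enumerate(statements):
        effect = stmt.get("Effect")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        cond = stmt.get("Condition", {})
        if effect == "Allow":
            if any(a == "*" or a.endswith(":*") for a in actions):
                findings.append(f"statement {i}: Allow with wildcard action {actions}")
            if "*" in resources:
                findings.append(f"statement {i}: Allow on Resource '*'")
            if _is_public_principal(stmt.get("Principal")) and not cond:
                findings.append(f"statement {i}: unconditional public Allow ({actions})")
        if (effect == "Deny" and _is_public_principal(stmt.get("Principal"))
                and cond.get("Bool", {}).get("aws:SecureTransport") == "false"):
            denies_plaintext = True
    # Only bucket policies carry a Principal; require the TLS-only Deny there.
    if any("Principal" in s for s in statements) and not denies_plaintext:
        findings.append("no Deny statement for aws:SecureTransport=false")
    return findings


if __name__ == "__main__":
    for name, doc in [("least-priv role", LEAST_PRIV_ROLE_POLICY),
                      ("admin-style", ADMIN_STYLE_POLICY),
                      ("hardened bucket", HARDENED_BUCKET_POLICY),
                      ("public bucket", PUBLIC_BUCKET_POLICY)]:
        print(name, "->", lint_policy(doc) or "OK")
```

To run it against a live account, export the documents with `aws iam get-policy-version` and `aws s3api get-bucket-policy` and pass the `Document` / `Policy` strings to `lint_policy`. Pair it with `aws s3api put-public-access-block --bucket NAME --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`, which stops a public Allow from taking effect even if someone later adds one.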

3) Enforce strong transport and session protections

Require TLS 1.2+ (prefer 1.3) for all web endpoints and APIs; disable TLS 1.0/1.1 and weak ciphers. Configure HSTS, X-Frame-Options (or a CSP frame-ancestors directive), X-Content-Type-Options: nosniff, a Content Security Policy (CSP), and secure cookie flags (Secure; HttpOnly; SameSite=Strict) for web applications. Do not enable the legacy X-XSS-Protection header: it is deprecated, and browsers that still honour it can be abused through it, so omit it or set it to 0. Set reasonable session timeouts (e.g., 15–60 minutes idle) and require re-authentication for sensitive operations. Evidence: TLS scan output (e.g., from SSL Labs), web server config snippets (nginx/Apache), and application session config files.
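A checker for the header and cookie part of item 3, usable both as a pre-deployment test and as evidence generation. This is an added example, not code from the original post; the two responses are constructed samples rather than captures from a real server, and the cookie name `PHPSESSID` and the one-year HSTS threshold are assumptions. It treats a missing `X-Frame-Options` as acceptable when CSP `frame-ancestors` is present, and it flags `X-XSS-Protection` unless it is explicitly `0`.

```python
"""Check response headers and Set-Cookie flags against checklist item 3.

Added example, not from the original post. Both responses are constructed
samples; feed real ones from `curl -sI https://host/` or requests.Response.
"""

WEAK_RESPONSE = {
    "headers": {
        "Server": "nginx",
        "X-XSS-Protection": "1; mode=block",   # legacy auditor, should be 0/absent
    },
    "set_cookie": ["PHPSESSID=abc123; Path=/"],
}

HARDENED_RESPONSE = {
    "headers": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
        "X-Frame-Options": "DENY",
        "X-Content-Type-Options": "nosniff",
        "X-XSS-Protection": "0",
    },
    "set_cookie": ["PHPSESSID=abc123; Path=/; Secure; HttpOnly; SameSite=Strict"],
}


def _ci(headers):
    """Header names are case-insensitive; normalise keys to lower case."""
    return {k.lower(): v for k, v in headers.items()}


def _hsts_max_age(value):
    """Extract max-age from an HSTS header value, 0 if absent or malformed."""
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name.lower() == "max-age" and val.isdigit():
            return int(val)
    return 0


def check_headers(response, min_hsts_age=31536000):
    """Return a list of finding strings; an empty list means the checks passed."""
    findings = []
    h = _ci(response["headers"])
    csp = h.get("content-security-policy", "")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    elif _hsts_max_age(hsts) < min_hsts_age:
        findings.append("HSTS max-age below one year")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no clickjacking protection (X-Frame-Options or CSP frame-ancestors)")
    if "x-content-type-options" not in h:
        findings.append("missing X-Content-Type-Options: nosniff")
    # Deprecated header: only "0" (disabled) is acceptable if it is sent at all.
    if h.get("x-xss-protection", "0").strip() != "0":
        findings.append("X-XSS-Protection enabled (deprecated; set to 0 or remove)")
    for cookie in response["set_cookie"]:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        flags = {a.split("=")[0] for a in attrs}
        missing = [f for f in ("secure", "httponly") if f not in flags]
        samesite = next((a.split("=", 1)[1] for a in attrs if a.startswith("samesite=")), None)
        if samesite not in ("strict", "lax"):
            missing.append("samesite")
        if missing:
            findings.append(f"cookie {name}: missing {', '.join(missing)}")
    return findings


if __name__ == "__main__":
    print("weak:", check_headers(WEAK_RESPONSE))
    print("hardened:", check_headers(HARDENED_RESPONSE) or "OK")
```

Run it from CI against a staging host before each release and keep the output alongside the SSL Labs report; a clean result on the production hostname is the evidence an assessor will ask for.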

4) Web Application Firewall (WAF), rate limiting, and bot protection

Deploy a WAF (managed or cloud provider) with OWASP rules to block common injection and enumeration attacks; configure rate limits on APIs and login endpoints to reduce brute-force risk. Small business example: enable AWS WAF with managed rule groups plus a rate-based rule scoped to the login path (rate-based rules count requests, not response codes, so blocking an IP for repeated 401s means feeding failed-login counts from your logs into a WAF IP set), or enable Cloudflare Rate Limiting and bot management in front of a WordPress site. Evidence: WAF rule set snapshots and alerts.

5) Logging, monitoring, and retention

Turn on provider audit logging: AWS CloudTrail (management events, and S3 data events for buckets holding FCI), S3 server access logs, Azure Activity Logs, and GCP Cloud Audit Logs. Forward logs to a central, tamper‑resistant store (a dedicated bucket the log writer can only put to, ideally with S3 Object Lock, plus lifecycle/retention rules) and retain per contract requirements (often 90 days or more). Enable web server access logs and application logging with timestamps and user identifiers. Evidence: log configuration screenshots and sample logs demonstrating user access events.
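Detection logic over the two log sources items 4 and 5 produce, as an added example that is not part of the original post. Both inputs are constructed samples: nginx-style access log lines with a burst of 401s on the login page, and CloudTrail-style records in which a user rewrites a bucket policy and removes the public access block. The field layout follows the real formats, but the IPs, the user `alice`, the bucket `acme-proposals`, and the five-failures-per-minute threshold are assumptions. The first function yields the IPs a WAF IP set should block; the second surfaces the API calls that can silently turn a private bucket public, which is the event this control most needs you to notice.

```python
"""Brute-force and public-exposure detection over constructed sample logs.

Added example, not from the original post. Log lines and CloudTrail records
are constructed; IPs, user names, bucket and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

ACCESS_LOG = """\
203.0.113.7 - - [17/Apr/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [17/Apr/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [17/Apr/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [17/Apr/2026:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 401 512
203.0.113.7 - - [17/Apr/2026:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.2 - - [17/Apr/2026:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 401 512
198.51.100.2 - - [17/Apr/2026:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1024
"""

CLOUDTRAIL = [
    {"eventTime": "2026-04-17T10:05:00Z", "eventName": "PutBucketPolicy",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.2",
     "requestParameters": {"bucketName": "acme-proposals"}},
    {"eventTime": "2026-04-17T10:06:00Z", "eventName": "DeletePublicAccessBlock",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.2",
     "requestParameters": {"bucketName": "acme-proposals"}},
    {"eventTime": "2026-04-17T10:07:00Z", "eventName": "GetObject",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "198.51.100.2",
     "requestParameters": {"bucketName": "acme-proposals"}},
]

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) ')


def brute_force_candidates(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_count} for IPs with >= threshold 401/403s in one sliding window."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") not in ("401", "403"):
            continue
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        failures[m.group("ip")].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide window start forward
                start += 1
            count = end - start + 1
            if count >= threshold:
                hits[ip] = max(hits.get(ip, 0), count)
    return hits


# S3 API calls that can change whether a bucket is publicly reachable.
EXPOSURE_EVENTS = {"PutBucketPolicy", "PutBucketAcl", "DeletePublicAccessBlock",
                   "PutBucketPublicAccessBlock", "PutBucketWebsite"}


def exposure_changes(records):
    """Return (time, user, event, bucket) for CloudTrail events that alter exposure."""
    out = []
    for r in records:
        if r.get("eventName") in EXPOSURE_EVENTS:
            out.append((r["eventTime"],
                        r.get("userIdentity", {}).get("userName", "?"),
                        r["eventName"],
                        r.get("requestParameters", {}).get("bucketName", "?")))
    return out


if __name__ == "__main__":
    print("block candidates:", brute_force_candidates(ACCESS_LOG))
    for event in exposure_changes(CLOUDTRAIL):
        print("exposure change:", event)
```

In production the first function runs over the access logs the WAF or web server forwards to your central store, and its output updates the WAF IP set; the second runs over CloudTrail deliveries (or is replaced by an EventBridge rule on the same event names) and pages whoever owns the bucket, since a legitimate policy change and an attacker making a bucket public look identical in the log.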

6) Configuration management, patching, and baseline hardening

Apply secure baselines for web servers and container images (CIS Benchmarks where feasible), keep platforms and web frameworks updated, and disable unused services and ports. Automate configuration drift detection with tools like AWS Config (managed rules such as s3-bucket-public-read-prohibited, s3-bucket-ssl-requests-only, and iam-user-mfa-enabled map directly to the items above), Azure Policy, or managed vulnerability scanners. Evidence: baseline checklist, patch/change tickets, and automated compliance reports.

Small business scenarios and practical examples

Scenario A — Small federal contractor hosting a WordPress marketing site plus a document uploader for proposal files: place WordPress behind Cloudflare or a managed hosting WAF, disable directory listings, set secure headers, and keep the upload bucket private by having the uploader hand out short-lived pre-signed PUT URLs into a restricted bucket (or use a managed SFTP service that writes to that bucket) rather than exposing the bucket itself. Scenario B — SaaS supplier storing small amounts of FCI in GCP: enable uniform bucket-level access with public access prevention, require least-privilege service account IAM, enable VPC Service Controls if available to limit data exfiltration, and preserve audit logs in a separate project.

Risks of not implementing these controls

Failing to implement these settings increases the risk of accidental public disclosure of FCI, unauthorized access via compromised credentials, undetected data exfiltration, contract noncompliance, and potential loss of DoD contracts or penalties. For a small business, a single misconfigured bucket or weak web authentication can lead to reputational damage and significant remediation costs.

Compliance tips and best practices

Document your configurations as part of your compliance evidence pack: baseline configurations, change logs, IAM reviews, and logged authentication events. Use provider managed services where possible to reduce configuration errors (managed WAF, managed TLS certificates). Conduct periodic tabletop exercises and at least quarterly configuration reviews. Automate evidence collection (export IAM policies, config snapshots, and logs) to speed response to assessor requests.

In summary, meeting FAR 52.204-21 / CMMC 2.0 Level 1 expectations for AC.L1-B.1.IV on web and cloud systems is achievable for small businesses by applying least‑privilege IAM, blocking public storage, enforcing modern TLS and session protections, deploying WAF/rate limiting, enabling robust logging/retention, and maintaining documented baselines. Implement these checklist items, collect the corresponding evidence, and integrate configuration checks into your regular operational cadence to remain compliant and reduce risk.
