This post gives a practical implementation plan, with templates and a suggested timeline, to satisfy the FAR 52.204-21 / CMMC 2.0 Level 1 access control practice labeled AC.L1-B.1.III (the access control practice in the Compliance Framework), focusing on the real-world steps a small business can take to demonstrate compliance, produce evidence, and reduce risk quickly.
What AC.L1-B.1.III aims to achieve (Compliance Framework context)
At a high level, the AC.L1-B.1.III access control practice requires that organizations limit and control logical access to systems and data relevant to Federal Acquisition Regulation (FAR) covered work, using simple, auditable mechanisms appropriate for Level 1 (basic safeguarding). For a small business, that means: identify accounts with access to contract data, ensure only authorized users can access those resources, put straightforward technical controls in place (password controls, session termination, simple session locking, MFA where feasible), and retain evidence that the controls exist and are operating. Implementation should align to the Compliance Framework's expectations for documented procedures, minimal but verifiable technical controls, and repeatable evidence collection.
Step-by-step practical implementation plan
Phase 1: Assess and inventory (Days 1–7)
Start with an asset and access inventory: list the systems, cloud services, endpoints, and data stores that touch Controlled Unclassified Information (CUI) or contractor-sensitive data. Identify user accounts, privileged accounts, shared accounts, and third-party access. Deliverable: a simple spreadsheet with the columns Asset, Owner, Data Type (CUI/Non-CUI), Access Roles, Authentication Method, and Evidence Location. As a small-business example, an engineering firm maintaining contract drawings should list the file server, the Microsoft 365 tenant, laptops, and the design application server, with who can access each.
Phase 2: Design policies and mapping (Days 8–14)
Create short, targeted policy statements and a control mapping document (1–2 pages each). Policy items to include: account lifecycle (create, modify, disable), least privilege, acceptable authentication methods, and retention of access logs for a minimal retention period (e.g., 90 days). Map each policy statement to the Compliance Framework practice (AC.L1-B.1.III) and to the evidence you will collect (GPO exports, IAM role assignments, screenshots, access log extracts). Example deliverable: "Access Control SOP v1.0", which defines that new accounts require manager approval and that deprovisioning occurs within 24 hours of termination.
Phase 3: Implement technical controls (Days 15–45)
Implement practical, low-cost technical controls aligned to the inventory and policies. Prioritized tasks for small businesses: enforce unique user accounts (no shared generic logins), enable account lockout thresholds, apply password complexity/length requirements, enable MFA on cloud accounts, restrict local admin privileges, and configure session locks on endpoints. Concrete examples: in a Windows domain GPO, set Account lockout threshold = 5 attempts, Reset account lockout counter after = 15 minutes, and Account lockout duration = 30 minutes (Computer Configuration → Policies → Windows Settings → Security Settings → Account Policies). On Linux servers enable pam_faillock or pam_tally2 to deny after 5 failures (e.g., add "auth required pam_faillock.so deny=5 unlock_time=1800" to /etc/pam.d/system-auth). For cloud (AWS), require MFA for console access with a condition like "Bool": {"aws:MultiFactorAuthPresent": "true"} in IAM policies. Capture evidence: screenshots of GPO settings, exported IAM role JSON, the output of "faillock --user username", and a screenshot of the admin console showing MFA enforced.
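The aws:MultiFactorAuthPresent condition quoted above only protects the statements that carry it, so "exported IAM role JSON" is good evidence only if someone checks every Allow in it. The script below is an added example (not from the page or from AWS) that reads a policy document and reports Allow statements that are neither conditioned on an MFA session nor covered by a catch-all Deny-when-no-MFA statement. The three policy documents are constructed samples, not real account exports: the weak setting, the corrected setting, and the AWS-documented catch-all pattern.

```python
"""Check an IAM policy document for the MFA condition the Phase 3 control requires.

Added example, not from the page or any project. All policies below are constructed.
"""
import json

MFA_KEY = "aws:MultiFactorAuthPresent"

# Constructed sample 1: the weak setting, an Allow with no MFA condition.
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    ],
})

# Constructed sample 2: the corrected setting, the same Allow gated on an MFA session.
GATED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3WithMFA", "Effect": "Allow", "Action": "s3:*", "Resource": "*",
         "Condition": {"Bool": {MFA_KEY: "true"}}},
    ],
})

# Constructed sample 3: an ungated Allow plus a catch-all Deny that fires whenever
# the session has no MFA, carving out only the actions needed to enrol an MFA device.
GUARDED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowS3", "Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Sid": "DenyAllExceptListedIfNoMFA", "Effect": "Deny",
         "NotAction": ["iam:CreateVirtualMFADevice", "iam:EnableMFADevice",
                       "iam:ListMFADevices", "sts:GetSessionToken"],
         "Resource": "*",
         "Condition": {"BoolIfExists": {MFA_KEY: "false"}}},
    ],
})


def _as_list(value):
    """IAM JSON permits a single value or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def statement_requires_mfa(stmt):
    """True when the statement only applies to sessions that authenticated with MFA."""
    cond = stmt.get("Condition", {})
    for operator in ("Bool", "BoolIfExists"):
        value = cond.get(operator, {}).get(MFA_KEY)
        if str(value).lower() == "true":   # exporters may emit "true" or true
            return True
    return False


def is_mfa_guard(stmt):
    """True for a broad Deny that applies whenever no MFA is present on the session."""
    if stmt.get("Effect") != "Deny":
        return False
    cond = stmt.get("Condition", {}).get("BoolIfExists", {})
    if str(cond.get(MFA_KEY)).lower() != "false":
        return False
    # The guard must cover everything: either a NotAction carve-out or Action "*".
    return "NotAction" in stmt or "*" in _as_list(stmt.get("Action"))


def find_unguarded_allows(policy_json):
    """Return Sids (or positional labels) of Allow statements usable without MFA."""
    policy = json.loads(policy_json)
    statements = _as_list(policy.get("Statement"))
    if any(is_mfa_guard(s) for s in statements):
        return []   # a catch-all Deny-when-no-MFA covers every Allow in the document
    return [s.get("Sid", f"Statement[{i}]")
            for i, s in enumerate(statements)
            if s.get("Effect") == "Allow" and not statement_requires_mfa(s)]


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_POLICY), ("gated", GATED_POLICY), ("guarded", GUARDED_POLICY)):
        findings = find_unguarded_allows(doc)
        print(f"{name}: {'PASS' if not findings else 'FAIL ' + ', '.join(findings)}")
```

Run it against each exported policy document attached to console users or roles; a PASS line per document, saved with the export, is the kind of repeatable evidence Phase 3 asks for. The check is deliberately narrow: it does not evaluate cross-policy interactions, so a guard in one attached policy is not credited to another.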
Phase 4: Test, train, and document (Days 46–60)
Run simple validation: attempt a failed login to confirm lockout, perform a sample account creation and deprovisioning event and capture the approval emails or ticket entries, and run a simulated access review with managers. Train staff with a short one-hour session and distribute the two-page Access SOP and an FAQ. Document all test results and retention locations in a single evidence repository (e.g., a secured SharePoint site or encrypted archive) and maintain a change log. For a small company, a one-page "How we enforce access" handout for non-IT staff helps sustain a compliance culture.
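The "attempt a failed login to confirm lockout" test leaves a record in the Linux auth log that can double as the "log extract showing lockout event" evidence item. The script below is an added example (not from the page or from Linux-PAM) that turns the pam_unix failure lines and the pam_faillock lockout message from /var/log/secure into a single evidence record and checks that the lock fired at the configured deny count. The log excerpt is constructed; syslog timestamps carry no year, so the year of the capture is an assumption the caller supplies.

```python
"""Extract pam_faillock lockout evidence from a Linux auth log excerpt.

Added example, not from the page or any project. SAMPLE_LOG is a constructed
/var/log/secure excerpt (syslog format), not a real capture.
"""
import re
from datetime import datetime

SAMPLE_LOG = """\
Mar  3 09:14:02 fileserver sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=jsmith
Mar  3 09:14:05 fileserver sshd[2231]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=jsmith
Mar  3 09:14:09 fileserver sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=jsmith
Mar  3 09:14:12 fileserver sshd[2233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.21 user=jsmith
Mar  3 09:14:17 fileserver sshd[2235]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=10.10.5.20 user=jsmith
Mar  3 09:14:17 fileserver sshd[2235]: pam_faillock(sshd:auth): Consecutive login failures for user jsmith account temporarily locked
Mar  3 09:20:40 fileserver sshd[2240]: Accepted publickey for deploy from 10.10.5.30 port 51234 ssh2
"""

# Common syslog prefix: "Mon dd HH:MM:SS host program[pid]: "
SYSLOG_PREFIX = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) \S+: "
FAIL_RE = re.compile(SYSLOG_PREFIX
                     + r"pam_unix\([^)]*\): authentication failure;.*rhost=(?P<rhost>\S*) user=(?P<user>\S+)")
LOCK_RE = re.compile(SYSLOG_PREFIX
                     + r"pam_faillock\([^)]*\): Consecutive login failures for user (?P<user>\S+) account temporarily locked")


def _timestamp(ts, year):
    """syslog lines omit the year; the caller supplies the year of the capture (assumption)."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def extract_lockout_evidence(log_text, year):
    """One evidence record per lockout message, counting the failures logged before it."""
    pending = {}   # (host, user) -> source IPs of failures seen since the last lockout
    records = []
    for line in log_text.splitlines():
        fail = FAIL_RE.match(line)
        if fail:
            pending.setdefault((fail["host"], fail["user"]), []).append(fail["rhost"])
            continue
        lock = LOCK_RE.match(line)
        if lock:
            attempts = pending.pop((lock["host"], lock["user"]), [])
            records.append({
                "user": lock["user"],
                "host": lock["host"],
                "locked_at": _timestamp(lock["ts"], year).isoformat(),
                "failures_before_lock": len(attempts),
                "source_ips": sorted({ip for ip in attempts if ip}),
            })
    return records


def lock_fired_at_threshold(record, deny):
    """Validation check: the lockout occurred on exactly the configured failure count."""
    return record["failures_before_lock"] == deny


if __name__ == "__main__":
    for rec in extract_lockout_evidence(SAMPLE_LOG, year=2025):
        status = "PASS" if lock_fired_at_threshold(rec, deny=5) else "CHECK"
        print(status, rec)
```

Feed it the real excerpt from the validation window and file the printed records next to the "faillock --user" output; a CHECK result means the failure count in the log does not match the deny value you configured, which is worth investigating before the evidence is packaged.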
Templates and timeline (what to copy/paste right away)
Use these minimal templates and a 60-day timeline as a starting point. Template 1, Access Control SOP (one line per requirement): "Purpose; Scope; Account Creation: requester, approver, SLA (24 hrs); Account Deprovisioning: trigger, SLA (24 hrs); Password/Lockout: threshold and duration; MFA: required where available; Evidence retention: 90 days." Template 2, Evidence checklist: "Inventory spreadsheet; GPO export; Cloud IAM screenshot/export; MFA enablement screenshot; Account creation/deactivation ticket sample; Log extract showing lockout event." Suggested timeline (small business baseline): Days 1–7 inventory; Days 8–14 policy writing and approvals; Days 15–30 technical rollout; Days 31–45 validation and evidence collection; Days 46–60 training and final audit-readiness packaging. Each milestone should have a named owner and a deliverable location in the evidence repository.
Compliance tips, best practices, and risks of non-implementation
Practical tips: start small and document aggressively; use existing tools (Active Directory, Google Workspace, Okta, Azure AD) to enforce controls rather than custom scripts; automate evidence collection where possible (audit log exports, GPO backups); keep a lightweight change log for every access-related change. Best practices include enforcing least privilege, removing legacy shared accounts quickly, and performing quarterly access reviews. The risks of not implementing these controls are tangible: data leakage of contract deliverables, loss of current or future Federal contracts, reputational damage, and potential audit findings that require remediation and can delay payments. For example, a small subcontractor that failed to remove a terminated engineer's access after contract completion exposed design files externally and lost the prime contract relationship.
In summary, meeting FAR 52.204-21 / CMMC 2.0 Level 1 access control practice AC.L1-B.1.III for a small business is achievable with a focused 60-day plan: inventory assets, build short policies, implement simple technical controls (account uniqueness, lockout thresholds, MFA where possible), test and document evidence, and train staff. Use the provided templates and timeline as the baseline, adapt thresholds to your operational realities, and keep evidence organized to demonstrate compliance during acquisition audits or inspections.