This post shows how to create a practical access control policy and a usable compliance checklist to meet FAR 52.204-21 and the CMMC 2.0 Level 1 control AC.L1-B.1.II within the Compliance Framework, with actionable steps, technical details, and small-business examples you can implement this week.
Understanding the requirement and objectives
FAR 52.204-21 requires basic safeguarding of contractor information systems, and CMMC 2.0 Level 1 control AC.L1-B.1.II maps to limiting system access to authorized users, devices, and processes. Under the Compliance Framework, the key objectives are to (1) define who is allowed access, (2) ensure access is granted using an enforceable mechanism, (3) apply least privilege, (4) maintain records of access events, and (5) revoke access promptly when no longer needed. Your access control policy must make these objectives auditable, repeatable, and specific to your environment.
What an access control policy must contain
Your policy should be short, prescriptive, and tied to implementation controls. At a minimum it should cover: scope (systems and data types, including any CUI); roles and responsibilities (system owner, approvers, IT admin, user); account lifecycle procedures (provisioning, modification, de-provisioning); authentication requirements (password rules, MFA); session management (timeouts, re-authentication); privileged account controls; acceptable remote access methods; a link to the asset inventory; logging and audit requirements; and the cadence for periodic review and attestation. For Compliance Framework traceability, cite the exact clauses (FAR 52.204-21 and AC.L1-B.1.II) and list the evidence you will maintain (access request forms, IAM logs, account disablement tickets).
Technical implementation details (concrete controls)
Translate policy into technical controls you can test. Examples:
- Enforce unique user accounts (no shared logins) and disable local built-in admin accounts.
- Implement password complexity and rotation via Group Policy (Windows: minimum 12 characters, no dictionary words, lockout after 5 failed attempts for 15 minutes), or use a PAM tool for privileged accounts.
- Require MFA for remote access and for any account with elevated rights (use TOTP or FIDO2 keys).
- Apply role-based access control (RBAC) in Azure AD / AWS IAM by creating groups with least-privilege policies (avoid using inline policies on users).
- For Linux systems, use sudoers to restrict commands and require separate privileged accounts.
- Centralize logs to a syslog server or SIEM (e.g., Splunk, ELK, Azure Monitor, CloudWatch) and retain audit logs for a period aligned with policy (e.g., 90 days minimum for Level 1).
- Network controls: segment CUI systems on a VLAN with ACLs, restrict admin ports (RDP/SSH) via a jumpbox or bastion host, and enable NAC to enforce device posture checks before granting access.
Small-business real-world example
Consider a 25-person subcontractor handling limited CUI on Microsoft 365 and several Windows and Linux VMs in a cloud provider. Practical steps:
- Create an access control policy document scoped to the M365 tenant and VMs.
- Inventory accounts and map them to roles.
- Use Azure AD to create groups (Finance-CUI-Readers, Engineers-Dev) and assign application roles to groups rather than to individual accounts.
- Enable Conditional Access to require MFA for sign-in from outside your corporate IP range.
- Disable local admin on endpoints and manage endpoints via Intune (enforce BitLocker and baseline settings).
- Create a “termination checklist” that includes immediate Azure AD account disablement and removal from all groups.
- Centralize sign-in logs to Azure Monitor and schedule a weekly review of failed-login spikes.
These actions satisfy the policy and provide clear evidence for audits under Compliance Framework requirements.
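The technical controls above and the small-business steps both hinge on one recurring task: checking an exported account inventory against the policy (unique identities, MFA on privileged accounts, de-provisioning of leavers, stale accounts, group-based access) and producing dated evidence for the recertification record. The script below is an added example written for this post, not code from any vendor or from the organisation described. The CSV export, the group names, the 90-day staleness limit and the shared-login name prefixes are all constructed assumptions; replace them with your own tenant export and policy values.

```python
import csv
import io
from datetime import date

# Constructed sample export, not real tenant data: one row per account, roughly what a
# small business would pull from Azure AD / M365 plus the VM-local accounts it inventories.
SAMPLE_INVENTORY = """\
account,enabled,privileged,mfa,groups,last_sign_in,hr_status
alice@example.com,true,true,true,Engineers-Dev;Azure-Admins,2024-05-28,active
bob@example.com,true,false,true,Finance-CUI-Readers,2024-05-30,active
carol@example.com,true,false,false,Finance-CUI-Readers,2024-05-29,active
dave@example.com,true,true,false,Engineers-Dev;Azure-Admins,2024-02-01,active
erin@example.com,true,false,true,Engineers-Dev,2024-05-27,terminated
shared-lab@example.com,true,false,false,,2024-05-30,active
frank@example.com,false,false,false,,2023-11-01,terminated
"""

# Policy parameters (assumed values; set them from your own policy document).
PRIVILEGED_GROUPS = {"Azure-Admins"}            # membership here counts as elevated rights
STALE_DAYS = 90                                  # inactive longer than this -> review/disable
SHARED_PREFIXES = ("shared-", "lab-", "admin-")  # naming hints for generic/shared logins


def parse_inventory(text):
    """Turn the CSV export into typed records."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        groups = [g for g in row["groups"].split(";") if g]
        records.append({
            "account": row["account"],
            "enabled": row["enabled"].lower() == "true",
            # privileged if flagged as such OR a member of a privileged group
            "privileged": row["privileged"].lower() == "true"
                          or bool(set(groups) & PRIVILEGED_GROUPS),
            "mfa": row["mfa"].lower() == "true",
            "groups": groups,
            "last_sign_in": date.fromisoformat(row["last_sign_in"]),
            "hr_status": row["hr_status"],
        })
    return records


def audit_accounts(records, today):
    """Return (account, control, finding) triples; an empty list means the
    inventory is consistent with the policy on the checked points."""
    findings = []
    for r in records:
        if not r["enabled"]:
            continue  # already de-provisioned; nothing to enforce
        if r["hr_status"] == "terminated":
            findings.append((r["account"], "de-provisioning",
                             "account still enabled for a terminated person"))
        if r["privileged"] and not r["mfa"]:
            findings.append((r["account"], "authentication",
                             "privileged account without MFA"))
        if r["account"].startswith(SHARED_PREFIXES):
            findings.append((r["account"], "unique identities",
                             "name suggests a shared login"))
        if (today - r["last_sign_in"]).days > STALE_DAYS:
            findings.append((r["account"], "account lifecycle",
                             f"no sign-in for more than {STALE_DAYS} days"))
        if not r["groups"]:
            findings.append((r["account"], "least privilege",
                             "not a member of any RBAC group"))
    return findings


def run_audit(inventory_text, today_iso):
    """Convenience entry point: CSV text + review date (ISO) -> findings."""
    return audit_accounts(parse_inventory(inventory_text), date.fromisoformat(today_iso))


def evidence_lines(findings, today_iso):
    """Render findings as dated lines suitable for attaching to a recertification ticket."""
    header = f"Access recertification {today_iso}: {len(findings)} finding(s)"
    return [header] + [f"{acct}\t{control}\t{issue}" for acct, control, issue in findings]


if __name__ == "__main__":
    for line in evidence_lines(run_audit(SAMPLE_INVENTORY, "2024-06-01"), "2024-06-01"):
        print(line)
```

Run it against the real export on each quarterly recertification and keep the output with the ticket; a run that returns no findings is itself evidence that the inventory matched the policy on that date. Disabled accounts are skipped deliberately, because disabling is the de-provisioning action the policy asks for, so the check focuses on enabled accounts that should not be.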
Practical checklist (implementable tasks)
- Document scope and owner: name the policy owner and affected systems (evidence: signed policy).
- Inventory users and accounts: export AD/Azure AD and cloud users (evidence: inventory CSV).
- Enforce unique accounts and disable shared accounts (evidence: configuration screenshots).
- Apply authentication controls: password rules, MFA enabled for all privileged and remote access accounts (evidence: MFA status report).
- Implement RBAC and least privilege: group-based access in IAM (evidence: IAM policies and group membership report).
- Configure logging and retention: central log stream with 90-day retention (evidence: SIEM retention settings).
- Establish provisioning/de-provisioning workflows: IT ticketing integration, approval flows (evidence: ticket history).
- Segment and restrict admin access: bastion/jump host and ACLs (evidence: network diagrams and ACL rules).
- Conduct periodic review: quarterly access recertification and annual policy review (evidence: recertification records).
- Train users and admins: access control and phishing basics (evidence: training roster and completion certificates).
Compliance tips and best practices
Automate what you can: use cloud IAM groups, scripted account provisioning via APIs, and alerting for privilege escalations. Keep the policy short (1–3 pages) and attach procedural checklists for IT staff. Use standard evidence templates (screenshots with timestamps, exported CSVs) to make audits fast. Prioritize MFA and unique identities before advanced controls; they yield the largest risk reduction for the least effort. For small teams, adopt managed services (e.g., managed EDR, SaaS IAM) where feasible to reduce operational burden while maintaining compliance traceability under the Compliance Framework.
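The weekly review of failed-login spikes from the small-business example and the alerting for privilege escalations suggested here can both be driven from the centralized log stream. The script below is an added example written for this post, not code from any SIEM product or from the organisation described. It assumes events have already been normalized to one JSON object per line with the field names shown; the sample events, the 5-failures-in-15-minutes threshold (chosen to mirror the lockout setting in the policy), the privileged group name and the approved change-ticket list are all constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sign-in and directory audit events, not real logs, one JSON object per line
# in the shape a central log stream could carry after normalization.
SAMPLE_LOG = """\
{"ts": "2024-06-03T08:00:05Z", "event": "SignIn", "user": "bob@example.com", "result": "failure", "ip": "203.0.113.7"}
{"ts": "2024-06-03T08:01:10Z", "event": "SignIn", "user": "bob@example.com", "result": "failure", "ip": "203.0.113.7"}
{"ts": "2024-06-03T08:02:15Z", "event": "SignIn", "user": "bob@example.com", "result": "failure", "ip": "203.0.113.7"}
{"ts": "2024-06-03T08:03:20Z", "event": "SignIn", "user": "bob@example.com", "result": "failure", "ip": "203.0.113.7"}
{"ts": "2024-06-03T08:04:25Z", "event": "SignIn", "user": "bob@example.com", "result": "failure", "ip": "203.0.113.7"}
{"ts": "2024-06-03T08:30:00Z", "event": "SignIn", "user": "carol@example.com", "result": "failure", "ip": "198.51.100.4"}
{"ts": "2024-06-03T09:30:00Z", "event": "SignIn", "user": "carol@example.com", "result": "failure", "ip": "198.51.100.4"}
{"ts": "2024-06-03T09:31:00Z", "event": "SignIn", "user": "carol@example.com", "result": "success", "ip": "198.51.100.4"}
{"ts": "2024-06-03T10:00:00Z", "event": "GroupMemberAdded", "actor": "alice@example.com", "user": "dave@example.com", "group": "Azure-Admins", "ticket": "CHG-1042"}
{"ts": "2024-06-03T10:05:00Z", "event": "GroupMemberAdded", "actor": "alice@example.com", "user": "erin@example.com", "group": "Azure-Admins", "ticket": ""}
{"ts": "2024-06-03T10:06:00Z", "event": "GroupMemberAdded", "actor": "alice@example.com", "user": "erin@example.com", "group": "Engineers-Dev", "ticket": ""}
"""

# Policy parameters (assumed values; align them with your own policy).
FAIL_THRESHOLD = 5                  # mirrors the lockout threshold in the policy
WINDOW = timedelta(minutes=15)      # mirrors the lockout window
PRIVILEGED_GROUPS = {"Azure-Admins"}
APPROVED_TICKETS = {"CHG-1042"}     # constructed: change tickets closed by the approval workflow


def parse_events(text):
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def failed_login_spikes(events):
    """Sliding window per user: emit one alert each time failures within WINDOW
    reach FAIL_THRESHOLD, then reset so a continuing burst alerts again."""
    recent = defaultdict(deque)
    spikes = []
    for e in events:
        if e["event"] != "SignIn" or e["result"] != "failure":
            continue
        q = recent[e["user"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > WINDOW:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= FAIL_THRESHOLD:
            spikes.append({"user": e["user"], "count": len(q),
                           "first": q[0], "last": e["ts"], "ip": e["ip"]})
            q.clear()
    return spikes


def unapproved_privilege_grants(events):
    """Additions to a privileged group that no approved change ticket covers."""
    return [e for e in events
            if e["event"] == "GroupMemberAdded"
            and e["group"] in PRIVILEGED_GROUPS
            and e.get("ticket") not in APPROVED_TICKETS]


def weekly_review(log_text):
    """Entry point for the scheduled review: raw log text -> both finding lists."""
    events = parse_events(log_text)
    return {"failed_login_spikes": failed_login_spikes(events),
            "unapproved_privilege_grants": unapproved_privilege_grants(events)}


if __name__ == "__main__":
    review = weekly_review(SAMPLE_LOG)
    for s in review["failed_login_spikes"]:
        print(f"SPIKE {s['user']}: {s['count']} failures from {s['ip']} "
              f"between {s['first']:%H:%M:%S} and {s['last']:%H:%M:%S}")
    for g in review["unapproved_privilege_grants"]:
        print(f"UNAPPROVED {g['actor']} added {g['user']} to {g['group']} "
              f"at {g['ts']:%Y-%m-%d %H:%M}")
```

On the sample data only bob's burst trips the threshold (carol's two failures are an hour apart), and only the Azure-Admins addition without a ticket is reported; dave's addition is covered by an approved ticket and erin's Engineers-Dev addition is not a privileged group. Tying the privileged-group check to the change-ticket list is what turns an alert into audit evidence: each grant is either traceable to an approval or flagged for follow-up.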
Risks of not implementing AC.L1-B.1.II and FAR 52.204-21
The business risks are unauthorized access to contractor systems, exfiltration of sensitive information, contract termination or suspension, financial penalties, and reputational damage. Technically, failing to enforce unique identities and least privilege makes credential theft far more damaging, and poor de-provisioning leaves former employees or contractors with lingering access that can be exploited. From an audit perspective, lacking logs or documented processes will quickly fail a compliance review even if no breach has occurred.
Summary
Build a concise access control policy that maps each section to specific technical controls and the evidence items required by the Compliance Framework, FAR 52.204-21, and CMMC AC.L1-B.1.II. Use the checklist above to operationalize the policy: inventory accounts, enforce unique identities and MFA, apply RBAC, centralize logging, and establish provisioning/de-provisioning workflows. For small businesses, focus on high-impact, low-cost controls (MFA, group-based IAM, endpoint management) and document everything: clear documentation and demonstrable evidence are what auditors look for.