
How to Deploy MFA and Device Authentication to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.I: A Practical Implementation Guide

Step-by-step guidance for small businesses to implement multifactor and device-based authentication to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 requirements while reducing breach risk.

April 22, 2026

This guide shows practical steps a small business can take to deploy multifactor authentication (MFA) and device authentication in order to meet FAR 52.204-21 and the intent of CMMC 2.0 Level 1 control AC.L1-B.1.I, with hands-on implementation options, real-world examples, and evidence you can use for compliance documentation.

What this requirement means in practice

The control text (FAR 52.204-21(b)(1)(i), carried into CMMC Level 1 as AC.L1-B.1.I) reads: "Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems)." Note what it does and does not say: it requires that access be limited to authorized users and devices, but it does not mandate MFA. MFA first appears as a formal requirement at Level 2 (IA.L2-3.5.3, from NIST SP 800-171). A password alone, however, gives weak assurance that the person using an account is its authorized owner, so MFA plus device identification is the practical way to meet the intent of this control, to close the most common breach path, and to avoid rework if you later need Level 2. For small businesses this typically translates to: (1) enabling MFA for every account that can reach covered systems (email, cloud consoles, VPNs, SaaS apps), and (2) establishing device authentication or registration so that access is granted only from known, managed or compliant endpoints (using MDM, certificates, or conditional access).

Practical implementation plan (high level)

Start with scoping and inventory, then select and pilot MFA methods, add device authentication, integrate both with your access-control policies, and document everything in your System Security Plan (SSP). A typical phased rollout: 1) identify users, privileged accounts, and the systems that store, process or transmit Federal Contract Information (FCI), and CUI if you handle any; 2) enable MFA for admin and remote access first; 3) require device registration for cloud and VPN access; 4) expand to all staff and collect compliance evidence (logs, configuration screenshots, policies). Run each new policy in report-only or pilot mode before enforcing it so you can find the accounts it would lock out.

Step 1 — Inventory and scoping

Inventory accounts (admins, service accounts, VPN, email), entry points (Microsoft 365, Google Workspace, AWS, VPN, RDP), and devices (laptops, tablets, phones). Tag the covered contractor information systems, meaning every system that stores, processes or transmits FCI, and separately flag anything that handles CUI. Flag service accounts and API keys explicitly: they usually cannot use interactive MFA, so they need compensating controls (restricted scope, key rotation, network restrictions) and will otherwise show up as single-factor sign-ins in your logs. For a 25–75 person small business: maintain a simple spreadsheet or CMDB with username, role, access type, MFA status, device enrollment status, and evidence links.

Step 2 — Choosing MFA and deployment patterns

Prefer phishing-resistant factors where possible: FIDO2/WebAuthn (YubiKey, built-in platform authenticators such as Windows Hello for Business or Touch ID), certificate-based device authentication (EAP-TLS), or at minimum time-based one-time passwords (TOTP) from authenticator apps. Avoid SMS and voice OTP except as a fallback; they are vulnerable to SIM swapping and are trivially relayed by phishing kits. Example: in an Azure AD (now Microsoft Entra ID) tenant, use Conditional Access to require MFA for all users on all cloud apps, not only for sign-ins from outside the office, since a stolen password is used from wherever the attacker sits; use an authentication strength policy to require phishing-resistant MFA for privileged roles; roll out passwordless FIDO2 for administrators first and accept TOTP for general staff as a transitional measure. Conditional Access requires Entra ID P1 or P2 licensing (included in Microsoft 365 Business Premium); without it you are limited to the coarser security defaults.

Step 3 — Device authentication approaches

Device authentication options include MDM-enforced device registration (Intune, Jamf, Workspace ONE), certificate-based authentication (machine and user X.509 certs issued by AD CS through SCEP or PKCS), and conditional access signals (device compliance, OS version, disk encryption). For a cloud-first small business: use Microsoft Entra join (formerly Azure AD Join) with Intune auto-enrollment for Windows 10/11 devices, have Intune push device certificates, and require the "compliant device" grant control in Conditional Access alongside MFA before granting access to Microsoft 365 or custom SaaS. Requiring both matters: a compliant device with a phished password, or a strong factor from an unmanaged laptop, each leaves half the control missing. For mixed OS environments, use Jamf for macOS enrollment and certificate delivery, and feed its compliance state to your identity provider (Jamf's compliance-partner integration with Intune/Entra) so macOS sign-ins are evaluated by the same policy.

Step 4 — VPN, SSH, and on-prem specifics

If you expose a VPN or RDP, integrate MFA and device checks at the gateway rather than on each internal host: deploy a VPN that supports RADIUS with EAP-TLS for certificate-based device authentication, and front it with an MFA provider (Okta, Microsoft Entra MFA, Duo). Do not expose RDP directly to the Internet at all; put it behind the VPN or a gateway that enforces the same MFA and device checks. For SSH and Git servers, disable password and keyboard-interactive authentication and require SSH keys or, better, certificate-based SSH with short-lived certificates issued by a CA (for example HashiCorp Vault's SSH secrets engine), which also removes the problem of orphaned authorized_keys entries. Example: a 40-person company used Cisco AnyConnect with ISE + AD CS to require machine certs and Duo MFA for user authentication, reducing the risk from stolen passwords.

Logging, evidence, and compliance documentation

Collect and retain artifacts for your SSP and for FAR/CMMC evidence: screenshots or exports of Conditional Access rules, MFA registration reports, MDM enrollment lists, certificate issuance logs, VPN authentication logs showing EAP-TLS, and policy documents. Configure Entra sign-in log export, syslog forwarding, or SIEM ingest (Splunk/Elastic) so authentication events outlive the identity provider's own retention; Entra keeps sign-in logs for only 30 days on P1/P2 tenants (7 days on free tenants). FAR 52.204-21 sets no explicit retention period, so pick one in your policy and be able to show you meet it. Review the exported logs for successful sign-ins that were single-factor, came from unregistered devices, or had no policy applied; each such finding is either an exception you document or a gap. Create a POA&M entry for each gap with an owner and a remediation date.
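The review pass described above, as an added example that is not part of the original article: it scans exported Microsoft Entra sign-in records for successful sign-ins that bypassed MFA, came from a non-compliant device, or had no Conditional Access policy applied, and produces the summary counts and the per-user gap list you would attach to the SSP and POA&M. The field names follow the Microsoft Graph `signIn` resource; the records themselves are constructed for the demo, and the break-glass account name and the exemption set are assumptions.

```python
"""Review exported Entra sign-in logs for MFA / device-compliance gaps (added example)."""
import json
from collections import Counter, defaultdict

# Constructed sample records in the shape of Graph /auditLogs/signIns output.
SAMPLE_SIGNINS = json.loads(r'''[
 {"createdDateTime": "2026-04-20T08:01:00Z", "userPrincipalName": "alice@example.com",
  "appDisplayName": "Microsoft 365", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "success", "deviceDetail": {"isCompliant": true, "trustType": "Azure AD joined"}},
 {"createdDateTime": "2026-04-20T08:05:00Z", "userPrincipalName": "bob@example.com",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4",
  "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
  "conditionalAccessStatus": "notApplied", "deviceDetail": {"isCompliant": false}},
 {"createdDateTime": "2026-04-20T09:12:00Z", "userPrincipalName": "carol@example.com",
  "appDisplayName": "SharePoint Online", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}, "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "success", "deviceDetail": {"isCompliant": false}},
 {"createdDateTime": "2026-04-20T09:30:00Z", "userPrincipalName": "dave@example.com",
  "appDisplayName": "Microsoft 365", "clientAppUsed": "Browser",
  "status": {"errorCode": 50074}, "authenticationRequirement": "multiFactorAuthentication",
  "conditionalAccessStatus": "failure", "deviceDetail": {"isCompliant": false}},
 {"createdDateTime": "2026-04-20T10:00:00Z", "userPrincipalName": "breakglass@example.com",
  "appDisplayName": "Azure Portal", "clientAppUsed": "Browser",
  "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
  "conditionalAccessStatus": "notApplied", "deviceDetail": {"isCompliant": false}},
 {"createdDateTime": "2026-04-20T10:45:00Z", "userPrincipalName": "svc-backup@example.com",
  "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange Web Services",
  "status": {"errorCode": 0}, "authenticationRequirement": "singleFactorAuthentication",
  "conditionalAccessStatus": "notApplied", "deviceDetail": {"isCompliant": false}}
]''')

SUCCESS = 0  # status.errorCode 0 means the sign-in was granted
# Accounts deliberately excluded from Conditional Access (documented exceptions). Assumption for the demo.
DOCUMENTED_EXCEPTIONS = frozenset({"breakglass@example.com"})


def review(signins, exceptions=DOCUMENTED_EXCEPTIONS):
    """Return (summary counts, gap records). Only successful sign-ins can be gaps:
    a blocked sign-in is the control working. Exceptions are counted but not reported."""
    summary = Counter()
    gaps = []
    for s in signins:
        if s["status"]["errorCode"] != SUCCESS:
            summary["failed"] += 1
            continue
        summary["success"] += 1
        mfa = s["authenticationRequirement"] == "multiFactorAuthentication"
        compliant = bool(s.get("deviceDetail", {}).get("isCompliant", False))
        summary["mfa"] += mfa
        summary["compliant_device"] += compliant
        reasons = []
        if not mfa:
            reasons.append("single-factor sign-in")
        if not compliant:
            reasons.append("device not compliant/registered")
        if s["conditionalAccessStatus"] == "notApplied":
            reasons.append("no Conditional Access policy applied")
        if reasons and s["userPrincipalName"].lower() not in exceptions:
            gaps.append({"userPrincipalName": s["userPrincipalName"], "when": s["createdDateTime"],
                         "app": s["appDisplayName"], "client": s["clientAppUsed"], "reasons": reasons})
    return summary, gaps


def poam_entries(gaps):
    """Collapse per-sign-in gaps into one entry per account for the POA&M."""
    entries = defaultdict(set)
    for g in gaps:
        entries[g["userPrincipalName"]].update(g["reasons"])
    return {upn: sorted(reasons) for upn, reasons in sorted(entries.items())}


if __name__ == "__main__":
    summary, gaps = review(SAMPLE_SIGNINS)
    print("evidence summary:", dict(summary))
    for g in gaps:
        print(f"GAP {g['when']} {g['userPrincipalName']} via {g['client']} -> {g['app']}: {'; '.join(g['reasons'])}")
    print("POA&M:", json.dumps(poam_entries(gaps), indent=1))
```

In a real tenant, pull the records with `GET https://graph.microsoft.com/v1.0/auditLogs/signIns` (the `AuditLog.Read.All` permission) or from the SIEM export, and run the same review on a schedule; the `clientAppUsed` field is what exposes legacy protocols such as IMAP4 that silently bypass MFA, as the constructed `bob@example.com` record illustrates.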

Compliance tips, best practices, and organizational considerations

Prioritize privileged and remote access first, then expand to all users. Use role-based policies: require passwordless/FIDO2 for admins, and MFA plus device compliance for staff and contractors. Build recovery and break-glass procedures: keep at least one emergency access account that is excluded from Conditional Access policies, protected by a long random password or a dedicated hardware key kept in a safe, and alerted on every time it signs in. Store recovery codes encrypted in a vault, not in the mailbox the codes are meant to protect. Train users on phishing and on handling tokens, maintain a lifecycle plan for certificates and tokens (expiration, rotation, revocation when a device is lost), and document the enrollment and recovery workflows so an assessor can follow them.
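The policy set from Steps 2 and 3 and the break-glass exclusion above, modelled locally as an added example that is not code from the original article: it builds the two Conditional Access policy bodies you would POST to Microsoft Graph (`/identity/conditionalAccess/policies`) and evaluates them against constructed sign-in scenarios the way a "what if" check would, which shows why every applicable policy must be satisfied (an admin needs phishing-resistant MFA and a compliant device) and why the emergency account must be excluded. Field names follow the Graph `conditionalAccessPolicy` schema; the role template and authentication-strength GUIDs are Microsoft's published built-in values (confirm them in your tenant), and the break-glass object id and the `STRONG`/`PHISHING_RESISTANT` method sets are assumptions for the demo.

```python
"""Phased Conditional Access rollout (MFA + compliant device), modelled locally (added example)."""
import json

GLOBAL_ADMIN_ROLE = "62e90394-69f5-4237-9190-012177145e10"       # Global Administrator role template id
PHISHING_RESISTANT_MFA = "00000000-0000-0000-0000-000000000004"  # built-in "Phishing-resistant MFA" strength id
BREAK_GLASS_ID = "11111111-2222-3333-4444-555555555555"          # hypothetical object id of the emergency account

# Toy model of what a sign-in actually presented. Assumption: SMS/TOTP satisfy the plain "mfa"
# control (as they do in Entra), but only FIDO2 meets the phishing-resistant strength.
STRONG = {"sms", "totp", "fido2"}
PHISHING_RESISTANT = {"fido2"}


def policy_bodies(state="enabledForReportingButNotEnforced"):
    """Two policies from the article's rollout. Create them in report-only state first;
    switch state to "enabled" once the sign-in logs show no unexpected blocks."""
    admins = {
        "displayName": "CA01 Admins: phishing-resistant MFA",
        "state": state,
        "conditions": {
            "users": {"includeRoles": [GLOBAL_ADMIN_ROLE], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "authenticationStrength": {"id": PHISHING_RESISTANT_MFA}},
    }
    staff = {
        "displayName": "CA02 All users: MFA and compliant device",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"], "excludeUsers": [BREAK_GLASS_ID]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["all"],
        },
        "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
    }
    return [admins, staff]


def applies(policy, signin):
    """Policy scope: excluded users first, then 'All users', then directory-role membership."""
    users = policy["conditions"]["users"]
    if signin["user_id"] in users.get("excludeUsers", []):
        return False
    if "All" in users.get("includeUsers", []):
        return True
    return bool(set(users.get("includeRoles", [])) & set(signin["roles"]))


def unmet_controls(policy, signin):
    """Return the grant controls this sign-in fails (empty list means the policy is satisfied)."""
    grant = policy["grantControls"]
    unmet = []
    if "mfa" in grant.get("builtInControls", []) and signin["method"] not in STRONG:
        unmet.append("mfa")
    if "compliantDevice" in grant.get("builtInControls", []) and not signin["device_compliant"]:
        unmet.append("compliantDevice")
    if "authenticationStrength" in grant and signin["method"] not in PHISHING_RESISTANT:
        unmet.append("phishingResistantMfa")
    return unmet


def evaluate(policies, signin):
    """Conditional Access semantics: access is granted only if every applicable enabled
    policy is satisfied. Report-only policies never block; they record what they would do."""
    decision = {"grant": True, "blocked_by": {}, "report_only": {}}
    for p in policies:
        if not applies(p, signin):
            continue
        unmet = unmet_controls(p, signin)
        if not unmet:
            continue
        bucket = "blocked_by" if p["state"] == "enabled" else "report_only"
        decision[bucket][p["displayName"]] = unmet
        if bucket == "blocked_by":
            decision["grant"] = False
    return decision


# Constructed scenarios used for the pilot review.
SCENARIOS = {
    "admin, TOTP, managed laptop":   {"user_id": "u-admin", "roles": [GLOBAL_ADMIN_ROLE], "method": "totp", "device_compliant": True},
    "admin, FIDO2, personal laptop": {"user_id": "u-admin", "roles": [GLOBAL_ADMIN_ROLE], "method": "fido2", "device_compliant": False},
    "staff, TOTP, personal laptop":  {"user_id": "u-staff", "roles": [], "method": "totp", "device_compliant": False},
    "staff, FIDO2, managed laptop":  {"user_id": "u-staff", "roles": [], "method": "fido2", "device_compliant": True},
    "break-glass, password only":    {"user_id": BREAK_GLASS_ID, "roles": [GLOBAL_ADMIN_ROLE], "method": "password", "device_compliant": False},
}

if __name__ == "__main__":
    print(json.dumps(policy_bodies(), indent=1))            # bodies to POST during the pilot
    for label, s in SCENARIOS.items():
        print(f"{label:32} report-only: {evaluate(policy_bodies(), s)}")
        print(f"{'':32} enforced:    {evaluate(policy_bodies('enabled'), s)}")
```

The last scenario is the point of the break-glass guidance: the emergency account is granted with a password alone precisely because it is excluded from both policies, so its use must be rare, its credential kept offline, and every sign-in by it alerted on.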

Risks of not implementing MFA and device authentication

Without MFA and device checks you face account takeover, lateral movement, exfiltration of FCI or CUI, loss of contracts, and contractual and legal exposure for misstating your compliance posture. For small businesses the typical incident pathway is credential theft by phishing or password reuse, followed by access to cloud email and then to documents and intellectual property; MFA and device authentication break that chain at the first step, and the resulting logs let you show contracting officers exactly who accessed what, from which device, and with what assurance.

In summary, meeting FAR 52.204-21 and satisfying the intent of CMMC 2.0 Level 1 control AC.L1-B.1.I is achievable for small businesses by scoping assets, enabling phishing-resistant MFA where possible, registering and enforcing device compliance with MDM or certificates, integrating controls into VPN and SSH, and collecting clear evidence for your SSP and POA&M; prioritize privileged accounts, document every step, and use phased rollouts to minimize user disruption while maximizing security.
