This post provides a compact, actionable workflow for small businesses to verify users and control access to systems handling Federal Contract Information (FCI) so you can satisfy FAR 52.204-21 and the intent of CMMC 2.0 Level 1 Control AC.L1-B.1.III without heavy processes or expensive tooling.
What this control is trying to accomplish
At its core, AC.L1-B.1.III and FAR 52.204-21 expect contractors to ensure that only authorized users, devices, and processes can access information systems that process, store, or transmit FCI. For small organizations, that means having a repeatable verification and authorization workflow (who is requesting access, who approved it, and how access is revoked) plus lightweight technical controls (unique user IDs, basic logging, and MFA or equivalent protections).
Implementation overview for a Compliance Framework
1) Define clear, small-business friendly policies
Create a short Access Control Policy (1–2 pages) in your Compliance Framework set that covers: unique user IDs (no shared accounts), approval authority (manager or project lead), minimum authentication (MFA), deprovisioning SLA (e.g., within 24 hours for termination), and log retention (90 days minimum). Make the policy a single reference for the rest of your workflow.
2) Onboarding and verification workflow
Use a simple ticket-based or email-based request with three required fields: requester identity, resource requested, and approving manager. Example workflow: new-hire ticket → HR verifies identity (government ID + email) → manager approves in the ticket → IT provisions account and enables MFA. To automate verification, map this into a single form in your ticketing tool (e.g., Jira Service Desk, Freshservice, or a Google Form) that writes to a spreadsheet or a small CMDB that is part of your Compliance Framework records.
3) Deprovisioning and role changes
Trigger deprovisioning from HR events (termination, resignation) and manager requests. For small teams, require HR or the manager to open a "deprovision" ticket that IT completes with a checklist: disable account, revoke cloud tokens, remove from groups, and recover company devices. Technical examples: for Azure AD, run Set-MsolUser -UserPrincipalName jdoe@company.com -BlockCredential $true; for on-prem AD, use Disable-ADAccount -Identity "jdoe"; for Linux servers, use usermod -L jdoe or passwd -l jdoe. Record completion in the ticket and log the timestamp as evidence for auditors.
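Steps 2 and 3 describe one ticketed procedure: validate the request, provision, and later close a deprovision ticket against a checklist with timestamps. The script below is an added example (not the post's code) that models the record-keeping side of that procedure in Python so it can be dropped behind a form or ticketing webhook. It assumes a constructed roster of approvers and HR staff, constructed tickets and timestamps, and a simple in-memory evidence log; the "disable_account" checklist item is where IT runs the post's actual commands (Set-MsolUser, Disable-ADAccount, usermod -L). One caveat on those commands: the MSOnline and AzureAD PowerShell modules are deprecated by Microsoft in favour of Microsoft Graph PowerShell, but the workflow below is independent of which module you use.

```python
"""Ticket-driven access request and deprovisioning records (added example).

Not the post's code. Rosters, tickets and timestamps are constructed. A
request is actioned only when the three required fields are present, the
approver holds approval authority, HR has verified identity, and the account
ID is unique to one person; a deprovision ticket closes only when every
checklist item has a completion timestamp, and the 24-hour SLA is measured
from the HR event.
"""
from datetime import datetime, timedelta, timezone

# Constructed roster: approval authority (managers / project leads) and HR staff.
APPROVERS = {"alice.lead", "bob.manager"}
HR_STAFF = {"carol.hr"}
# Policy value from the post: deprovision within 24 hours of termination.
DEPROVISION_SLA = timedelta(hours=24)
# Deprovisioning checklist from the post; each item needs a completion timestamp.
DEPROVISION_CHECKLIST = ("disable_account", "revoke_cloud_tokens",
                         "remove_from_groups", "recover_devices")


class EvidenceLog:
    """Append-only, timestamped record that later serves as audit evidence."""

    def __init__(self):
        self.events = []
        self.account_owner = {}  # account ID -> person; enforces unique IDs

    def record(self, ticket_id, action, actor, when):
        self.events.append({"ticket": ticket_id, "action": action,
                            "actor": actor, "at": when.isoformat()})


def validate_access_request(ticket, log):
    """Return the reasons a request cannot be provisioned (empty list = OK)."""
    problems = []
    for required in ("requester", "resource", "approver"):
        if not ticket.get(required):
            problems.append(f"missing required field: {required}")
    if ticket.get("approver") and ticket["approver"] not in APPROVERS:
        problems.append("approver lacks approval authority")
    if ticket.get("identity_verified_by") not in HR_STAFF:
        problems.append("identity not verified by HR")
    account = ticket.get("account_id")
    owner = log.account_owner.get(account)
    if not account:
        problems.append("no account ID requested")
    elif owner and owner != ticket.get("requester"):
        problems.append(f"account {account} already belongs to {owner} (no shared accounts)")
    return problems


def provision(ticket, log, now):
    """Action a valid request; record approval, provisioning and MFA enrolment."""
    problems = validate_access_request(ticket, log)
    if problems:
        log.record(ticket["id"], "rejected: " + "; ".join(problems), "it", now)
        return problems
    log.account_owner[ticket["account_id"]] = ticket["requester"]
    log.record(ticket["id"], "approved", ticket["approver"], now)
    log.record(ticket["id"], f"provisioned {ticket['account_id']} on "
               f"{ticket['resource']}, MFA enabled", "it", now)
    return []


def deprovision(ticket, completed, log):
    """Close a deprovision ticket.

    `completed` maps checklist item -> datetime IT finished it. Returns
    (checklist_complete, within_sla, missing_items). Only HR or an approver
    may open the ticket, matching the post's trigger rule.
    """
    if ticket["opened_by"] not in HR_STAFF | APPROVERS:
        raise ValueError("deprovision ticket must be opened by HR or a manager")
    for item, when in completed.items():
        log.record(ticket["id"], item, "it", when)
    missing = [item for item in DEPROVISION_CHECKLIST if item not in completed]
    if missing:
        return False, False, missing
    finished = max(completed.values())
    within_sla = finished - ticket["hr_event_at"] <= DEPROVISION_SLA
    log.record(ticket["id"], f"deprovision complete, within SLA={within_sla}",
               "it", finished)
    return True, within_sla, []


def demo():
    """Constructed walk-through: one good request, one shared-account request,
    one termination handled inside the SLA."""
    log = EvidenceLog()
    t0 = datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)
    good = {"id": "REQ-1", "requester": "jdoe", "account_id": "jdoe",
            "resource": "source-repo", "approver": "alice.lead",
            "identity_verified_by": "carol.hr"}
    shared = {"id": "REQ-2", "requester": "msmith", "account_id": "jdoe",
              "resource": "source-repo", "approver": "alice.lead",
              "identity_verified_by": "carol.hr"}
    term = {"id": "DEP-1", "opened_by": "carol.hr",
            "hr_event_at": datetime(2024, 4, 1, 17, 0, tzinfo=timezone.utc)}
    done = {"disable_account": datetime(2024, 4, 1, 17, 30, tzinfo=timezone.utc),
            "revoke_cloud_tokens": datetime(2024, 4, 1, 17, 35, tzinfo=timezone.utc),
            "remove_from_groups": datetime(2024, 4, 1, 17, 40, tzinfo=timezone.utc),
            "recover_devices": datetime(2024, 4, 2, 10, 0, tzinfo=timezone.utc)}
    return (provision(good, log, t0), provision(shared, log, t0),
            deprovision(term, done, log), len(log.events))


if __name__ == "__main__":
    print(demo())
```

The evidence log is what an assessor asks for: every approval, provisioning step and checklist item carries who did it and when, and a rejected request is recorded too, so the ticket history shows the control operating rather than just the happy path.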
Technical controls you can implement cheaply
Small businesses should focus on a few high-impact controls: enforce MFA for all accounts that access FCI systems (Microsoft Authenticator, Google Authenticator, or a low-cost auth solution); use role-based groups in Google Workspace or Azure AD rather than granting per-user privileges; disable local admin rights on endpoints; and enable basic logging. For logs, enable Azure AD Sign-in logs, Google Workspace audit logs, or Windows Security Event logging and forward to a low-cost log aggregator (Cloud logging, Elastic, or even a centralized syslog server). Retain logs for at least 90 days to show access reviews and incident reconstruction capability.
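The point of the "minimal logging, 90 days retained" advice is that it lets you reconstruct access after the fact. The following is an added example (not the post's code) of what that reconstruction looks like over a handful of constructed sign-in records: per-user timelines, successful sign-ins after an account should have been disabled (the stale-credential risk the post warns about), successes that did not satisfy MFA, and whether the retained window actually covers 90 days. The JSON field names loosely follow an Azure AD sign-in export but are an assumption; adapt them to whatever your aggregator stores.

```python
"""Reconstructing access from retained sign-in logs (added example).

Not the post's code. SIGNIN_LOG, DISABLED_AT and the field names are
constructed; "mfaSatisfied" in particular is a placeholder for whatever
your IdP records about MFA on a sign-in.
"""
import json
from datetime import datetime, timedelta, timezone

# Constructed newline-delimited JSON, one sign-in per line.
SIGNIN_LOG = """\
{"createdDateTime": "2024-04-01T08:02:00Z", "userPrincipalName": "jdoe@company.com", "appDisplayName": "GitHub", "ipAddress": "203.0.113.5", "status": {"errorCode": 0}, "mfaSatisfied": true}
{"createdDateTime": "2024-04-01T17:00:00Z", "userPrincipalName": "rlee@company.com", "appDisplayName": "SharePoint", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "mfaSatisfied": true}
{"createdDateTime": "2024-04-02T06:10:00Z", "userPrincipalName": "rlee@company.com", "appDisplayName": "SharePoint", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}, "mfaSatisfied": false}
{"createdDateTime": "2024-04-02T09:00:00Z", "userPrincipalName": "jdoe@company.com", "appDisplayName": "GitHub", "ipAddress": "203.0.113.5", "status": {"errorCode": 50126}, "mfaSatisfied": false}
"""
# Constructed deprovision record taken from the ticket: account -> disable time.
DISABLED_AT = {"rlee@company.com": datetime(2024, 4, 1, 17, 30, tzinfo=timezone.utc)}
RETENTION = timedelta(days=90)  # policy value from the post


def _parse_time(iso):
    # fromisoformat() in older Pythons does not accept a trailing "Z".
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


def parse_signins(text):
    """Normalise each JSON line into a flat event dict."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        raw = json.loads(line)
        events.append({
            "at": _parse_time(raw["createdDateTime"]),
            "user": raw["userPrincipalName"],
            "app": raw["appDisplayName"],
            "ip": raw["ipAddress"],
            "ok": raw["status"]["errorCode"] == 0,
            "mfa": bool(raw.get("mfaSatisfied", False)),
        })
    return events


def reconstruct(events, user):
    """Timeline of one user's sign-in attempts: (time, app, ip, outcome)."""
    return [(e["at"].isoformat(), e["app"], e["ip"], "success" if e["ok"] else "failure")
            for e in events if e["user"] == user]


def stale_credential_signins(events, disabled_at):
    """Successful sign-ins after the account should already have been disabled."""
    return [(e["user"], e["at"].isoformat(), e["app"]) for e in events
            if e["ok"] and e["user"] in disabled_at and e["at"] > disabled_at[e["user"]]]


def successes_without_mfa(events):
    """Successful sign-ins that did not satisfy MFA (policy says all must)."""
    return [(e["user"], e["at"].isoformat()) for e in events if e["ok"] and not e["mfa"]]


def retention_covers(events, now_iso, retention=RETENTION):
    """True when the oldest retained record is at least `retention` old."""
    if not events:
        return False
    oldest = min(e["at"] for e in events)
    return _parse_time(now_iso) - oldest >= retention


if __name__ == "__main__":
    ev = parse_signins(SIGNIN_LOG)
    print(stale_credential_signins(ev, DISABLED_AT))
    print(successes_without_mfa(ev))
```

Run quarterly, `stale_credential_signins` doubles as a check that the deprovisioning SLA actually held, because any hit means a credential kept working after the ticket says it was revoked.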
Practical small-business scenarios
Example 1 – Small software firm with 12 employees: Onboarding uses an HR-triggered ticket. Developer access to the source code repo is approved by the engineering lead; access is granted to a repo-specific GitHub team. MFA is enforced via GitHub + SSO (Okta or Azure AD). When someone leaves, HR opens the deprovision ticket; IT disables the Azure AD account (Set-AzureADUser -ObjectId user@contoso.com -AccountEnabled $false) and removes GitHub team membership, then documents completion in the ticket.
Example 2 – Remote sales team with BYOD: Require enrollment in a lightweight MDM (Microsoft Intune or a free-tier MDM) for company email and contract documents. Use conditional access (block unmanaged devices) or require the use of a password manager and company-approved email client. For contractors who use personal devices, issue access only after signing an Acceptable Use agreement and completing a brief verification checklist stored in the Compliance Framework records.
Compliance tips and best practices
Keep evidence: retain tickets, signed approvals, and a small access matrix that maps roles to resources. Do periodic (quarterly or semi-annual) access reviews where managers confirm the list of users who still need access — document with a one-line confirmation email or ticket. Avoid shared accounts; where a service account is necessary, track it in the CMDB and protect credentials in a team vault (Bitwarden, 1Password Business). Minimum viable logging and retention are better than perfect coverage — demonstrate regular review and improvement in your Compliance Framework.
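The access matrix and the periodic review above are easy to mechanise. The script below is an added example (not the post's code) that takes a constructed role-to-resource matrix, HR roster, CMDB list of service accounts, and an export of current group memberships, then produces the findings a reviewer must remediate (departed users, accounts nobody tracks, grants outside the role) and the per-manager confirmation list that becomes the one-line confirmation evidence. All names and data are constructed.

```python
"""Periodic access review against an access matrix (added example).

Not the post's code. ACCESS_MATRIX, ROSTER, SERVICE_ACCOUNTS and GRANTS are
constructed stand-ins for your own records and IdP export.
"""

# Constructed access matrix: which resources each role may hold.
ACCESS_MATRIX = {
    "developer": {"source-repo", "ci"},
    "sales": {"crm", "contract-docs"},
    "it-admin": {"source-repo", "ci", "crm", "contract-docs", "idp-admin"},
}
# Constructed HR roster: account -> role, approving manager, still employed?
ROSTER = {
    "jdoe":    {"role": "developer", "manager": "alice.lead",  "active": True},
    "msmith":  {"role": "sales",     "manager": "bob.manager", "active": True},
    "rlee":    {"role": "developer", "manager": "alice.lead",  "active": False},
    "itadmin": {"role": "it-admin",  "manager": "bob.manager", "active": True},
}
# Constructed CMDB entries for service accounts: account -> owning manager.
SERVICE_ACCOUNTS = {"svc-ci-runner": "alice.lead"}
# Constructed export of current grants (e.g. IdP groups): resource -> accounts.
GRANTS = {
    "source-repo": {"jdoe", "rlee", "itadmin", "svc-ci-runner"},
    "ci": {"jdoe", "itadmin", "svc-ci-runner"},
    "crm": {"msmith", "jdoe", "itadmin"},
    "contract-docs": {"msmith", "itadmin", "ghost"},
    "idp-admin": {"itadmin"},
}


def review_access(grants, roster, matrix, service_accounts):
    """Return sorted (account, resource, finding) tuples needing remediation."""
    findings = []
    for resource, accounts in grants.items():
        for account in accounts:
            if account in service_accounts:
                continue  # tracked in the CMDB; its owner confirms it below
            entry = roster.get(account)
            if entry is None:
                findings.append((account, resource, "account not in HR roster"))
            elif not entry["active"]:
                findings.append((account, resource, "departed user retains access"))
            elif resource not in matrix.get(entry["role"], set()):
                findings.append((account, resource, "grant outside role"))
    return sorted(findings)


def confirmation_lists(grants, roster, service_accounts):
    """Build manager -> {account: [resources]} for the quarterly confirmation.

    Departed and untracked accounts are deliberately left out: they are
    remediation items from review_access, not something to confirm.
    """
    per_manager = {}
    for resource, accounts in grants.items():
        for account in accounts:
            if account in service_accounts:
                manager = service_accounts[account]
            elif account in roster and roster[account]["active"]:
                manager = roster[account]["manager"]
            else:
                continue
            per_manager.setdefault(manager, {}).setdefault(account, []).append(resource)
    for accounts in per_manager.values():
        for resources in accounts.values():
            resources.sort()
    return per_manager


if __name__ == "__main__":
    for finding in review_access(GRANTS, ROSTER, ACCESS_MATRIX, SERVICE_ACCOUNTS):
        print("FINDING", *finding)
    for manager, accounts in confirmation_lists(GRANTS, ROSTER, SERVICE_ACCOUNTS).items():
        print("CONFIRM", manager, accounts)
```

Attach the findings list and the managers' replies to the review ticket; together with the access matrix they are the evidence that the review happened and what changed as a result.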
Risks of not implementing a lightweight workflow
Without a repeatable verification and control workflow you open the organization to unauthorized access to FCI, accidental disclosures, ransomware risk due to stale credentials, and failed FAR/CMMC audits. Practically, non-compliance can lead to contract loss, costly remediation, and reputational damage. In many cases breaches or access gaps are discovered only after the fact; having documented provisioning and deprovisioning reduces forensic time and exposure.
Summary: For small businesses, meeting FAR 52.204-21 and CMMC 2.0 Level 1 AC.L1-B.1.III is achievable with a compact Compliance Framework that combines a short access policy, a ticketed verification and approval workflow, basic technical controls (MFA, unique IDs, RBAC), rapid deprovisioning procedures, and minimal logging/retention. Prioritize repeatability and evidence: a documented, consistently-executed process with ticketed approvals and timestamps will satisfy auditors far more effectively than a complex, partially-implemented program.