This post gives a practical, step-by-step implementation plan for FAR 52.204-21 and CMMC 2.0 Level 1 control AC.L1-B.1.I — limiting system access to authorized users, processes acting on behalf of users, and authorized devices — with concrete technical examples and small-business scenarios to help you meet Compliance Framework requirements.
Requirement and objectives
AC.L1-B.1.I requires that systems only be accessible by authorized users, processes (including services and scripts acting on behalf of users), and devices (including other systems). The Compliance Framework objective is to prevent unauthorized access to Controlled Unclassified Information (CUI) and other sensitive contractor information by enforcing authentication, authorization, and endpoint trust before granting access. Your implementation must cover policy, account lifecycle, device controls, and monitoring so auditors and assessors can verify you have effective access controls.
Step-by-step implementation
1) Inventory, policy, and role definitions
Start by inventorying systems that process or store CUI and map user roles and device types. Create an "Access Control Policy" that defines authorized user categories, approved devices (corporate-managed, BYOD rules), and allowed automated processes (service accounts, CI/CD runners). Require documented justification and approvals for access. For Compliance Framework evidence, capture a table of systems, the roles that need access, and the business case/approval trail for each access grant.
2) Account provisioning, least privilege, and deprovisioning
Implement a controlled provisioning workflow: request → approval → creation → verification → periodic recertification. Use role-based access control (RBAC) to assign the minimum privileges each role needs. Technical examples: in Active Directory/Azure AD, create a group for each role and assign permissions to the group rather than to individuals; a PowerShell sample to add a user to a group is Add-ADGroupMember -Identity "CUI-Users" -Members "alice". For Linux servers, create a dedicated admin group and grant it only the commands it needs through a sudoers drop-in file (e.g., /etc/sudoers.d/cui-admins) instead of adding users to wheel/root. Automate deprovisioning by integrating HR offboarding with your IAM: disable the account immediately on termination, for example by setting an immediate account expiry with chage -E 0 username on Linux or running Set-ADUser -Identity user -Enabled $false in AD. Maintain a log of provisioning/deprovisioning actions for audits.
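The periodic recertification step above is the one small teams most often skip because it is manual. The following shell script is an added example, not code from the original post: it compares the members a host's groups actually have against an approved access matrix and writes every unauthorized member to an audit log that can be handed to an assessor. The group file, the matrix and the group names (cui-users, cui-admins) are constructed sample data; on a real host GROUP_FILE would point at /etc/group.

```shell
# Added example: recertification check of group membership against an approved
# access matrix. All inputs below are constructed sample data.

WORK=$(mktemp -d)
GROUP_FILE="$WORK/group"            # stands in for /etc/group (constructed)
MATRIX_FILE="$WORK/approved.txt"    # approved "group:user" grants (constructed)
AUDIT_LOG="$WORK/access-review.log" # evidence trail for assessors

cat > "$GROUP_FILE" <<'EOF'
root:x:0:
cui-users:x:1001:alice,bob,mallory
cui-admins:x:1002:alice
EOF

cat > "$MATRIX_FILE" <<'EOF'
cui-users:alice
cui-users:bob
cui-users:carol
cui-admins:alice
EOF

# members_of GROUP -> current members of GROUP, one per line
members_of() {
    awk -F: -v g="$1" '$1 == g {
        n = split($4, m, ",")
        for (i = 1; i <= n; i++) if (m[i] != "") print m[i]
    }' "$GROUP_FILE"
}

# approved_for GROUP -> users the matrix approves for GROUP, one per line
approved_for() {
    awk -F: -v g="$1" '$1 == g { print $2 }' "$MATRIX_FILE"
}

# review_group GROUP -> prints "UNAUTHORIZED user" for members without an
# approval and "MISSING user" for approvals that were never provisioned; each
# unauthorized member is appended to AUDIT_LOG. Returns 1 if any were found.
review_group() {
    g="$1"; rc=0
    for u in $(members_of "$g"); do
        if ! approved_for "$g" | grep -qx "$u"; then
            echo "UNAUTHORIZED $u"
            echo "$(date -u +%Y-%m-%dT%H:%M:%SZ) group=$g user=$u finding=unauthorized" >> "$AUDIT_LOG"
            rc=1
        fi
    done
    for u in $(approved_for "$g"); do
        members_of "$g" | grep -qx "$u" || echo "MISSING $u"
    done
    return $rc
}

# review_all -> runs the review for every group named in the matrix
review_all() {
    for g in $(cut -d: -f1 "$MATRIX_FILE" | sort -u); do
        echo "== $g"
        review_group "$g" || true
    done
}

review_all
```

Run quarterly (or from a scheduler), the "UNAUTHORIZED" lines are the items a manager must either approve by adding them to the matrix or remove from the group, and the audit log is the evidence that the review happened.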
3) Authenticate and verify devices and processes
Require multi-factor authentication (MFA) for any interactive access to CUI systems and enforce device compliance checks for remote access. For cloud environments, use Conditional Access or equivalent identity-aware access policies (Azure AD Conditional Access: require MFA and a compliant device for assignments targeting "CUI apps"). For endpoints, deploy an MDM (e.g., Intune, Jamf, Google Endpoint Management) to ensure devices meet a security baseline (disk encryption, patch level, PIN). For non-interactive processes, use scoped service accounts or token-based credentials with restricted permissions and short lifetimes (e.g., short-lived OAuth tokens or vaulted secrets from HashiCorp Vault instead of long-lived keys). For SSH access to Linux, disable password logins (PasswordAuthentication no in /etc/ssh/sshd_config) and limit what each key can do, either with a forced command (the command= option) in authorized_keys or, if you issue SSH certificates, by controlling principals with AuthorizedPrincipalsCommand.
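Two details of the SSH advice above trip people up in assessments: sshd keeps the first value it reads for a setting (so a "PasswordAuthentication no" in a drop-in can be silently overridden, or override a later "yes" in the main file), and turning off PasswordAuthentication alone still leaves the keyboard-interactive path that PAM can use to prompt for a password. The script below is an added example, not code from the original post or from OpenSSH: it reports the value sshd would actually use for a setting, audits the three settings a key-only host needs, and builds a restricted authorized_keys entry. The config directory, its contents and the key material are constructed; the checker does not evaluate Match blocks and does not handle "Key=value" syntax.

```shell
# Added example: audit the effective sshd settings and build a restricted key
# entry. The config files below are constructed sample data.

CFG_DIR=$(mktemp -d)
mkdir -p "$CFG_DIR/sshd_config.d"

cat > "$CFG_DIR/sshd_config" <<EOF
Include $CFG_DIR/sshd_config.d/*.conf
# Read after the drop-in, so this does NOT take effect
PasswordAuthentication yes
PermitRootLogin no
EOF

cat > "$CFG_DIR/sshd_config.d/10-hardening.conf" <<'EOF'
PasswordAuthentication no
EOF

# effective_setting KEY CONFIG -> value sshd would use for KEY (empty if unset).
# First occurrence wins; Include files are read in place; a Match line ends the
# global section, so values inside Match blocks are ignored.
effective_setting() {
    key=$(printf '%s' "$1" | tr 'A-Z' 'a-z'); cfg="$2"
    while IFS= read -r line || [ -n "$line" ]; do
        k=$(printf '%s' "$line" | awk '{print tolower($1)}')
        v=$(printf '%s' "$line" | awk '{print $2}')
        [ -n "$k" ] || continue
        case "$k" in
            "#"*) continue ;;
            include)
                for f in $v; do               # unquoted so the glob expands
                    [ -f "$f" ] || continue
                    found=$(effective_setting "$key" "$f")
                    if [ -n "$found" ]; then echo "$found"; return 0; fi
                done ;;
            match) return 0 ;;
            "$key") echo "$v"; return 0 ;;
        esac
    done < "$cfg"
    return 0
}

# audit_sshd CONFIG -> PASS/FAIL per required setting; returns 1 on any FAIL.
# KbdInteractiveAuthentication defaults to yes, so an unset value is a finding.
audit_sshd() {
    cfg="$1"; rc=0
    for want in "PasswordAuthentication no" "KbdInteractiveAuthentication no" "PermitRootLogin no"; do
        k=${want% *}; expect=${want#* }
        got=$(effective_setting "$k" "$cfg")
        if [ "$(printf '%s' "$got" | tr 'A-Z' 'a-z')" = "$expect" ]; then
            echo "PASS $k=$got"
        else
            echo "FAIL $k=${got:-<unset>} (want $expect)"; rc=1
        fi
    done
    return $rc
}

# restricted_key_entry PUBKEY FROM COMMAND -> authorized_keys line that pins the
# key to a source network and one forced command; "restrict" (OpenSSH 7.2+)
# also disables port/agent/X11 forwarding and PTY allocation.
restricted_key_entry() {
    printf 'restrict,from="%s",command="%s" %s\n' "$2" "$3" "$1"
}

audit_sshd "$CFG_DIR/sshd_config" || echo "sshd hardening incomplete"
restricted_key_entry "ssh-ed25519 AAAAC3example backup@cui-srv1" "10.20.0.0/24" "/usr/local/bin/backup-pull"
```

On a live host, `sshd -T` prints the effective configuration and is the authoritative check; the parser here exists so the same test can run against a configuration checked into a repository before it is deployed.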
4) Network- and device-level enforcement
Enforce access restrictions at the network layer with segmentation and network access control (NAC). Place CUI systems on segmented VLANs or subnets and restrict access with ACLs and firewall rules so only authorized hosts and services can reach them. Implement host-based controls such as Windows Firewall rules or iptables/nftables to allow only required ports and source IPs. For remote access, use a hardened bastion host or VPN with device posture checks rather than exposing systems directly. Example: configure your VPN to require device compliance from MDM and MFA before assigning a session token that allows access to the CUI subnet.
5) Monitoring, logging, and periodic verification
Enable comprehensive logging to demonstrate access was authorized: authentication logs, access control list changes, service-account usage, and device compliance events. Use central log collection (e.g., Sysmon + ELK/Splunk, CloudTrail, Azure Monitor) and configure alerts for anomalous behavior (failed logins, new service-account usage, device non-compliance). Schedule quarterly access reviews where managers recertify who should retain access and review service accounts and device lists. Maintain a documented checklist for auditors showing evidence of reviews and corrective actions taken.
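The alerts listed above (failed logins, unexpected account usage) are easy to describe and easy to get wrong in practice, so here is an added example of the detection logic run over a constructed auth.log excerpt. It is not code from the original post; the log lines, the authorized-user list and the management-subnet prefix (10.20.0.) are all sample values, and in production the functions would read the centrally collected logs instead.

```shell
# Added example: detection over a constructed auth.log excerpt.

WORK=$(mktemp -d)
LOG="$WORK/auth.log"
AUTHZ="$WORK/authorized-users.txt"   # users approved for this host (constructed)
MGMT_PREFIX="10.20.0."               # bastion/VPN subnet allowed to reach the host (assumed)

cat > "$LOG" <<'EOF'
Mar  3 09:12:01 cui-srv1 sshd[2101]: Failed password for invalid user admin from 203.0.113.9 port 51122 ssh2
Mar  3 09:12:03 cui-srv1 sshd[2103]: Failed password for invalid user admin from 203.0.113.9 port 51123 ssh2
Mar  3 09:12:05 cui-srv1 sshd[2105]: Failed password for root from 203.0.113.9 port 51124 ssh2
Mar  3 09:12:08 cui-srv1 sshd[2107]: Failed password for alice from 203.0.113.9 port 51125 ssh2
Mar  3 09:15:44 cui-srv1 sshd[2150]: Accepted publickey for alice from 10.20.0.15 port 50222 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 09:20:10 cui-srv1 sshd[2188]: Accepted publickey for svc-backup from 10.20.0.40 port 33222 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
Mar  3 09:24:50 cui-srv1 sshd[2209]: Failed password for dave from 198.51.100.7 port 4021 ssh2
Mar  3 09:25:00 cui-srv1 sshd[2210]: Accepted password for dave from 198.51.100.7 port 4022 ssh2
Mar  3 09:31:12 cui-srv1 sshd[2240]: Accepted publickey for bob from 203.0.113.50 port 60110 ssh2: ED25519 SHA256:EXAMPLEKEYFINGERPRINT
EOF
printf '%s\n' alice bob svc-backup > "$AUTHZ"

# failed_login_sources THRESHOLD -> "count ip" for every source with at least
# THRESHOLD failed password attempts, most active first
failed_login_sources() {
    awk -v t="$1" '/sshd\[[0-9]+\]: Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") c[$(i + 1)]++
    } END { for (ip in c) if (c[ip] >= t) print c[ip], ip }' "$LOG" | sort -rn
}

# suspicious_logins -> one line per accepted login that breaks policy:
#   UNKNOWN-USER   account is not on the authorized list
#   PASSWORD-AUTH  password used on a host that should be key-only
#   OFF-NET        source is outside the management subnet
suspicious_logins() {
    awk -v authz="$AUTHZ" -v pfx="$MGMT_PREFIX" '
        BEGIN { while ((getline u < authz) > 0) ok[u] = 1 }
        /sshd\[[0-9]+\]: Accepted / {
            method = ""; user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") { method = $(i + 1); user = $(i + 3) }
                if ($i == "from")     ip = $(i + 1)
            }
            if (!(user in ok))        print "UNKNOWN-USER", user, ip
            if (method == "password") print "PASSWORD-AUTH", user, ip
            if (index(ip, pfx) != 1)  print "OFF-NET", user, ip
        }' "$LOG"
}

echo "# sources with >= 3 failed passwords"; failed_login_sources 3
echo "# policy violations";                  suspicious_logins
```

The "PASSWORD-AUTH" and "OFF-NET" findings are the useful ones for this control: a successful password login on a host configured for keys only, or a login that did not come through the bastion or VPN, means the enforcement layer is not doing what the policy says, and that is exactly what an assessor will probe.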
Real-world small-business scenarios
Example A — Small defense contractor (15 employees) using Microsoft 365 and two Linux servers: Enroll all corporate laptops in Intune, require BitLocker and a PIN, and enable Azure AD Conditional Access to enforce MFA and Intune compliance for Microsoft apps. Route SSH access through a Windows-based bastion that authenticates to the Linux servers with short-lived certificates from an internal CA. Use AD groups for role assignment and an offboarding automation script that disables AD accounts and removes group membership.

Example B — Small software shop hosting code and CI/CD: Restrict the CI runner's service account so it can only access the repositories needed for builds, store runner tokens in Vault with TTLs, and use artifact repositories with fine-grained permissions. Require developers to use MFA-enabled SSO for repository access and enforce branch-level protections to prevent unauthorized merges.
Risks, compliance tips, and best practices
Not implementing AC.L1-B.1.I increases risks: unauthorized disclosures of CUI, account compromise leading to lateral movement, contract termination, and regulatory penalties. Best practices: enforce least privilege, require MFA and device attestation for CUI access, automate provisioning/deprovisioning, rotate and avoid long-lived credentials, and maintain robust logging. Keep evidence organized: access policies, group membership snapshots, provisioning tickets, MDM compliance reports, and log extracts. For small businesses, leverage managed services (Azure AD, Intune, cloud IAM) to reduce operational burden while retaining configurability and auditability required by the Compliance Framework.
In summary, achieving compliance with FAR 52.204-21 / CMMC 2.0 AC.L1-B.1.I is a practical combination of policy, disciplined account lifecycle management, device trust enforcement, network segmentation, and monitoring. Start with an inventory and clear access policies, enforce them with RBAC, MFA, MDM/NAC, and vaulted credentials, and produce regular evidence through logs and access reviews — these steps will both reduce risk and produce the documentation auditors expect.