
How to Implement Multi-Factor Authentication and Strong Password Controls to Fulfill FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.VI

Practical, step-by-step guidance for small businesses to implement multi-factor authentication and strong password controls to meet FAR 52.204-21 and CMMC 2.0 Level 1 requirements.

March 27, 2026

This post gives practical, actionable steps for small businesses following the Compliance Framework to implement multi-factor authentication (MFA) and strong password controls required by FAR 52.204-21 and CMMC 2.0 Level 1 (IA.L1-B.1.VI), including technical configurations, real-world examples, documentation tips, and the risks of not meeting the requirement.

Understanding the requirement (Compliance Framework context)

Within the Compliance Framework practice, the IA.L1-B.1.VI control focuses on using stronger authentication and protecting account credentials to reduce the risk of unauthorized access to Controlled Unclassified Information (CUI) and contractor systems. For small businesses, meeting this control means combining MFA for access pathways (remote access, cloud consoles, VPNs, and privileged accounts) with robust password policies, secure storage of credentials, and evidence of enforcement in the System Security Plan (SSP) and supporting artifacts.

Implementation roadmap

Inventory, policy, and scoping

Start by scoping: inventory all user accounts, administrative accounts, service accounts, remote-access methods (VPN, RDP, Citrix), cloud consoles (Azure, AWS, Google Cloud), SaaS admin consoles, and any local on-prem admin access. Create a short policy that states MFA is required for all interactive logins that access CUI or connect remotely, and that password rules apply to all human accounts. Document exceptions, approval authority, and an account provisioning/deprovisioning process tied to HR or contract changes so offboarding is prompt.

Technical enforcement: multi-factor authentication

Choose an identity provider or MFA solution that fits your stack: Azure AD (P1/P2) or Entra, Okta, Google Workspace, Duo Security, or built-in MFA for vendors. Enforce MFA via conditional access policies (e.g., Azure: require MFA for all sign-ins from untrusted networks or for all administrative roles). Prefer phishing-resistant factors for admins and high-risk users (FIDO2 hardware keys like YubiKey or FIDO security keys). For regular users, use push notification (Duo/Okta), TOTP authenticator apps (Google Authenticator, Authy), or hardware tokens; avoid SMS-only OTP for primary protection. For VPNs and RDP, integrate MFA with your gateway (RADIUS to your IdP or SAML/OAuth connectors) so remote access is blocked unless MFA is validated. Ensure backup/recovery methods are secure (one-time recovery codes stored securely, help-desk processes that require identity proofing). Log MFA events to a SIEM or centralized log store for audit evidence.

Strong password controls (technical specifics)

Implement password policies that align with NIST SP 800-63B and the Compliance Framework: allow long passphrases (recommend a minimum of 12 characters and allow up to 64), do not require composition rules that force predictable substitutions, but do require checks against known-breach lists (HaveIBeenPwned or built-in IdP banned-password lists). Enforce throttling and progressive lockouts (example: 10 failed attempts then a 15-minute lockout or CAPTCHA; block further attempts and require an admin reset for repeated lockouts). For systems you manage, store passwords hashed with a modern algorithm (Argon2id or bcrypt with an appropriate cost factor) using unique salts, and use TLS 1.2+ for transport. Avoid periodic forced rotation unless compromise is suspected; instead, require rotation on evidence of compromise. Encourage the use of password managers and publish a company-approved list (e.g., 1Password, Bitwarden) to reduce reuse and weak passwords.
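The passphrase rules and progressive lockout described above, as an added example (not code from the original post or from any vendor): length bounds and a banned-list check with no composition rules, plus a tracker that locks an account for 15 minutes after 10 failures and requires an admin reset on a repeated lockout. The banned list here is a small constructed stand-in for a real breached-password feed.

```python
import unicodedata
from dataclasses import dataclass, field
from typing import Dict, List

MIN_LEN, MAX_LEN = 12, 64              # passphrase bounds from the policy above
MAX_FAILURES, LOCKOUT_SECONDS = 10, 15 * 60

# Constructed stand-in for a breached/banned-password list; in production this
# check would go to HaveIBeenPwned (k-anonymity API) or the IdP's banned list.
BANNED = {"password1234", "winter2026!", "companyname123", "letmein12345"}

def check_passphrase(candidate: str, username: str = "") -> List[str]:
    """Return policy violations for a candidate passphrase; [] means accepted.
    Deliberately no composition rules (NIST SP 800-63B): length + banned list."""
    problems: List[str] = []
    normalized = unicodedata.normalize("NFKC", candidate)   # stable length/compare
    if len(normalized) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(normalized) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if normalized.lower() in BANNED:
        problems.append("appears in banned/breached password list")
    if username and username.lower() in normalized.lower():
        problems.append("contains the account name")
    return problems

@dataclass
class LockoutTracker:
    """Progressive lockout: MAX_FAILURES -> LOCKOUT_SECONDS block; a second
    lockout in a row blocks indefinitely until an administrator resets it."""
    failures: Dict[str, int] = field(default_factory=dict)
    locked_until: Dict[str, float] = field(default_factory=dict)
    lockout_count: Dict[str, int] = field(default_factory=dict)

    def is_locked(self, user: str, now: float) -> bool:
        return self.locked_until.get(user, 0.0) > now

    def record_failure(self, user: str, now: float) -> str:
        """Returns 'ok', 'locked' (temporary) or 'admin_reset' (repeat lockout)."""
        if self.is_locked(user, now):
            return "locked"                      # attempt ignored while locked
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] < MAX_FAILURES:
            return "ok"
        self.failures[user] = 0
        self.lockout_count[user] = self.lockout_count.get(user, 0) + 1
        if self.lockout_count[user] >= 2:        # repeated lockout: needs admin
            self.locked_until[user] = float("inf")
            return "admin_reset"
        self.locked_until[user] = now + LOCKOUT_SECONDS
        return "locked"

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)            # a good login clears the counters
        self.lockout_count.pop(user, None)
```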

Service accounts, privileged accounts, and recovery

Treat service and privileged accounts differently: avoid embedding plaintext credentials in scripts—use managed identities (Azure Managed Identity, AWS IAM roles) or secure secrets vaults (Azure Key Vault, AWS Secrets Manager, HashiCorp Vault). Require MFA for any interactive privileged login and restrict admin activities to jump hosts with strong session audit. Implement strict onboarding/offboarding for privileged roles, with workflow approvals logged in your identity platform. For recovery, maintain a documented, auditable process for MFA reset that includes identity verification steps and temporary administrative approval with time-limited access.

Real-world small business examples and scenarios

Example 1: A 25-person defense subcontractor uses Microsoft 365 and Azure AD. They enable Azure Conditional Access to require MFA for all users accessing Microsoft 365 from outside the corporate network, enroll all admins with YubiKey FIDO2 tokens, and use Azure AD password protection to block common passwords and breached credentials. Example 2: A small engineering firm running an on-prem VPN integrates Duo Security with their ASA firewall via RADIUS, requires push-based MFA for remote workers, enforces a 14-character minimum password policy via Active Directory Group Policy, and stores service account secrets in HashiCorp Vault with short-lived credentials for CI/CD pipelines.

Operational controls, monitoring, and audit evidence

Operationalize compliance: collect logs showing MFA enrollment and successful/failed MFA events, retain configuration screenshots or exports of Conditional Access/IdP policies, and include the MFA policy and password policy in your SSP and Policies and Procedures repository. Maintain a POA&M for exceptions and remediation timelines. Test enforcement quarterly (simulate user onboarding/offboarding, run a brute-force simulation on a test account, verify that banned-password lists are working) and train users on MFA workflows and recovery. For audits, provide screenshots of the MFA policy, logs of recent successful MFA challenges, and records of privileged account approvals.
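An added example (not from the original post) of turning sign-in logs into the audit evidence described above: it parses constructed sample records, counts MFA-satisfied and MFA-denied events per user, and lists successful sign-ins that completed without MFA, which are either documented exceptions for the POA&M or enforcement gaps to fix. The log line layout is an assumption; map the regex to your IdP's export format.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample sign-in records (not real logs). Field layout is assumed.
SAMPLE_LOG = """\
2026-03-20T08:12:03Z user=alice result=success mfa=satisfied src=203.0.113.5 app=M365
2026-03-20T08:14:40Z user=bob result=failure mfa=denied src=198.51.100.7 app=VPN
2026-03-20T08:15:02Z user=bob result=failure mfa=denied src=198.51.100.7 app=VPN
2026-03-20T09:01:11Z user=svc-backup result=success mfa=none src=10.0.0.12 app=VPN
2026-03-20T09:30:27Z user=carol result=success mfa=none src=203.0.113.9 app=M365
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>\S+) src=(?P<src>\S+) app=(?P<app>\S+)$"
)

def parse(log: str) -> List[dict]:
    """Parse one record per line; lines that do not match are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log.splitlines()) if m]

def mfa_summary(events: List[dict]) -> Dict[str, Dict[str, int]]:
    """Per-user counts of MFA challenges satisfied/denied: the 'recent MFA
    challenges' evidence an assessor asks for."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: {"satisfied": 0, "denied": 0})
    for e in events:
        if e["mfa"] in ("satisfied", "denied"):
            summary[e["user"]][e["mfa"]] += 1
    return dict(summary)

def policy_gaps(events: List[dict]) -> List[Tuple[str, str, str]]:
    """Successful sign-ins with no MFA: each is a POA&M exception or a misconfiguration."""
    return [(e["ts"], e["user"], e["app"])
            for e in events if e["result"] == "success" and e["mfa"] == "none"]

if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print(mfa_summary(evts))
    for ts, user, app in policy_gaps(evts):
        print(f"REVIEW: {user} signed in to {app} at {ts} without MFA")
```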

Risks of not implementing MFA and strong password controls

Failing to implement these controls increases the risk of credential compromise, unauthorized access to CUI, ransomware or data exfiltration, and loss of contract eligibility under FAR and CMMC requirements. For small businesses, a single compromised admin account can lead to significant intellectual property loss, contract termination, civil penalties, and reputational damage that is often unrecoverable for SMBs relying on government contracts.

Summary: To satisfy the Compliance Framework IA.L1-B.1.VI requirement, combine an enforceable MFA rollout across all remote and privileged access with modern password controls (long passphrases, breached-password checks, secure storage, and vaulting for service credentials). Document your policies, collect configuration and log evidence, train users, and include remediation plans in your SSP/POA&M—these steps will materially reduce your risk and demonstrate compliance to FAR 52.204-21 and CMMC 2.0 Level 1 assessors.
