This guide walks a small-business IT or security owner through practical, actionable steps to meet FAR 52.204-21 and CMMC 2.0 Level 1 expectations for user and device authentication (IA.L1-B.1.VI) using a combination of MFA and SSO, with concrete configuration details, real-world scenarios, and compliance best practices.
Step-by-step implementation overview
Start by scoping: inventory all user accounts, SaaS apps, and endpoints that handle Federal Contract Information (FCI) or other sensitive data; decide which apps go behind SSO and which need direct integration; select an identity provider (IdP) and a device management solution. Then deploy SSO (SAML/OIDC) for cloud apps, enable and enforce MFA for user authentication, and enroll devices into an MDM/endpoint management solution that supports device authentication or posture checks. Operational steps, in order:
1) Identify applications and access flows.
2) Pick an IdP and an MDM (examples below).
3) Configure SSO with the correct metadata (entityID, ACS/Assertion Consumer Service URL, signing certificate).
4) Enable MFA methods and enforcement rules.
5) Enroll corporate and BYOD devices; issue device certificates or enroll them with the MDM.
6) Create conditional access policies that tie device compliance to access.
7) Test, log, and document the configuration for compliance review.
Choose an Identity Provider (IdP) and SSO protocol
For small businesses, common choices are Microsoft Entra ID (Azure AD), Okta, Google Workspace, or a turnkey IdP like JumpCloud. Pick an IdP that supports both SAML 2.0 and OIDC so you can integrate legacy and modern apps. Technical details to configure: exchange metadata XML (IdP SSO URL, X.509 signing certificate); set the Service Provider's ACS URL and entityID in the IdP; map attributes, with NameID usually set to userPrincipalName or email, and include group or role claims if your apps use them. Important parameters to verify: assertion lifetime (short, e.g., 5–10 minutes), assertion signing and encryption enabled, and the clock skew allowance (typically ±5 minutes). Example: when connecting a Jira Cloud instance to Azure AD via SAML, you paste Jira's Assertion Consumer Service URL into Azure, set NameID to user.mail, and upload Azure's signing certificate to Jira.
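The parameters listed above (signature present, audience equal to the SP entityID, Recipient equal to the ACS URL, NotBefore/NotOnOrAfter honoured with a ±5 minute skew, lifetime no longer than 10 minutes) can be checked mechanically on the SP side. This is an added example, not code from the guide or any IdP vendor; the hostnames, IDs and the sample assertion are constructed, and it only confirms that a Signature element exists, because real XML-DSig verification needs a dedicated library such as python3-saml.

```python
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

def _ts(value: str) -> datetime:
    # SAML timestamps are UTC with a trailing Z; make them timezone-aware for comparison.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, sp_entity_id, acs_url, now_iso,
                    skew_min=5, max_lifetime_min=10):
    """Return a list of findings; an empty list means the assertion passes every check."""
    now, skew = _ts(now_iso), timedelta(minutes=skew_min)
    findings = []
    a = ET.fromstring(xml_text)
    if a.find("ds:Signature", NS) is None:  # presence only; verify with an XML-DSig library
        findings.append("assertion is not signed")
    cond = a.find("saml:Conditions", NS)
    nb, na = _ts(cond.get("NotBefore")), _ts(cond.get("NotOnOrAfter"))
    if now < nb - skew:
        findings.append("assertion not yet valid (beyond clock skew)")
    if now >= na + skew:
        findings.append("assertion expired (beyond clock skew)")
    if na - nb > timedelta(minutes=max_lifetime_min):
        findings.append(f"assertion lifetime {na - nb} exceeds {max_lifetime_min} minutes")
    audiences = [e.text for e in cond.iterfind("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        findings.append(f"audience {audiences} does not include the SP entityID")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != acs_url:
        findings.append("SubjectConfirmationData Recipient does not match the ACS URL")
    return findings

# Constructed sample assertion; hosts and IDs are placeholders, not from any real tenant.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
 xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_placeholder" IssueInstant="2024-01-15T10:00:00Z">
 <saml:Issuer>https://idp.example.test/</saml:Issuer>
 <ds:Signature><ds:SignatureValue>placeholder</ds:SignatureValue></ds:Signature>
 <saml:Subject><saml:NameID>alice@example.test</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
   <saml:SubjectConfirmationData Recipient="https://sp.example.test/saml/acs"
    NotOnOrAfter="2024-01-15T10:05:00Z"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2024-01-15T10:00:00Z" NotOnOrAfter="2024-01-15T10:05:00Z">
  <saml:AudienceRestriction><saml:Audience>https://sp.example.test/</saml:Audience>
  </saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""
```

Calling `check_assertion(SAMPLE_ASSERTION, "https://sp.example.test/", "https://sp.example.test/saml/acs", "2024-01-15T10:03:00Z")` returns an empty list; moving the clock past 10:10 or changing the entityID produces findings.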
Deploy MFA: methods, enforcement, and passwordless options
Enable MFA for all accounts that can access contractor or FCI data. Recommended authentication methods: authenticator apps (TOTP/push), FIDO2/WebAuthn hardware tokens (e.g., YubiKey), and platform-based passwordless (Windows Hello, Apple Touch ID/Face ID) where supported. Avoid SMS-only as a primary method. Technical enforcement example: in Azure AD Conditional Access, create a policy targeting 'All Users' and the required cloud apps, then set 'Grant Controls' to require multi-factor authentication and require the device to be marked compliant; set session controls for sign-in frequency. For third-party IdPs, enforce MFA per application or via a global policy. Maintain emergency break-glass accounts secured with hardware tokens stored offline and audited regularly.
Device authentication and endpoint management
Device authentication can be implemented with MDM/endpoint tools (Microsoft Intune, Jamf, Workspace ONE) and device certificates (issued via SCEP/EST or PKCS) for stronger assurance. Enroll devices so they receive a device identity (a certificate or a managed device object) and apply posture checks such as disk encryption, OS patch level, and presence of the MDM agent. Technical approach: enable device certificate issuance during enrollment, configure the network access server (NAS) to allow certificate-based 802.1X access for managed devices, and set Conditional Access policies that require 'device is compliant' for access to cloud apps. Small business example: use Microsoft Business Premium (Intune + Entra ID) to Autopilot-enroll company laptops and issue machine certificates via Intune to gate VPN and Wi‑Fi connections; this enforces that only enrolled, compliant devices can access internal resources.
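The Conditional Access policy described in the MFA section and the 'device is compliant' requirement above are easy to misconfigure (report-only state, an OR operator, a forgotten user exclusion, legacy clients left out). As an added example that is not from the guide or from Microsoft, the check below lints a policy in the JSON shape the Microsoft Graph conditionalAccessPolicy resource uses, as assumed here; the display names and object IDs are constructed placeholders.

```python
# Policy shape follows the Graph conditionalAccessPolicy resource as assumed here; IDs are placeholders.
BREAK_GLASS_IDS = frozenset({"bg-placeholder-objectid"})  # the documented break-glass accounts

def lint_ca_policy(policy: dict, allowed_exclusions=frozenset()) -> list:
    """Return findings; an empty list means MFA + compliant device is enforced for everyone."""
    findings = []
    if policy.get("state") != "enabled":
        findings.append(f"state is {policy.get('state')!r}, not 'enabled' (report-only enforces nothing)")
    cond = policy.get("conditions", {})
    users, apps = cond.get("users", {}), cond.get("applications", {})
    if "All" not in users.get("includeUsers", []):
        findings.append("policy does not target All users")
    undocumented = set(users.get("excludeUsers", [])) - set(allowed_exclusions)
    if undocumented:
        findings.append(f"undocumented user exclusions: {sorted(undocumented)}")
    if "All" not in apps.get("includeApplications", []):
        findings.append("policy does not cover all cloud apps")
    grant = policy.get("grantControls") or {}
    controls = set(grant.get("builtInControls", []))
    missing = {"mfa", "compliantDevice"} - controls
    if missing:
        findings.append(f"missing grant controls: {sorted(missing)}")
    if len(controls) > 1 and grant.get("operator") != "AND":
        findings.append("grant operator must be AND so both controls are required together")
    if not set(cond.get("clientAppTypes", [])) & {"all", "other"}:
        findings.append("legacy auth clients ('other') are not covered, so legacy auth is not blocked")
    return findings

GOOD_POLICY = {
    "displayName": "Require MFA and compliant device for all cloud apps",
    "state": "enabled",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["bg-placeholder-objectid"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["all"],
    },
    "grantControls": {"operator": "AND", "builtInControls": ["mfa", "compliantDevice"]},
}

WEAK_POLICY = {  # report-only, browser-only, one factor, an extra undocumented exclusion
    "displayName": "MFA for browser sign-ins (report-only)",
    "state": "enabledForReportingButNotEnforced",
    "conditions": {
        "users": {"includeUsers": ["All"], "excludeUsers": ["bg-placeholder-objectid", "contractor-placeholder-id"]},
        "applications": {"includeApplications": ["All"]},
        "clientAppTypes": ["browser"],
    },
    "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
}
```

`lint_ca_policy(GOOD_POLICY, BREAK_GLASS_IDS)` returns no findings, while the weak policy yields four; running this against exported policies before an audit turns the policy screenshots into a repeatable check.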
Real-world small business scenarios and concrete actions
Scenario A: a 25-person contractor relying on Microsoft 365. Enroll users into Entra ID, enable SSO for critical SaaS (as Azure AD enterprise apps), enforce MFA for all sign-ins, and use Intune to manage laptops and phones. Actionable checklist: enable security defaults or Conditional Access, block legacy authentication where possible, push company certificates via Intune, configure sign-in risk policies, and document evidence (screenshots, logs).
Scenario B: a hybrid workforce with mixed personal devices. Require device enrollment for access to sensitive apps, publish clear BYOD rules (what is allowed and which data can be accessed), require FIDO2 or authenticator-app MFA for remote access, and use endpoint detection logs to correlate suspicious sign-ins.
Both scenarios should include periodic user training and testing of phishing-resistant MFA methods for key personnel.
Compliance tips, monitoring, and best practices
Document every configuration change and map each control back to the requirement it satisfies (e.g., IA.L1-B.1.VI); for auditors, show which apps are behind SSO, the MFA policies, device enrollment status, and policy screenshots. Log and retain authentication events: integrate IdP logs into a SIEM or centralized log store (e.g., export Azure AD sign-in logs to Microsoft Sentinel, or the Okta System Log to your SIEM) and keep at least 90 days of logs for small businesses (adjust per contract). Regularly check certificate expirations and metadata refresh (rolling IdP certificates), and test failover authentication paths. Technical checks: verify SAML assertion signatures, monitor for anomalous IPs and token replay, run periodic access reviews, and maintain break-glass admin accounts with hardware-backed MFA stored securely. Risk of omission: without MFA and device authentication, accounts are exposed to credential stuffing and phishing, unmanaged devices can bypass protections and exfiltrate FCI, and the organization risks contract loss, breach notification obligations, and regulatory penalties.
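The monitoring checks above (single-factor sign-ins that should have required MFA, successes from non-compliant devices, anomalous IPs, and one session reused from several addresses as a token-replay indicator) can be run over exported sign-in events. This is an added example, not code from the guide or from Microsoft; it uses the Microsoft Graph signIn field names as assumed here, `sessionId` is a constructed stand-in for whatever session identifier your IdP logs, and the records and address ranges are constructed (TEST-NET prefixes).

```python
import ipaddress
from collections import defaultdict

# Constructed corporate egress ranges (TEST-NET documentation prefixes, not real addresses).
KNOWN_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/24")]

def _rec(upn, ip, mfa, compliant, session, error_code=0):
    # Minimal sign-in record using Graph signIn field names as assumed here.
    return {"userPrincipalName": upn, "ipAddress": ip, "sessionId": session,
            "authenticationRequirement": "multiFactorAuthentication" if mfa else "singleFactorAuthentication",
            "deviceDetail": {"isCompliant": compliant}, "status": {"errorCode": error_code}}

SAMPLE_SIGNINS = [  # constructed events
    _rec("alice@example.test", "203.0.113.10", True, True, "s1"),
    _rec("bob@example.test", "203.0.113.11", False, True, "s2"),       # succeeded with one factor
    _rec("carol@example.test", "198.51.100.5", True, False, "s3"),     # device not compliant
    _rec("alice@example.test", "192.0.2.77", True, True, "s1"),        # same session, new address
    _rec("dave@example.test", "192.0.2.9", False, False, "s4", 50126),  # failed sign-in, ignored
]

def review_signins(records, known_nets=KNOWN_NETS):
    """Flag successful sign-ins that contradict the MFA/device policy or look like token misuse."""
    f = {"single_factor": [], "noncompliant_device": [], "unknown_ip": [], "session_ip_switch": []}
    ips_by_session = defaultdict(set)
    for r in records:
        if r["status"]["errorCode"] != 0:            # only successful sign-ins matter here
            continue
        upn, ip = r["userPrincipalName"], r["ipAddress"]
        if r["authenticationRequirement"] != "multiFactorAuthentication":
            f["single_factor"].append(upn)           # MFA gap: policy exclusion or missing policy
        if not r["deviceDetail"]["isCompliant"]:
            f["noncompliant_device"].append(upn)     # compliance not required for this app/user
        if not any(ipaddress.ip_address(ip) in net for net in known_nets):
            f["unknown_ip"].append((upn, ip))        # outside the documented egress ranges
        ips_by_session[(upn, r["sessionId"])].add(ip)
    for (upn, session), ips in ips_by_session.items():
        if len(ips) > 1:                             # one session seen from several addresses
            f["session_ip_switch"].append((upn, session, sorted(ips)))
    return f
```

On the constructed events, `review_signins(SAMPLE_SIGNINS)` attributes one finding each to bob, carol and alice, and raises the session-reuse flag for alice's `s1`; in practice each list becomes a ticket or a SIEM alert rule.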
In summary, meeting IA.L1-B.1.VI under FAR 52.204-21 and CMMC 2.0 Level 1 is achievable for small businesses by scoping assets, selecting a capable IdP and MDM, configuring SSO (SAML/OIDC) with signed assertions, enabling strong MFA (preferably phishing‑resistant methods), and enforcing device enrollment and compliance through conditional access. Prioritize documented configurations, centralized logging, and regular validation tests—these steps not only support compliance but significantly reduce the real risk of account takeover and data exposure.