This guide gives small businesses a practical, step-by-step approach to identify, map, and secure internal and external data flows to meet FAR 52.204-21 and CMMC 2.0 Level 1 expectations (including control SC.L1-B.1.X), focusing on low-cost, high-impact controls and clear evidence you can present during assessments.
Why mapping data flows matters for FAR 52.204-21 and CMMC 2.0 Level 1
At Level 1 (basic cyber hygiene) the objective is to protect Federal Contract Information (FCI) and ensure you understand where data moves so you can apply basic safeguards. A data flow map is the foundational artifact: it shows where FCI enters, where it travels (internal networks, cloud services, partner/third-party vendors), and where it leaves your boundaries. Without that map you cannot demonstrate scope, apply consistent controls (encryption, access limits), or gather objective evidence for compliance.
Step-by-step implementation guide
1) Define scope, actors, and data inventory
Start by listing systems that process, store, or transmit FCI: email, file shares, CRM, invoicing, contractor portals, cloud drives (Google Workspace, Microsoft 365), and any vendor integrations (payroll, accounting). Create a table (CSV) with columns: asset name, owner, data type (e.g., FCI), location (IP ranges, cloud tenant), who has access, and last patch date. For small businesses, a spreadsheet or simple CMDB is sufficient. Tag each asset as "in-scope" or "out-of-scope" and justify exclusions (e.g., completely air-gapped test lab).
2) Create data flow diagrams (DFDs) and a flow catalog
Produce at least two levels of DFDs: high-level (external partners, cloud providers, customer networks) and component-level (internal subnets, server roles). For each flow, record: source, destination, protocol/port, transport security (TLS version, SSH, VPN), frequency (real-time, batch), and business purpose. Example entry: "Invoice PDF -> Accounting SFTP server | Source: Sales laptop (192.168.10.0/24) | Destination: Managed SFTP (cloud) | Protocol: SFTP (TCP 22) | SSH session, keys rotated every 180 days." This catalog is your primary compliance artifact for SC.L1-B.1.X.
3) Secure external flows with practical controls
External flows (customers, contracting officers, subcontractors, SaaS providers) require strong transport protections and vendor controls. Require TLS 1.2+ with server certificate validation for web services and APIs, use SFTP or managed file transfer for file exchanges, and avoid unencrypted email for FCI. For SaaS, obtain vendor security posture (SOC 2 or equivalent) and document the shared-responsibility model. Enforce least-privilege on third-party accounts and use scoped API keys or OAuth with short token lifetimes. Where possible, place a reverse proxy/WAF for public-facing services and restrict inbound traffic with allowlists by IP and port.
4) Secure internal flows: segmentation, host controls, and least privilege
Implement simple network segmentation: separate user workstations (VLAN A) from servers processing FCI (VLAN B) and isolate production systems from developer/test environments. Apply host-based controls (EDR/AV, disk encryption such as BitLocker or FileVault, up-to-date OS patches) and enforce MFA for remote access (VPN or zero-trust bastion). Use firewall rules to restrict east-west traffic—example: allow only HTTPS (TCP 443) from workstations to the FCI web portal and SSH only from a jump host with strict logging. For cloud deployments, use security groups to mimic these rules and enable native encryption at rest (AES-256) and in transit.
5) Logging, monitoring, and evidence collection
Maintain logs that demonstrate you control and monitor flows: firewall/IPS logs, VPN session logs, SFTP transfer logs, cloud access logs (CloudTrail/Workspace/GSuite audit logs), and endpoint security alerts. Configure time-synchronized syslog to a central collector or lightweight SIEM (open-source/managed) and retain logs for a period aligned with contract expectations (a common baseline is 90 days for Level 1). Capture screenshots of DFDs, inventory spreadsheets, ACLs, and vendor contracts—these are inspection artifacts for FAR 52.204-21 and CMMC assessments.
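The checks below, added here as an example and not part of the original guide, take a flow catalog in the Step 2 column layout and produce the control matrix plus findings against the transport and access rules of Steps 3 and 4. The CSV rows, the zone and controls columns, and the accepted transport values are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample flow catalog in the Step 2 column layout; the rows are
# illustrative and not taken from any real assessment.
FLOW_CATALOG_CSV = """flow_id,source,destination,zone,protocol,port,transport,frequency,purpose,controls
1,Sales laptop 192.168.10.0/24,Managed SFTP (cloud),external,SFTP,22,SSH,daily,Invoice PDFs,keys rotated 180d;IP allowlist
2,Workstation VLAN A,FCI web portal VLAN B,internal,HTTPS,443,TLS 1.2,realtime,Portal access,MFA;ACL
3,Office mail client,Prime contractor mailbox,external,SMTP,25,none,adhoc,Design files by email,
4,Jump host 192.168.20.5,App server VLAN B,internal,SSH,22,SSH,adhoc,Admin access,ACL;session logging
5,Engineer laptop,Google Drive,external,HTTPS,443,TLS 1.0,realtime,Deliverables,OAuth;MFA
"""

REQUIRED = ("source", "destination", "protocol", "port", "transport", "frequency", "purpose")
# Transport values the guide accepts for FCI in motion: TLS 1.2+, SSH (SFTP) or a VPN.
STRONG_TRANSPORT = re.compile(r"^(TLS 1\.[23]|SSH|VPN|IPsec)$", re.IGNORECASE)

def evaluate_flow(row):
    """Return findings for one catalog row; an empty list means the row passes."""
    findings = []
    missing = [f for f in REQUIRED if not row[f].strip()]
    if missing:
        findings.append("catalog row incomplete: " + ", ".join(missing))
    if not STRONG_TRANSPORT.match(row["transport"].strip()):
        findings.append(f"transport '{row['transport'] or 'none'}' is not TLS 1.2+/SSH/VPN")
    if row["zone"] == "external" and row["protocol"].upper() == "SMTP":
        findings.append("FCI exchanged by email; replace with SFTP or an expiring share link")
    if row["zone"] == "external" and not row["controls"].strip():
        findings.append("external flow has no access control recorded (allowlist, MFA, scoped key)")
    return findings

def build_matrix(csv_text):
    """Return the control matrix lines and a dict of findings keyed by flow."""
    matrix, findings = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        flow = f"Flow {row['flow_id']}"
        applied = [row["transport"].strip()] + row["controls"].split(";")
        matrix.append(f"{flow} -> " + ", ".join(c for c in applied if c and c != "none"))
        found = evaluate_flow(row)
        if found:
            findings[flow] = found
    return matrix, findings

if __name__ == "__main__":
    matrix, findings = build_matrix(FLOW_CATALOG_CSV)
    print("\n".join(matrix))
    for flow, items in findings.items():
        print(f"{flow}: " + "; ".join(items))
```

Run against the real FlowCatalog CSV, the matrix lines are the "Flow N -> controls" artifact from the compliance tips and the findings list is the remediation backlog.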
Real-world small-business scenarios and concrete examples
Scenario A: A 20-person engineering subcontractor uses Google Workspace and an on-prem file server for deliverables. Implementation: map flows from engineer laptops to Google Drive (HTTPS, OAuth) and to the on-prem NAS (SMB). Enforce endpoint encryption, apply conditional access to Google Workspace requiring MFA, restrict NAS SMB to the engineering VLAN, and route outbound traffic through a corporate proxy inspecting TLS (where allowed). Keep a CSV showing user access and sample SFTP logs for file exchanges with the prime contractor.
Scenario B: A small IT shop exchanges design files with a prime contractor by email. Fix: stop using unencrypted email for design docs—adopt an SFTP endpoint or secure SharePoint link with expiration. Document the change in the flow catalog and add firewall rules that only allow the SFTP host to accept connections from the prime contractor's IP range. Retain transfer receipts and show that keys or credentials are rotated on schedule.
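The review below is an added example, not code from the original guide, showing how the transfer logs retained for Scenario B can be checked against the prime contractor's IP range to produce the evidence an assessor asks for. The allowlist range, SFTP host address, user name and log lines are constructed placeholders, and the expectation of key-based (not password) logins follows the catalog entry in Step 2.

```python
import ipaddress
import re

# Constructed placeholders: the prime contractor's published range and the
# SFTP host address; neither is a real customer or system.
PRIME_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24")]
SFTP_HOST = "10.20.0.15"

# Constructed syslog-style sshd and firewall lines for the SFTP exchange.
SAMPLE_LOGS = """\
Mar 03 09:12:01 sftp1 sshd[2101]: Accepted publickey for primexfer from 203.0.113.40 port 51022 ssh2
Mar 03 09:12:05 sftp1 sshd[2101]: subsystem request for sftp by user primexfer
Mar 03 11:40:17 sftp1 sshd[2244]: Accepted publickey for primexfer from 198.51.100.9 port 40112 ssh2
Mar 03 11:41:02 fw1 kernel: DROP IN=eth0 SRC=198.51.100.77 DST=10.20.0.15 PROTO=TCP DPT=22
Mar 03 14:02:33 sftp1 sshd[2390]: Accepted password for primexfer from 203.0.113.41 port 50210 ssh2
"""

ACCEPT_RE = re.compile(r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<ip>[\d.]+)")
DROP_RE = re.compile(r"DROP .*SRC=(?P<ip>[\d.]+) DST=(?P<dst>[\d.]+) .*DPT=(?P<port>\d+)")

def in_allowlist(ip):
    """True when the address falls inside the prime contractor's range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIME_ALLOWLIST)

def review_logs(text):
    """Count allowed logins and blocked attempts; list anything outside the documented flow."""
    summary = {"allowed_logins": 0, "blocked_attempts": 0, "findings": []}
    for line in text.splitlines():
        m = ACCEPT_RE.search(line)
        if m:
            if not in_allowlist(m["ip"]):
                # A successful login from outside the range means the firewall rule is missing or wrong.
                summary["findings"].append(f"login by {m['user']} from {m['ip']} outside prime allowlist")
            elif m["method"] != "publickey":
                summary["findings"].append(f"{m['method']} auth from {m['ip']}; key-based auth expected")
            else:
                summary["allowed_logins"] += 1
            continue
        d = DROP_RE.search(line)
        if d and d["dst"] == SFTP_HOST and d["port"] == "22":
            summary["blocked_attempts"] += 1
    return summary

if __name__ == "__main__":
    print(review_logs(SAMPLE_LOGS))
```

The counts become the transfer-receipt evidence and the findings list shows where the firewall allowlist or the credential policy has drifted from the flow catalog.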
Risks of not implementing proper mapping and controls
Failing to map and secure data flows leads to undetected exfiltration, misapplied controls (e.g., encrypting irrelevant systems while leaving FCI exposed), and inability to show compliance evidence—this risks contract termination, loss of eligibility for future government work, potential financial penalties, and reputational harm. Operationally, unsegmented networks increase lateral movement risk if a workstation is compromised, turning a single-phish event into a major breach.
Compliance tips and best practices
Keep artifacts simple and repeatable: a living spreadsheet, diagram exports (PNG/PDF), and a short control matrix linking each flow to the applied control (e.g., "Flow 12 -> TLS 1.2+, MFA, ACL"). Schedule quarterly reviews, automate log collection where possible, and run tabletop exercises to validate response paths. Use low-cost managed services for logging and patch management if in-house expertise is limited. Finally, label evidence clearly for assessors: "DFD_v2_2026-03.png", "FlowCatalog_2026-03.csv", "FirewallRules_ACME_2026-03.txt".
Summary: To satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (SC.L1-B.1.X), small businesses should produce a scoped data flow map, apply transport and access controls to external flows, segment and harden internal flows, and keep clear logs and artifacts—each step is achievable with modest effort and delivers strong protection for FCI while providing assessors the evidence they expect.