
How to Run a Gap Assessment and Remediate for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.I: Actionable Checklist for Limiting System Access


April 15, 2026 • 4 min read


Limiting system access to authorized users, processes, and devices is a foundational requirement under FAR 52.204-21 and CMMC 2.0 Level 1 (control AC.L1-B.1.I). This post walks through a practical gap assessment and concrete remediation steps tailored to small businesses working to meet that requirement.

Understanding the requirement and objective

At its core, AC.L1-B.1.I requires you to prevent unauthorized access to systems that store, process, or transmit Controlled Unclassified Information (CUI) or contractor-sensitive information. In practice that means inventorying who and what can access those systems, ensuring only authorized identities and processes can gain entry, and documenting the evidence that access is appropriately limited. The key objectives are to identify access paths, enforce least privilege, maintain records of authorizations and reviews, and provide evidence of the control during audits.

Step-by-step gap assessment approach

Start with a scope statement: identify all systems and data stores that could contain CUI or impact contract obligations (file shares, email, cloud storage, VPN, SaaS apps). Next, perform an access inventory and evidence collection: list accounts, group memberships, service accounts, privileged roles, authentication methods (password-only, SSO, MFA), and device types permitted. Collect artifacts such as Active Directory group membership exports, IAM reports from cloud consoles, access-request tickets, onboarding/offboarding logs, and recent access review records.

Practical inventory and discovery techniques

Use a mix of automated queries and manual checks:
  • On-prem Windows AD: run PowerShell to find inactive or privileged accounts, e.g. Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 (the parameter takes a TimeSpan; a bare 90 is read as ticks, not days), and export group membership with Get-ADGroupMember -Identity "Domain Admins" -Recursive.
  • Linux: list non-system users with getent passwd | awk -F: '$3 >= 1000 {print $1}' and list accounts whose last login is older than 90 days with lastlog -b 90.
  • AWS: download the IAM credential report and check for unused keys and console access.
  • Azure: use Microsoft Graph or PowerShell to enumerate Conditional Access policies and privileged role assignments.

Actionable remediation checklist

  • Define scope and owner: assign a compliance owner responsible for access control evidence and quarterly reviews.
  • Eliminate stale and shared accounts: disable accounts unused for 90 days and replace shared accounts with unique identities.
  • Enforce least privilege: implement role-based access control (RBAC) and remove unnecessary group memberships; for AD, move users into role-specific groups and use group-based policy.
  • Harden privileged access: restrict admin accounts to jump hosts, require dedicated admin workstations, and remove local admin rights from standard users—implement Microsoft LAPS for local admin password management where relevant.
  • Manage service accounts: convert long-lived credentials to managed identities (Azure AD) or IAM roles (AWS) and rotate any remaining service account credentials regularly.
  • Document onboarding/offboarding: link HR events to account provisioning/deprovisioning workflows and retain ticket evidence for reviewers.
  • Implement and log authentication controls: require strong passwords, enable MFA for cloud and remote access (even if not strictly required at Level 1), and retain auth logs to demonstrate enforcement.
  • Schedule regular access reviews: perform and record quarterly reviews of privileged roles and group memberships; maintain signed reviewer attestations.
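The RBAC item and the quarterly access review item above are easier to evidence when the review itself is scripted. The following Python is an added example, not code from the original post: it parses a constructed AD group-membership export (the shape you get by exporting Get-ADGroupMember results to CSV), reconciles it against a constructed role-to-group matrix standing in for an assumed Access Control Policy, and emits an attestation record for the reviewer to sign. The group names, account names, the role matrix and the review_access/attestation function names are all assumptions.

```python
"""Quarterly access review: reconcile an AD group-membership export against the
approved role-to-group matrix and produce a signable attestation record.

Added example, not from the original post. All input below is constructed:
MEMBERSHIP_EXPORT mimics a CSV export of Get-ADGroupMember results, and the
role matrix and role assignments stand in for the Access Control Policy.
"""
import csv
import io
from datetime import date

# Constructed export: one row per (group, member).
MEMBERSHIP_EXPORT = """\
GroupName,SamAccountName
Domain Admins,jsmith
Domain Admins,svc-backup
Engineering-Write,jsmith
Engineering-Write,alee
Engineering-Read,alee
Engineering-Read,bchen
Engineering-Read,shared-scanner
Finance-Read,bchen
"""

# Constructed role matrix: the only groups each role is permitted to hold.
ROLE_GROUPS = {
    "engineer": {"Engineering-Read", "Engineering-Write"},
    "engineering-manager": {"Engineering-Read", "Engineering-Write", "Finance-Read"},
    "it-admin": {"Domain Admins", "Engineering-Read"},
}

# Constructed role assignments (what HR/onboarding tickets would establish).
# Service and shared accounts must appear here with an owning role, otherwise
# the review reports them as unowned.
USER_ROLES = {"jsmith": "it-admin", "alee": "engineer", "bchen": "engineer"}

PRIVILEGED_GROUPS = {"Domain Admins"}


def parse_membership(export_csv):
    """Return {SamAccountName: set(GroupName)} from the export text."""
    members = {}
    for row in csv.DictReader(io.StringIO(export_csv)):
        members.setdefault(row["SamAccountName"], set()).add(row["GroupName"])
    return members


def review_access(members, user_roles, role_groups, privileged):
    """Compare actual membership with what each account's role permits."""
    findings = []
    for user, groups in sorted(members.items()):
        role = user_roles.get(user)
        if role is None:
            # Membership with no owner: a stale, shared or unmanaged service account.
            findings.append({
                "user": user,
                "severity": "high" if groups & privileged else "medium",
                "issue": "account holds group membership but has no assigned role or owner",
                "groups": sorted(groups),
            })
            continue
        excess = groups - role_groups.get(role, set())
        if excess:
            findings.append({
                "user": user,
                "severity": "high" if excess & privileged else "medium",
                "issue": f"member of groups not permitted for role '{role}'",
                "groups": sorted(excess),
            })
    return findings


def attestation(findings, accounts_reviewed, reviewer, review_date):
    """The record the reviewer signs and retains as evidence for the control."""
    return {
        "control": "AC.L1-B.1.I",
        "reviewer": reviewer,
        "date": review_date.isoformat(),
        "accounts_reviewed": accounts_reviewed,
        "exceptions": len(findings),
        "result": "exceptions require remediation tickets" if findings else "no exceptions",
        "findings": findings,
    }


def run_sample_review():
    """Run the review over the constructed input as of the post date."""
    members = parse_membership(MEMBERSHIP_EXPORT)
    findings = review_access(members, USER_ROLES, ROLE_GROUPS, PRIVILEGED_GROUPS)
    return attestation(findings, len(members), "compliance-owner (assumed)", date(2026, 4, 15))


if __name__ == "__main__":
    import json
    print(json.dumps(run_sample_review(), indent=2))
```

The output distinguishes two kinds of exception: accounts holding groups outside their role (jsmith's extra Engineering-Write, bchen's Finance-Read) and accounts with no owner at all (svc-backup and shared-scanner), with the privileged group membership of svc-backup rated high. Keeping the JSON record with the reviewer's signature is the attestation artifact the checklist asks for.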

Technical implementation examples for a small business

  • Example 1: a 25-person engineering firm with AD and Office 365. Create AD groups by role (Engineering-Read, Engineering-Write), map them to SharePoint and file share ACLs, disable legacy NTLM where possible, and enable Azure AD Connect with Conditional Access requiring MFA for external access.
  • Example 2: a cloud-first 10-person contractor using AWS. Disable root account access keys, create IAM groups per role, attach least-privilege policies, enforce MFA for console access, and use IAM Access Analyzer and the IAM credential report as evidence during assessments.
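For the AWS side of the discovery step and for Example 2, the credential report is a CSV that can be checked automatically rather than read by eye. The following Python is an added example, not code from the original post or from AWS: SAMPLE_REPORT is constructed (not a real account) but uses the real credential report's column names, and analyze_credential_report flags the conditions a Level 1 reviewer looks for (root access keys, console access without MFA, unused passwords and keys), applying the same 90-day threshold the AD and Linux checks use. The account id, user names and function names are assumptions.

```python
"""Flag IAM credential-report rows that an access review should question.

Added example for the AWS discovery step. SAMPLE_REPORT is constructed (not a
real account) but uses the column names of the real IAM credential report
(aws iam get-credential-report), trimmed to the columns checked here.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

STALE_DAYS = 90  # same threshold as the AD and Linux checks above
POST_DATE = datetime(2026, 4, 15, tzinfo=timezone.utc)  # "now" for the sample run

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active,access_key_2_last_used_date
<root_account>,arn:aws:iam::111122223333:root,2022-01-05T09:00:00+00:00,not_supported,2025-11-02T14:10:00+00:00,true,true,2023-06-01T08:00:00+00:00,false,N/A
alice,arn:aws:iam::111122223333:user/alice,2023-03-10T09:00:00+00:00,true,2026-04-01T10:00:00+00:00,true,true,2026-04-10T12:00:00+00:00,false,N/A
bob,arn:aws:iam::111122223333:user/bob,2023-03-10T09:00:00+00:00,true,2025-10-01T10:00:00+00:00,false,false,N/A,false,N/A
ci-deploy,arn:aws:iam::111122223333:user/ci-deploy,2024-01-01T09:00:00+00:00,false,no_information,false,true,2025-12-15T03:00:00+00:00,true,N/A
"""


def parse_report_date(value):
    """The report writes N/A, no_information or not_supported where no date exists."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def analyze_credential_report(report_csv, now, stale_days=STALE_DAYS):
    """Return a list of {"user", "issue"} findings for the report text."""
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        issues = []

        if user == "<root_account>":
            # The root user should never hold access keys; its password
            # columns read not_supported, so nothing else is evaluated here.
            if "true" in (row["access_key_1_active"], row["access_key_2_active"]):
                issues.append("root account has active access keys")
        else:
            if row["password_enabled"] == "true":
                if row["mfa_active"] != "true":
                    issues.append("console password enabled without MFA")
                last_pw = parse_report_date(row["password_last_used"])
                if last_pw is None or last_pw < cutoff:
                    issues.append(f"console password unused for more than {stale_days} days")

            for n in ("1", "2"):
                if row[f"access_key_{n}_active"] != "true":
                    continue
                last_used = parse_report_date(row[f"access_key_{n}_last_used_date"])
                if last_used is None:
                    issues.append(f"active access key {n} has never been used")
                elif last_used < cutoff:
                    issues.append(f"active access key {n} unused for more than {stale_days} days")

        findings.extend({"user": user, "issue": issue} for issue in issues)
    return findings


def run_sample():
    """Analyze the constructed report as of the post date."""
    return analyze_credential_report(SAMPLE_REPORT, POST_DATE)


if __name__ == "__main__":
    for finding in run_sample():
        print(f"{finding['user']:<16} {finding['issue']}")
```

Run against the constructed report, the script flags the root access key, bob's console access without MFA and his unused password, and ci-deploy's stale and never-used keys, while alice (MFA on, recent use) produces nothing. Saving the findings alongside the raw report gives an assessor both the evidence and the review that was performed on it.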

Operational controls, evidence, and best practices

Policies are evidence: maintain an Access Control Policy that defines account lifecycle, approval process, and review cadence. Keep supporting artifacts: access request tickets, change approvals, automated reports (AD exports, IAM reports), and review attestation emails. Best practices include time-bound access (temporary elevation via Just-In-Time access), break-glass process with logging, automation of user provisioning/deprovisioning via SSO/SCIM, and retaining logs for at least 12 months to support audits.

Risks of non-implementation

Failing to limit system access can lead to unauthorized data exposure, lateral movement by attackers, and exfiltration of CUI. For contractors this raises the risk of contract breaches, removal from procurement opportunities, penalties under FAR, and severe reputational harm. Technically, unmanaged service accounts and overly broad group memberships are common vectors for ransomware and supply-chain compromise.

In summary, meeting AC.L1-B.1.I is a pragmatic combination of inventory, least-privilege enforcement, documented processes, and monitored authentication controls: scope systems, discover users and devices, remediate stale or shared accounts, adopt role-based access, and keep evidence of periodic reviews. For small businesses, focus on automating discovery where possible, applying simple RBAC patterns, and keeping clear audit trails—those steps will get you across the finish line for FAR 52.204-21 and CMMC 2.0 Level 1 compliance.
