How to Use VPNs, Firewalls, and MFA to Limit Connections to External Information Systems — FAR 52.204-21 / CMMC 2.0 Level 1 - Control - AC.L1-B.1.III Implementation Guide

Practical steps for small businesses to implement VPNs, firewalls, and MFA to limit and control external system connections for FAR 52.204-21 and CMMC 2.0 Level 1 compliance.

April 11, 2026
4 min read

This implementation guide explains how small businesses and contractors can use VPNs, firewalls, and multi-factor authentication (MFA) to limit and control connections to external information systems in order to satisfy FAR 52.204-21 requirements and the CMMC 2.0 Level 1 control AC.L1-B.1.III.

Understanding what the control requires

AC.L1-B.1.III and FAR 52.204-21 emphasize that connections from a contractor’s internal information systems to external information systems (including cloud services, contractor/partner systems, and third-party admin consoles) must be limited to authorized connections only, with protections that reduce unauthorized access and data leakage. For a small business, that means you must document and enforce who, what, where, and how external connections are allowed — and then implement technical controls (VPN, firewall, MFA) to enforce that policy.

Practical implementation strategy (step-by-step)

Start with an inventory and authorization process: identify all external systems and the business justification for each connection (remote management, vendor SaaS, contractor access). Create an authorization register that lists allowed external endpoints (FQDNs/IPs), service ports, users or groups allowed to connect, the protocol used, and the approval owner. This register will be your baseline for implementing firewall rules, VPN access policies, and MFA enrollment.

Configuring firewalls and segmentation

Implement allow-listing (default deny) on perimeter and host-based firewalls. For perimeter firewalls, create egress rules that only permit outbound connections to approved IP ranges and FQDNs on specific ports (e.g., TCP 443 to approved SaaS IPs). Use network segmentation or VLANs to separate systems that handle Controlled Unclassified Information (CUI) or contract data from general-purpose workstations. Example UFW rule for a Linux gateway allowing only approved outbound HTTPS to a partner IP:

ufw default deny outgoing
ufw allow out to 203.0.113.45 port 443 proto tcp
ufw enable

For deeper control, use firewall application-layer filtering (NGFW) or proxying to inspect destinations by hostname and TLS SNI, and block outbound DNS resolution except to internal resolvers to prevent DNS tunneling.

Using VPNs to restrict and audit remote connections

Use a corporate VPN to channel remote user sessions when they require access to sensitive internal resources or to connect to approved external management systems. Prefer modern VPNs (WireGuard, IKEv2, or OpenVPN using strong ciphers) and enforce certificate-based authentication or integration with your identity provider. Disable split-tunneling for users accessing CUI — this ensures traffic to internal subnets and approved external services traverses the corporate perimeter and is subject to monitoring and DLP.

Example WireGuard policy snippet ([Peer] AllowedIPs limits which addresses are routed through and accepted from the tunnel; the public key is a placeholder for the peer's actual key):

[Peer]
PublicKey = <peer-public-key-base64>   # placeholder: the peer's real WireGuard public key goes here
AllowedIPs = 10.0.0.10/32, 203.0.113.45/32  # internal RFC1918 address + approved external IP

Combine VPN policies with role-based access: issue VPN profiles only to users who have approved justifications and require periodic reauthorization in your register.

Enforcing MFA and identity controls

MFA is a mandatory layer to prevent credential theft from granting external connections. Enforce MFA for VPN logins, cloud provider consoles, and any privileged remote-access tooling. Use phishing-resistant methods where feasible (FIDO2/WebAuthn, hardware tokens, or certificate + device posture). Avoid SMS OTP as a primary MFA mechanism for privileged connections. For small businesses without a full IdP, use cloud-based identity providers (Azure AD, Okta) with SAML/RADIUS integration into VPN appliances.

Monitoring, logging, and evidence for compliance

Log VPN connection events, firewall accept/deny events, and MFA success/failure events centrally. Retain logs for your contractually required period and protect them against tampering (write-once storage or SIEM). Implement periodic reviews: quarterly review of the authorization register, monthly firewall rule audits, and at least annual penetration testing or configuration assessments for the VPN and perimeter firewall. These artifacts — the register, approved rule set, logs, and review records — form the evidence package for FAR/CMMC audits.
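The authorization register from the implementation strategy, the default-deny UFW egress rules, and the periodic firewall log review above, as one added example (not the guide's own code): it generates the allow-list from a constructed register and flags any logged outbound ALLOW that the register does not cover. The register entries and UFW log lines are constructed samples; 203.0.113.45 is the guide's own documentation-range address.

```python
"""Added example: reconcile an external-connection authorization register with
UFW egress rules and with UFW kernel-log entries. Register and log lines are
constructed samples, not data from any real environment."""
import re

# Constructed authorization register: one entry per approved external connection.
REGISTER = [
    {"endpoint": "203.0.113.45", "port": 443, "proto": "tcp",
     "purpose": "partner SaaS", "owner": "it-manager", "approved": "2026-04-01"},
    {"endpoint": "198.51.100.20", "port": 22, "proto": "tcp",
     "purpose": "vendor SCADA mgmt", "owner": "ops-lead", "approved": "2026-03-15"},
]

def ufw_rules(register):
    """Emit default-deny egress plus exactly one allow rule per register entry."""
    rules = ["ufw default deny outgoing"]
    for e in register:
        rules.append(f"ufw allow out to {e['endpoint']} port {e['port']} proto {e['proto']}")
    return rules

# UFW logs to the kernel log as "[UFW ALLOW]" / "[UFW BLOCK]" followed by
# iptables-style KEY=VALUE fields (DST=, PROTO=, DPT= in that order).
UFW_LINE = re.compile(
    r"\[UFW (?P<action>ALLOW|BLOCK)\].*?DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)

def audit_log(lines, register):
    """Return (dst, port, proto) for each logged outbound ALLOW not in the register."""
    allowed = {(e["endpoint"], e["port"], e["proto"]) for e in register}
    findings = []
    for line in lines:
        m = UFW_LINE.search(line)
        if not m or m.group("action") != "ALLOW":
            continue  # blocks are expected under default deny; only allows need review
        key = (m.group("dst"), int(m.group("dpt")), m.group("proto").lower())
        if key not in allowed:
            findings.append(key)
    return findings

SAMPLE_LOG = [  # constructed lines in UFW's kernel-log format
    "Apr 11 10:00:01 gw kernel: [UFW ALLOW] IN= OUT=eth0 SRC=10.0.0.10 DST=203.0.113.45 PROTO=TCP SPT=51000 DPT=443",
    "Apr 11 10:00:05 gw kernel: [UFW BLOCK] IN= OUT=eth0 SRC=10.0.0.10 DST=192.0.2.9 PROTO=UDP SPT=51001 DPT=53",
    "Apr 11 10:00:09 gw kernel: [UFW ALLOW] IN= OUT=eth0 SRC=10.0.0.11 DST=192.0.2.77 PROTO=TCP SPT=51002 DPT=8443",
]

if __name__ == "__main__":
    print("\n".join(ufw_rules(REGISTER)))
    print("Unregistered outbound allows:", audit_log(SAMPLE_LOG, REGISTER))
```

A non-empty result from audit_log means either a firewall rule exists that the register does not justify or the register is stale; both belong in the monthly rule audit record.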

Real-world examples and small business scenarios

Scenario 1: A 20-person engineering firm needs vendor-provisioned SCADA monitoring. Solution: add the vendor’s IPs to the permit list on the perimeter firewall, create a separate DMZ VLAN, require vendor to connect only over a site-to-site VPN with certificate authentication, and require the vendor to use MFA for their management console. Scenario 2: Remote developers requiring access to a test environment — provide VPN access with device posture checks, no split-tunnel, and time-bound access tokens tied to a work order in the authorization register.

Risks and compliance consequences of non-implementation

Failing to limit external connections exposes your organization to data exfiltration, lateral movement by threat actors, and supply-chain compromise. From a compliance perspective, inadequate controls can lead to audit findings, loss of contracts, corrective action plans, financial penalties, and reputational harm. Technically, allowing unmanaged outbound channels or unauthenticated remote access can create high-probability paths for ransomware, credential harvesting, and firmware-level compromise.

Summary: To meet FAR 52.204-21 and CMMC 2.0 AC.L1-B.1.III for small businesses, combine an inventory-driven authorization process with strict firewall allow-lists, segmented network design, VPNs configured without split-tunneling and using certificate/MFA authentication, and centralized logging with periodic review; document everything to build a defensible compliance posture and reduce the risk of unauthorized external connections.
