Practice 1 of 15 · FAR 52.204-21(b)(1)(i) · AC (Access Control)

AC.L1-b.1.i

Limit access to authorized users

Every system that touches Federal Contract Information must restrict access to people you've authorized. No anonymous logins, no shared "admin" accounts, no public file shares with FCI in them. Every user who can reach FCI has a named, individually identifiable account.

Official text

Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

FAR 52.204-21(b)(1)(i), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • A user list / roster naming every person with access to the FCI system, with their role.
  • Microsoft 365 / Google Workspace admin console showing per-user accounts (no shared mailboxes for FCI).
  • A screenshot of folder / SharePoint / Drive permissions showing only named users can read the FCI folder.
  • A list of devices (laptops, the trailer PC, the shop PC) that can access FCI, tied to specific users.
  • An offboarding checklist that disables accounts when someone leaves.

Common ways small shops fail this

  • Single shared "admin@" or "office@" login used by everyone in the company.
  • Personal Gmail / iCloud / Dropbox used to receive POs and drawings from a prime.
  • Former employees still active in M365 / Workspace months after leaving.
  • Subcontractors logging in with the owner's password instead of their own account.
  • FCI folder shared as "anyone with the link" instead of named users.

How to fix it in a weekend

  1. Create a named account for every person who needs to touch FCI. Use the company's M365 / Workspace tenant, not personal accounts.
  2. Delete or disable any shared "admin@" / "office@" login that has access to FCI.
  3. Audit your file storage (SharePoint / OneDrive / Drive / network share) and replace "anyone with the link" with named-user permissions on every FCI folder.
  4. Write a one-page "who can access FCI" list. Names + role + system. This is your scoping artifact.
  5. Put an offboarding line in your HR / contractor offboarding: disable the account same day, transfer files to a named owner.
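As an added example (not Custodia's code), a small Python audit that checks the five steps above against two exports you can pull from any tenant: the account roster and the per-folder sharing settings. The tenant, accounts and folders are constructed for illustration; the column names are assumptions about how you export the data, and the script deliberately leaves a shared "office@" alone when it holds no FCI, as the FAQ allows.

```python
import csv, io

# Constructed export of tenant accounts (hypothetical tenant, not real data).
# 'employed' is what HR says; 'enabled' is what the identity provider says.
ACCOUNTS_CSV = """email,name,role,enabled,employed
pat@example-shop.test,Pat Ortiz,Owner,yes,yes
lee@example-shop.test,Lee Chen,Estimator,yes,no
admin@example-shop.test,Shared Admin,Generic,yes,yes
office@example-shop.test,Front Office,Generic,yes,yes
kim@example-shop.test,Kim Patel,1099 Drafter,yes,yes
"""
# Constructed export of folder permissions (SharePoint / Drive style rows).
SHARES_CSV = """folder,holds_fci,grantee,link_scope
/Quotes,no,anyone,anyone_with_link
/FCI/PO-Drawings,yes,anyone,anyone_with_link
/FCI/PO-Drawings,yes,pat@example-shop.test,named
/FCI/PO-Drawings,yes,lee@example-shop.test,named
/FCI/PO-Drawings,yes,admin@example-shop.test,named
/FCI/Contracts,yes,kim@example-shop.test,named
"""
GENERIC = {"admin", "office", "info", "shop"}  # shared mailbox-style logins

def audit(accounts_csv, shares_csv):
    """Return (findings, roster): findings are (issue, detail) pairs that map to
    the failure modes above; roster is the step-4 'who can access FCI' list."""
    accounts = {r["email"]: r for r in csv.DictReader(io.StringIO(accounts_csv))}
    findings, roster = [], {}
    for email, a in accounts.items():  # offboarding gap (step 5)
        if a["employed"] == "no" and a["enabled"] == "yes":
            findings.append(("stale-account", email))
    for s in csv.DictReader(io.StringIO(shares_csv)):
        if s["holds_fci"] != "yes":
            continue  # non-FCI folders are out of scope (see the FAQ)
        if s["link_scope"] != "named":
            findings.append(("anyone-with-link", s["folder"]))  # step 3
            continue
        email = s["grantee"]
        acct = accounts.get(email, {"role": "unknown", "employed": "no"})
        if email.split("@")[0] in GENERIC:
            findings.append(("shared-account-on-fci", email))  # step 2
        elif acct["employed"] == "no":  # named but no longer authorized
            findings.append(("former-user-on-fci", f"{email} on {s['folder']}"))
        else:  # named, current user: belongs on the scoping list (step 4)
            roster.setdefault(email, {"role": acct["role"], "systems": []})
            roster[email]["systems"].append(s["folder"])
    return findings, roster
```

Print the roster as your one-page scoping list and work the findings as your weekend to-do; rerun it after offboarding to prove step 5 held.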

FAQ

Do my 1099 contractors count as "authorized users"?

Yes, if they need to see FCI to do their job, they are authorized users — and they need named accounts under your tenant, not their personal email. The 1099 vs W-2 distinction is irrelevant to FAR 52.204-21; what matters is who has access to FCI on your systems.

Can I keep a shared "office@" inbox if FCI doesn't go to it?

Yes. The rule applies to systems that process, store, or transmit FCI. If "office@" only receives marketing, vendor pitches, and general inquiries, it's out of scope. The moment a prime sends a PO to it, it's in scope.

Doing all 15 yourself? Use the checklist.

Custodia's free CMMC Level 1 checklist walks the same 15 requirements with a self-assessment workflow, generates your SSP and affirmation memo, and posts your SPRS score for you.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)