Practice 6 of 15 · FAR 52.204-21(b)(1)(vi) · IA: Identification & Authentication

IA.L1-b.1.vi

Authenticate identities (MFA, passwords)

Before anyone or anything reaches FCI, prove who they are. Passwords on every account, MFA on email and remote access at a minimum. The bar isn't NIST-grade cryptography — it's "no anonymous logins and no MFA-less email."

Official text

Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

FAR 52.204-21(b)(1)(vi), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • Tenant-wide MFA enforcement screenshot from M365 / Google admin.
  • Password policy: minimum length, lockout after failed attempts, no shared passwords.
  • Screen-lock policy on laptops (e.g. 15 minutes idle).
  • MFA enabled on remote-access (VPN, Microsoft Remote Desktop, AnyDesk, TeamViewer).
  • MFA on every admin account — and admins use hardware keys or authenticator apps, not SMS where possible.

Common ways small shops fail this

  • MFA enabled only for admins, not for regular users.
  • Shared password kept in a sticky note on the trailer PC.
  • SMS-only MFA left on the owner's account, which a SIM swap can defeat.
  • Service accounts with no MFA because "it's automated."
  • Microsoft Security Defaults disabled and never replaced with a Conditional Access policy.

How to fix it in a weekend

  1. Turn on Security Defaults (M365) or 2-Step Verification enforcement (Workspace) tenant-wide.
  2. Move every user to authenticator-app MFA. Reserve SMS as the fallback only.
  3. Set a password policy: 14+ characters, no shared accounts.
  4. Set the laptop screen-lock to 15 minutes idle, mandatory.
  5. Audit remote-access tools (VPN, RDP, AnyDesk, TeamViewer) — every entry point gets MFA.
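Once steps 1 and 2 are done, the quickest way to confirm the tenant actually meets the floor above is to check an MFA-registration export for the failure modes listed earlier. The following is an added example, not Custodia's tooling; the records are constructed, loosely follow the field names of Microsoft Graph's userRegistrationDetails report, and the `svc-` naming rule for service accounts is an assumption.

```python
"""Audit an MFA-registration export against this page's failure modes.

Added example (not Custodia's tooling). The records below are constructed
and loosely follow the field names of Microsoft Graph's
userRegistrationDetails report; the service-account naming rule is an
assumption for this example.
"""
from dataclasses import dataclass

# Methods that count as "authenticator app or hardware key" (assumed set).
STRONG_METHODS = {"microsoftAuthenticatorPush", "softwareOneTimePasscode",
                  "fido2SecurityKey", "windowsHelloForBusiness"}

# Constructed sample: one record per account, as an export would give them.
SAMPLE_EXPORT = [
    {"userPrincipalName": "owner@example.com", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "estimator@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "svc-scanner@example.com", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "foreman@example.com", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["microsoftAuthenticatorPush"]},
]


@dataclass(frozen=True)
class Finding:
    upn: str
    issue: str


def audit(records):
    """Return one Finding per account that fails the page's MFA floor."""
    findings = []
    for r in records:
        upn = r["userPrincipalName"]
        methods = set(r.get("methodsRegistered", []))
        if not r.get("isMfaRegistered"):
            # "It's automated" is the usual excuse; service accounts still need MFA.
            kind = "service account" if upn.startswith("svc-") else "user"
            findings.append(Finding(upn, f"{kind} has no MFA registered"))
            continue
        if r.get("isAdmin") and not (methods & STRONG_METHODS):
            # Admin relying on SMS alone: exposed to SIM swap, so flag it.
            findings.append(Finding(upn, "admin uses SMS-only MFA"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_EXPORT):
        print(f"{f.upn}: {f.issue}")
```

Regular users who are MFA-registered with SMS only are not flagged, matching the page's "SMS as fallback only" stance; only admins are held to the authenticator-app or hardware-key bar.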

FAQ

Is MFA required at CMMC Level 1?

MFA is not explicitly required by name in FAR 52.204-21 — Level 2 / NIST 800-171 is where MFA shows up as an explicit control. But (b)(1)(vi) requires you to authenticate identities, and assessors and primes universally treat MFA on email and remote access as the practical floor. Skipping it is asking to fail this practice.

Doing all 15 yourself? Use the checklist.

Custodia's free CMMC Level 1 checklist walks the same 15 requirements with a self-assessment workflow, generates your SSP and affirmation memo, and posts your SPRS score for you.

Stop reading. Start filing.

Find your SPRS score in 4 minutes. Then file it in 7 days.

Take the free SPRS quiz to see exactly where you stand on the 15 FAR 52.204-21 safeguarding requirements — no signup, no card. If you like what you see, the 7-day Custodia trial picks up where the quiz leaves off and walks you to a signed, bid-ready package.

7-day free trial · No credit card required · $249/mo Self Service ($2,496/yr on annual — two months free)