If your organization handles federal contract information, FAR 52.204-21 and CMMC 2.0 Level 1 require you to reliably identify who (and what) is interacting with your information systems; IA.L1-B.1.V specifically expects you to identify system users, processes acting on behalf of users, and devices. This post gives ten practical, technical steps and real-world examples to help a small business implement this control as part of a Compliance Framework program.
Why identifying users, processes, and devices is essential
Identification is the foundation of accountability and access control: without unique user IDs, device identities, and process-to-user mappings, you cannot enforce least privilege, detect compromised credentials, or demonstrate compliance during an audit. For FAR/CMMC purposes you must show evidence that you can determine who performed an action, whether it was a human or an automated process, and from which device. This supports incident response and forensics, and shows that you meet basic safeguarding obligations for federal contract information.
10 practical steps to implement IA.L1-B.1.V
Step-by-step actions
1) Assign unique user identifiers for everyone (no shared logins) and document the policy.
2) Inventory devices and issue device IDs (use device certificates, AD computer objects, or MDM IDs).
3) Register and label service accounts and automation identities separately from human users and enforce naming conventions.
4) Deploy centralized authentication (Azure AD, AD DS, Google Workspace SSO) with MFA for all interactive logins.
5) Implement endpoint agents (EDR/AM) that report device inventory and user sessions to a central console.
6) Log authentication and privilege use centrally (Windows Event IDs 4624/4648, Linux auth logs, cloud identity logs) and retain evidence required for audits.
7) Use NAC or network segmentation to only allow known device IDs onto contractor networks and put unknown devices on guest VLANs.
8) Automate provisioning/deprovisioning from HR (SCIM, AD automation) so identities are created and disabled with hiring/termination events.
9) Map processes acting for users: capture service-to-user associations in your CMDB and log service account activity separately with dedicated credentials and scoped permissions.
10) Regularly review and reconcile (quarterly) user lists, active devices, and service accounts, and record the review as compliance evidence.
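The reconciliation in steps 8 to 10, as an added example that is not from the original post: it compares an HR roster, a directory export and the CMDB's service-account list and reports the accounts that need action. The CSV column names, the sample rows and the `svc-` account names are assumptions constructed for illustration.

```python
import csv
import io

# Constructed sample exports (not real data): HR roster, directory accounts,
# and the CMDB list of service accounts with their owners.
HR_CSV = """employee_id,username,status
1001,asmith,active
1002,bjones,terminated
1003,cwu,active
"""
DIRECTORY_CSV = """username,type,enabled
asmith,human,true
bjones,human,true
cwu,human,true
frontdesk,human,true
svc-build,service,true
svc-backup,service,true
"""
CMDB_SERVICE_CSV = """account,owner,scope
svc-build,asmith,ci-pipeline
svc-backup,bjones,file-server
"""

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def reconcile(hr_csv, directory_csv, cmdb_csv):
    """Return sorted (account, finding) tuples for the quarterly review record."""
    hr = {r["username"]: r["status"] for r in rows(hr_csv)}
    owners = {r["account"]: r["owner"] for r in rows(cmdb_csv)}
    findings = []
    for acct in rows(directory_csv):
        name = acct["username"]
        if acct["enabled"] != "true":
            continue  # disabled accounts need no action
        if acct["type"] == "human":
            if name not in hr:
                findings.append((name, "no HR record: shared or orphan account"))
            elif hr[name] != "active":
                findings.append((name, "enabled after termination"))
        else:  # service or automation identity
            owner = owners.get(name)
            if owner is None:
                findings.append((name, "service account missing from CMDB"))
            elif hr.get(owner) != "active":
                findings.append((name, f"owner {owner} is not an active employee"))
    return sorted(findings)
```

Saving the returned findings with the date of the run gives the review record that step 10 asks for.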
Implementation notes specific to a Compliance Framework
Practical implementation must produce auditable evidence. For a Compliance Framework, tie technical controls to policy documents and procedures: link unique ID policy to your access control policy, attach device inventory exports to the Configuration Management procedure, and keep a monthly log of automated provisioning runs. Use concrete tech: enable AD/Azure AD audit logging (SignIns and AuditLogs), configure Linux syslog to forward auth.* to a central SIEM like Splunk/ELK or a cloud SIEM, and ensure retention (at least 90 days for Level 1 evidence unless your contract states otherwise). Use MDM (Microsoft Intune, Jamf, or a lightweight open-source MDM) to enforce device compliance and automatically report enrolled device IDs and OS versions into your asset inventory. For service/process mapping, require all automation to use managed identities or service principals rather than shared static credentials; store those in a vault (Azure Key Vault, HashiCorp Vault) and log vault access events.
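One way to turn forwarded logon events into the who, what and which-device evidence described above, as an added example that is not from the original post. The event records are constructed and simplified (only four fields of Event ID 4624 are shown), the identity and device tables stand in for your directory, CMDB and MDM exports, and treating an interactive logon by a service account as a finding is an assumed policy.

```python
# Constructed sample data: simplified Windows Security 4624 (successful logon)
# records as a SIEM export might present them.
EVENTS = [
    {"EventID": 4624, "TargetUserName": "asmith", "LogonType": 2, "WorkstationName": "LT-0012"},
    {"EventID": 4624, "TargetUserName": "svc-build", "LogonType": 5, "WorkstationName": "BUILD-01"},
    {"EventID": 4624, "TargetUserName": "svc-build", "LogonType": 10, "WorkstationName": "LT-0012"},
    {"EventID": 4624, "TargetUserName": "cwu", "LogonType": 3, "WorkstationName": "DESKTOP-X9"},
]

# Assumed lookups: identity type from the directory/CMDB, enrolled device IDs from MDM.
IDENTITIES = {"asmith": "human", "cwu": "human", "svc-build": "service"}
DEVICES = {"LT-0012", "BUILD-01"}

# Logon types 2 (interactive), 10 (remote interactive) and 11 (cached interactive)
# mean a person was at a console or remote desktop session.
INTERACTIVE = {2, 10, 11}

def attribute(event):
    """Attach identity type and device status to one logon event."""
    user = event["TargetUserName"]
    device = event["WorkstationName"]
    kind = IDENTITIES.get(user, "unknown")
    flags = []
    if kind == "unknown":
        flags.append("unregistered identity")
    if device not in DEVICES:
        flags.append("unknown device")
    if kind == "service" and event["LogonType"] in INTERACTIVE:
        flags.append("service account used interactively")
    return {"user": user, "kind": kind, "device": device, "flags": flags}

def review(events):
    """Attribute every 4624 event; records with flags need follow-up."""
    return [attribute(e) for e in events if e["EventID"] == 4624]

if __name__ == "__main__":
    for record in review(EVENTS):
        print(record)
```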
Small-business scenarios and real-world examples
Example 1: A 12-person IT subcontractor uses Google Workspace and a mix of Windows laptops. They enabled Google SSO with MFA, deployed a small EDR agent to each laptop reporting the username and device ID to a central console, and used Google Admin reports as evidence of unique user IDs; they added a quarterly spreadsheet export of active users as audit evidence.
Example 2: A two-person engineering shop uses Azure AD and Intune. New hires are onboarded through an HR-triggered Power Automate flow that creates the Azure AD account, enrolls the device in Intune, issues a device certificate, and registers it in a CMDB (spreadsheet or Jira). Service accounts for build pipelines are created as Azure Managed Identities and listed in the CMDB with scope and owner.
These small-scale automations demonstrate compliance and reduce manual errors.
Compliance tips and best practices
Enforce least privilege and disable local admin for users; require separate accounts for admin tasks and log all privilege elevations. Prohibit shared or generic accounts; where unavoidable (e.g., a lab appliance), document compensating controls and monitor closely. Automate identity lifecycle with HR integration to avoid orphan accounts. Use unique device certificates or hardware identifiers (TPM-backed keys) where possible rather than relying solely on MAC addresses, which can be spoofed. Maintain a simple CMDB and exportable evidence artifacts (CSV exports, SIEM alerts, screenshots of enrollment lists) to show auditors. Keep processes simple and repeatable: auditors appreciate consistency and reproducible evidence more than overly complex tooling.
Risks of failing to implement this control
If you cannot identify who or what performed actions on your systems, you increase the risk of undetected insider misuse, credential compromise, and lateral movement by attackers. Non-compliance risks include losing federal contracts, failing CMMC verification (blocking future DoD engagements), potential contractual penalties, and reputational harm. Technically, lack of identity and device controls makes incident response much slower and forensics inconclusive, which multiplies breach cost and regulatory exposure.
In summary, meeting IA.L1-B.1.V under FAR 52.204-21 and CMMC 2.0 Level 1 is achievable for small businesses by applying ten straightforward practices: unique user IDs, device inventory and IDs, distinct service accounts, centralized authentication with MFA, endpoint telemetry, centralized logging, network controls, automated lifecycle management, process-to-user mapping, and regular reconciliation. Implement these within your Compliance Framework with clear policies, simple automation, and exportable evidence to reduce risk and demonstrate compliance during audits.