This post gives a practical 7-step checklist you can implement under the Compliance Framework to reliably identify information system users, the processes acting on their behalf (service accounts, automated agents, OAuth apps), and devices, satisfying FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V while remaining achievable for small businesses.
7-step Compliance Checklist
Step 1 — Establish a single authoritative identity source and export an initial user inventory
Create or designate an authoritative identity store (Active Directory, Azure AD, Google Workspace, or an IAM service) and export a current user list with attributes (username, email, account type, creation date, last sign-in, last password change, status). For on-prem AD, run PowerShell: Get-ADUser -Filter * -Properties mail,Enabled,whenCreated,LastLogonDate,PasswordLastSet | Select-Object SamAccountName,mail,Enabled,whenCreated,LastLogonDate,PasswordLastSet | Export-Csv Users.csv -NoTypeInformation (LastLogonDate comes from the replicated lastLogonTimestamp attribute, which is updated only every 9 to 14 days by default, so treat it as approximate). For Azure AD, use the AzureAD module or the portal to export sign-in activity. This gives you a baseline to prove each user is uniquely identified and to detect duplicates or shared generic accounts.
Step 2 — Discover and enumerate processes acting on users' behalf
Identify non-human principals: service accounts, scheduled tasks, CI/CD agents, service principals, OAuth apps, API keys, and JWT clients. Techniques: scan for long-lived credentials, list scheduled tasks and crontabs on servers, enumerate cloud service principals (e.g., az ad sp list --all), review GitHub Actions and CI/CD secrets, and check SaaS admin consoles for connected apps. Flag credentials without an expiration date and map each service principal to an owner and purpose in your inventory.
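The credential review this step describes, as an added example that is not part of the original post: it walks a constructed inventory of service-principal credentials (the displayName/keyId/endDateTime fields mirror the shape of az ad app credential list output; the principal, owner and purpose columns are assumed additions from your own inventory) and flags credentials that never expire, have already expired, are valid for longer than a year, expire within 30 days, or lack an owner or purpose.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic; use datetime.now(timezone.utc) in practice.
NOW = datetime(2025, 1, 15, tzinfo=timezone.utc)

# Constructed sample inventory (not real tenant data). keyId/endDateTime follow the
# shape of `az ad app credential list`; principal, owner and purpose are assumed
# columns that the Step 2 inventory process adds.
SAMPLE_CREDENTIALS = [
    {"principal": "svc-ci-build", "keyId": "k-1", "endDateTime": "2031-01-01T00:00:00Z",
     "owner": "alice", "purpose": "CI deploys"},
    {"principal": "svc-backup", "keyId": "k-2", "endDateTime": None,
     "owner": "bob", "purpose": "nightly backups"},
    {"principal": "legacy-reporting", "keyId": "k-3", "endDateTime": "2024-01-01T00:00:00Z",
     "owner": None, "purpose": None},
    {"principal": "svc-monitor", "keyId": "k-4", "endDateTime": "2025-02-01T00:00:00Z",
     "owner": "carol", "purpose": "uptime probes"},
]


def parse_end(value):
    """Parse an ISO-8601 expiry (with or without a trailing Z); None means no expiry is set."""
    if not value:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def review_credentials(creds, now=NOW, max_lifetime_days=365, warn_days=30):
    """Return sorted (principal, keyId, issue) tuples for every credential that breaks
    the Step 2 expectations: it must expire, must not already be expired, must not stay
    valid longer than max_lifetime_days, and must map to an owner and a purpose."""
    findings = []
    for c in creds:
        end = parse_end(c.get("endDateTime"))
        if end is None:
            findings.append((c["principal"], c["keyId"], "no-expiry"))
        elif end <= now:
            findings.append((c["principal"], c["keyId"], "expired"))
        elif end - now > timedelta(days=max_lifetime_days):
            findings.append((c["principal"], c["keyId"], "lifetime-exceeds-%dd" % max_lifetime_days))
        elif end - now <= timedelta(days=warn_days):
            findings.append((c["principal"], c["keyId"], "expires-within-%dd" % warn_days))
        if not c.get("owner"):
            findings.append((c["principal"], c["keyId"], "no-owner"))
        if not c.get("purpose"):
            findings.append((c["principal"], c["keyId"], "no-purpose"))
    return sorted(findings)


if __name__ == "__main__":
    for principal, key_id, issue in review_credentials(SAMPLE_CREDENTIALS):
        print(f"{principal:18} {key_id:5} {issue}")
```

Each finding is a row you can paste into the inventory with a remediation owner; the "no-owner" and "no-purpose" checks are what turn a raw credential listing into the owner and purpose mapping the step asks for.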
Step 3 — Build a device inventory and classification
Capture every device that accesses systems: desktops, laptops, phones, tablets, servers, IoT. Use MDM/EMM (Microsoft Intune, JAMF, Google Endpoint, MobileIron) and endpoint agents (osquery, CrowdStrike sensor) to automatically collect device serial, OS, MAC addresses, hostname, last check-in, and managed/unmanaged status. For small businesses without MDM, perform a network scan (Nmap) and require device registration with a spreadsheet-backed CMDB until you can automate. Classify devices (corporate-owned, BYOD, contractor) and assign minimum configuration baselines.
Step 4 — Implement unique identifiers and eliminate shared credentials
Ensure each user and service principal has a unique identifier that is used consistently across logs and access controls. Prohibit generic shared logins (e.g., "admin", "sales") and replace with role-based access and service accounts with clear naming conventions (svc-ci-build, svc-backup) and documented owners. Enforce strong authentication: enable MFA for interactive access, use certificate-based or token-based auth for devices and services where appropriate, and set password rotation/expiration for non-service accounts.
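The inventory review from Step 1 and the unique-identifier rules from Step 4, as one added example that is not part of the original post: it reads a constructed Users.csv in the column layout of the Step 1 export and flags generic shared logins, duplicate mail addresses (two accounts for one person), names that break the firstinitial.lastname and svc-applicationname conventions, dormant accounts, and stale passwords on non-service accounts. The 90-day thresholds are assumptions for the example.

```python
import csv
import io
import re
from datetime import datetime

NOW = datetime(2025, 1, 15)     # fixed for a deterministic example
ROTATION_DAYS = 90              # assumed password age limit for non-service accounts
DORMANT_DAYS = 90               # assumed sign-in gap that marks an account dormant
GENERIC_NAMES = {"admin", "administrator", "sales", "guest", "test", "shared", "root"}
USER_PATTERN = re.compile(r"^[a-z]\.[a-z]+$")                   # firstinitial.lastname
SERVICE_PATTERN = re.compile(r"^svc-[a-z0-9]+(-[a-z0-9]+)*$")   # svc-applicationname

# Constructed sample in the column layout of the Step 1 export (not a real directory).
SAMPLE_USERS_CSV = """SamAccountName,mail,Enabled,PasswordLastSet,LastLogonDate
j.doe,j.doe@example.com,True,2024-12-01 09:00:00,2025-01-10 08:15:00
admin,it@example.com,True,2022-05-03 12:00:00,2025-01-12 07:00:00
sales,sales@example.com,True,2023-01-20 10:30:00,2024-06-30 17:45:00
svc-ci-build,,True,2024-11-15 00:00:00,2025-01-14 02:00:00
backupservice,,True,2021-02-02 00:00:00,2025-01-13 23:00:00
m.doe,j.doe@example.com,True,2024-11-05 11:00:00,2025-01-09 09:00:00
t.old,t.old@example.com,False,2023-03-03 00:00:00,2023-09-01 00:00:00
"""


def parse_date(value):
    """Export-Csv writes dates as text; an empty field means the attribute was never set."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S") if value else None


def load_users(csv_text):
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "name": row["SamAccountName"].strip().lower(),
            "mail": row["mail"].strip().lower() or None,
            # Export-Csv serialises booleans as the strings "True"/"False"
            "enabled": row["Enabled"].strip().lower() == "true",
            "password_set": parse_date(row["PasswordLastSet"]),
            "last_logon": parse_date(row["LastLogonDate"]),
        })
    return rows


def review_users(rows, now=NOW, rotation_days=ROTATION_DAYS, dormant_days=DORMANT_DAYS):
    """Return sorted (account, issue) tuples. Disabled accounts are skipped here;
    they belong to the offboarding review in Step 6."""
    findings = []
    active = [r for r in rows if r["enabled"]]
    mails = {}
    for r in active:
        if r["mail"]:
            mails.setdefault(r["mail"], []).append(r["name"])
    for r in active:
        name = r["name"]
        is_service = name.startswith("svc-")
        if name in GENERIC_NAMES:
            findings.append((name, "generic-shared-account"))
        pattern = SERVICE_PATTERN if is_service else USER_PATTERN
        if not pattern.match(name):
            findings.append((name, "naming-violation"))
        if r["mail"] and len(mails[r["mail"]]) > 1:
            findings.append((name, "duplicate-mail"))
        if r["last_logon"] and (now - r["last_logon"]).days > dormant_days:
            findings.append((name, "dormant-account"))
        if not is_service and r["password_set"] and (now - r["password_set"]).days > rotation_days:
            findings.append((name, "stale-password"))
    return sorted(findings)


if __name__ == "__main__":
    for account, issue in review_users(load_users(SAMPLE_USERS_CSV)):
        print(f"{account:15} {issue}")
```

Note that backupservice is caught only by the naming check: it is a service account that cannot be told apart from a person in logs, which is exactly the gap the svc- prefix convention closes.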
Step 5 — Instrument logging and link logs to identities and device IDs
Configure audit logging for identity providers, endpoint OS events, VPNs, firewalls, and cloud APIs. Make sure logs include both the user identifier and device identifier (hostname, device ID, or certificate subject). For Windows, enable Sysmon with event forwarding to a SIEM; for cloud, forward Azure AD sign-in logs and Office 365 audit logs to Azure Sentinel or a third-party SIEM. Define retention (even basic CMMC Level 1 benefits from 90 days) and create automated alerts for anomalous use of service accounts or unknown devices.
Step 6 — Implement account and device lifecycle processes
Formalize onboarding, privilege assignment, and offboarding. Integrate HR and identity provisioning so new hires get unique accounts and departing staff immediately lose access (automated disable). For service processes, document purpose, owner, and expiry/rotation of credentials. Enforce device enrollment at onboarding and revoke certificates or MDM profiles at deprovisioning. Schedule periodic access reviews (quarterly for small shops) to validate that accounts and devices in your inventory are still needed.
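The HR-to-identity reconciliation and access-review record this step describes, as an added example that is not part of the original post: it compares a constructed HR roster with a constructed identity-provider export, lists terminated users still enabled, accounts with no HR record, service accounts whose owner has left, and service credentials past an assumed 180-day rotation interval, then packages the result as an evidence record mapped to the control id the post cites.

```python
from datetime import datetime

NOW = datetime(2025, 1, 15)   # fixed for a deterministic example
ROTATION_DAYS = 180           # assumed credential rotation interval for service accounts
CONTROL_ID = "IA.L1-B.1.V"

# Constructed HR roster and identity-provider export (not real data).
HR_ROSTER = [
    {"username": "j.doe", "status": "active"},
    {"username": "m.doe", "status": "terminated", "end_date": "2025-01-10"},
    {"username": "b.lee", "status": "active"},
]
IDP_ACCOUNTS = [
    {"username": "j.doe", "enabled": True},
    {"username": "m.doe", "enabled": True},
    {"username": "b.lee", "enabled": True},
    {"username": "x.tmp", "enabled": True},
    {"username": "svc-ci-build", "enabled": True, "owner": "m.doe", "rotated": "2024-12-01"},
    {"username": "svc-backup", "enabled": True, "owner": "b.lee", "rotated": "2024-03-01"},
]


def reconcile(hr, idp, now=NOW, rotation_days=ROTATION_DAYS):
    """Return sorted (account, action) tuples for the access review.
    disable-terminated-user: HR says terminated but the account is still enabled;
    no-hr-record: a human-style account HR does not know about;
    orphaned-owner: a service account whose documented owner is missing or not active;
    rotate-credential: a service credential older than rotation_days (or never rotated)."""
    status = {h["username"]: h["status"] for h in hr}
    findings = []
    for a in idp:
        name = a["username"]
        if not a["enabled"]:
            continue                      # already deprovisioned; nothing to action
        if name.startswith("svc-"):
            owner = a.get("owner")
            if not owner or status.get(owner) != "active":
                findings.append((name, "orphaned-owner"))
            rotated = a.get("rotated")
            if not rotated or (now - datetime.strptime(rotated, "%Y-%m-%d")).days > rotation_days:
                findings.append((name, "rotate-credential"))
        elif name not in status:
            findings.append((name, "no-hr-record"))
        elif status[name] == "terminated":
            findings.append((name, "disable-terminated-user"))
    return sorted(findings)


def evidence_record(findings, accounts, now=NOW):
    """Access-review record to file in the compliance folder, mapped to the control."""
    return {
        "control": CONTROL_ID,
        "review_date": now.strftime("%Y-%m-%d"),
        "accounts_reviewed": len(accounts),
        "open_findings": len(findings),
        "findings": [{"account": acct, "action": action} for acct, action in findings],
    }


if __name__ == "__main__":
    found = reconcile(HR_ROSTER, IDP_ACCOUNTS)
    for account, action in found:
        print(f"{action:24} {account}")
    print(evidence_record(found, IDP_ACCOUNTS))
```

Run on a schedule (the quarterly cadence the step suggests, or daily once HR provisioning is integrated), the evidence records accumulate into exactly the review trail Step 7 asks you to keep.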
Step 7 — Monitor continuously, validate with tests, and document evidence
Continuously monitor identity and device posture using automated checks: sign-in anomaly detection, certificate expiry alerts, detection of privileged actions by non-privileged accounts, and unauthorized device connections. Validate controls with periodic tests: run an internal audit that attempts to use a revoked device or expired service account and document results. Keep evidence (exported inventories, access review records, and logs) in a compliance folder mapped to the Compliance Framework control (IA.L1-B.1.V) for contract audits.
Practical tips, risks, and best practices
Tips and best practices: for a small business, prioritize quick wins — enforce MFA for all accounts, require MDM enrollment for corporate devices, and create a simple naming convention (user-firstinitial.lastname, svc-applicationname). Automate deprovisioning by integrating HR with your identity provider (use SCIM where supported). Use low-cost or built-in tools first: Azure AD Free + Intune trial for device enrollment, or open-source osquery for device visibility. Maintain a one-page runbook that maps identifiers to owners and contains steps for emergency revocation.
Risks of not implementing this requirement include inability to attribute actions (making incident response and forensic investigation ineffective), credential misuse by attackers (leading to lateral movement and data exfiltration), contractual noncompliance (fines or loss of DoD contracts), and operational risk from orphaned service accounts and unmanaged devices. Small businesses are attractive targets; lacking clear user/process/device identification materially increases compromise impact.
Summary: follow this 7-step checklist — authoritative identity source, enumerate service principals, device inventory, unique identifiers, logging with identity/device linkage, lifecycle governance, and continuous monitoring/testing — to build an auditable program that meets FAR 52.204-21 and CMMC 2.0 IA.L1-B.1.V expectations under the Compliance Framework. Start with the high-impact actions (MFA, inventory export, and disabling shared accounts), document everything, and iterate toward automation as your organization matures.