This post explains, in practical, step-by-step detail, how to create an implementation checklist and a complete evidence package to meet the identification and authentication control IA.L1-B.1.V as it is applied under FAR 52.204-21 and CMMC 2.0 Level 1 within your Compliance Framework program.
What IA.L1-B.1.V means in plain terms
At a high level the control requires that your contractor information system identify and authenticate users before allowing access to covered information (including Controlled Unclassified Information, or CUI). For Compliance Framework mapping, treat IA.L1-B.1.V as a basic identification and authentication requirement: unique user identities, proof of identity (authentication), account lifecycle management, and logging of authentication events. CMMC Level 1 focuses on basic safeguarding: you do not need enterprise-grade identity platforms to comply, but you do need demonstrable, repeatable controls that prevent anonymous or shared-account access to CUI-related systems.
Implementation checklist: actionable steps for small businesses
Use the checklist below as your primary project plan. Each checklist item should be mapped to a piece of evidence collected for the evidence package.
- Policy and Roles: Create or update an Identification & Authentication policy that defines unique IDs, permitted authentication mechanisms, password rules, and who is responsible for account lifecycle (HR + IT).
- Inventory: Identify all systems that store, process, or transmit covered information and list the authentication method each uses (local OS, cloud IdP, VPN, SaaS).
- Unique Accounts: Ensure no shared user accounts for day-to-day use; define a process for approving any true service/shared accounts with compensating controls.
- Password & Authentication Settings: Implement and enforce password complexity/length, lockout thresholds, and account inactivity deactivation. Where feasible, enable multi-factor authentication (MFA) for remote or administrative access—document any exceptions.
- Onboarding/Offboarding: Implement a documented workflow that ties HR actions (hire/terminate) to account creation and revocation; automate where possible.
- Logging & Review: Enable authentication logging (event IDs, syslog, CloudTrail, Azure AD sign-in logs) and schedule periodic reviews of failed/successful authentication events and active account lists.
- Training: Provide basic user training covering password hygiene, phishing awareness, and reporting of lost credentials; keep attendance records.
- POA&M: If any items are not yet implemented, create a Plan of Action & Milestones (POA&M) with prioritized remediation steps and target dates.
Evidence package: concrete artifacts to collect
Map each checklist item to evidence you will present to an auditor or assessor. Required artifacts should include a mix of policy documents, technical configuration snapshots, logs, and process records. Typical evidence items:
- Identification & Authentication policy (signed/dated), and a short mapping document that cites IA.L1-B.1.V and FAR 52.204-21.
- System inventory spreadsheet showing where covered information resides and what authentication is used for each system.
- User account roster (export from AD/Azure/Google Workspace) showing unique IDs, creation dates, last logon, and status (active/disabled).
- Configuration screenshots or exported settings: password policy settings, lockout thresholds, MFA settings, Conditional Access rules, and local OS PAM configuration.
- Audit logs showing recent authentication events (successful and failed) with timestamps—retain relevant extracts (e.g., last 90 days) with explanation of search criteria.
- Onboarding/offboarding records: HR notification emails, ticket system records showing account creation/deactivation, and a sample termination checklist entry.
- Training attendance log and training materials (slides or LMS completion report).
- POA&M document and any risk acceptance forms for exceptions.
Technical implementation specifics (examples and commands)
Small businesses commonly run a mix of cloud and on-prem systems. Below are actionable config examples you can implement quickly and include in your evidence package:
- Linux: enforce password aging and lockout with PAM. Review the relevant lines in /etc/pam.d/common-auth and /etc/pam.d/common-password, use chage -M 90 username to set the maximum password age, and use faillock (or pam_tally2 on older distributions) to lock accounts after n failures.
- Windows (local or AD): document Group Policy settings (Minimum password length = 12, Account lockout threshold = 5, Lockout duration = 30 minutes) and export them with gpresult /h policy.html.
- Azure AD / Microsoft 365: enable Security Defaults or a Conditional Access policy requiring MFA for sign-in to admin and remote access; export sign-in logs from Azure AD as evidence.
- Google Workspace: enforce 2-Step Verification; capture the Admin console settings export and a sample user 2SV enrollment report.
- SaaS: capture the account settings screen. VPN appliances: capture authentication logs or RADIUS server logs.
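As an added example that is not part of the original post, the periodic review called for in the Logging & Review checklist item and the audit-log evidence item, scripted in Python: it counts accepted and failed logons per account in a constructed sshd log extract, flags accounts that reached the lockout threshold, and lists still-active accounts in a constructed roster export whose last logon is older than the review window. The syslog line format, the roster columns, and the thresholds (5 failures, 90 days) are assumptions taken from the settings and evidence items above.

```python
import csv
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample sshd auth log extract (syslog format); not real data.
AUTH_LOG = """\
Jun 01 08:02:11 fs01 sshd[2101]: Accepted publickey for alice from 10.0.0.5 port 50122 ssh2
Jun 01 08:05:40 fs01 sshd[2144]: Failed password for bob from 10.0.0.9 port 50311 ssh2
Jun 01 08:05:44 fs01 sshd[2144]: Failed password for bob from 10.0.0.9 port 50311 ssh2
Jun 01 08:05:49 fs01 sshd[2144]: Failed password for bob from 10.0.0.9 port 50311 ssh2
Jun 01 08:05:53 fs01 sshd[2144]: Failed password for bob from 10.0.0.9 port 50311 ssh2
Jun 01 08:05:58 fs01 sshd[2144]: Failed password for bob from 10.0.0.9 port 50311 ssh2
Jun 01 09:10:00 fs01 sshd[2300]: Failed password for invalid user admin from 203.0.113.7 port 40000 ssh2
Jun 01 09:12:30 fs01 sshd[2310]: Accepted password for carol from 10.0.0.12 port 50400 ssh2
"""

# Constructed account roster export with the columns the evidence list calls for.
ROSTER_CSV = """\
user,created,last_logon,status
alice,2023-01-10,2024-05-30,active
bob,2023-03-01,2024-05-31,active
carol,2022-11-15,2024-05-29,active
dave,2021-06-01,2024-01-15,active
erin,2021-06-01,2023-12-01,disabled
"""

LOCKOUT_THRESHOLD = 5   # assumed: same threshold as the Group Policy example above
INACTIVITY_DAYS = 90    # assumed: review window used for the log extract and roster

# Matches sshd success/failure lines, including "invalid user" attempts.
AUTH_RE = re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (?:invalid user )?(\S+) from (\S+)")

def summarize_auth_events(log_text):
    """Count accepted/failed logons per account and flag accounts at or over the lockout threshold."""
    accepted, failed = Counter(), Counter()
    for line in log_text.splitlines():
        m = AUTH_RE.search(line)
        if m:
            result, user, _src = m.groups()
            (accepted if result == "Accepted" else failed)[user] += 1
    flagged = sorted(u for u, n in failed.items() if n >= LOCKOUT_THRESHOLD)
    return {"accepted": dict(accepted), "failed": dict(failed), "lockout_candidates": flagged}

def inactive_accounts(roster_csv, as_of, days=INACTIVITY_DAYS):
    """Return still-active accounts whose last logon is older than `days` before as_of (YYYY-MM-DD)."""
    cutoff = datetime.strptime(as_of, "%Y-%m-%d") - timedelta(days=days)
    rows = csv.DictReader(roster_csv.splitlines())
    return sorted(r["user"] for r in rows if r["status"] == "active"
                  and datetime.strptime(r["last_logon"], "%Y-%m-%d") < cutoff)
```

Run it against a real extract from /var/log/auth.log (or a journalctl export) and your IdP roster export, and file the two result lists with the review date as the record of the quarterly review.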
Real-world small-business scenario
Example: Acme Engineering (20 employees) uses Microsoft 365 for email, an on-prem Windows server for file shares, and a cloud-hosted CRM. To comply: Acme updates its I&A policy, enables Azure AD Security Defaults (MFA for admin operations), audits all user accounts and deactivates three inactive accounts, implements a ticket-based onboarding/offboarding process that HR triggers, configures Group Policy for password settings, and schedules quarterly account reviews. Evidence collected includes the policy document, Azure AD sign-in logs showing MFA, AD export of users with lastLogon timestamps, ticket system records (create/deactivate), and the training completion report. Acme documents a POA&M for tightening local file-share permissions over the next 60 days.
Compliance tips, best practices, and risks of non-implementation
Tips: treat identity as the primary control. Invest time in automating onboarding/offboarding, use cloud IdPs with SSO where possible to centralize control, and log all authentication activity with at least 90 days' retention for small organizations. Best practices include eliminating shared accounts, enabling MFA for any remote access, and performing quarterly access reviews. Risks of not implementing IA.L1-B.1.V controls include unauthorized access to CUI, data exfiltration, contract noncompliance leading to corrective actions or loss of contracts, potential reporting obligations under FAR, and reputational harm. Audit failure often stems from weak evidence (e.g., a policy exists but there are no logs or lifecycle records), so prioritize building reproducible evidence channels now.
Summary
To meet FAR 52.204-21 / CMMC 2.0 Level 1 identification and authentication requirements under IA.L1-B.1.V, assemble a simple, repeatable program: document policy, inventory systems, enforce unique identities and reasonable password/authentication controls, log and review authentication events, and keep onboarding/offboarding tightly coupled to HR. Build an evidence package that includes policy, technical configurations, user rosters, logs, and process records — and maintain a POA&M for any gaps. For small businesses, practical wins are automation of lifecycle events, centralized identity (cloud IdP), and demonstrable logs; these produce the strongest evidence and the lowest compliance risk.