
How to Follow a Step-by-Step Implementation Checklist to Identify Users, Processes, and Devices for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V

A practical step-by-step checklist to inventory and authorize users, processes, and devices to meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V requirements for small businesses.

April 18, 2026

Meeting the IA.L1-B.1.V requirement under FAR 52.204-21 and CMMC 2.0 Level 1 means you must be able to identify and document who (users), what (processes), and which devices are authorized to access contractor-controlled information systems; this post provides a practical, step-by-step checklist and concrete technical guidance geared toward small businesses seeking compliance.

What the control requires (Compliance Framework context)

At a high level, IA.L1-B.1.V expects organizations to establish and maintain an authoritative inventory of authorized users, processes, and devices and to ensure only those approved entities can access Federal Contract Information (FCI) or other covered data. Key objectives include: 1) defining scope and ownership, 2) creating an authoritative inventory (people/processes/devices), 3) applying access authorization rules (who/what/which), and 4) demonstrating repeatable evidence for audits. Implementation notes for small organizations emphasize using existing systems (Active Directory, SSO, MDM, cloud identity) to avoid heavy new tooling while retaining clear records.

Step-by-step implementation checklist

Step 1 — Define scope and owners: document where covered information lives (cloud apps, file shares, endpoints), and assign an owner for each system or domain (e.g., "Finance file share owner: CFO"). Designate an identity owner (IAM lead) responsible for the inventory.

Step 2 — Enumerate user sources: list all identity providers (Azure AD, Google Workspace, local AD, Okta), and export user lists with attributes (username, email, role, last login, account status). For example, run Get-AzureADUser or use the Google Workspace Admin > Users export to get a CSV you can import into a control spreadsheet or CMDB.

Step 3 — Map business processes and service accounts: identify automated processes that access covered systems (backup jobs, API integrations, CI/CD runners). Record the process name, purpose, owner, access scope, credentials used (type: service account, API key), and rotation schedule.

Step 4 — Create a device inventory: collect endpoint details (hostname, MAC, OS, owner, asset tag, managed/unmanaged, last seen). Use existing management tools (Intune, JAMF, SCCM) to export device reports. For unmanaged BYOD, create a minimal record for any device explicitly allowed to access FCI (owner, device type, platform, approval timestamp).

Technical discovery and verification tactics

Practical discovery tools and commands: perform authenticated directory exports (PowerShell: Get-ADUser -Filter * -Properties Enabled, LastLogonDate; Azure CLI: az ad user list --output json), use MDM/endpoint manager exports (Intune device export, JAMF API), and run controlled network discovery inside your environment (nmap -sn 10.0.0.0/24 for host discovery on an internal network segment) only from authorized admin workstations. Query cloud inventories: AWS (aws ec2 describe-instances, aws iam list-roles), GCP (gcloud compute instances list), and SaaS app admin consoles for active sessions and OAuth apps. Consolidate the outputs into a simple CMDB or spreadsheet in which every user, process, and device has a unique ID, so the three tables can be cross-referenced.

Example for a small business (real-world scenario)

Imagine a 30-person engineering firm using Azure AD, GitHub, Google Workspace, and a small fleet of managed laptops (Intune) plus some BYOD. Implementation path: export Azure AD users to CSV, audit GitHub org members and OAuth apps, query Intune for device compliance and serial numbers, and interview the engineering lead to document build servers and their service accounts. Produce a mapping like: "CI Runner (gitlab-runner-01) — Process — Uses service account 'svc-ci' — Allowed repos: internal/private — Owner: DevOps Lead." This mapping demonstrates control over who/what/which and provides audit artifacts (CSV exports, screenshots, owner approvals).
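The consolidation step and the who/what/which mapping above are easier to see in code. The following is an added example, not code from the original post: it loads a user export, a device export, and a list of process records (all constructed sample data with assumed column names), assigns each record a unique ID, cross-references the three tables, and produces the one-line mapping for a process. The review checks (stale accounts, stale or unmanaged devices, owners or credentials with no matching identity) are the ones a system owner would need to decide on at the quarterly attestation; the thresholds are assumptions.

```python
"""Consolidate user, device and process exports into one inventory with
unique IDs and cross-reference them (added example, not code from the post).
The CSV column names and the sample records below are constructed assumptions;
replace the strings with your own IdP/MDM exports."""
import csv
import io
from datetime import date

AS_OF = date(2026, 4, 18)   # fixed review date so the checks are deterministic
STALE_USER_DAYS = 90        # enabled account with no login for this long gets flagged
STALE_DEVICE_DAYS = 30      # managed device not seen for this long gets flagged

# Constructed user export (columns assumed; matches the attributes in Step 2).
USERS_CSV = """username,email,role,last_login,status
alice,alice@example.com,DevOps Lead,2026-04-10,enabled
bob,bob@example.com,Engineer,2025-09-01,enabled
carol,carol@example.com,Finance,2026-04-12,disabled
svc-ci,svc-ci@example.com,Service,2026-04-17,enabled
"""

# Constructed device export (columns assumed; matches the attributes in Step 4).
DEVICES_CSV = """hostname,serial,os,owner,managed,last_seen
LT-001,SN-AAA,Windows 11,alice,yes,2026-04-17
LT-002,SN-BBB,macOS 14,bob,yes,2026-02-01
PHONE-77,SN-CCC,iOS 17,dave,no,2026-04-16
"""

# Constructed process records (Step 3): automated jobs and the credentials they use.
PROCESSES = [
    {"name": "gitlab-runner-01", "purpose": "CI builds", "owner": "alice",
     "credential": "svc-ci", "credential_type": "service account",
     "scope": "internal/private repos"},
    {"name": "nightly-backup", "purpose": "Backup job", "owner": "erin",
     "credential": "svc-backup", "credential_type": "API key",
     "scope": "finance file share"},
]


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def _days_since(iso_date):
    return (AS_OF - date.fromisoformat(iso_date)).days


def build_inventory(users_csv=USERS_CSV, devices_csv=DEVICES_CSV, processes=PROCESSES):
    """Assign a unique ID (U-/D-/P-) to every record so the tables can be cross-referenced."""
    inv = {"users": {}, "devices": {}, "processes": {}}
    for i, u in enumerate(_rows(users_csv), 1):
        inv["users"][f"U-{i:04d}"] = u
    for i, d in enumerate(_rows(devices_csv), 1):
        inv["devices"][f"D-{i:04d}"] = d
    for i, p in enumerate(processes, 1):
        inv["processes"][f"P-{i:04d}"] = dict(p)
    return inv


def review_inventory(inv):
    """Return (record_id, finding_type, detail) tuples for entries that need an owner's decision."""
    known = {u["username"] for u in inv["users"].values()}
    findings = []
    for uid, u in inv["users"].items():
        if u["status"] == "enabled" and _days_since(u["last_login"]) > STALE_USER_DAYS:
            findings.append((uid, "stale-user", f"{u['username']} last login {u['last_login']}"))
    for did, d in inv["devices"].items():
        if d["owner"] not in known:
            findings.append((did, "unknown-owner", f"{d['hostname']} owner '{d['owner']}' not in IdP"))
        if d["managed"] != "yes":
            findings.append((did, "unmanaged-device", f"{d['hostname']} needs a BYOD approval record"))
        if _days_since(d["last_seen"]) > STALE_DEVICE_DAYS:
            findings.append((did, "stale-device", f"{d['hostname']} last seen {d['last_seen']}"))
    for pid, p in inv["processes"].items():
        if p["owner"] not in known:
            findings.append((pid, "unknown-owner", f"{p['name']} owner '{p['owner']}' not in IdP"))
        if p["credential"] not in known:
            findings.append((pid, "credential-not-in-idp",
                             f"{p['name']} uses '{p['credential']}', which matches no IdP account"))
    return findings


def process_mapping(inv, pid):
    """One-line who/what/which record for a process, like the CI runner example above."""
    p = inv["processes"][pid]
    owner = next((u["role"] for u in inv["users"].values() if u["username"] == p["owner"]), p["owner"])
    return (f"{p['name']} | Process | {p['credential_type']} '{p['credential']}' | "
            f"Scope: {p['scope']} | Owner: {owner}")


if __name__ == "__main__":
    inventory = build_inventory()
    print(process_mapping(inventory, "P-0001"))
    for rec_id, kind, detail in review_inventory(inventory):
        print(f"{rec_id:7} {kind:22} {detail}")
```

Run as-is, the sample flags the engineer who has not logged in for months, the laptop not seen for weeks, the BYOD phone with no IdP owner, and the backup job whose owner and API key are not tied to any identity. Each finding names the inventory ID, so it can be attached to a ticket and resolved by the record's owner rather than by the IAM lead alone.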

Step 5 — Apply authorization and minimal access rules: convert the inventory into actionable controls — disable or remove accounts not in scope, enforce role-based access groups, and add explicit allow-lists for devices where feasible (VPN/conditional access based on device compliance).

Step 6 — Evidence and audit trail: keep exports, change logs, ticket approvals, and periodic review records. For example, retain monthly CSV exports of AD and Intune inventories, ticket links approving device BYOD access, and screenshots of conditional access policies in Azure with timestamps.

Step 7 — Operationalize and automate reviews: schedule quarterly reviews where system owners attest to inventory accuracy. Automate drift detection by comparing nightly exports against your CMDB and flagging unknown entries. Implement simple automation: a script that compares current Azure AD users to the CMDB and opens tickets for new or disabled accounts.

Step 8 — Hardening and controls: require MFA for all accounts with access to covered data, enforce least privilege group membership, rotate service credentials and store them in a secrets manager, and require device management or an approved BYOD attestation before granting network or app access.
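The drift-detection script described in Step 7, as an added example that is not the post's own code. It compares a nightly identity-provider user export against the CMDB baseline and reports three kinds of drift: accounts present in the IdP with no CMDB record, accounts whose enabled/disabled status differs between the two, and CMDB records the IdP no longer has. The CSV layouts, the sample rows, the priority mapping and the ticket fields are all constructed assumptions; the last function builds ticket payloads only, and submitting them is left to whatever ticketing API you use.

```python
"""Nightly drift detection: compare the current IdP user export against the
CMDB baseline and turn differences into ticket payloads (added example, not
the post's code). CSV layouts, sample data and ticket fields are assumptions."""
import csv
import io

# Constructed CMDB baseline: the authorized-user records as of the last review.
CMDB_CSV = """id,username,status,owner
U-0001,alice,enabled,IAM Lead
U-0002,bob,enabled,IAM Lead
U-0003,carol,disabled,IAM Lead
U-0004,svc-ci,enabled,DevOps Lead
"""

# Constructed nightly IdP export (e.g. a CSV written from Get-AzureADUser output).
IDP_CSV = """username,status
alice,enabled
bob,disabled
svc-ci,enabled
new-contractor,enabled
"""

# Ticket priority per drift type (assumption; set it to match your triage policy).
PRIORITY = {"unauthorized-account": "high", "status-drift": "medium", "missing-from-idp": "low"}


def _rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def detect_drift(cmdb_csv=CMDB_CSV, idp_csv=IDP_CSV):
    """Return drift events between the IdP export and the CMDB baseline."""
    cmdb = {r["username"]: r for r in _rows(cmdb_csv)}
    idp = {r["username"]: r for r in _rows(idp_csv)}
    events = []
    for name, r in idp.items():
        if name not in cmdb:
            # An account nobody authorized: needs an owner approval or gets disabled.
            events.append({"type": "unauthorized-account", "username": name,
                           "detail": f"{name} is {r['status']} in the IdP but has no CMDB record"})
        elif r["status"] != cmdb[name]["status"]:
            # Status changed outside the review cycle: confirm offboarding or update the record.
            events.append({"type": "status-drift", "username": name,
                           "detail": f"{name} is {r['status']} in the IdP "
                                     f"but {cmdb[name]['status']} in the CMDB"})
    for name in cmdb:
        if name not in idp:
            # Record outlived the account: close it and keep the evidence trail.
            events.append({"type": "missing-from-idp", "username": name,
                           "detail": f"{name} ({cmdb[name]['id']}) is in the CMDB "
                                     f"but absent from the IdP export"})
    return events


def to_tickets(events, queue="IAM"):
    """Build ticket payloads; submit them with your ticketing system's API (not shown)."""
    return [{"queue": queue, "priority": PRIORITY[e["type"]],
             "title": f"[IA.L1-B.1.V] {e['type']}: {e['username']}",
             "body": e["detail"]} for e in events]


if __name__ == "__main__":
    for t in to_tickets(detect_drift()):
        print(t["priority"].upper(), t["title"], "-", t["body"])
```

Scheduled nightly, an empty result is itself evidence that the inventory and the IdP agree on that date; keeping the daily export alongside the ticket list gives the audit trail Step 6 asks for without any extra tooling.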

Risks of not implementing: failure to identify and authorize users/processes/devices leads to orphaned accounts, unmanaged endpoints accessing sensitive data, credential compromise, and untracked service integrations — all of which increase the risk of data exposure and can result in failed FAR/CMMC compliance assessments, contract penalties, or loss of government work. Practically, unmanaged service accounts often become backdoors during breaches; unknown devices can host unpatched vulnerabilities; and undocumented processes can exfiltrate data without detection.

Compliance tips and best practices: keep the inventory simple but authoritative (one source of truth), tie owners to each inventory item, use exportable formats (CSV/JSON) as evidence, enforce periodic attestation (quarterly), and prioritize automation for detection and remediation. For small businesses, lean on built-in cloud controls (conditional access, device compliance) and free/low-cost tooling (scripts, CMDB-lite spreadsheets, ticketing system integrations) to meet the intent of IA.L1-B.1.V without expensive new products.

In summary, meet IA.L1-B.1.V by scoping covered assets, exporting and consolidating identity and device data, mapping business processes and service accounts, enforcing authorization and least privilege, and maintaining repeatable evidence through automation and periodic attestation. This pragmatic approach scales from small businesses to larger contractors while producing the records auditors and contracting officers expect under FAR 52.204-21 and CMMC 2.0 Level 1.
