How to Implement FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V: Identify Users, Processes, and Devices in 7 Practical Steps

Step-by-step guide to meeting FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V by identifying and managing users, processes, and devices in small-business environments.

April 21, 2026

This post gives a practical, step-by-step approach for small businesses and contractors to implement FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V — Identify Users, Processes, and Devices — focusing on hands-on tasks, evidence you can collect, and real-world examples so you can demonstrate compliance to auditors and prime contractors.

Why identification matters for compliance and what is at stake

At Level 1 and under FAR 52.204-21, the objective is simple: know who and what is accessing Controlled Unclassified Information (CUI) or contractor systems supporting government work. If you cannot reliably identify users, processes, and devices, you expose CUI to unauthorized access, increase the risk of malware spread, and create audit failures that can cost contracts or revenue, or even lead to suspension. For small businesses, failing to implement these controls commonly results in compromised credentials, lateral movement by attackers, and difficulty proving required safeguards during compliance assessments.

7 Practical steps to identify users, processes, and devices

Step 1 — Build a minimal, authoritative inventory (users + devices + processes)

Create a single inventory (CSV or small CMDB) with columns for: unique ID, owner, username, role, device hostname, MAC, serial, IPv4, OS, last-seen timestamp, and enrolled MDM status. Example: a 20-person contractor can maintain this in a shared, access-controlled spreadsheet (Google Workspace or SharePoint) or a lightweight CMDB like GLPI. Evidence: export of the CSV, change history, and a policy that names the inventory owner. Populate the “processes” column with business-critical services (e.g., “Accounting-QuickBooks-Service” or “VPN-Client-Process”) so auditors can tie processes to business functions.

Step 2 — Ensure unique, auditable identities and eliminate shared accounts

Assign every individual a unique user ID and disable generic/shared accounts. Use Azure AD / Microsoft Entra, Okta, or an on-prem AD for identity management; if you use local device accounts, map them to user identities in your inventory. For small shops: export AD users (PowerShell: Get-ADUser) or use Azure AD exports to show your roster. Evidence: user list export, onboarding/offboarding checklists, and a policy prohibiting shared credentials. Shared accounts break non-repudiation and are a common audit failure.

Step 3 — Enroll devices in an endpoint management solution

Use an MDM or EMM (Intune, Jamf, or a small-business option like SimpleMDM) to enroll laptops, phones, and tablets; for servers use configuration management (SCCM/Chocolatey/Ansible). Enrollment gives you device identifiers (device ID, serial, OS version) and allows you to show "managed" status. Evidence: MDM enrollment screenshots, device compliance reports, and enrollment logs. For mixed environments, at minimum tag devices in your inventory when they are issued and require registration before access to government networks.

Step 4 — Map and monitor critical processes and their associated accounts

Identify background services and automated processes that access systems (backup services, service accounts, scheduled tasks). Document which account each process uses and whether the account is interactive or non-interactive. Example: label a scheduled SFTP transfer as "SFTP-Backup-Process" and record the service account and source device. Use process monitoring (osquery, Sysinternals PsList, or native task managers) to periodically snapshot running processes and reconcile them against your documented list.

Step 5 — Implement simple network and host visibility to reconcile reality to inventory

Run regular network scans (Nmap) and use DHCP logs, ARP tables, or Active Directory last-logon times to detect unmanaged devices. On endpoints, run an agentless inventory (osquery) or a light agent to capture installed processes and open ports. For evidence, keep scan reports and reconciliation notes that show newly discovered items were either added to inventory or remediated (e.g., removed or blocked). Small businesses can schedule monthly scans and automate ticket creation for unknown devices.
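The reconciliation described in Step 5, as an added example that is not part of the original post: it compares an inventory export using the Step 1 columns against discovered hosts and reports what needs a ticket. The CSV column names, the discovery record format, and all sample values are constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample inventory using the Step 1 columns (not real data).
INVENTORY_CSV = """unique_id,owner,username,role,hostname,mac,serial,ipv4,os,last_seen,mdm_enrolled
D-001,Alice Ng,ang,Engineer,LT-ANG,AA:BB:CC:00:00:01,SN1001,10.0.0.11,Windows 11,2026-04-20T09:00:00,yes
D-002,Bob Ruiz,bruiz,Accounting,LT-BRUIZ,aa-bb-cc-00-00-02,SN1002,10.0.0.12,Windows 11,2026-04-19T16:30:00,no
D-003,Cara Li,cli,PM,LT-CLI,AA:BB:CC:00:00:03,SN1003,10.0.0.13,macOS 14,2026-02-01T08:00:00,yes
"""

# Constructed discovery results, e.g. merged from DHCP leases, ARP tables or scan output.
DISCOVERED = [
    {"mac": "aa:bb:cc:00:00:01", "ipv4": "10.0.0.11"},
    {"mac": "AA:BB:CC:00:00:02", "ipv4": "10.0.0.12"},
    {"mac": "de:ad:be:ef:00:99", "ipv4": "10.0.0.77"},
]


def norm_mac(mac):
    """Normalize MAC notation so AA-BB-.. and aa:bb:.. compare equal."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory_csv, discovered, now, stale_days=30):
    """Compare the inventory to what was actually seen on the network."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    by_mac = {norm_mac(r["mac"]): r for r in rows}
    seen = {norm_mac(d["mac"]) for d in discovered}
    cutoff = now - timedelta(days=stale_days)
    return {
        # On the network but not in the inventory: add it or remediate it.
        "unknown": sorted(m for m in seen if m not in by_mac),
        # Inventoried and active, but not enrolled in MDM (Step 3 gap).
        "unmanaged": sorted(by_mac[m]["hostname"] for m in seen
                            if m in by_mac and by_mac[m]["mdm_enrolled"].lower() != "yes"),
        # Inventoried, absent from this scan, and last_seen older than the cutoff.
        "stale": sorted(r["hostname"] for m, r in by_mac.items()
                        if m not in seen and datetime.fromisoformat(r["last_seen"]) < cutoff),
    }


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, DISCOVERED, now=datetime(2026, 4, 21))
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Saving each run's output alongside the ticket or inventory change it triggered gives the reconciliation notes the step lists as evidence.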

Step 6 — Document onboarding/offboarding and enforce access lifecycle

Formalize how users and devices enter and leave the environment with an onboarding checklist (create account, enroll device, assign role) and an offboarding checklist (revoke access, wipe device, remove from inventory). Use automated scripts where possible (PowerShell to disable the AD account and remove it from groups; Intune to retire the device). Evidence: completed checklists, timestamps of account disablement, and MDM wipe logs. Auditors frequently ask for consistent lifecycle controls as proof that you can reliably distinguish active from inactive entities.

Step 7 — Maintain logs and simple audit trails for 90 days (or per contract) and correlate

Capture authentication and device enrollment logs that show who accessed what and from which device. For small environments, configure Windows Event Forwarding or use a lightweight SIEM (Splunk Light, Elastic Cloud, or even centralized syslog) to store logs for the contractually required period. Correlate user logins with device IDs during sampling to show identification works end-to-end. Evidence: authentication logs, MDM enrollment timestamps, and sample correlation reports used during internal review or external assessment.
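A sampling check for the correlation described in Step 7, as an added example that is not part of the original post: every successful login should resolve to a roster user (Step 2) and an inventoried device. The log format, roster, device IDs, and finding names are constructed assumptions, not the output of any particular product.

```python
from collections import defaultdict

# Constructed roster and device inventory (illustrative values only).
ROSTER = {"ang": "active", "bruiz": "active", "dkim": "disabled"}
DEVICE_OWNER = {"DEV-001": "ang", "DEV-002": "bruiz", "DEV-003": "dkim"}

# Constructed authentication events in an assumed simplified format:
# timestamp,username,device_id,result
AUTH_LOG = """\
2026-04-20T08:01:12,ang,DEV-001,success
2026-04-20T08:05:40,bruiz,DEV-002,success
2026-04-20T09:14:03,admin,DEV-002,success
2026-04-20T10:22:51,dkim,DEV-003,success
2026-04-20T11:47:09,ang,DEV-777,success
2026-04-20T12:30:00,bruiz,DEV-001,success
2026-04-20T12:31:00,ang,DEV-002,failure
"""


def correlate(auth_log, roster, device_owner):
    """Tie each successful login to a known user and a known device."""
    findings = defaultdict(list)
    for line in auth_log.strip().splitlines():
        ts, user, device, result = line.split(",")
        if result != "success":
            continue
        if user not in roster:
            # Generic or shared account names land here (Step 2).
            findings["unidentified_user"].append((ts, user, device))
        elif roster[user] != "active":
            # Offboarded account still authenticating (Step 6 gap).
            findings["disabled_account_login"].append((ts, user, device))
        if device not in device_owner:
            findings["unidentified_device"].append((ts, user, device))
        elif user in roster and device_owner[device] != user:
            # Known user on a device assigned to someone else: review.
            findings["user_on_others_device"].append((ts, user, device))
    return dict(findings)


if __name__ == "__main__":
    for finding, events in correlate(AUTH_LOG, ROSTER, DEVICE_OWNER).items():
        print(finding, events)
```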

Compliance tips, technical specifics, and summary

Best practices: require unique IDs and disable generic accounts; use role-based access so user inventory maps to access permissions; prioritize enrolling devices that access CUI; keep an evidence bundle (inventory export, policy, onboarding checklists, MDM reports, and sample logs) for assessors. Technical notes: use PowerShell or AzureAD Graph to script user/device exports, use osquery for consistent process snapshots across OSes, and schedule Nmap + DHCP reconciliation monthly. Risk of non-implementation includes unauthorized access, inability to respond to incidents, and loss of contracts or penalties; for a small business, a single compromised unmanaged device is often the root cause of breaches.

In summary, implementing IA.L1-B.1.V under FAR 52.204-21 / CMMC 2.0 Level 1 is achievable for small businesses by building a single authoritative inventory, enforcing unique user IDs, enrolling devices in an MDM, documenting processes and lifecycle procedures, and keeping simple logs for correlation — all backed by tangible evidence you can produce during an assessment. Start with the seven steps above, automate exports where possible, and keep the inventory current: that combination both reduces risk and demonstrates compliance.

 
