Identifying all information system users, running processes, and devices is a foundational step for meeting FAR 52.204-21 and CMMC 2.0 Level 1 (IA.L1-B.1.V); this post gives a practical, step-by-step approach tailored to a Compliance Framework implementation for small businesses, showing tools, commands, and policy-level actions you can adopt immediately.
Understanding the requirement and key objectives
IA.L1-B.1.V requires organizations to identify information system users, processes, and devices so that access and accountability can be enforced and monitored; for Compliance Framework programs the core objectives are (1) establish a complete and authoritative inventory of users/accounts, (2) map active processes and the accounts that run them, and (3) maintain an up-to-date inventory of devices that access or store contract information. Implementation notes: use automated discovery where possible, store inventories in a CMDB/asset database, and align identification with your identity and access management (IAM) lifecycle.
Step-by-step implementation
1) Define scope and boundaries
Start by scoping which systems contain or process controlled unclassified information (CUI) or contractor-controlled information under FAR 52.204-21. For a small business this typically includes employee laptops, corporate Wi‑Fi, office NAS, any on-prem servers, and cloud tenants (Office 365, AWS, Azure). Create a simple scope map: network segments, cloud accounts, and business apps. Assign an owner (IT lead or compliance owner) responsible for running discovery and maintaining the inventory.
2) Discover users and accounts (practical tools and commands)
Pull authoritative lists from identity providers: Active Directory (dsquery user -limit 0 / PowerShell Get-ADUser -Filter * -Properties Enabled,whenCreated), Azure AD (Get-AzureADUser), or your SAML/SCIM provider. Include local accounts for servers and devices. For lightweight environments: export user lists from G Suite/Office 365. Capture metadata per account: username, display name, email, account type (human/service), status, last logon timestamp. For audit evidence, save CSV exports and record the query used. Automate recurring exports with scheduled PowerShell, AWS Lambda or cron jobs to keep the inventory fresh.
3) Identify running processes and map to accounts
On Windows, collect process creation and ownership using Sysmon (Event ID 1) or native tasklist /v and PowerShell Get-Process | select Name,Id,StartInfo. Collect Windows Event IDs related to logon (4624) and process creation (4688 or Sysmon 1). On Linux, use ps -eo user,pid,cmd and systemctl list-units --type=service to map daemons to users. For containers, use docker ps (with a --format template to select the columns you need) and kubectl get pods -o wide. Identify service accounts and API keys used by processes (e.g., a web app running under db_user). Flag any processes running as high-privilege accounts and document why they require those privileges.
4) Discover devices and network endpoints
Inventory endpoints using MDM/UEM (Microsoft Intune, Jamf, MobileIron), endpoint management (SCCM), or free tools like Snipe-IT / Spiceworks. Network discovery techniques: DHCP lease exports, switch MAC tables, RADIUS accounting logs, and simple scans such as nmap -sP 192.168.1.0/24 for local networks. For SNMP-enabled devices, use snmpwalk -v2c -c
5) Build and maintain an inventory (CMDB) and link artifacts
Create a minimal CMDB schema: unique ID, type (user/process/device), owner, classification (CUI/no-CUI), source of truth, last updated, and evidence link (CSV, log snapshot). Small businesses can use Snipe-IT, a simple SharePoint/Google Sheet with API integrations, or a ticketing system that supports asset fields. Integrate account and device inventories with IAM and provisioning systems so deprovisioning triggers updates in the CMDB. Store evidence of discovery runs (script outputs, API dumps, SIEM queries) to demonstrate compliance during assessments.
6) Continuous monitoring, reviews, and automation
Turn identification into a continuous process: schedule automated discovery weekly or monthly, run quarterly access reviews where managers confirm active users, and perform ad-hoc discovery after major hires or procurements. Implement basic monitoring: forward Windows and Linux logs to a lightweight SIEM/Wazuh or cloud-native log store to detect new devices or unexpected service account use. Use alerts for new unknown devices connecting to corporate VLANs or for processes started by atypical accounts. Document and version your discovery scripts and keep their outputs as time-series artifacts for trend analysis.
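As an added example (not code from the original post), the following Python script ties steps 2 through 6 together: it parses constructed discovery outputs (an identity-provider user CSV, a ps -eo user,pid,cmd snapshot, and DHCP leases), writes records in the minimal CMDB schema, and applies three checks from the text: stale service accounts, processes running as high-privilege accounts, and devices with no inventory record. All inputs, the CMDB contents and the high-privilege account list are assumptions for illustration.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample inputs (not real exports): an IdP user CSV (step 2),
# a `ps -eo user,pid,cmd` snapshot (step 3) and DHCP leases (step 4).
USER_EXPORT = """username,account_type,status,last_logon
alice,human,enabled,2024-05-01
svc_backup,service,enabled,2024-01-02
bob,human,enabled,2024-05-03
"""
PS_SNAPSHOT = """USER PID CMD
root 1 /sbin/init
db_user 812 /usr/sbin/mysqld
root 915 /usr/bin/python3 /opt/app/sync.py
www-data 1020 nginx: worker process
"""
DHCP_LEASES = [("aa:bb:cc:00:00:01", "alice-laptop"), ("aa:bb:cc:00:00:09", "unknown-pi")]
# Minimal CMDB (step 5) already holding one device; the MAC is its unique ID.
CMDB = {"device:aa:bb:cc:00:00:01": {"owner": "alice", "classification": "CUI"}}
HIGH_PRIV = {"root", "SYSTEM", "Administrator"}  # assumed list, adjust per environment

def parse_users(text):
    return list(csv.DictReader(io.StringIO(text)))

def parse_ps(text):
    # Skip the header row; CMD may contain spaces, so split at most twice.
    rows = []
    for line in text.strip().splitlines()[1:]:
        user, pid, cmd = line.split(maxsplit=2)
        rows.append({"user": user, "pid": int(pid), "cmd": cmd})
    return rows

def cmdb_record(kind, key, owner, classification, source, as_of):
    """Build one record in the step-5 schema, with an evidence link for assessors."""
    return {"id": f"{kind}:{key}", "type": kind, "owner": owner,
            "classification": classification, "source_of_truth": source,
            "last_updated": as_of.isoformat(), "evidence": f"{source}-{as_of}.csv"}

def stale_service_accounts(users, as_of, days=90):
    """Service accounts with no logon in `days`: candidates for retirement."""
    cutoff = as_of - timedelta(days=days)
    return [u["username"] for u in users if u["account_type"] == "service"
            and date.fromisoformat(u["last_logon"]) < cutoff]

def privileged_processes(procs):
    """Processes running as high-privilege accounts, to be justified or fixed."""
    return [(p["pid"], p["cmd"]) for p in procs if p["user"] in HIGH_PRIV]

def unknown_devices(leases, cmdb):
    """DHCP clients with no CMDB record: the 'new unknown device' alert case."""
    return [(mac, host) for mac, host in leases if f"device:{mac}" not in cmdb]
```

Schedule this against real exports (cron or a scheduled task) and keep each run's inputs and findings as dated evidence files.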
Real-world small-business scenario and compliance tips
Example: a 30-employee contractor uses Office 365, one on-prem Windows file server, and an AWS account for application hosting. Implementation: enroll endpoints in Intune for device inventory; export Azure AD users weekly; deploy osquery on endpoints to report running processes and installed software; use AWS CLI to list instances and attach owner tags; centralize all outputs in a Snipe-IT instance and ingest critical logs into Wazuh for alerting. Compliance tips: label contractor and third-party accounts, enforce unique accounts (no shared passwords), retire service accounts that are unused for 90 days, and document every step and script output as evidence. Low-cost tools include osquery (process and file visibility), Wazuh (log ingestion and alerting), and Snipe-IT (asset inventory).
Risks of not implementing this control include undetected insider or external compromise (unauthorized accounts or rogue processes), increased attack surface (unknown devices on the network), inability to provide audit evidence during a FAR/CMMC assessment, and potential contract loss or penalties. Technically, lack of identification prevents effective application of least privilege, timely patching, and incident containment—enabling lateral movement, data exfiltration, and long-dwell breaches.
Summary: Meet IA.L1-B.1.V by scoping systems, automating discovery of users/processes/devices, storing outputs in a CMDB, and running continuous reviews and monitoring; use tools that match your budget (Intune/Azure AD for Microsoft shops, osquery/Wazuh for open-source stacks, Snipe-IT for assets), document everything, and implement simple policies (unique accounts, service account management, quarterly reviews) to close gaps. Start with a discovery sprint this week: export user lists, run network and endpoint scans, and populate a central inventory—those outputs will be your primary compliance artifacts and the basis for further security controls.