FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V require that organizations uniquely identify users and devices that access Controlled Unclassified Information (CUI) and contractor systems; this guide walks a small-business IT owner through an auditable, practical implementation using everyday tools like Active Directory, cloud identity providers, mobile device management (MDM), and network access controls (NAC).
Implementation overview — what to achieve and why it matters
The objective under the Compliance Framework is simple: every human user and every device that interacts with your environment must be identifiable and traceable. Concretely you need a repeatable enrollment/onboarding process, unique user and device identifiers, enforcement of authentication for access, and evidence (reports/logs) you can present during assessments. That means building (or documenting) an inventory, enrollment workflows, authentication configuration, and logging/retention processes tailored to your IT footprint.
Step 1 — Inventory and baseline (technical details and artifacts)
Start by creating a canonical inventory of users and devices. For users, export your identity store (Active Directory, Azure AD, Okta) to a CSV with columns: unique ID (sAMAccountName or Azure AD objectId), display name, email, role/group membership, status, and date created. Example PowerShell for on-prem AD (WhenCreated and MemberOf are not in Get-ADUser's default property set, so they must be requested with -Properties; the calculated Groups column flattens membership to group names): Get-ADUser -Filter * -Properties DisplayName,EmailAddress,Enabled,MemberOf,WhenCreated | Select-Object SamAccountName,DisplayName,EmailAddress,Enabled,WhenCreated,@{Name='Groups';Expression={($_.MemberOf -replace '^CN=([^,]+),.*','$1') -join ';'}} | Export-Csv users.csv -NoTypeInformation. For devices, use your MDM or endpoint manager to export enrolled device IDs, platform (Windows/macOS/iOS/Android), hostname, serial, and last-checkin timestamp. Those CSVs are primary artifacts for Compliance Framework evidence and will help detect orphaned accounts or unmanaged endpoints.
Step 2 — Enforce unique identification and authentication
Ensure every user has a unique account and avoid shared logins. Implement an identity provider (IdP) such as Azure AD, Okta, or a hardened on-prem AD. For devices, enroll them in an MDM (Microsoft Intune, Jamf, or a comparable product) and apply device identifiers (device IDs, certificate CNs). Technical controls to configure: require MFA for interactive logins (TOTP or FIDO2 keys), configure conditional access policies to deny access from unmanaged devices, and use certificate-based authentication (EAP-TLS) for Wi‑Fi and VPN where feasible. For device certificates, adopt a naming convention (CN=device-hostname; OU=site; serial) and automate issuance with SCEP/Intune or a lightweight internal PKI to avoid manual certificate handling.
Step 3 — Enrollment, segmentation, and access control
Operationalize identification with clear onboarding/offboarding steps: (1) create user account in IdP and add to role groups; (2) enroll endpoint in MDM and assign configuration profile; (3) issue device certificate or token; (4) validate posture via NAC. Use network segmentation to separate unmanaged or IoT devices from CUI-handling assets: place them on separate VLANs, enforce DHCP-based access control with NAC (FreeRADIUS + packet filter or commercial ISE), and configure ACLs so only identified and compliant devices access sensitive servers. For small businesses with limited budget, a managed switch + VLANs + an inexpensive RADIUS server for 802.1X can deliver large risk reduction at low cost.
Logging, monitoring, and evidentiary artifacts for auditors
Centralize authentication and device logs so each access event contains a unique user and device identifier. For Windows endpoints, enable Windows Event Forwarding or a lightweight SIEM (Splunk, Elastic, or a cloud logging service) to collect logon events, device enrollment events, and MDM check-ins. Key log fields to capture: timestamp, user principal name, source IP, device ID, authentication method, and event outcome. Retain logs per your contract and assessment expectations (commonly 90–365 days depending on contract clauses). When preparing for an assessment, export: (a) user export CSV with group membership, (b) MDM enrollment reports, (c) NAC access logs showing MAC/IP to device ID mapping, and (d) conditional access policy screenshots — these are concrete artifacts that demonstrate IA.L1-B.1.V compliance.
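The reconciliation that Step 1's CSVs and the centralized NAC logs above make possible, as an added example (not code from the original guide): it cross-checks a constructed user export, a constructed MDM device export, and constructed key=value RADIUS accept lines, and reports events lacking a user or device identifier, devices seen on the network but not enrolled, certificate CNs that do not match the MDM hostname, logons without a device certificate, and enabled accounts with no access events in the window (treated here, by assumption, as orphaned).

```python
import csv, io, re
from collections import defaultdict

# Constructed sample artifacts (not real exports): the Step 1 user CSV, the MDM
# device export, and NAC/RADIUS accept lines in an assumed key=value layout.
USERS_CSV = """SamAccountName,DisplayName,Enabled,Groups
jdoe,Jane Doe,True,CUI-Engineers;VPN-Users
bsmith,Bob Smith,True,Finance
ghost,Old Contractor,True,VPN-Users
"""
DEVICES_CSV = """DeviceId,Hostname,Serial,Platform,LastCheckin
d-1001,lt-eng-07,SN7781,Windows,2024-05-01T08:00:00Z
d-1002,mb-fin-02,SNA1C3,macOS,2024-05-01T09:10:00Z
"""
NAC_LOG = """2024-05-01T08:02:11Z user=jdoe device=d-1001 cn=lt-eng-07 mac=aa:bb:cc:00:11:22 ip=10.10.1.21 auth=EAP-TLS result=accept
2024-05-01T08:30:45Z user=bsmith device=d-1002 cn=mb-fin-09 mac=aa:bb:cc:00:33:44 ip=10.10.1.33 auth=EAP-TLS result=accept
2024-05-01T09:15:00Z user=jdoe device=d-2099 cn=lt-eng-07 mac=aa:bb:cc:00:55:66 ip=10.10.9.5 auth=PEAP result=accept
2024-05-01T10:00:00Z user=svc-printer mac=aa:bb:cc:00:77:88 ip=10.10.9.9 auth=MAB result=accept
"""
REQUIRED = ("user", "device", "auth", "result")  # fields every access event must carry
KV = re.compile(r"(\w+)=(\S+)")

def parse_log(text):
    # Each line is a timestamp followed by key=value fields.
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        events.append(dict(KV.findall(rest), ts=ts))
    return events

def reconcile(users_csv, devices_csv, nac_log):
    # Cross-check IdP users, MDM devices and NAC events; return findings by category.
    users = {u["SamAccountName"]: u for u in csv.DictReader(io.StringIO(users_csv))}
    devices = {d["DeviceId"]: d for d in csv.DictReader(io.StringIO(devices_csv))}
    findings, seen_users = defaultdict(list), set()
    for ev in parse_log(nac_log):
        missing = [k for k in REQUIRED if k not in ev]
        if missing:  # event cannot be tied to both a unique user and a unique device
            findings["incomplete_event"].append((ev["ts"], missing))
        user, dev = ev.get("user"), ev.get("device")
        seen_users.add(user)
        if user and user not in users:
            findings["unknown_user"].append(user)
        if dev and dev not in devices:  # on the network but not enrolled in MDM
            findings["unmanaged_endpoint"].append((dev, ev.get("mac")))
        elif dev and ev.get("cn") != devices[dev]["Hostname"]:  # cert CN vs MDM hostname
            findings["cn_mismatch"].append((dev, ev.get("cn")))
        if ev.get("auth") != "EAP-TLS":  # no device certificate was presented
            findings["no_device_cert"].append((user, ev.get("auth")))
    for name, u in users.items():  # enabled accounts with no access events in the window
        if u["Enabled"] == "True" and name not in seen_users:
            findings["orphaned_account"].append(name)
    return dict(findings)
```

Running reconcile(USERS_CSV, DEVICES_CSV, NAC_LOG) over real exports gives a findings list to attach to the evidence package and a remediation queue for the offboard/enrollment checklists.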
Real-world small-business scenarios
Scenario A: A 12-person SaaS shop uses Azure AD + Intune. Implementation: onboard all employees into Azure AD, require MFA, use Intune to enforce BitLocker and device enrollment; Conditional Access blocks sign-ins from unmanaged devices. Evidence: Azure AD user export, Intune device compliance report, conditional access policy screenshot, and login audit showing deviceID & user. Scenario B: A small engineering firm has 20 machines and several shop-floor IoT sensors. Implementation: create two VLANs (office, OT), deploy FreeRADIUS + host-based certificates for OT gateway authentication, enroll laptops in Jamf for patching and inventory, and use NAC to keep unknown IoT on a quarantined VLAN until approved. Evidence: VLAN config + NAC logs mapping MAC to certificate CN, MDM inventory, and the inventory CSV described earlier.
Compliance tips, best practices, and risk if you don’t implement
Best practices: enforce least privilege by using AD groups to assign role-based access, automate onboarding/offboarding with a simple ticket + script so accounts are created and deprovisioned reliably, and codify device naming and certificate issuance to avoid misidentification. Keep an offboard checklist that revokes device certificates, disables the IdP account, and removes MDM profiles. Risks of omission include impersonation (shared/ghost accounts), lateral movement from unmanaged devices, failure of audits leading to contract loss or remediation demands, and potential data exposure. Even a small gap—an unmanaged laptop with stale credentials—can be the vector that compromises CUI and your contract standing under FAR.
In summary, implementing IA.L1-B.1.V under the Compliance Framework is achievable for small businesses by combining a verified inventory, unique user/device identifiers, enforced authentication (MFA and device certificates), enrollment via MDM/NAC, and centralized logging; preparing the specific CSVs and reports described here gives you the auditable evidence assessors expect and materially reduces risk to your organization.