This guide walks a small business through implementing user and device identification controls mapped to FAR 52.204‑21 and CMMC 2.0 Level 1 (Control IA.L1-B.1.V), offering concrete technical steps, low-cost tooling options, real-world scenarios, and the evidence you need for auditors.
What IA.L1-B.1.V / FAR 52.204‑21 expects (Plain English)
At Level 1 the requirement is straightforward: systems that handle Controlled Unclassified Information (CUI) must identify who is connecting and which devices are connecting, and ensure only authorized users and devices can access CUI-containing resources. For a small business this translates into unique user accounts, a maintained device inventory, and access controls that tie identity and device posture (where feasible) to permitted access.
Step-by-step implementation (practical, prioritized)
Follow these practical steps in order—each step builds evidence and reduces risk. Tailor choices to your environment (Windows shop, macOS mix, or cloud-first):
- Define policy and roles: document an Identification and Authentication policy that references IA.L1-B.1.V, describes unique user IDs, device registration, and onboarding/offboarding procedures.
- Build an authoritative user directory: deploy or use an existing directory (Active Directory, Azure AD, or a cloud IAM). Ensure every person has a unique username and assigned role or group.
- Create a device inventory and classification: collect serial numbers, OS, owner, asset tag, and whether the device is company-owned or BYOD. Store this in a CSV or inventory tool (GLPI, Intune inventory, or a simple secured spreadsheet for very small shops).
- Implement device enrollment: require device registration before granting access—use MDM (Microsoft Intune, Jamf, or a low-cost MDM) or certificate enrollment (SCEP/PKI) for network/VPN access.
- Enforce authentication and access controls: configure RADIUS/802.1X for wired/wireless where possible or require VPN with certificate or username+MFA for remote access. Map AD groups to least-privilege resource ACLs.
- Log and retain evidence: enable and centralize authentication logs (Windows Security Event Log, Azure AD sign-in logs, RADIUS logs) and keep retention consistent with your policy (90 days minimum for small shops aiming to demonstrate adherence).
Technical examples and configurations
Example 1 — Small engineering firm (25 users) using Microsoft 365: use Azure AD as the authoritative directory, enable Conditional Access to require device compliance from Intune before permitting access to SharePoint/Teams, enroll company laptops in Intune, and require MFA for remote sign-in. Evidence: Azure AD user list export, Intune device inventory report, Conditional Access policy screenshots, sign-in logs filtered by device compliance.
Example 2 — Mixed-platform office with on-prem network and VPN: deploy FreeRADIUS behind pfSense to authenticate via AD (LDAP) and require client certificates for VPN (OpenVPN or WireGuard with certificate auth). Enroll certificates using a small internal CA (e.g., TinyCA2 or Windows CA) and document issuance records. Evidence: RADIUS logs, VPN connection logs, certificate issuance logs, device inventory linking CN to user.
BYOD and contractor scenarios
For BYOD, require a registration and attestation process: a guest profile in your IAM, restricted access to only non-CUI resources unless the device meets compliance (MDM enrollment, endpoint agent, or ephemeral VPN certificate). For contractors, issue scoped accounts with expiration dates and document account provisioning and deprovisioning. Practical tip: use expiring group membership and automation (PowerShell or cloud IAM APIs) to reduce forgotten accounts.
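The "expiring group membership and automation" tip above, as an added example that is not part of the original guide or of any directory product: a small review routine that turns a directory export into deprovisioning actions with a written reason for the offboarding record. The account records, group names, and field names (expires, last_signin, groups) are constructed for illustration and stand in for whatever your directory or IAM API returns.

```python
from datetime import date, timedelta

# Constructed directory records (not from a real tenant). Field names are
# assumptions standing in for whatever your directory or IAM API returns.
# A group value of None means the membership has no expiry.
ACCOUNTS = [
    {"username": "jsmith", "type": "employee", "expires": None, "last_signin": "2024-03-01",
     "groups": {"Engineering": None}},
    {"username": "tcontractor", "type": "contractor", "expires": "2024-02-15",
     "last_signin": "2024-02-10", "groups": {"Contractors": None, "CUI-Project-A": "2024-02-15"}},
    {"username": "bvendor", "type": "contractor", "expires": "2024-03-20",
     "last_signin": "2023-11-02", "groups": {"Contractors": None, "CUI-Project-B": "2024-03-01"}},
]

def _d(s):
    """Parse an ISO date string, passing None through."""
    return date.fromisoformat(s) if s else None

def review_accounts(accounts, today, warn_days=14, stale_days=90):
    """Return (username, action, reason) tuples; the reason is what you file as
    the offboarding or deprovisioning record for the assessor."""
    actions = []
    for a in accounts:
        exp, last = _d(a["expires"]), _d(a["last_signin"])
        if exp and exp < today:
            actions.append((a["username"], "disable-account", f"account expired {exp}"))
        elif exp and exp - today <= timedelta(days=warn_days):
            actions.append((a["username"], "notify-sponsor", f"account expires {exp}"))
        # Expired group membership is removed even when the account itself is still valid.
        for group, gexp in a["groups"].items():
            if gexp and _d(gexp) < today:
                actions.append((a["username"], f"remove-from:{group}", f"membership expired {gexp}"))
        # Accounts nobody uses are the ones that get forgotten; flag them for review.
        if last is None or (today - last).days > stale_days:
            why = "never signed in" if last is None else f"last sign-in {last}"
            actions.append((a["username"], "review-stale", why))
    return actions
```

Run it from a scheduled task with the current date and feed the actions to your directory tooling; keep the returned tuples as the provisioning/deprovisioning evidence.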
Logging, evidence, and audit readiness
Auditors will want to see the policy, the current user directory export, a device inventory with timestamps, onboarding/offboarding records, and authentication logs that show who and what authenticated. Implement central logging early (syslog server, SIEM-lite like OSSIM or a cloud log archive). Ensure you can correlate user IDs to device identifiers (MAC, deviceID, certificate subject) in at least several sample log entries.
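To make the "log and retain evidence" step and the correlation requirement above concrete, here is an added example (not from the original guide or from any vendor tool) that matches successful RADIUS logins against a device inventory export and a user directory export, and flags the gaps an assessor would ask about. The CSV columns, usernames, MACs and log lines are constructed for illustration; the log lines follow the shape of FreeRADIUS radius.log "Login OK" entries, and the same approach applies to VPN or Azure AD sign-in exports once you adjust the parser.

```python
import csv
import io
import re
# Constructed sample data, not from any real environment. Column names are
# assumptions; adapt them to what your inventory tool and directory export.
DEVICE_INVENTORY_CSV = """asset_tag,serial,owner,ownership,mac
LT-001,5CD1234ABC,jsmith,company,00-11-22-33-44-55
LT-002,5CD5678DEF,mlee,company,00-11-22-33-44-66
"""
USER_DIRECTORY_CSV = """username,enabled,group
jsmith,true,Engineering
mlee,false,Engineering
tcontractor,true,Contractors
"""
# Constructed lines in the shape of FreeRADIUS radius.log "Login OK" entries.
RADIUS_LOG = """\
Mon Mar  4 09:01:10 2024 : Auth: (3) Login OK: [jsmith] (from client office-switch port 5 cli 00-11-22-33-44-55)
Mon Mar  4 09:02:31 2024 : Auth: (4) Login OK: [mlee] (from client office-switch port 7 cli 00-11-22-33-44-66)
Mon Mar  4 09:05:44 2024 : Auth: (5) Login OK: [tcontractor] (from client office-wifi port 0 cli 00-AA-BB-CC-DD-EE)
Mon Mar  4 09:06:02 2024 : Auth: (6) Login OK: [jsmith] (from client office-wifi port 0 cli 00-11-22-33-44-66)
"""
LOGIN_RE = re.compile(r"^(?P<ts>.+?) : Auth: \(\d+\) Login OK: \[(?P<user>[^\]]+)\] "
                      r"\(from client \S+ port \d+ cli (?P<mac>[0-9A-Fa-f-]{17})\)")

def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def correlate(log_text, inventory_csv, directory_csv):
    """Tie each successful login to a directory user and an inventoried device."""
    devices = {r["mac"].upper(): r for r in load_rows(inventory_csv)}
    users = {r["username"]: r for r in load_rows(directory_csv)}
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m:
            continue  # only successful logins are correlated here
        user, mac = m["user"], m["mac"].upper()
        device = devices.get(mac)
        issues = []
        if user not in users:
            issues.append("user-not-in-directory")
        elif users[user]["enabled"].lower() != "true":
            issues.append("user-disabled-in-directory")  # log predates the export, or worse
        if device is None:
            issues.append("device-not-in-inventory")
        elif device["owner"] != user:
            issues.append("owner-mismatch")  # shared or borrowed device: needs a documented reason
        findings.append({"timestamp": m["ts"], "user": user, "mac": mac, "issues": issues,
                         "asset_tag": device["asset_tag"] if device else None})
    return findings
```

Entries with an empty issues list are the sample log lines you hand to the assessor; the rest are inventory or directory gaps to fix before the assessment.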
Risks of NOT implementing identification controls
Without unique user IDs and device identification you face elevated risk of unauthorized access, lateral movement, and data exfiltration. For a small business contracting with the federal government this can mean lost contracts, required remedial audits, and reputational damage. Technically, lack of identification prevents you from enforcing least privilege, detecting compromised accounts, and responding effectively to an incident.
Compliance tips and best practices
Keep these practical best practices front-of-mind: automated onboarding/offboarding to avoid lingering accounts; enforce least privilege via group-based access; prefer certificate-based or device-backed attestation for stronger device identity; collect and retain authentication logs for demonstrable periods; and keep a simple, single source of truth for device inventory. For budget-conscious shops, cloud-managed solutions (Azure AD + Intune) or open-source combos (OpenLDAP + FreeRADIUS + pfSense) provide a balance of cost and capability.
Implementing IA.L1-B.1.V is achievable for small businesses by documenting policy, centralizing user and device records, enforcing device enrollment/certificates, enabling authentication controls, and keeping audit-ready logs; doing so reduces risk and creates clear evidence for FAR 52.204‑21 / CMMC Level 1 assessments.