The IA.L1-B.1.V control in CMMC 2.0 Level 1 (and the safeguarding expectations in FAR 52.204‑21) requires organizations to uniquely identify and authenticate users and devices before granting access to Federal Contract Information (FCI) and other controlled data. Implementing this control means you must have repeatable, verifiable processes and technical controls that prove who or what is connecting to your systems and that those endpoints meet minimum posture standards.
What "identify users and devices" means in practice
At the framework level this is not just a checkbox — it's a capability set: unique user accounts (no shared logins), machine identities for devices (certificates, device IDs, TPM-backed keys), a documented account lifecycle (provisioning and deprovisioning), and authentication mechanisms (passwords with complexity requirements, MFA, certificate-based authentication). For small businesses, meeting IA.L1-B.1.V typically means establishing these basics in a cost-effective, auditable way.
Step-by-step implementation approach
Start with scoping and policy: identify systems and data considered FCI or within the compliance boundary, then create an Identity and Device Management policy that states unique IDs are required, shared accounts are disallowed, and all devices connecting to the environment must be enrolled and meet baseline posture checks. Next, implement technical controls in this order: 1) central identity source (Azure AD, Active Directory, Okta, or LDAP), 2) unique user accounts with MFA enabled, 3) device enrollment (MDM) and device identity issuance (device certificates or managed device objects), and 4) network/access controls that require authenticated identities and device posture before access (conditional access, 802.1X, VPN with client certs).
Technical options and configurations (practical details)
Useful technical building blocks include: certificate-based authentication (X.509) issued via your PKI or a cloud CA; 802.1X + RADIUS (FreeRADIUS/pfSense, Windows NPS, Cisco ISE) for wired/Wi‑Fi access; MDM solutions (Microsoft Intune, Jamf, MobileIron) to enforce encryption (BitLocker/FileVault), screen lock, AV, and patching; and conditional access policies (Azure AD Conditional Access) that require device compliance and MFA for cloud apps. Configure certificates with private keys stored in TPM/secure enclave; avoid relying solely on MAC addresses because they are easily spoofed. For VPNs, prefer client certificate authentication or SAML+device posture checks instead of password-only logins.
Device identity and attestation specifics
For stronger assurance, enroll devices and issue machine certificates using SCEP/Intune or an internal CA; configure systems to present the certificate during TLS or 802.1X authentication. On Windows, enable Windows Hello for Business backed by TPM keys; on macOS use MDM-supplied certificates and enforce FileVault. Implement device posture checks that verify OS version, AV status, disk encryption, and presence in the MDM inventory. Where available, use device attestation features (TPM attestation, Apple DeviceCheck, Android SafetyNet) so that a device's reported identity is cryptographically verifiable.
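As an added illustration of the conditional-access and posture logic described in the implementation steps, technical options, and device identity sections above (example code written for this page, not any vendor's or MDM product's logic), the following evaluates one authentication request against a constructed MDM inventory, a revocation list, and a constructed policy baseline. The thumbprints, OS versions, MFA method names, and shared-account names are all placeholders.

```python
from dataclasses import dataclass

# Constructed policy values (placeholders): minimum OS version per platform,
# MFA methods treated as phishing-resistant, and generic account names the policy forbids.
MIN_OS = {"windows": (10, 0, 19045), "macos": (13, 0, 0)}
PHISHING_RESISTANT = {"fido2", "certificate", "windows_hello"}
SHARED_ACCOUNTS = {"admin", "frontdesk", "scanner"}

@dataclass
class Device:                 # one MDM inventory record, keyed by certificate thumbprint
    platform: str
    os_version: tuple
    disk_encrypted: bool
    av_healthy: bool
    tpm_backed_key: bool      # private key generated in TPM / secure enclave

# Constructed inventory and revocation list; thumbprints are placeholders.
INVENTORY = {
    "AA11": Device("windows", (10, 0, 19045), True, True, True),
    "BB22": Device("macos", (12, 6, 0), True, True, True),         # OS below baseline
    "CC33": Device("windows", (10, 0, 22631), False, True, True),  # no BitLocker
}
REVOKED = {"DD44"}

def evaluate(username, mfa_method, thumbprint, inventory=INVENTORY, revoked=REVOKED):
    """Return (allowed, reasons). mfa_method None = password only; thumbprint None =
    no client certificate. Every failed check is recorded so the decision is auditable."""
    reasons = []
    if username.lower() in SHARED_ACCOUNTS:
        reasons.append("shared_account")
    if not mfa_method:
        reasons.append("mfa_missing")
    elif mfa_method not in PHISHING_RESISTANT:
        reasons.append("mfa_not_phishing_resistant")   # logged as a warning, not a denial
    if thumbprint is None:
        reasons.append("no_device_certificate")        # unmanaged endpoint
    elif thumbprint in revoked:
        reasons.append("certificate_revoked")
    elif thumbprint not in inventory:
        reasons.append("device_not_enrolled")
    else:
        d = inventory[thumbprint]
        # An unknown platform has no baseline, so it is treated as failing the OS check.
        checks = {"os_below_baseline": d.os_version < MIN_OS.get(d.platform, (float("inf"),)),
                  "disk_not_encrypted": not d.disk_encrypted,
                  "av_unhealthy": not d.av_healthy,
                  "key_not_hardware_backed": not d.tpm_backed_key}
        reasons += [name for name, failed in checks.items() if failed]
    denials = [r for r in reasons if r != "mfa_not_phishing_resistant"]
    return (not denials, reasons)
```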
Real-world small business scenarios
Example 1 — Small Gov contractor (15 people, hybrid work): Use Azure AD as the single identity provider, require Azure AD Join for corporate laptops, enforce Intune enrollment, enable Conditional Access requiring MFA and device compliance for Microsoft 365 and contractor portals, and issue client certificates for VPN access. Implement a simple deprovisioning runbook tied to HR so terminated contractors are removed from groups and their devices are wiped.
Example 2 — Small firm with on-prem services: Use an on-prem AD with NPS + FreeRADIUS for Wi‑Fi 802.1X, deploy a pfSense VPN that requires client certificates, manage endpoints with a lightweight MDM (e.g., Mosyle or Jamf for Macs), and use osquery + Wazuh for inventory and posture scanning. Keep a spreadsheet or CMDB for asset tracking, but automate discovery with scripts to reduce human error.
Logging, lifecycle, and monitoring
Capture authentication events with both user and device attributes in logs (username, device ID/certificate thumbprint, IP address, time, authentication method). Forward logs to a central SIEM or log collector (Splunk, Elastic, Wazuh) and retain them per your retention policy as evidence during an audit. Automate the account lifecycle: integrate HR with identity (SCIM) when possible, enforce password rotation policies (or, better, passkeys, or short rotation periods combined with MFA), and have automated actions that disable access on termination. Periodically review the device inventory and revoke certificates for decommissioned devices.
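An added example of reviewing forwarded authentication logs for the attributes and lifecycle checks described above (written for this page, not taken from any SIEM product): it parses constructed key=value records and flags records missing required fields, password-only logins, authentications by devices already marked decommissioned (whose certificates should have been revoked), and a user appearing on more devices than expected, which is one signal of a shared credential. The log format, thumbprints, and decommissioned set are assumptions.

```python
import re
from collections import defaultdict

# Attributes every authentication record must carry to serve as audit evidence.
REQUIRED = ("ts", "user", "device", "src", "method", "result")

# Constructed sample records (one per line); all values are placeholders.
SAMPLE_LOG = """\
ts=2024-05-01T08:01:10Z user=alice device=AA11 src=10.0.0.12 method=cert+fido2 result=success
ts=2024-05-01T08:03:44Z user=alice device=AA11 src=10.0.0.12 method=cert+fido2 result=success
ts=2024-05-01T08:05:02Z user=bob device=BB22 src=10.0.0.20 method=cert+totp result=success
ts=2024-05-01T08:07:19Z user=bob device=EE55 src=10.0.0.77 method=cert+totp result=success
ts=2024-05-01T08:09:31Z user=carol device=DD44 src=10.0.0.31 method=cert+fido2 result=success
ts=2024-05-01T08:11:00Z user=dave src=10.0.0.40 method=password result=success
"""

KV = re.compile(r"(\w+)=(\S+)")

def parse(line):
    """Turn one key=value record into a dict."""
    return dict(KV.findall(line))

def review(log_text, decommissioned=frozenset({"DD44"}), max_devices=1):
    """Return {finding_type: sorted list} for an audit checklist. max_devices is the
    number of distinct device identities one person is expected to use (constructed)."""
    findings = defaultdict(set)
    devices_by_user = defaultdict(set)
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        missing = [f for f in REQUIRED if f not in rec]
        if missing:   # evidence gap: record cannot tie a user to a device
            findings["incomplete_record"].add(f"line {n}: missing {','.join(missing)}")
        if rec.get("result") != "success":
            continue
        if rec.get("method") == "password":
            findings["password_only_auth"].add(rec["user"])
        dev = rec.get("device")
        if dev in decommissioned:   # certificate should have been revoked at decommission
            findings["decommissioned_device_auth"].add(dev)
        if dev:
            devices_by_user[rec["user"]].add(dev)
    for user, devs in devices_by_user.items():
        if len(devs) > max_devices:
            findings["user_on_multiple_devices"].add(user)
    return {k: sorted(v) for k, v in findings.items()}
```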
Risks of not implementing IA.L1-B.1.V
Without unique identification and device verification you face elevated risk of unauthorized access through shared credentials, device spoofing, or compromised unmanaged endpoints; that can lead to FCI exposure, contractual noncompliance, lost contracts, government penalties, and reputational harm. Practically, an unmanaged laptop connecting to your network could introduce ransomware or exfiltrate sensitive data — and during an audit you may be unable to prove controls were in place, which can cost you eligibility for future federal work.
Compliance tips and best practices
Keep these pragmatic tips in mind: scope narrowly and expand; start with users and cloud services where risk is highest; prefer managed identities and device enrollment over ad-hoc controls; use MFA everywhere (phishing-resistant methods when possible); avoid shared accounts and document any exceptions; automate provisioning/deprovisioning and certificate renewal; conduct quarterly device inventory reconciliations; and run tabletop exercises to validate incident response for compromised identities or devices. For budget-conscious teams, open-source tools (pfSense + FreeRADIUS, OpenVPN with client certs, osquery) combined with cloud identity (Azure AD free tier) can meet many requirements without large overhead.
In summary, meeting FAR 52.204‑21 and CMMC 2.0 Level 1 IA.L1-B.1.V requires a combination of policy, identity tooling, device enrollment, and enforcement (MFA, certificates, posture checks) plus logging and lifecycle management; for small businesses the pragmatic path is to scope, centralize identity, enroll devices, require MFA and device compliance, and automate deprovisioning—this both reduces risk and produces the evidence auditors and contracting officers expect.