How to Meet CMMC IA.L1-B.1.VI

Requirement

IA.L1-B.1.VI – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. This control comes from FAR 52.204-21 / CMMC 2.0 Level 1.

Understanding the Requirement

This control requires you to positively identify who or what is trying to use your systems before granting access. For people, that usually means a unique username and a difficult-to-guess password. For processes acting on behalf of users (like services, scripts, or applications), it means using dedicated service accounts or keys that are authenticated before they run. For devices, it means verifying that only approved, known devices can connect or log in. In short: no identity, no access—whether it’s a user, a process, or a device.

Policies and Procedures Needed

Establish clear procedures for account onboarding and offboarding (create, change, disable, and remove accounts), device authorization (approve and enroll company-owned and BYOD devices before they can connect), and the management of service accounts (unique credentials, limited scope, documented ownership). Define password standards, default credential changes, and how authentication is enforced for VPN and Wi‑Fi. Schedule periodic access reviews to validate that only active, authorized users, processes, and devices retain access, and require prompt revocation when roles change or staff depart.

Technical Implementation

• Require passwords for all user accounts and remove/disable any accounts without a password. Use Group Policy or Microsoft Endpoint Manager to enforce password policies (minimum length, complexity, lockout after failed attempts, and password expiration/rotation that aligns with your policy).
• Eliminate default credentials on all systems and network equipment. On first use, change factory usernames/passwords on routers, firewalls, cameras, printers, and applications to strong, unique passwords stored in an approved password manager.
• Control device access by enrolling endpoints before they can connect to corporate resources. Join Windows devices to Active Directory or Azure AD, require device compliance via Microsoft Endpoint Manager, and block VPN/Wi‑Fi access for devices that are not enrolled or do not meet compliance (e.g., no password, out-of-date OS).
• Authenticate processes with dedicated service accounts or application credentials. Create unique, non-interactive service accounts with least-privilege permissions, store secrets securely (e.g., in a password manager or key vault), and rotate them on a defined schedule or when staff roles change.
• Secure remote and wireless access with authentication that ties to identities you control. Use per-user VPN accounts and WPA2/WPA3-Enterprise for Wi‑Fi (individual user/device credentials), and disable guest/anonymous access to internal networks.
• Harden local administrator access. Disable shared/local admin where possible, or use Windows LAPS to enforce unique, rotating local admin passwords and restrict who can retrieve them.

Example in a Small or Medium Business

A 55-person manufacturing company assigns the IT manager, Alice, to implement IA.L1-B.1.VI. She creates a Group Policy that enforces a 14-character minimum password, account lockout after five failed attempts, and password protection on every user account. Alice enrolls all laptops in Microsoft Endpoint Manager and configures a compliance policy so only enrolled, compliant devices can access the VPN and company Wi‑Fi. When a new router arrives with the default password “admin123,” she immediately changes it to a unique, complex password and stores it in the company’s password manager. For nightly backups, Alice creates a dedicated “svc_backup” service account with only the permissions required for backup jobs and records ownership, purpose, and rotation dates. She disables any unused default accounts on servers and network gear. During offboarding, HR notifies Alice, who promptly disables the user account, removes device access, and verifies that any associated service credentials or API keys are rotated. A quarterly review confirms that all active accounts, devices, and service credentials are still required and properly authenticated.

Summary

By defining clear account and device procedures, enforcing strong authentication for users, processes, and devices, and removing default or anonymous access, an SMB can reliably ensure that only verified identities reach company systems. Practical controls—like password policies via Group Policy or Endpoint Manager, device enrollment requirements, per-user VPN/Wi‑Fi credentials, and managed service accounts—close common gaps and make authentication a prerequisite to access. Combined with routine access reviews and disciplined offboarding, these measures meet IA.L1-B.1.VI and provide a solid foundation for protecting business information.