
How to Meet FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V

Practical guide for SMBs to implement FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V

January 06, 2026


Requirement

FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V – Identify information system users, processes acting on behalf of users, or devices.

Understanding the Requirement

This control requires that every human user account, any automated process acting on behalf of a user (for example service or application accounts), and each device that connects to your systems be given a unique identity so they can be authenticated and traced. Identifying users, processes, and devices supports accountability, incident investigation, and access control. This guidance aligns with the intent of the FAR 52.204-21 / CMMC 2.0 Level 1 baseline: assign and maintain unique identifiers so you can determine who or what performed an action, when, and from which endpoint.

Technical Implementation

  • Define simple naming conventions: Create a short policy that prescribes unique, unambiguous names for user accounts, service accounts, servers and endpoints. Example: user accounts as firstinitiallastname (jdoe) or first.last (john.doe), servers as Model_Serial or Location-Role-Serial. Document the convention and require it during onboarding.

  • Use centralized identity management: Implement a central directory (Active Directory, Azure AD, or a cloud identity provider) so all human and service accounts are created and managed centrally. Enforce uniqueness at creation, require approval workflows for new accounts, and add metadata tags for owner, department, and purpose.

  • Control and label service/process accounts: Treat processes acting on behalf of users as first-class identities. Create dedicated service accounts with descriptive names (e.g., svc_payroll_sync), document their use, restrict interactive logon, and attach expiration or rotation rules for credentials and API keys.

  • Inventory and identify devices: Maintain an asset inventory that records hostname, serial number, MAC address, device owner, OS, and management status. Use endpoint management (MDM/EDR) to enforce unique device identifiers and automatically enroll new devices so their identity is known before granting network access.

  • Enforce authentication and logging: Require authenticated sessions for all privileged actions and log identity attributes with each event. Configure logs to record user/service account and device identifier (hostname, certificate subject, or IP) to enable event correlation and audits.

  • Implement lifecycle controls and reviews: Integrate identity creation into HR/onboarding and offboarding processes. Perform quarterly reviews to find duplicate or ambiguous accounts, retire unused service accounts, and reconcile the asset inventory against active directory and endpoint systems.

Example in a Small or Medium Business

Acme Tech, a 75-person engineering firm, decides to comply with IA.L1-B.1.V during a customer security assessment. The IT manager publishes an account naming standard: employees use first.last for email and login, contractors use contractor.firstname.last, and service accounts start with svc_. They deploy Azure AD for central identity and enable device enrollment through Microsoft Intune so laptops are automatically tagged with owner and serial number. When the help desk creates a new account, they attach the employee ID and department in Azure AD and require manager approval. Service accounts are logged in a simple spreadsheet and marked with expiration dates; any automation using those accounts must use stored credentials rotated quarterly. Quarterly audits compare the asset inventory to the directory, revealing three orphaned accounts and two devices that haven't checked in with Intune; the IT manager disables the accounts and physically locates the devices. Over time, the firm can trace login events to a named user or device, speeding incident response and satisfying the customer's audit requirements.
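The quarterly review described above, checked against Acme Tech's naming standard, as an added example (not code from the original guide). The account, inventory and enrollment records are constructed sample data, and the field names and the functions `review_accounts` and `reconcile_devices` are hypothetical; real inputs would come from directory and endpoint-management exports.

```python
import re
from datetime import date

# Naming standard from the Acme example: first.last, contractor.firstname.last, svc_ prefix.
PATTERNS = {
    "user": re.compile(r"^[a-z]+\.[a-z]+$"),
    "contractor": re.compile(r"^contractor\.[a-z]+\.[a-z]+$"),
    "service": re.compile(r"^svc_[a-z0-9_]+$"),
}

# Constructed sample exports (not real data); field names are assumptions.
ACCOUNTS = [
    {"name": "john.doe", "type": "user", "owner": "E1001", "expires": None},
    {"name": "John.Doe", "type": "user", "owner": "E1002", "expires": None},
    {"name": "contractor.ana.ruiz", "type": "contractor", "owner": "C2001", "expires": None},
    {"name": "svc_payroll_sync", "type": "service", "owner": "E1001", "expires": date(2025, 12, 31)},
    {"name": "backupjob", "type": "service", "owner": "", "expires": None},
]
INVENTORY = {"SN-A1": "LT-JDOE", "SN-B2": "LT-ARUIZ", "SN-C3": "SRV-FILE01"}  # serial -> hostname
ENROLLED = {"SN-A1", "SN-C3", "SN-Z9"}  # serials reported by endpoint management


def review_accounts(accounts, today):
    """Return {account name: [findings]} for accounts that fail the identity rules."""
    findings, seen = {}, {}
    for acct in accounts:
        issues = []
        if not PATTERNS[acct["type"]].match(acct["name"]):
            issues.append("name violates convention")
        key = acct["name"].lower()  # names differing only by case count as one identity
        if key in seen:
            issues.append(f"duplicates {seen[key]}")
        seen.setdefault(key, acct["name"])
        if not acct["owner"]:
            issues.append("no owner recorded")
        if acct["type"] == "service" and (acct["expires"] is None or acct["expires"] < today):
            issues.append("credential expiry missing or past")
        if issues:
            findings[acct["name"]] = issues
    return findings


def reconcile_devices(inventory, enrolled):
    """Return (inventory serials not enrolled, enrolled serials missing from inventory)."""
    return sorted(set(inventory) - enrolled), sorted(enrolled - set(inventory))


if __name__ == "__main__":
    print(review_accounts(ACCOUNTS, date(2026, 1, 6)))
    print(reconcile_devices(INVENTORY, ENROLLED))
```

Each finding names a specific account or serial number, so the output can be kept with the review record as evidence of what was checked and what was remediated.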

Summary

By combining a clear naming policy, centralized identity management, explicit handling of service/process accounts, an accurate device inventory, and routine reviews, SMBs can meet IA.L1-B.1.V’s goal of uniquely identifying users, processes, and devices. These practical, low-cost controls improve authentication, enable reliable logging and audits, and make incident investigation and access control far more effective without requiring heavyweight infrastructure.

 
