Requirement
FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.VI – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Understanding the Requirement
This control requires that your organization confirm who — or what — is requesting access before granting it. At a minimum that means authenticating human users with credentials, ensuring any automated processes or service accounts are verified when they act on a user's behalf, and verifying devices before they connect to internal systems. For SMBs working toward FAR 52.204-21 / CMMC 2.0 Level 1 compliance, focus on practical, enforceable mechanisms (passwords, managed accounts, device enrollment) that prevent anonymous or unauthenticated access.
Technical Implementation
- Enforce password protection and complexity: Use Active Directory Group Policy or your endpoint management tool to require unique usernames and passwords for all interactive accounts. Set minimum password length (for example, 12 characters), enable complexity rules, and configure account lockout after a small number of failed attempts (e.g., 5 attempts) to slow brute-force attacks.
- Eliminate default and shared credentials: Change default passwords on routers, switches, firewalls, and IoT devices immediately when installed. Replace shared or generic accounts with unique service accounts; where local admin access is needed, use a tool like Microsoft LAPS or a password manager to rotate and centrally manage local administrator passwords.
- Require device authentication/enrollment: Require company devices to be enrolled in an MDM/endpoint management solution (Microsoft Endpoint Manager/Intune, Jamf, etc.) before they can access file shares or email. For wired/wireless network access, use WPA2/WPA3-Enterprise or 802.1X where practical, or at minimum a VPN with device checks for remote access.
- Control and authenticate service/process accounts: Avoid embedding plaintext credentials in scripts. Use OS-managed service accounts (for example, Active Directory managed service accounts) or a credential vault, so that processes acting on behalf of users still authenticate rather than relying on a hard-coded secret. Restrict service accounts to the minimum permissions needed.
- Enable logging and periodic review: Turn on authentication logs on domain controllers, VPNs, and perimeter devices. Review failed authentication attempts and unusual device connection events on a weekly basis to detect misconfigurations or attempted unauthorized access.
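As an added illustration of the weekly log review step (this is example code written for this page, not part of the original control text or any vendor tool), the script below parses a constructed, simplified export of Windows Security failed-logon events (ID 4625) and flags any user/source pair that reaches the same five-attempt threshold the lockout policy uses, so a reviewer can spot brute-force attempts or a misconfigured device that keeps failing. The line format, field names and timestamps are assumptions chosen for the sample; adapt the regular expression to your own export.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like a simplified Windows Security
# event 4625 (failed logon) export; these are not real log data.
SAMPLE_LOG = """\
2024-06-03T08:12:01Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-06-03T08:12:03Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-06-03T08:12:04Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-06-03T08:12:06Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-06-03T08:12:07Z EventID=4625 TargetUserName=alice IpAddress=10.0.0.5
2024-06-03T09:00:00Z EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-06-03T14:30:00Z EventID=4625 TargetUserName=bob IpAddress=10.0.0.9
2024-06-03T09:05:00Z EventID=4624 TargetUserName=bob IpAddress=10.0.0.9
"""

# Assumed line layout for the constructed export above.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) IpAddress=(?P<ip>\S+)$"
)

def parse_events(text):
    """Return a list of (timestamp, event_id, user, source_ip) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the review
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, int(m["eid"]), m["user"], m["ip"]))
    return events

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=15)):
    """Return {(user, ip): total_failures} for every user/source pair that
    reaches `threshold` failed logons (event 4625) within any sliding
    `window`; this mirrors a five-attempt lockout policy so the reviewer
    sees what the policy would have tripped on."""
    by_key = defaultdict(list)
    for ts, eid, user, ip in events:
        if eid == 4625:  # only failed logons count toward the burst
            by_key[(user, ip)].append(ts)
    flagged = {}
    for key, times in by_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1  # slide the window forward past old failures
            if end - start + 1 >= threshold:
                flagged[key] = len(times)
                break
    return flagged

if __name__ == "__main__":
    for (user, ip), count in failed_logon_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"review: {user} from {ip} had {count} failed logons in a burst")
```

Two isolated failures for bob hours apart are not reported, while alice's five failures within seconds are, which is the distinction a weekly review needs to separate a typo from an attack or a stuck credential.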
Example in a Small or Medium Business
A local engineering firm with 35 employees decides to meet this requirement. The IT lead, Alice, first applies a Group Policy that requires all domain users to have passwords at least 12 characters long, enforces complexity, and locks accounts after five failed logins. She replaces default admin credentials on the office router and the new NAS device, recording the new passwords in the company password manager. Laptops and phones must be enrolled in the company MDM before they can access email or mapped drives; devices not enrolled are placed on a separate guest VLAN with no access to internal resources. For shared tools that must run unattended, Alice creates managed service accounts and stores their credentials in the enterprise credential vault instead of hard-coding them in scripts. She also installs LAPS on Windows endpoints so local administrator passwords are unique and rotated automatically. Finally, Alice configures authentication logging on the domain controller and sets a weekly alert to review failed logins and new device enrollments so she can catch misconfigurations quickly.
Summary
Authenticating users, processes, and devices before granting access is a straightforward but essential control. For SMBs, combining a practical password policy, removal of default/shared credentials, device enrollment through an MDM, managed service accounts, and basic logging provides strong, achievable enforcement. Together these policy and technical measures ensure only verified identities and devices can access your systems, meeting the intent of the control while remaining realistic for a small IT team to implement and maintain.