Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.2 – Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.
Understanding the Requirement
This control requires that before granting access to any part of your network or systems you confirm who (or what) is requesting access. In practice that means authenticating each user, each process (whether it runs on behalf of a user or as a service in its own right), and each device that connects to or accesses systems. Identification (3.5.1) assigns the unique identifier; this control requires that the identifier be proven before access is granted. For an SMB implementing NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, this typically starts with enforcing credential-based logins (unique usernames and strong passwords) and extends to service account controls, device authentication, and multi-factor authentication where appropriate.
Technical Implementation
- Enforce unique user accounts and strong passwords: Ensure every person has a unique account and disable shared logins, so that every action can be tied to one identity. Use Group Policy (Active Directory) or Microsoft Endpoint Manager to require a minimum length (e.g., 12 characters), complexity, password history, and account lockout after a set number of failed attempts; where the platform supports it, also screen new passwords against known-breached password lists. Change or remove factory-default credentials on every piece of equipment before it is placed into service, not after.
- Implement multi-factor authentication (MFA): Require MFA for all remote access (VPN, RDP) and for privileged accounts. For cloud services (Office 365, Azure, Google Workspace), enable built-in MFA and require it for administrative roles. Use push-based authenticators (e.g., Microsoft Authenticator, Duo) with number matching enabled, or hardware tokens where possible; plain push approval is vulnerable to prompt-bombing, so prefer phishing-resistant FIDO2 keys for administrators.
- Authenticate processes and service accounts: Treat service accounts as first-class identities with their own credentials, named owners, and least-privilege rights. On Windows, use (group) managed service accounts, whose passwords Active Directory rotates automatically; for tools that cannot use them, keep application credentials in a secrets manager (e.g., Azure Key Vault, HashiCorp Vault) and rotate them there. Require mutual authentication (mutual TLS or signed requests) for service-to-service API calls. Never embed long-lived plaintext credentials in scripts or configuration files; have the script fetch the credential at runtime.
- Device authentication and posture checks: Enforce device-level authentication before granting network or resource access. Use 802.1X (preferably certificate-based EAP-TLS rather than password-based methods), device certificates, or MDM/endpoint management to verify device identity and health (patch level, antivirus status) before access is granted. Block devices that fail posture checks from sensitive networks, and revoke a device's certificate as soon as it is lost or decommissioned.
- Least privilege and role-based access: Limit access to only what users and processes need. Implement role-based groups in AD or your identity provider, and review group membership quarterly. Combine least privilege with authentication controls so that a successfully verified identity still receives only the access it is authorized for.
- Logging, monitoring, and periodic review: Log authentication events (successful and failed logons, lockouts, service account use) and alert ahead of certificate expirations for device and service identities. On Windows this means forwarding at least Security events 4624 (logon success), 4625 (logon failure), and 4740 (account lockout) from domain controllers and servers. Send high-risk events (repeated failures against one account, logons from a source address or device not seen before for that account) to your SIEM or central log repository and review the alerts. Periodically audit accounts and devices and remove stale identities.
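The service-account point above, as an added example that is not code from the original page: a backup script that resolves its credential at runtime from HashiCorp Vault's KV v2 engine rather than carrying it inline. The mount name (secret), the path (svc/backup), the key names (username, password) and the use of VAULT_ADDR / VAULT_TOKEN environment variables are hypothetical assumptions for illustration; the `opener` parameter only exists so the logic can be exercised without a live Vault.

```python
"""Service-account credential resolved at runtime from HashiCorp Vault (KV v2)
instead of being embedded in the script.

Added example, not code from the original page. Hypothetical assumptions:
the KV v2 engine is mounted at 'secret', the backup tool's credential lives at
'svc/backup' with keys 'username' and 'password', and the Vault address and
token arrive via the VAULT_ADDR / VAULT_TOKEN environment variables (in
production prefer an auth method such as AppRole or a platform identity over
a hand-placed static token).
"""
import json
import os
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

# What the page warns against: a long-lived plaintext credential inline, which
# then lives on in git history, backups, and every copy of the script.
# BACKUP_PASSWORD = "Winter2023!"   # do not do this


def kv2_secret_url(vault_addr: str, mount: str, path: str) -> str:
    """KV v2 read endpoint: {addr}/v1/{mount}/data/{path}."""
    return f"{vault_addr.rstrip('/')}/v1/{mount}/data/{path.strip('/')}"


def fetch_kv2_secret(vault_addr: str, token: str, mount: str, path: str,
                     opener: Callable = urllib.request.urlopen) -> Dict[str, str]:
    """Read one KV v2 secret and return its key/value map.

    Vault authenticates the caller with the X-Vault-Token header and wraps the
    values as {"data": {"data": {...}, "metadata": {...}}}. `opener` defaults
    to urllib's urlopen and is injectable so the logic can run offline.
    """
    req = urllib.request.Request(kv2_secret_url(vault_addr, mount, path),
                                 headers={"X-Vault-Token": token})
    try:
        with opener(req, timeout=5) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # 403 means the token lacks a policy for this path: surface it, never fall back.
        raise PermissionError(f"Vault returned HTTP {exc.code} for {mount}/{path}") from exc
    try:
        values = body["data"]["data"]
    except (KeyError, TypeError):
        raise ValueError("unexpected Vault response for a KV v2 read: %r" % (body,))
    if not isinstance(values, dict):
        raise ValueError("KV v2 'data.data' is not an object")
    return values


def backup_credentials(opener: Callable = urllib.request.urlopen) -> Tuple[str, str]:
    """Resolve the backup tool's username/password at the moment they are needed.

    Fails closed: with no token there is no fallback to an inline password.
    """
    addr = os.environ.get("VAULT_ADDR", "https://vault.example.internal:8200")  # assumption
    token = os.environ.get("VAULT_TOKEN")
    if not token:
        raise RuntimeError("VAULT_TOKEN is not set; refusing to run without a Vault identity")
    secret = fetch_kv2_secret(addr, token, "secret", "svc/backup", opener)
    try:
        return secret["username"], secret["password"]
    except KeyError as exc:
        raise RuntimeError("secret at secret/svc/backup is missing key %s" % exc)


if __name__ == "__main__":
    user, _password = backup_credentials()
    print("resolved credential for", user)   # never print the password itself
```

The script has no password to leak if it is copied, committed, or backed up; rotating the credential is a Vault operation that needs no change to the script, and a missing or unauthorized token stops the job rather than silently degrading.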
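The monitoring point above, as an added example that is not code from the original page: the review logic run over a constructed batch of Windows Security events (4625 logon failure, 4624 logon success) as a SIEM or Get-WinEvent export would present them. It flags a burst of failures against one account and a successful logon from a source address that account has not used before. The events, the baseline of known addresses, and the thresholds are assumptions for illustration.

```python
"""Authentication-event review over an exported batch of Windows Security events.

Added example, not code from the original page. The events are constructed for
illustration (not real log data), using the field names of Security events
4625 (logon failure) and 4624 (logon success). Thresholds and the baseline of
known source addresses are assumptions to tune for your environment.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Set

LOGON_SUCCESS = 4624
LOGON_FAILURE = 4625
FAILURE_THRESHOLD = 5                    # assumption: 5 failures ...
FAILURE_WINDOW = timedelta(minutes=10)   # ... within a sliding 10-minute window

# Constructed sample export (not real data).
SAMPLE_EVENTS: List[Dict] = [
    {"TimeCreated": "2024-03-04T08:00:01", "EventID": 4624, "TargetUserName": "alice",      "IpAddress": "10.0.5.20"},
    {"TimeCreated": "2024-03-04T08:01:10", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-04T08:02:05", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-04T08:02:40", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-04T08:03:15", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-04T08:04:02", "EventID": 4625, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-04T08:04:30", "EventID": 4624, "TargetUserName": "svc-backup", "IpAddress": "203.0.113.9"},
    {"TimeCreated": "2024-03-04T09:15:00", "EventID": 4624, "TargetUserName": "alice",      "IpAddress": "198.51.100.7"},
    {"TimeCreated": "2024-03-04T10:00:00", "EventID": 4625, "TargetUserName": "bob",        "IpAddress": "10.0.5.31"},
]

# Baseline of addresses each account has legitimately used before (assumption).
BASELINE: Dict[str, Set[str]] = {"svc-backup": {"10.0.5.40"}}


def review_auth_events(events: Iterable[Dict],
                       known_sources: Optional[Dict[str, Set[str]]] = None) -> List[Dict]:
    """Return alerts for failure bursts and first-time source addresses.

    A failure burst is FAILURE_THRESHOLD 4625 events for one account inside
    FAILURE_WINDOW (sliding). A new-source alert is a 4624 for an account that
    already has a baseline, from an address not in it. Accounts with no baseline
    get one learned from their first successful logon. The caller's baseline is
    copied, not mutated.
    """
    known: Dict[str, Set[str]] = {u: set(ips) for u, ips in (known_sources or {}).items()}
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerts: List[Dict] = []

    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["TimeCreated"])):
        t = datetime.fromisoformat(ev["TimeCreated"])
        user, ip = ev["TargetUserName"], ev["IpAddress"]

        if ev["EventID"] == LOGON_FAILURE:
            window = recent_failures[user]
            window.append(t)
            while window and t - window[0] > FAILURE_WINDOW:   # drop failures that aged out
                window.popleft()
            if len(window) == FAILURE_THRESHOLD:   # fire once, as the threshold is crossed
                alerts.append({"type": "failure_burst", "user": user, "ip": ip,
                               "count": len(window), "at": ev["TimeCreated"]})

        elif ev["EventID"] == LOGON_SUCCESS:
            if user in known and ip not in known[user]:
                alerts.append({"type": "new_source", "user": user, "ip": ip,
                               "at": ev["TimeCreated"]})
            known.setdefault(user, set()).add(ip)

    return alerts


if __name__ == "__main__":
    for alert in review_auth_events(SAMPLE_EVENTS, BASELINE):
        print(alert)
```

On the sample data the reviewer gets three alerts in order: the five-failure burst against svc-backup, the success that immediately follows it from the same unfamiliar address (a failure burst followed by a success is the pattern worth paging on), and alice's logon from a new address. Bob's single failure produces nothing, and a success from an account with no baseline only seeds the baseline.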
Example in a Small or Medium Business
Alice is the IT manager at a 60-person engineering firm. When she joins, she immediately deploys Group Policy to require unique user accounts and strong passwords across the Windows domain, and she changes default passwords on all new network devices. For remote employees and contractors she configures the VPN to require multi-factor authentication and integrates the company’s Azure AD for single sign-on to cloud services. Service accounts used by backup and monitoring tools are converted to managed service accounts where the tool supports them; the remainder get dedicated accounts whose credentials are stored and rotated in a secrets manager, and the scripts that use them are updated to fetch credentials at runtime instead of containing them inline. Alice also enrolls company laptops and mobile devices in Microsoft Endpoint Manager so each device presents a certificate and passes a posture check before it can access internal file shares. She configures logging for authentication events and sets alerts for repeated failed login attempts against one account or for new device enrollments, and she schedules quarterly reviews to remove inactive accounts and re-evaluate MFA coverage. When a contractor’s laptop is lost, Alice revokes its device certificate and forces a credential rotation for the contractor’s accounts, limiting exposure while the incident is investigated.
Summary
Requiring identity verification for users, processes, and devices is a foundational security control that SMBs can implement using a combination of policy and technical measures: unique accounts and strong password policies, multi-factor authentication, managed service accounts and secrets rotation, device authentication through MDM or certificates, and continuous logging and review. Together these controls ensure that access is granted only after an identity is verified and that access is constrained to what the authenticated identity is authorized to do, meeting the control objective in a practical, repeatable way for small and medium organizations.