This post gives a practical, hands-on checklist for meeting IA.L1-B.1.V (identifying users, processes, and devices) under the Compliance Framework for FAR 52.204-21 / CMMC 2.0 Level 1. It is focused on small businesses that need straightforward, repeatable steps to inventory, uniquely identify, and authenticate accounts, services, and endpoints before granting access to Controlled Unclassified Information (CUI) or contractor-controlled data.
What the control requires (high level)
At its core, IA.L1-B.1.V requires that every actor (human user, automated process, or managed device) be uniquely identified and authenticated before being allowed access to in-scope systems and data. For Compliance Framework implementation this means: assign unique IDs, document service/process identities, maintain an enforceable device inventory, and ensure authentication is in place (passwords, certificates, keys, or federated identity with MFA where possible). The goal is traceability: when an event occurs you can map it back to a specific user, process, or device.
Practical implementation checklist
Use the following checklist as an implementation sequence you can follow this week. Each item includes suggested tools and small-business-friendly options:
1) Create/maintain an identity registry (CMDB) that records user ID, role, status, assigned devices, and authentication method. Start with a protected spreadsheet or use free tiers of NetBox/Lansweeper.
2) Enforce unique accounts: disable shared logins and create named service accounts for automated processes.
3) Inventory devices by hostname, MAC, serial, OS, UUID, and ownership. Collect DHCP lease logs and ARP tables, and run endpoint discovery (nmap, Lansweeper agent, osquery).
4) Inventory running processes and services on servers and endpoints. Use tasklist/ps/systemd and capture service names, service account, executable path, and listening ports into your registry.
5) Ensure authentication mechanisms exist: domain accounts (Azure AD/AD), local accounts with documented password policies, device certificates, or SSH keys.
6) Implement basic enforcement: join endpoints to the domain or to MDM (Intune/Jamf) and enforce device compliance checks (antivirus, disk encryption).
7) Configure logging and correlation: send Windows Events/Syslog to a central collector (WEF + Elastic/Splunk/Graylog) and retain logs long enough to support investigations.
8) Add lifecycle controls: onboarding, transfer, and offboarding workflows that include account/device assignment and removal rules (disable within 24-72 hours of separation).
Each checklist item should be assigned an owner and a target completion date in your Compliance Framework program.
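As an added example (not part of the original checklist), the following Python script performs the device reconciliation behind items 1 and 3: it normalizes MAC addresses from a dnsmasq-style lease table, compares them with the device registry, and reports devices seen on the network that have no active registry entry, plus active registry devices that were not seen. The registry columns, the lease format and every sample value are constructed for the example.

```python
import csv
import io
import re

# Constructed registry export (column names assumed); in practice, the exported CMDB sheet.
REGISTRY_CSV = """hostname,mac,serial,owner_upn,status
ENG-LT-001,AA:BB:CC:00:00:01,SN1001,alice@company.example,active
ENG-LT-002,aa-bb-cc-00-00-02,SN1002,bob@company.example,active
ENG-LT-003,AA:BB:CC:00:00:03,SN1003,carol@company.example,active
OLD-LT-009,AA:BB:CC:00:00:09,SN1009,dave@company.example,retired
"""

# Constructed dnsmasq-style lease lines: expiry, MAC, IP, hostname, client-id.
DHCP_LEASES = """1700000000 aa:bb:cc:00:00:01 10.0.10.21 ENG-LT-001 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.10.22 eng-lt-002 *
1700000000 de:ad:be:ef:00:01 10.0.10.77 android-1f3a *
1700000000 aa:bb:cc:00:00:09 10.0.10.99 OLD-LT-009 *
"""

def normalize_mac(mac):
    """Canonical lower-case colon form so 'AA-BB-...' and 'aa:bb:...' compare equal."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"bad MAC: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))

def load_registry(text):
    """Index registry rows by normalized MAC."""
    return {normalize_mac(row["mac"]): row for row in csv.DictReader(io.StringIO(text))}

def parse_leases(text):
    """Map normalized MAC -> (ip, hostname) from the lease table."""
    leases = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            leases[normalize_mac(parts[1])] = (parts[2], parts[3])
    return leases

def reconcile(registry_text, lease_text):
    """Devices on the network with no active registry entry (unidentified), and
    active registry devices absent from the lease table (unseen, possibly stale)."""
    registry = load_registry(registry_text)
    leases = parse_leases(lease_text)
    unidentified = sorted(mac for mac in leases
                          if registry.get(mac, {}).get("status") != "active")
    unseen = sorted(mac for mac, row in registry.items()
                    if row["status"] == "active" and mac not in leases)
    return {"unidentified": unidentified, "unseen": unseen}
```

A retired device that reappears on the network is reported as unidentified, the same as a never-registered one, because its registry entry no longer authorizes access.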
Technical details and examples
Technical specifics help small teams implement this without overengineering: use username@company (or the UPN) as the unique ID; configure Azure AD or OpenLDAP as the authoritative identity store; use certificates (SCEP/ACME) for device identity and 802.1X or MDM for network access control; store service account credentials in a vault (HashiCorp Vault, or KeePass/Bitwarden on a business plan) with auditing enabled; discover processes with osquery (select name, pid, uid, cmdline from processes) and export the results to your CMDB; standardize process/service naming conventions such as svc-db-readonly or svc-billing-api and map each to its host and container image digest (sha256) so you can tie events to immutable artifacts. For SSH keys, enforce a key lifecycle policy (rotate every 90 days) and manage authorized_keys centrally via configuration management (Ansible) or an SSH certificate authority. For Windows service accounts, avoid running services as LocalSystem; create managed service accounts with least privilege instead.
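An added example (not code from the original post) of the process-inventory step: it takes osquery-style JSON rows from a processes/users join (the host column and field names are assumed) and checks each process identity against the svc-<domain>-<role> naming convention and a constructed service registry that carries owning team, host and image digest. Registered processes are inventoried against their immutable artifact; privileged built-in accounts, unregistered identities and convention violations become findings for an owner to review.

```python
import json
import re

# Constructed osquery output (shape of `osqueryi --json` for a processes/users join;
# the host column and field names are assumed). Not data from a real host.
OSQUERY_JSON = """[
 {"host": "app01", "name": "postgres", "pid": "812", "username": "svc-db-readonly", "cmdline": "/usr/lib/postgresql/15/bin/postgres"},
 {"host": "app01", "name": "billing", "pid": "913", "username": "svc-billing-api", "cmdline": "/opt/billing/api --port 8443"},
 {"host": "app01", "name": "cron", "pid": "45", "username": "root", "cmdline": "/usr/sbin/cron -f"},
 {"host": "app01", "name": "legacy-sync", "pid": "1201", "username": "admin", "cmdline": "/opt/legacy/sync.sh"},
 {"host": "app01", "name": "report", "pid": "1305", "username": "svc-reports", "cmdline": "/opt/report/run"}
]"""

# Constructed CMDB entries for named service identities: owning team, host and the
# image digest of the artifact the service runs from (placeholder digests).
SERVICE_REGISTRY = {
    "svc-db-readonly": {"team": "data", "host": "app01", "image": "sha256:" + "a" * 64},
    "svc-billing-api": {"team": "billing", "host": "app02", "image": "sha256:" + "b" * 64},
}

SVC_NAME_RE = re.compile(r"^svc-[a-z0-9]+-[a-z0-9]+$")  # svc-<domain>-<role>
PRIVILEGED = {"root", "SYSTEM", "LocalSystem"}  # built-ins services should not run as

def audit_processes(osquery_json, registry):
    """Split the process list into an inventory of registered service identities
    (tied to host, pid and image digest) and findings that need an owner."""
    inventory, findings = [], []
    for row in json.loads(osquery_json):
        user = row["username"]
        where = f"{row['host']}:{row['name']}[{row['pid']}]"
        if user in PRIVILEGED:
            findings.append((where, user, "runs as privileged built-in account"))
            continue
        if user.startswith("svc-") and not SVC_NAME_RE.match(user):
            findings.append((where, user, "violates svc-<domain>-<role> convention"))
        if user not in registry:
            findings.append((where, user, "identity not in service registry"))
            continue
        entry = registry[user]
        if entry["host"] != row["host"]:
            findings.append((where, user, f"registered for host {entry['host']}"))
        inventory.append({"identity": user, "where": where, "team": entry["team"],
                          "image": entry["image"], "cmdline": row["cmdline"]})
    return inventory, findings
```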
Small business scenarios and real-world examples
Example 1: A 25-person engineering firm with one Windows server and 30 laptops. Quick wins: enable Azure AD Join for laptops, deploy Intune for basic MDM, create a spreadsheet-driven CMDB that maps user UPNs to device serial numbers, and configure Windows Event Forwarding to a low-cost Elastic stack.
Example 2: A small SaaS shop using Linux hosts and containers. Use osquery on hosts, collect container image digests, label Kubernetes ServiceAccounts with team ownership, and enforce node authentication with certificates; store service account secrets in Vault and require pull secrets tied to image registries.
Example 3: A hybrid office with printers, VoIP phones and IoT sensors. Include non-workstation devices in the inventory (model, firmware, management IP), segment them on a separate VLAN, and require NAC or firewall rules so unidentified devices cannot reach CUI systems.
These are practical steps you can implement within weeks and scale as your Compliance Framework program matures.
Compliance tips, best practices, and operational controls
Best practices to make identification sustainable: document naming conventions and onboarding/offboarding playbooks in your Compliance Framework documentation; automate discovery with scheduled scripts or agents and reconcile differences weekly; enforce multifactor authentication for all interactive user access and require device compliance (disk encryption + EDR) for device access to CUI; run periodic audits (quarterly) to ensure that service accounts are still needed and that stale devices are removed; implement role-based access controls so that identity mapping directly supports entitlement reviews. Keep a simple SLA for account disablement (e.g., 24 hours for termination, 72 hours for role changes) and log every change to the identity registry with who, when, and why.
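The disablement SLA and the who/when/why change log above, as an added example that is not part of the original post: a Python audit that joins a constructed HR event feed to a constructed identity-registry change log and classifies each event as met, late, still open, or overdue against the 24-hour and 72-hour targets. The event types, action names and record layouts are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

# Lifecycle SLA from the policy: hours allowed between the HR event and the
# matching registry action (disable on termination, re-entitle on role change).
SLA_HOURS = {"termination": 24, "role_change": 72}
EXPECTED_ACTION = {"termination": "disable", "role_change": "reassign_role"}

# Constructed HR feed: (UPN, event type, event time in UTC).
HR_EVENTS = [
    ("dave@company.example", "termination", "2024-03-01T17:00:00Z"),
    ("erin@company.example", "role_change", "2024-03-02T09:00:00Z"),
    ("frank@company.example", "termination", "2024-03-03T12:00:00Z"),
]

# Constructed identity-registry change log: every change records who, when, and why.
REGISTRY_LOG = [
    {"upn": "dave@company.example", "action": "disable", "by": "it-admin@company.example",
     "at": "2024-03-01T18:30:00Z", "why": "HR termination ticket (placeholder id)"},
    {"upn": "erin@company.example", "action": "reassign_role", "by": "it-admin@company.example",
     "at": "2024-03-06T10:00:00Z", "why": "transfer to finance"},
]

def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used above into aware datetimes."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_lifecycle_sla(events, log, now):
    """Return (upn, kind, status, acted_at) per HR event: 'ok' or 'late' when a
    matching registry action exists, 'open' or 'overdue' when none does yet."""
    report = []
    for upn, kind, when in events:
        deadline = parse_ts(when) + timedelta(hours=SLA_HOURS[kind])
        acted = [parse_ts(e["at"]) for e in log
                 if e["upn"] == upn and e["action"] == EXPECTED_ACTION[kind]]
        if not acted:
            status = "overdue" if now > deadline else "open"
            report.append((upn, kind, status, None))
        else:
            first = min(acted)
            report.append((upn, kind, "ok" if first <= deadline else "late", first))
    return report
```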
Risk of not implementing IA.L1-B.1.V
Failure to uniquely identify and authenticate users, processes, and devices creates immediate and measurable risks: unauthorized access, inability to investigate incidents (no forensic trail), increased lateral movement risk from compromised unattended devices or generic accounts, and likely non-compliance in audits leading to contract loss or remedial action under FAR 52.204-21 and CMMC. For a small business this can mean losing government contracts, having to undertake expensive remediation, or suffering reputational and financial damage from a breach that could have been prevented with basic identity and inventory controls.
In summary, focus on establishing an authoritative identity registry, instrumenting automated discovery for devices and processes, enforcing unique identities and authentication, and operationalizing lifecycle and logging controls. Start small with manual records and inexpensive tooling, assign clear owners for each checklist item, and iterate toward automation. These steps will satisfy IA.L1-B.1.V requirements while materially reducing your exposure and improving your Compliance Framework posture.