
Implementing FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V: Practical Checklist to Identify Users, Processes Acting on Behalf of Users, and Devices

A practical, step-by-step checklist to identify and inventory users, processes acting on behalf of users, and devices to meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V requirements for small businesses.

April 04, 2026

This post provides a practical, actionable checklist to help small businesses meet FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V by reliably identifying users, detecting processes acting on behalf of users (including service accounts and automated agents), and inventorying devices that access or process controlled information.

What the control requires — plain language

The requirement focuses on having a reliable understanding of "who" (human users), "what" (processes operating on behalf of users, such as service accounts, scheduled jobs, or automation), and "which device" (endpoints, servers, mobile devices) is present and active in your environment. For compliance purposes this means you must have documented identification, an inventory mapping, and observable evidence (logs or system records) that link account identifiers to processes and to device identifiers. This control is about identification only; verifying that the asserted identity is genuine is the separate authentication requirement in the same clause, so the evidence here is inventories and log records, not password or MFA policy.

Scope and applicability for small businesses

Small organizations that hold federal contracts and therefore handle Federal Contract Information (FCI) must implement lightweight, repeatable controls. FAR 52.204-21 and CMMC Level 1 apply to systems that store or process FCI; systems that also handle Controlled Unclassified Information (CUI) fall under NIST SP 800-171 / CMMC Level 2 in addition. The scope typically covers: corporate laptops/desktops, servers (on-prem or cloud VMs), mobile devices enrolled in MDM, cloud identities (Azure AD, now Microsoft Entra ID; Google Workspace), service accounts used by apps or CI/CD pipelines, and automation (cron jobs, containerized services). The goal is not enterprise-scale tooling but a consistent, auditable mapping between users, processes, and devices.

Practical implementation checklist (step-by-step)

Use this checklist as an implementation plan. Each item includes suggested evidence artifacts for audits and practical commands or tools small businesses can use immediately.

  • Create and document an identity inventory. Export your directory (Azure AD, Okta, Google Workspace) users and service accounts into a CSV with columns: username, account type (user/service), owner, date created, last login. Evidence: CSV snapshot, admin console export.
  • Inventory devices and ensure unique device identifiers. Use MDM (Intune, Jamf, Google endpoint management) or NAC to collect hostname, serial, device certificate thumbprint, OS, MAC, last-seen timestamp. Evidence: device list from MDM, screenshots, enrollment logs.
  • Map processes to accounts. Enable host-level auditing. On Windows, install Sysmon and collect its Event ID 1 (process creation, which records the launching account and the parent process), and from the Windows Security log collect Event IDs 4624 (successful logon, including logon type and source workstation) and 4648 (logon with explicit credentials). Note that 4624 and 4648 are Windows auditing events, not Sysmon events, so the Audit Logon subcategory must be enabled for them to appear. On Linux, enable auditd with a rule on the execve syscall and also capture the SSH and sudo entries in /var/log/auth.log (or the systemd journal). Evidence: a sample event showing a process start together with the account that launched it and the host it ran on.
  • Identify non-interactive/service credentials and tokens. Search for service accounts, API keys, SSH keys, and stored credentials in CI/CD or on servers. Evidence: tagged service account list, secrets manager entries, IAM policy attachments.
  • Record transient/ephemeral identities. For containers, serverless or short-lived VMs, log image/container IDs, orchestrator user mappings (Kubernetes service account name), and cluster node identifiers. Evidence: container runtime logs, kubectl get pods -o wide output.
  • Centralize logs and correlate. Ship identity and host logs to a central SIEM or log store (Splunk, ELK, Microsoft Sentinel (formerly Azure Sentinel), or a hosted log service). Build correlation rules that join the account name in sign-in and logon events with process creation events and with the device identifier (hostname or serial number) from your MDM inventory; normalize the account name first (strip the domain prefix, case-fold) or the join will silently miss records. Evidence: SIEM query results that show the three-way correlation.
  • Tag and enforce naming conventions. Use a consistent naming schema for service accounts (for example an svc- prefix), devices (for example an LT- prefix for laptops), and processes where possible, so that account and device type are obvious from the name alone in logs and exports. Evidence: naming convention document and examples in inventories.
  • Schedule regular reconciliation and reviews. Monthly or quarterly reviews to remove orphaned accounts, decommission devices, and verify mappings. Evidence: review minutes, ticket records for remediations.

Real-world small-business scenario

Example: A 40-person contractor uses Microsoft 365 with Azure AD (Entra ID) and Intune, a small AWS account for dev/test, and GitHub Actions for CI. Implementation steps: export Azure AD users with Get-MgUser from the Microsoft Graph PowerShell module (the older Get-AzureADUser cmdlet comes from the retired AzureAD module and still appears in many guides); tag the service principals used by CI with the naming convention; onboard all corporate laptops to Intune to capture serial number and device ID; enable Azure AD sign-in logs and integrate them with a lightweight SIEM (Microsoft Sentinel or a third-party service). Use Sysmon on Windows endpoints to capture process start events and forward them to the SIEM; on Linux hosts enable auditd to capture execve events. Build a Sentinel workbook that links sign-in records (user) to the device ID and to process events that originate from that device. Evidence for auditors: user/device CSV export, Intune enrollment list, and a sample combined log showing user X -> process Y -> device Z.

Technical implementation notes and example commands

Concrete technical tips: on Windows, install Sysmon and configure it to log Event ID 1 (process create); add Event ID 3 (network connection) and Event ID 11 (file create) if you also want network and file activity tied back to a process and account. Collect Windows Security events 4624 (logon), 4648 (explicit credential use), and 4720/4722 (account creation/enable). On Linux, enable auditd rules such as: -a always,exit -F arch=b64 -S execve -k execs (add the matching -F arch=b32 rule on hosts that run 32-bit binaries, or those executions are missed) and forward /var/log/audit/audit.log. Use tools: the PowerShell cmdlet Get-MgDevice (Microsoft Graph) or the legacy Get-AzureADDevice to list registered devices; on Linux use last, lastlog, and journalctl -u sshd (the unit is named ssh on Debian and Ubuntu) to find login events. Sample SIEM query (Splunk-style pseudo-query): index=auth (EventID=4624 OR event=sshd) | join type=left user [search index=sysmon EventID=1 | fields process_name, user, host] | stats latest(host) by user, process_name shows the current mapping. Join on the normalized account name (domain prefix stripped, case-folded); a Sysmon User field of CORP\alice will not match a sign-in record for alice otherwise.

Compliance tips, best practices, and evidence collection

Keep these practical tips in mind: enforce unique user accounts (no shared human accounts), keep service accounts to a minimum and name them clearly, apply MFA to interactive accounts, and require device registration for access to contractor systems. For evidence, save time by exporting inventory snapshots and scheduled log extracts; keep a short runbook that tells an assessor where to find the user list, the device list, the SIEM query, and a sample correlated event. Automate as much as you can: even simple scripts that run monthly to export CSVs count as evidence of a repeatable control, provided the dated outputs are retained.

Risks of not implementing IA.L1-B.1.V

Failing to identify users, processes, and devices creates multiple risks: unauthorized access and lateral movement by attackers, inability to conduct timely incident response or to attribute an action to an account and a device, increased exposure of FCI (and of CUI where it is present), and likely assessment failure, which can result in contract loss. Small businesses often suffer most because they lack forensic capability; simple controls like device enrollment and centralized logging materially reduce that risk.

Summary: By implementing the checklist above (inventorying identities and devices, logging and correlating process events, tagging and naming service accounts, and performing regular reconciliations), small businesses can cost-effectively meet FAR 52.204-21 / CMMC 2.0 Level 1 IA.L1-B.1.V. Start with lightweight tooling (MDM, directory exports, and host audit agents), document your steps and artifacts, and iterate: the combination of automated discovery plus monthly human review provides both practical security and clear audit evidence.
