This checklist translates the FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V control—identify information system users, processes acting for users, and devices—into an actionable, auditable sequence for small to mid-size contractors working under the Compliance Framework.
Why this control matters
At its core, IA.L1-B.1.V requires organizations to know who and what is operating on their information systems: real user identities, automated processes acting on behalf of users (service accounts, scheduled jobs, APIs), and the endpoint or device presenting credentials. For contractors handling Federal Contract Information (FCI) or Controlled Unclassified Information (CUI), this visibility is foundational to access control, incident detection, least privilege, and fulfilling audit and attestation obligations under FAR and CMMC.
Step-by-step checklist
Step 1 — Build an authoritative identity and device inventory
Start with a single source of truth (the Compliance Framework CMDB, or a lightweight spreadsheet/CSV if small) that lists: user accounts (active/inactive), account type (human, service, privileged), device hostname, MAC and IP addresses, OS, owner, location, and credential type (password, certificate, SSO). Populate this inventory from the directories themselves rather than by hand: 'Get-ADUser' (PowerShell) or 'dsquery' on Active Directory, Azure AD (Microsoft Entra ID) user exports, and cloud IAM user listings. Example: for Active Directory, run 'Get-ADUser -Filter * -Properties LastLogonDate | Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-90) }' to list enabled accounts not seen in 90 days. LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to about 14 days, so treat the result as a list of cleanup candidates to confirm with the account owner, not as proof of inactivity.
Step 2 — Discover processes acting for users and map service accounts
Identify non-human identities by inventorying scheduled tasks, service accounts, API clients, CI/CD runners, and automation tools. On endpoints, list running processes together with the account they run under: 'ps -ef' on Linux; on Windows, 'Get-Service' does not expose the logon account, so use 'Get-CimInstance Win32_Service' (StartName) and 'Get-ScheduledTask' (Principal.UserId) instead. Combine that with log sources such as Sysmon and Windows Security event IDs 4688 (process creation, which is only recorded when the Audit Process Creation policy is enabled) and 4697 (service installed) to show which processes run under which accounts. Document each service account with its purpose, owner, and allowed actions. For cloud APIs, export service principals or IAM roles and map them to the resources they access.
Step 3 — Inventory and verify devices that access systems
Enumerate endpoints via DHCP logs, MDM/endpoint management (Intune, Jamf, ManageEngine), network access control (NAC) systems, or discovery tools (Lansweeper, osquery). For each device, capture device ID, OS version, last patch date, device compliance state (MDM-managed, encryption enabled), and associated user(s). Enforce device registration for access—require device certificates or MDM compliance checks before granting access to FCI systems.
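The following PowerShell script is an added example, not code from the page or from any vendor. It builds the Step 1 to Step 3 inventory for one AD domain and the host it runs on (users, services and scheduled tasks with their run-as accounts, and AD computer objects), writes it to one CSV, and cross-checks every service or task account against its AD record so that a process still acting for a disabled or stale identity is surfaced. It assumes the ActiveDirectory RSAT module, read access to the domain and local admin rights for the service and task queries; the 'svc-' naming prefix and the 90-day stale threshold are placeholders for your own policy, and tasks registered by SID rather than name will be reported as not found.

```powershell
# Added example (not from the page): Step 1-3 inventory for one AD domain and the local host.
# Assumptions: ActiveDirectory RSAT module, domain read access, local admin for service/task queries;
# the 'svc-' prefix and 90-day stale threshold are placeholders for your own policy.
param(
    [int]$StaleDays = 90,
    [string]$ServiceAccountPrefix = 'svc-',
    [string]$OutputPath = '.\identity-inventory.csv'
)

Import-Module ActiveDirectory -ErrorAction Stop
$cutoff      = (Get-Date).AddDays(-$StaleDays)
$adminGroups = '^CN=(Domain Admins|Enterprise Admins|Administrators),'
# Built-in principals that are not identities we need to track as service accounts.
$builtin     = '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|BUILTIN\\|SYSTEM$|LOCAL SERVICE$|NETWORK SERVICE$|Users$|INTERACTIVE$|S-1-5-(18|19|20)$)'

function New-Row {
    param($Identity, $Kind, $Enabled, $LastLogon, $Stale, $Privileged, $Source, $Device)
    [pscustomobject]@{
        Identity = $Identity; Kind = $Kind; Enabled = $Enabled; LastLogon = $LastLogon
        Stale = $Stale; Privileged = $Privileged; Source = $Source; Device = $Device
    }
}

function Get-SamFromRunAs {
    # 'DOMAIN\name', '.\name' or 'name@domain' -> 'name'
    param([string]$RunAs)
    if ($RunAs -match '\\') { return ($RunAs -split '\\')[-1] }
    if ($RunAs -match '@')  { return ($RunAs -split '@')[0] }
    return $RunAs
}

# Step 1: every AD user, typed by naming convention. LastLogonDate comes from the replicated
# lastLogonTimestamp attribute (up to ~14 days behind), so Stale marks cleanup candidates, not proof.
# MemberOf lists direct memberships only; nested admin-group membership needs a separate check.
$users = @(foreach ($u in Get-ADUser -Filter * -Properties LastLogonDate, MemberOf) {
    $kind  = if ($u.SamAccountName -like "$ServiceAccountPrefix*") { 'service' } else { 'human' }
    $stale = $u.Enabled -and ($null -eq $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff)
    $priv  = @($u.MemberOf | Where-Object { $_ -match $adminGroups }).Count -gt 0
    New-Row -Identity $u.SamAccountName -Kind $kind -Enabled $u.Enabled -LastLogon $u.LastLogonDate `
            -Stale $stale -Privileged $priv -Source 'ActiveDirectory' -Device ''
})

# Step 2: processes acting for users on this host: services and scheduled tasks whose run-as account
# is not a built-in principal. Get-Service does not expose the logon account; Win32_Service does.
$services = @(foreach ($s in Get-CimInstance -ClassName Win32_Service) {
    if (-not $s.StartName -or $s.StartName -match $builtin) { continue }
    New-Row -Identity $s.StartName -Kind 'process' -Enabled ($s.StartMode -ne 'Disabled') -LastLogon $null `
            -Stale $false -Privileged $false -Source "Service:$($s.Name)" -Device $env:COMPUTERNAME
})
$tasks = @(foreach ($t in Get-ScheduledTask) {
    $runAs = $t.Principal.UserId
    if (-not $runAs -or $runAs -match $builtin) { continue }
    New-Row -Identity $runAs -Kind 'process' -Enabled ($t.State -ne 'Disabled') -LastLogon $null `
            -Stale $false -Privileged ($t.Principal.RunLevel -eq 'Highest') `
            -Source "Task:$($t.TaskPath)$($t.TaskName)" -Device $env:COMPUTERNAME
})

# Step 3: devices the directory knows about. MDM/NAC adds compliance state; AD is the authoritative list.
$devices = @(foreach ($c in Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate, IPv4Address) {
    $stale = $c.Enabled -and ($null -eq $c.LastLogonDate -or $c.LastLogonDate -lt $cutoff)
    New-Row -Identity $c.Name -Kind 'device' -Enabled $c.Enabled -LastLogon $c.LastLogonDate `
            -Stale $stale -Privileged $false -Source "AD:$($c.OperatingSystem)" -Device $c.IPv4Address
})

# Cross-check: a service or task whose run-as account is missing, disabled or stale in AD is the
# "dormant identity still acting for a user" case this control exists to surface.
$adUsers = @{}
foreach ($u in $users) { $adUsers[$u.Identity.ToLower()] = $u }
$findings = @(foreach ($p in $services + $tasks) {
    $u = $adUsers[(Get-SamFromRunAs $p.Identity).ToLower()]
    $status = $null
    if (-not $u)             { $status = 'run-as account not in AD (local or orphaned)' }
    elseif (-not $u.Enabled) { $status = 'run-as account disabled in AD' }
    elseif ($u.Stale)        { $status = 'run-as account stale in AD' }
    if ($status) { [pscustomobject]@{ Source = $p.Source; RunAs = $p.Identity; Finding = $status } }
})

$users + $services + $tasks + $devices | Export-Csv -NoTypeInformation -Path $OutputPath
"Inventory: $($users.Count) users, $($services.Count + $tasks.Count) process identities, $($devices.Count) devices -> $OutputPath"
$findings | Format-Table -AutoSize
```

Run it on each server that hosts services or scheduled tasks (the AD queries are the same everywhere, the process rows are per host) and merge the CSVs into the CMDB; the Findings table is the list to act on first, since each row is an identity that is still executing on a host without a valid owner in the directory.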
Step 4 — Implement logging and mapping to link users, processes, and devices
Enable and centralize logs that include user account, process name, PID, and source device info. Key sources: AD authentication logs, VPN/NAC logs, endpoint telemetry (Sysmon/osquery), cloud provider audit logs, and application audit trails. Push logs to a central SIEM or log collector (Splunk, Elastic, Microsoft Sentinel, or a managed service). Configure correlation rules that map an authentication event to a specific user account, the process or client used, and the originating device. On Windows the join key is the logon session: a 4624 logon event records the user, logon type, workstation name and source IP under a TargetLogonId, and every 4688 process-creation event from that session carries the same value as its SubjectLogonId. MAC addresses do not appear in authentication logs; take them from DHCP or NAC records keyed by IP address and time. Together these allow forensic reconstruction of who ran what, from which device, and when.
Step 5 — Apply control mechanisms and periodic validation
Use technical controls: unique user IDs (no shared accounts), MFA for interactive access, role-based or attribute-based access controls, and least-privilege service accounts. Schedule quarterly reviews to validate the inventory and remove stale accounts/devices; run automated checks monthly to flag anomalies (multiple simultaneous logins from different geographies, workstations not enrolled in MDM). Maintain attestation records showing who reviewed the inventory and when—use ticketing/approval workflows to document changes.
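The following PowerShell script is an added example, not code from the page or from Microsoft. It performs the Step 4 correlation on a single Windows host (join 4624 logon sessions to the 4688 process-creation events they spawned on the logon session ID, so each row names user, process and source device) and then runs two Step 5 checks: interactive sessions that cannot be tied to any device, and accounts seen from more source hosts than a threshold. It assumes an elevated session, that Audit Process Creation is enabled (otherwise there are no 4688 rows), and the 4-hour window and 3-host threshold are placeholders; the page's geography check needs IP geolocation data that is not available offline, so source-host spread stands in for it here.

```powershell
# Added example (not from the page): link 4624 logon sessions to the 4688 processes they started
# on this host, then run two Step 5 checks. Run elevated; 4688 needs "Audit Process Creation".
# The 4-hour window and the per-account source-host threshold are placeholders.
param(
    [int]$Hours = 4,
    [int]$MaxSourceHostsPerAccount = 3,
    [string]$OutputPath = '.\user-process-device.csv'
)

function Get-EventFields {
    # Flatten the EventData section of a Security event into a hashtable keyed by field name.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{ TimeCreated = $Event.TimeCreated }
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $fields[$node.Name] = $node.'#text' }
    return $fields
}

$since  = (Get-Date).AddHours(-$Hours)
$logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue)
$procs  = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue)
$noDevice = @('', '-', '::1', '127.0.0.1')   # values that name no originating device

# Step 4a: one row per logon session, keyed by TargetLogonId. Machine ($) and built-in accounts are skipped.
$sessions = @{}
foreach ($e in $logons) {
    $f = Get-EventFields $e
    if (($f.TargetUserName -like '*$') -or ($f.TargetDomainName -in 'NT AUTHORITY', 'Window Manager', 'Font Driver Host')) { continue }
    $sessions[$f.TargetLogonId] = [pscustomobject]@{
        Time        = $f.TimeCreated
        Account     = "$($f.TargetDomainName)\$($f.TargetUserName)"
        LogonType   = [int]$f.LogonType       # 2 console, 3 network, 7 unlock, 10 RDP, 11 cached
        Workstation = $f.WorkstationName
        SourceIp    = $f.IpAddress
    }
}

# Step 4b: a process creation carries the SubjectLogonId of the session that started it; joining it to
# the 4624 TargetLogonId is what lets one row name the user, the process and the originating device.
$rows = @(foreach ($e in $procs) {
    $f = Get-EventFields $e
    if (-not $f.SubjectLogonId -or -not $sessions.ContainsKey($f.SubjectLogonId)) { continue }  # session predates the window or was skipped
    $s = $sessions[$f.SubjectLogonId]
    [pscustomobject]@{
        Time        = $f.TimeCreated
        Account     = $s.Account
        LogonType   = $s.LogonType
        Workstation = $s.Workstation
        SourceIp    = $s.SourceIp
        Process     = $f.NewProcessName
        ProcessId   = [int]$f.NewProcessId    # logged as hex text such as 0x1a4
        Parent      = $f.ParentProcessName    # present on Windows 10 / Server 2016 and later
    }
})
$rows | Sort-Object Time | Export-Csv -NoTypeInformation -Path $OutputPath

# Step 5: interactive sessions (console, unlock, RDP, cached) that name no source device cannot be
# attributed and need investigation; accounts seen from many hosts in the window go to access review.
$interactive  = @($sessions.Values | Where-Object { $_.LogonType -in 2, 7, 10, 11 })
$unattributed = @($interactive | Where-Object { ($_.Workstation -in $noDevice) -and ($_.SourceIp -in $noDevice) })
$spread = @(foreach ($g in ($interactive | Group-Object Account)) {
    $hosts = @($g.Group | ForEach-Object { if ($_.SourceIp -in $noDevice) { $_.Workstation } else { $_.SourceIp } } | Sort-Object -Unique)
    if ($hosts.Count -gt $MaxSourceHostsPerAccount) {
        [pscustomobject]@{ Account = $g.Name; SourceHostCount = $hosts.Count; SourceHosts = ($hosts -join ';') }
    }
})

"Sessions: $($sessions.Count)  Process rows: $($rows.Count)  Unattributed interactive sessions: $($unattributed.Count)  -> $OutputPath"
$unattributed | Format-Table Time, Account, LogonType -AutoSize
$spread | Format-Table -AutoSize
```

The same join is what a SIEM correlation rule expresses centrally: ship 4624 and 4688 from every host, key on the logon ID, and the rule produces the user-process-device triple for the whole estate instead of one machine. A session that started before the window shows up as process rows with no match, which is why retention has to cover at least one full logon lifetime.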
Practical implementation details & small-business scenarios
Small business example: a 25-person firm running Windows AD synced to Azure AD (Microsoft Entra ID) with Office 365 and a handful of AWS resources. Practical steps: enable Azure AD Conditional Access to require compliant devices and MFA; deploy Intune to enroll devices and collect device IDs; use Azure AD sign-in logs and Intune inventory to map a user to a device; export AWS IAM role usage and tag roles with owners. Tools: Intune/Jamf for device management, osquery/System Center for process inventory, and a low-cost log collector (Elastic or cloud SIEM) for consolidation. For command-level checks, use 'Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4624}' (Get-EventLog exists only in Windows PowerShell 5.1 and was removed from PowerShell 7) and read each event's LogonType, WorkstationName and IpAddress fields to find interactive (type 2) and remote desktop (type 10) logons and the device they came from.
Compliance tips, best practices, and risks of not implementing
Best practices: enforce unique accounts and avoid shared credentials; define naming conventions for devices and service accounts; automate discovery and onboarding (scripted exports to the CMDB); set retention policies for logs consistent with contract requirements (90 days or per regulatory guidance); and document policies that describe how accounts and devices are provisioned, reviewed, and decommissioned. Risks of not implementing IA.L1-B.1.V include undetected unauthorized access, inability to investigate incidents, excessive privilege creep, contract penalties or termination, and failing FAR/CMMC audits. Illustrative scenario: a dormant service account running nightly backup scripts is co-opted to exfiltrate files; with no mapping from that account to its owner, its host and its expected processes, detection is delayed and the contractual fallout is more severe.
Summary
Meeting FAR 52.204-21 / CMMC 2.0 IA.L1-B.1.V is practical and achievable: establish an authoritative inventory of users, service/process identities, and devices; automate discovery and logging; enforce device registration and unique user identities; and perform regular reviews with documented attestations. For small contractors, focus on low-cost automation (directory exports, MDM, basic SIEM) and clear policies—this combination provides demonstrable compliance evidence and materially reduces operational and contractual risk.