
Step-by-Step Guide to Mapping Users, Service Accounts, and Devices for NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.1

Practical, step‑by‑step instructions to discover, inventory, and map users, service accounts, and devices to satisfy NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 control IA.L2-3.5.1 and protect CUI.

April 05, 2026
4 min read



This post walks through a practical, step‑by‑step approach to identifying and mapping every user identity, service account, and device that interacts with Controlled Unclassified Information (CUI) so you can meet NIST SP 800‑171 Rev.2 / CMMC 2.0 Level 2 control IA.L2-3.5.1, "Identify system users, processes acting on behalf of users, and devices." It focuses on small business realities (limited staff, mixed cloud and on‑premises environments) and delivers concrete commands, inventory fields, and processes you can implement immediately.

Step 1 — Define scope and objectives

Begin by defining what systems and data are in scope: all repositories, processing systems, and networks that store, process, or transmit CUI. For a small business this often includes: the identity providers (on‑prem Active Directory and Microsoft Entra ID, formerly Azure AD), file shares (on‑prem and cloud such as SharePoint/OneDrive/Google Drive), SaaS apps that hold project data, development servers, and any contractor infrastructure. Objective: produce a single authoritative inventory that shows every human user, machine/service account, and endpoint mapped to the systems and CUI they can access.

Step 2 — Identify data sources and collection methods

Pull identity and device data from authoritative sources. Typical sources and example collection commands/tools:

Identity sources

- Active Directory (on‑prem): use the ActiveDirectory PowerShell module (Get‑ADUser, Get‑ADComputer, and Get‑ADServiceAccount for managed service accounts; ordinary user objects that are used as service accounts only show up in Get‑ADUser, so pull ServicePrincipalName as well). Example:

Get-ADUser -Filter * -Properties DisplayName, Enabled, LastLogonDate, ServicePrincipalName | Select-Object SamAccountName, DisplayName, Enabled, LastLogonDate, ServicePrincipalName

- Microsoft Entra ID (formerly Azure AD): use Microsoft Graph or Azure CLI. In the Graph‑backed Azure CLI (2.37 and later) the object identifier property is id, not the older objectId:

az ad user list --query '[].{id:id, upn:userPrincipalName, enabled:accountEnabled}'

- Cloud IAM (AWS/GCP): AWS CLI for IAM users/roles, plus the credential report, which gives last‑used dates for passwords and access keys (generate it, wait a few seconds for it to become available, then fetch it):

aws iam list-users; aws iam list-roles
aws iam generate-credential-report
aws iam get-credential-report --query Content --output text | base64 -d

Device sources

- MDM / UEM (Intune, Jamf): export managed device lists from the console (includes OS, last check‑in, compliance state).

- Endpoint management and CMDB (SCCM/MECM, BMC Remedy or another ITSM CMDB): query the list of discovered devices and compare it with the MDM export; devices known to one source but not the other are the ones to chase.

- Network sources: DHCP logs, NAC / RADIUS authentication logs, and switch MAC tables for unmanaged devices.

Step 3 — Classify and tag identities & devices

Create a minimal, consistent taxonomy you will record in your inventory. Suggested fields: unique ID, account type (human/service/system), owner (person or team), privileged? (Y/N), associated system(s), access to CUI? (Y/N), last authentication time, device asset tag/serial, managed by (MDM/NAC), location, control evidence (query outputs/screenshots), and remediation notes. For service accounts, also record purpose, credential storage (vaulted/unvaulted), and secret rotation status.

Step 4 — Discover service accounts and processes acting on behalf of identities

Service accounts are the blind spot assessors look for first. Search for user objects that never log on interactively (SPNs set, "password never expires", logons restricted to servers), scheduled tasks and Windows services that run as a named account, Kubernetes service accounts, and cloud service principals (for Entra, az ad sp list --all). Examples:

- Windows scheduled tasks and IIS app pool identities

- SQL Server service accounts and linked login mappings

- Kubernetes:

kubectl get serviceaccounts --all-namespaces -o yaml

- AWS: IAM roles attached to EC2 or Lambda (use tagging filters to identify roles that access S3 buckets containing CUI).

Step 5 — Reconcile and consolidate into an authoritative inventory

Automate reconciliation to remove duplicates and stale accounts. Use unique keys (email, UPN, device serial). For a small org, a CSV or a lightweight CMDB (e.g., Ralph, Snipe‑IT) may be sufficient. Example CSV row format:

id,type,owner,privileged,cui_access,last_auth,managed_by,location,notes
svc_backup,service,IT,Yes,Yes,2026-03-02,HashiCorp Vault,datacenter,"Rotated monthly via HashiCorp Vault"
jane.doe,user,Engineering,No,Yes,2026-03-31,Entra ID,NYC,"MFA enabled"
workstation-045,device,Jane Doe,No,Yes,2026-03-30,Intune,NYC,"Reimaged 2026-01-10"

Keep an audit trail: store the raw query outputs (JSON/CSV) and the reconciled inventory snapshot as evidence for compliance reviewers.
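As an added example (not code from the original post), the script below takes constructed exports shaped like the AD, Entra, Intune and scheduled‑task outputs from Steps 2 and 4, classifies each record with the Step 3 taxonomy, deduplicates on lower‑cased UPN or hostname, and emits the Step 5 CSV together with the findings an assessor asks about (stale accounts, unvaulted service secrets, unmanaged devices, and which task a service account acts on behalf of). The example.com domain, the svc_ naming convention, the CUI group and host names, and the Entra/Intune field names are assumptions.

```python
"""Classify and reconcile identity/device exports into one CUI inventory.
Added example, not code from the original post. Records mimic the shape of
`Get-ADUser/Get-ADComputer | ConvertTo-Json`, `az ad user list`, an Intune export and
`Get-ScheduledTask`; all data is constructed, the field names and svc_ convention assumed."""
import csv
import io
from datetime import date, timedelta
UF_WORKSTATION_TRUST, UF_SERVER_TRUST, UF_DONT_EXPIRE_PASSWD = 0x1000, 0x2000, 0x10000  # userAccountControl bits
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
CUI_GROUPS = {"CUI-Project-Alpha"}   # groups that grant CUI access (from Step 1 scoping)
CUI_SYSTEMS = {"db01.example.com"}   # hosts that hold CUI (from Step 1 scoping)
STALE_AFTER = timedelta(days=90)
REPORT_DATE = date(2026, 4, 5)       # "today" for the stale-account rule
FIELDS = ["id", "type", "owner", "privileged", "cui_access", "last_auth", "managed_by", "flags", "notes"]

def ad_rec(sam, upn, uac, last, spn=(), groups=()):
    return {"sAMAccountName": sam, "userPrincipalName": upn, "userAccountControl": uac,
            "lastLogonDate": last, "servicePrincipalName": list(spn), "memberOf": list(groups)}

AD_EXPORT = [
    ad_rec("jane.doe", "jane.doe@example.com", 0x200, "2026-03-31",
           groups=["CN=CUI-Project-Alpha,OU=Groups,DC=example,DC=com"]),
    ad_rec("svc_backup", "svc_backup@example.com", 0x200 | UF_DONT_EXPIRE_PASSWD, "2026-03-02",
           spn=["MSSQLSvc/db01.example.com:1433"], groups=["CN=Domain Admins,CN=Users,DC=example,DC=com"]),
    ad_rec("old.contractor", "old.contractor@example.com", 0x200, "2025-10-01"),
    ad_rec("WORKSTATION-045$", None, UF_WORKSTATION_TRUST, "2026-03-30"),
]
ENTRA_EXPORT = [  # jane.doe is synced here too: the merge must not count her twice
    {"id": "00000000-0000-4000-8000-000000000001", "userPrincipalName": "Jane.Doe@example.com"},
    {"id": "00000000-0000-4000-8000-000000000002", "userPrincipalName": "svc_reports@example.com"},
]
INTUNE_EXPORT = [{"deviceName": "WORKSTATION-045", "serialNumber": "SN045",
                  "userPrincipalName": "jane.doe@example.com", "lastSyncDateTime": "2026-03-30"}]
SCHEDULED_TASKS = [{"TaskName": "Nightly CUI backup", "RunAs": "EXAMPLE\\svc_backup"}]
VAULTED = {"svc_backup"}  # accounts whose secret is held in the secrets manager

def classify_ad(rec):
    """Map an AD object onto the page's taxonomy: device / service / user."""
    if rec["userAccountControl"] & (UF_WORKSTATION_TRUST | UF_SERVER_TRUST):
        return "device"
    # An SPN means Kerberos clients authenticate *to* this account, i.e. it is a service.
    if rec["servicePrincipalName"] or rec["sAMAccountName"].lower().startswith("svc_"):
        return "service"
    return "user"

def new_row(key, kind):
    return {"id": key, "type": kind, "owner": "", "privileged": "No", "cui_access": "No",
            "last_auth": "", "managed_by": "", "flags": set(), "notes": ""}

def build_inventory(ad, entra, intune, tasks, vaulted, today):
    """Merge every source on a normalized key (UPN for accounts, hostname for devices)."""
    inv = {}
    for r in ad:
        kind = classify_ad(r)
        key = (r["sAMAccountName"].rstrip("$") if kind == "device" else r["userPrincipalName"]).lower()
        row = inv.setdefault(key, new_row(key, kind))
        row["last_auth"] = max(row["last_auth"], r["lastLogonDate"])  # ISO dates order as strings
        groups = {g.split(",")[0][3:] for g in r["memberOf"]}  # first RDN without its "CN=" prefix
        spn_hosts = {s.split("/", 1)[1].split(":")[0] for s in r["servicePrincipalName"] if "/" in s}
        row["privileged"] = "Yes" if groups & PRIVILEGED_GROUPS else row["privileged"]
        if groups & CUI_GROUPS or spn_hosts & CUI_SYSTEMS:
            row["cui_access"] = "Yes"
        if kind == "service" and r["userAccountControl"] & UF_DONT_EXPIRE_PASSWD:
            row["flags"].add("password-never-expires")
    for r in entra:  # cloud-only accounts appear here; synced ones dedupe on the lower-cased UPN
        key = r["userPrincipalName"].lower()
        inv.setdefault(key, new_row(key, "service" if key.startswith("svc_") else "user"))
    for d in intune:
        key = d["deviceName"].lower()
        row = inv.setdefault(key, new_row(key, "device"))
        row["managed_by"], row["owner"] = "Intune", d["userPrincipalName"].lower()
        row["last_auth"] = max(row["last_auth"], d["lastSyncDateTime"])
    by_sam = {r["id"].split("@")[0]: r for r in inv.values() if r["type"] != "device"}
    for t in tasks:  # a scheduled task is a process acting on behalf of its RunAs account
        acct = by_sam.get(t["RunAs"].split("\\")[-1].lower())
        if acct:
            acct["notes"] = "runs task: " + t["TaskName"]
    for row in inv.values():  # the findings an assessor will ask about
        if row["type"] == "service" and row["id"].split("@")[0] not in vaulted:
            row["flags"].add("unvaulted-secret")
        if row["type"] == "device":
            row["cui_access"] = inv.get(row["owner"], {}).get("cui_access", "No")
            if not row["managed_by"]:
                row["flags"].add("unmanaged-device")
        if row["last_auth"] and today - date.fromisoformat(row["last_auth"]) > STALE_AFTER:
            row["flags"].add("stale")
    return inv

def to_csv(inv):
    buf = io.StringIO()
    w = csv.DictWriter(buf, fieldnames=FIELDS)
    w.writeheader()
    for row in sorted(inv.values(), key=lambda r: (r["type"], r["id"])):
        w.writerow({**row, "flags": ";".join(sorted(row["flags"]))})
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(build_inventory(AD_EXPORT, ENTRA_EXPORT, INTUNE_EXPORT, SCHEDULED_TASKS, VAULTED, REPORT_DATE)))
```

Run it with python3 and it prints five rows: jane.doe once (not twice), svc_backup mapped to the CUI database host and to its backup task, svc_reports flagged as an unvaulted secret, old.contractor flagged stale, and the workstation inheriting its owner's CUI access. To use it on real data, replace the constructed lists with json.load() of the exports from Step 2 and keep both the raw exports and the generated CSV as evidence.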

Step 6 — Implement controls and automation

Once mapped, apply controls: enforce unique identities (no shared human accounts), put service account credentials into a secrets manager (HashiCorp Vault, Azure Key Vault), enable MFA for all human logins, and onboard endpoints to MDM with baseline configurations. Integrate your inventory with NAC or conditional access so unmanaged or noncompliant devices are quarantined. Automate periodic discovery with scheduled scripts or SIEM ingestion to detect new accounts/devices and flag anomalies.

Risk of not implementing IA.L2-3.5.1

Failure to identify and map users, service accounts, and devices introduces significant risk: undetected privileged or orphaned accounts enable lateral movement and data exfiltration, unmanaged endpoints serve as initial access vectors, and missing evidence leads to a finding in a CMMC assessment, which puts DoD contract eligibility at risk. In practice, small businesses with poor inventories are commonly compromised through stale service credentials or unmanaged contractor devices.

Compliance tips and best practices

Practical tips: enforce least privilege and role‑based access, require unique UIDs for all human users, vault and rotate service credentials automatically, use device posture checks for CUI access, and schedule quarterly reviews of the inventory with application and process owners. Keep evidence: snapshots of queries, ticket references for remediation, and screenshots of MDM/NAC policies. If your IT is outsourced, require the provider to deliver these inventories and include SLA clauses for inventory refresh cadence.

Summary: By scoping CUI systems, collecting authoritative identity and device data, classifying and reconciling accounts, vaulting service credentials, and automating ongoing discovery and enforcement, a small business can satisfy IA.L2-3.5.1 and substantially reduce risk. Start with a prioritized list (systems that handle CUI), produce an initial authoritative inventory within 30 days, and iterate to full automation and policy enforcement thereafter.
