This 30-day checklist walks small businesses through practical, prioritized steps to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V — identify users, service accounts, and devices before granting access — with focused discovery, classification, remediation, and evidence collection you can implement with existing tools and minimal budget.
Week 1 — Discovery and Baseline Inventory (Days 1–7)
Start by discovering everything that looks like a user, service account, or device. For many small businesses that means pulling lists from Active Directory/Azure AD, endpoint management (Intune, Jamf), cloud IAM (AWS/GCP/Azure), and any legacy local accounts. Practical steps: run Get-ADUser/Get-ADComputer queries or Azure CLI/AWS CLI commands, export local accounts from Linux servers, and extract device lists from your Wi‑Fi controller or NAC. Example PowerShell commands (run from a host with the ActiveDirectory module installed):
Get-ADUser -Filter * -Properties Enabled,Created,LastLogonDate,PasswordLastSet | Export-Csv users.csv -NoTypeInformation
Get-ADComputer -Filter * -Properties OperatingSystem,Created,LastLogonDate | Export-Csv devices.csv -NoTypeInformation
For Linux hosts, list local (non-system) accounts; UID 65534 is the nobody account:
awk -F: '($3>=1000)&&($3!=65534){print $1}' /etc/passwd
Capture where each account lives, its creation date, its last logon, and whether it is privileged (for example, Domain Admins membership or sudo rights).
Week 2 — Classification, Naming Conventions, and Quick Remediation (Days 8–14)
Use the inventory to classify each identity: human user, service account (backup, monitoring, automation), or device (workstation, server, IoT). For small organizations a simple spreadsheet or a free CMDB (Snipe‑IT, GLPI) works. Apply a standard naming convention (e.g., svc_backup_*, svc_monitor_*, dev_laptop_*) and mark noncompliant items for immediate action. Real-world example: a 25-person DoD subcontractor found five generic "backup" accounts—two were legacy and unused, one had a password that never changed; they disabled unused accounts, consolidated two into one managed service account, and documented the remaining account's purpose and rotation process.
Technical Implementation Examples and Automation Tips
Automate inventory and flagging where possible. Use scheduled PowerShell/CLI jobs or a basic script to export users/devices weekly. Cloud examples:
az ad user list --query '[].{name:displayName,mail:userPrincipalName}' > azure_users.json
aws iam list-users --output json > aws_users.json
For service accounts, check whether each one can log in interactively and which long-lived credentials it holds. In AWS, a user has console access only if aws iam get-login-profile --user-name NAME succeeds, and aws iam list-access-keys --user-name NAME lists its access keys (without --user-name the command reports on the calling identity). On servers, search home directories for authorized_keys entries and note which accounts have a real login shell in /etc/passwd. Store service credentials in a vault (Azure Key Vault, AWS Secrets Manager) and replace hard-coded creds in scripts. For devices, install a lightweight endpoint agent or enable MDM enrollment to track serial numbers, OS versions, and last check-in time.
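The discovery, classification and flagging steps above, carried through as one script. This is an added example, not part of the original checklist: it reads constructed samples shaped like the exports the page's commands produce (Get-ADUser piped to Export-Csv, aws iam list-users and list-access-keys JSON, /etc/passwd lines), classifies every identity as human, service or device, and attaches the findings Week 2 acts on. The svc_ prefix is the page's Week 2 convention; the regex, the keyword hint for legacy service-account names, the 90-day stale and 365-day rotation thresholds, the pinned "today" date, the extra PasswordLastSet column, and the console_users set (the names for which aws iam get-login-profile succeeded) are all this example's assumptions.

```python
from __future__ import annotations
import csv
import json
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

SERVICE_RE = re.compile(r"^svc_[a-z]+_[a-z0-9-]+$")  # Week 2 convention svc_<role>_<name>
LEGACY_HINT = re.compile(r"backup|monitor|nagios|deploy|sql|scan", re.I)  # assumed hint for legacy names
STALE_DAYS, ROTATION_DAYS = 90, 365  # assumed thresholds
TODAY = datetime(2024, 6, 1, tzinfo=timezone.utc)  # pinned so the sample output is reproducible


@dataclass
class Identity:
    name: str
    source: str                          # ad | aws | linux
    kind: str                            # human | service | device
    enabled: bool = True
    last_logon: datetime | None = None   # None: the export carried no logon data
    cred_set: datetime | None = None     # password last set, or oldest active access key
    interactive: bool = False            # console or shell login possible
    findings: list[str] = field(default_factory=list)


def classify(name: str) -> str:
    if name.endswith("$"):               # AD computer objects (Get-ADComputer export)
        return "device"
    return "service" if SERVICE_RE.match(name) or LEGACY_HINT.search(name) else "human"


def _when(value: str | None) -> datetime | None:
    if not value:
        return None
    dt = datetime.fromisoformat(value)   # samples are ISO-8601; real Export-Csv dates are locale formatted
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def load_ad_users(csv_text: str) -> list[Identity]:
    """Export-Csv of Get-ADUser; PasswordLastSet is added to the page's -Properties list."""
    rows = [ln for ln in csv_text.splitlines() if not ln.startswith("#TYPE")]  # PS 5.1 header without -NoTypeInformation
    return [Identity(r["SamAccountName"], "ad", classify(r["SamAccountName"]),
                     enabled=r["Enabled"] == "True", last_logon=_when(r["LastLogonDate"]),
                     cred_set=_when(r["PasswordLastSet"]), interactive=True)  # assumes no deny-logon GPO yet
            for r in csv.DictReader(rows)]


def load_aws_users(users_json: str, keys_json: str, console_users: set[str]) -> list[Identity]:
    """list-users JSON, merged list-access-keys JSON, and the names for which get-login-profile succeeded."""
    keys: dict[str, list[datetime]] = {}
    for k in json.loads(keys_json)["AccessKeyMetadata"]:
        if k["Status"] == "Active":
            keys.setdefault(k["UserName"], []).append(_when(k["CreateDate"]))
    return [Identity(u["UserName"], "aws", classify(u["UserName"]),
                     last_logon=_when(u.get("PasswordLastUsed")),
                     cred_set=min(keys.get(u["UserName"], []), default=None),
                     interactive=u["UserName"] in console_users)  # a login profile means console access
            for u in json.loads(users_json)["Users"]]


def load_linux_users(passwd_text: str) -> list[Identity]:
    """/etc/passwd lines with the page's UID filter; the login shell decides interactive."""
    return [Identity(f[0], "linux", classify(f[0]), interactive=not f[6].endswith(("nologin", "/false")))
            for f in (ln.split(":") for ln in passwd_text.splitlines())
            if int(f[2]) >= 1000 and int(f[2]) != 65534]


def flag(i: Identity) -> list[str]:
    f = i.findings
    if not i.enabled:
        f.append("disabled: record removal date or delete")
        return f
    if i.kind == "service" and not SERVICE_RE.match(i.name):
        f.append("rename to svc_<role>_<name>")
    if i.kind == "service" and i.interactive:
        f.append("service account allows interactive login")
    if i.last_logon and TODAY - i.last_logon > timedelta(days=STALE_DAYS):
        f.append(f"stale: no logon in {STALE_DAYS} days")
    if i.cred_set and TODAY - i.cred_set > timedelta(days=ROTATION_DAYS):
        f.append(f"rotate: credential older than {ROTATION_DAYS} days")
    return f


def build_report(ids: list[Identity]) -> dict[str, tuple[str, list[str]]]:
    """'source:name' -> (kind, findings): the rows that go into the spreadsheet or CMDB."""
    return {f"{i.source}:{i.name}": (i.kind, flag(i)) for i in ids}


# Constructed sample exports, trimmed to the columns used above.
AD_CSV = """"SamAccountName","Enabled","LastLogonDate","PasswordLastSet"
"jdoe","True","2024-05-28T08:02:00+00:00","2024-02-10T09:00:00+00:00"
"backup","True","2021-11-02T03:15:00+00:00","2019-06-01T00:00:00+00:00"
"svc_backup_veeam","True","2024-05-31T01:00:00+00:00","2023-01-15T00:00:00+00:00"
"backup2","False","","2020-03-03T00:00:00+00:00"
"""
AWS_USERS = '{"Users":[{"UserName":"svc_monitor_datadog"},{"UserName":"asmith","PasswordLastUsed":"2024-05-30T12:00:00+00:00"}]}'
AWS_KEYS = '{"AccessKeyMetadata":[{"UserName":"svc_monitor_datadog","Status":"Active","CreateDate":"2022-01-10T00:00:00+00:00"}]}'
PASSWD = """nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
deploy:x:1001:1001::/home/deploy:/bin/bash
nagios:x:1002:1002::/var/lib/nagios:/usr/sbin/nologin
"""


def run_sample() -> dict[str, tuple[str, list[str]]]:
    return build_report(load_ad_users(AD_CSV) + load_aws_users(AWS_USERS, AWS_KEYS, {"asmith"})
                        + load_linux_users(PASSWD))


if __name__ == "__main__":
    print(json.dumps(run_sample(), indent=1))
```

Run as-is and each identity prints as source:name with its kind and findings; in practice you point the loaders at the exported files instead of the inline samples. Two caveats: Export-Csv writes locale-formatted dates (for example 3/14/2024 9:12:01 AM on a US system), so _when needs a matching strptime format there; and an identity whose export carries no logon data (Linux /etc/passwd, AWS users that only use access keys) is never flagged stale, so fill last_logon from lastlog or aws iam get-access-key-last-used before trusting that column.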
Week 3 — Apply Controls, Harden, and Remove Excess Privilege (Days 15–21)
After classification, enforce minimum controls: deny interactive logon for service accounts (on Windows, the "Deny log on locally" and "Deny log on through Remote Desktop Services" user rights via Group Policy; on Linux, a nologin shell), enable MFA for all human users (at least for remote access), set password rules compliant with FAR/CMMC expectations, and rotate service account credentials. MFA is not itself a Level 1 practice (it appears at Level 2), but it is inexpensive and closes the most common remote-access gap. Use tools: Group Policy for Windows password policy, Azure AD Conditional Access to require MFA, and PAM/credential vaults for privileged accounts. Implement device controls: enroll existing laptops in MDM (Intune/Workspace ONE), enforce disk encryption, and register known devices on your NAC. A MAC-address allowlist helps with inventory but is weak as an access control because MAC addresses are trivially spoofed; where the NAC supports it, prefer 802.1X with device certificates issued through MDM enrollment. Small business example: the same subcontractor used Intune to push disk‑encryption and check compliance, then blocked non‑enrolled devices from Wi‑Fi access within a week.
Week 4 — Documentation, Evidence Collection, and Stakeholder Training (Days 22–30)
Gather the artifacts auditors will expect: inventory exports, policy documents showing naming conventions and lifecycle rules, screenshots of MFA and MDM configurations, and records of disabled or consolidated accounts. Create a simple change log that shows who authorized account creations and deletions. Conduct one short training session for administrators and users on your identity policy and include a runbook for on‑boarding/off‑boarding. A practical deliverable: a one‑page "Identity & Devices" control sheet mapping each account/device to owner, purpose, classification, and last validation date.
Risks, Compliance Tips, and Best Practices
Not identifying accounts and devices increases the risk of unauthorized access, lateral movement, data exfiltration, failed audits, lost contracts, and potential debarment. Best practices: prefer managed identities over long‑lived keys, reduce the number of privileged accounts, enforce least privilege, log account creation and use (enable audit logging), and enforce device enrollment before granting network access. Compliance tips: if you lack a full IAM/PAM solution, use a secrets manager, implement periodic (quarterly) reviews, and document compensating controls. For evidence, keep exports timestamped and backed up so you can demonstrate the state at assessment time.
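A tamper-evident manifest for the evidence folder described in Week 4 and in the tip above about keeping exports timestamped. This is an added example, not part of the original checklist: it hashes every export with SHA-256, records who collected the evidence and when (UTC), and re-checks the folder later so you can show an assessor that the files on disk are the ones collected. The manifest file name, the collected_by value and the small CSV contents written by demo() are constructed for illustration.

```python
from __future__ import annotations
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST = "manifest.json"  # assumed file name


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(evidence_dir: Path, collected_by: str) -> dict:
    """Hash every export in the folder and record who collected it and when (UTC)."""
    files = sorted(p for p in evidence_dir.iterdir() if p.is_file() and p.name != MANIFEST)
    manifest = {
        "collected_at": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "collected_by": collected_by,
        "files": {p.name: sha256_file(p) for p in files},
    }
    (evidence_dir / MANIFEST).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir: Path) -> dict[str, str]:
    """Per file: 'ok', 'modified' (hash differs) or 'missing'.
    Anything but 'ok' means the evidence on disk is no longer what was collected."""
    manifest = json.loads((evidence_dir / MANIFEST).read_text())
    status = {}
    for name, digest in manifest["files"].items():
        p = evidence_dir / name
        status[name] = "missing" if not p.exists() else ("ok" if sha256_file(p) == digest else "modified")
    return status


def demo() -> tuple[dict[str, str], dict[str, str]]:
    """Constructed run: two exports, a manifest, then one export edited and one deleted afterwards."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "users.csv").write_text('"SamAccountName","Enabled"\n"jdoe","True"\n')
        (d / "devices.csv").write_text('"Name","OperatingSystem"\n"WS-01","Windows 11 Pro"\n')
        write_manifest(d, collected_by="it-admin")
        before = verify_manifest(d)
        (d / "users.csv").write_text('"SamAccountName","Enabled"\n"jdoe","True"\n"backup","True"\n')
        (d / "devices.csv").unlink()
        after = verify_manifest(d)
    return before, after


if __name__ == "__main__":
    print(demo())
```

Run write_manifest once per collection (for example at the end of each weekly export job) and keep the manifest with the backed-up copy of the folder; verify_manifest at assessment time turns "the exports are unchanged since day 30" from an assertion into something you can demonstrate.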
Summary: follow this 30‑day plan—discover (days 1–7), classify and clean up (days 8–14), enforce technical controls (days 15–21), and document and train (days 22–30)—to meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V requirements for identifying users, service accounts, and devices; use the provided commands, small‑business examples, and best practices to make fast, defensible progress and produce the evidence auditors expect.