Maintaining an accurate, actionable inventory of users, agent processes, and devices is one of the most practical controls small businesses can implement to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 (IA.L1-B.1.V); this post shows how to build that inventory with specific tools, fields, processes, and examples you can adopt immediately.
What IA.L1-B.1.V and FAR 52.204-21 expect
IA.L1-B.1.V is the CMMC 2.0 Level 1 practice that carries FAR 52.204-21(b)(1)(v), which reads: "Identify information system users, processes acting on behalf of users, or devices." In practice that means you must know which user accounts, which automated processes (service accounts, endpoint agents, scheduled jobs), and which devices can reach the contractor information systems that process, store, or transmit Federal Contract Information (FCI), because the access-control practices that follow (limit access to authorized users, processes, and devices) can only be applied to things you have first identified. FAR 52.204-21 as a whole requires basic safeguarding of those systems. The inventory is the authoritative source of truth for this practice: it defines which systems the Level 1 practices apply to, backs the self-assessment you submit, and is the evidence an assessor or auditor will ask to see.
Practical implementation steps
1) Automated discovery + manual validation
Start with automated discovery to reduce effort: query Active Directory (Get-ADUser / Get-ADComputer), Azure AD (now Microsoft Entra ID) device and sign-in reports, MDM platforms (Intune, Jamf), and DHCP/Wi‑Fi logs to capture endpoints. Each source has a blind spot, which is why you need several: AD only knows domain-joined machines, MDM only knows enrolled ones, and DHCP sees anything that took a lease, managed or not. Use endpoint telemetry (osquery, Wazuh, CrowdStrike) to enumerate installed agents and running processes. Complement discovery with a short manual sweep of the places automation misses (guest Wi‑Fi, unmanaged printers, IoT) and a simple user survey asking employees to declare personal devices used for work. Run discovery on a schedule (daily for DHCP/agent heartbeats; weekly for AD/MDM reconciliation) and export the results in a machine-readable form (CSV or JSON) for ingestion into a CMDB or spreadsheet.
2) Design the inventory schema (what to capture)
Your inventory must capture attributes that matter for access and risk. Minimum fields: unique asset ID, owner (employee name and userID), device type (laptop/phone/server/IoT), OS and version, MAC address, last-seen timestamp, IP address, installed security agents (antivirus, MDM, EDR), privilege level (local admin? service account?), associated user accounts, whether the device stores or accesses FCI, and location (on‑prem/cloud). For users include username, display name, role/title, privileged flag, MFA enabled, last login. For agent processes, record the agent name, version, purpose, user context (system/service), and whether it requires network access to FCI systems.
3) Control agent processes and service accounts
Inventorying agents is not the same as approving them—create policy to control which agents are allowed. Use EDR/MDM to report running processes and automate alerting for unknown executables. Map service accounts to specific business needs and require justification and owner fields in the inventory. Where possible, replace long-lived service account credentials with managed identities or short-lived tokens. For example, a small business using Azure can replace a static service account with a Managed Identity assigned to the VM and record the identity in the inventory.
4) Integrate inventory into operations
Make the inventory the source of truth for onboarding/offboarding and change control: new hires trigger device assignment and inventory entries; departures trigger device reclamation and account disablement. Integrate discovery with ticketing (create an automatic ticket when an unmanaged device with FCI access is detected), conditional access (block devices not enrolled in MDM), and SIEM (ingest "last seen" and agent status into Splunk/Elastic). Keep an audit trail: export CSV snapshots of the inventory quarterly and retain the underlying discovery logs, so you can show an assessor both the current state and how it was produced.
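The four steps above as one worked example, added here and not code from the original post: a Python script that merges constructed exports from the discovery sources in step 1 into the step-2 schema, checks running agents against the step-3 allowlist, and emits the findings that the step-4 ticketing integration would turn into tickets. The column names follow what Get-ADComputer, the Intune device export, an osquery/EDR process listing and a DHCP lease dump produce, but every host, user, address and timestamp is invented, and the convention that FCI-scoped machines live in an OU named FCI-Workstations is an assumption you would replace with your own scoping rule.

```python
import csv
import io
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample exports: column names mirror Get-ADComputer, the Intune device export,
# an osquery/EDR process listing and a DHCP lease dump, but every value is invented.
AD_CSV = """Name,OperatingSystem,LastLogonDate,DistinguishedName
ACME-LT-001,Windows 11 Enterprise,2024-05-20T08:02:00Z,"CN=ACME-LT-001,OU=FCI-Workstations,DC=acme,DC=local"
ACME-LT-002,Windows 11 Enterprise,2024-05-21T17:45:00Z,"CN=ACME-LT-002,OU=FCI-Workstations,DC=acme,DC=local"
ACME-LAB-07,Windows 10 Pro,2024-02-01T09:00:00Z,"CN=ACME-LAB-07,OU=Lab,DC=acme,DC=local"
"""
INTUNE_CSV = """deviceName,userPrincipalName,complianceState,lastSyncDateTime
ACME-LT-001,jdoe@acme.example,compliant,2024-05-21T07:55:00Z
"""
AGENTS_CSV = """hostname,agent,version
ACME-LT-001,CrowdStrike Falcon,7.12
ACME-LT-001,Intune Management Extension,1.72
ACME-LT-002,CrowdStrike Falcon,7.12
ACME-LT-002,RemoteAdminTool,3.0
"""
DHCP_CSV = """hostname,mac,ip,lease_start
ACME-LT-001,00:1A:2B:3C:4D:01,10.10.1.21,2024-05-21T07:50:00Z
ACME-LT-002,00:1A:2B:3C:4D:02,10.10.1.22,2024-05-21T17:40:00Z
unknown-android,AA:BB:CC:DD:EE:FF,10.10.1.88,2024-05-21T12:10:00Z
"""

ALLOWED_AGENTS = {"CrowdStrike Falcon", "Intune Management Extension"}  # change-controlled list (step 3)
STALE_AFTER = timedelta(days=30)  # no heartbeat from any feed for this long -> stale
FCI_OU = "OU=FCI-Workstations"    # assumption: FCI-scoped machines are kept in this OU
NOW = datetime(2024, 5, 22, tzinfo=timezone.utc)  # fixed clock so the example is reproducible

@dataclass
class Asset:  # the step-2 schema, trimmed to the fields the checks below use
    asset_id: str
    owner: str = ""
    os_version: str = ""
    mac: str = ""
    ip: str = ""
    last_seen: Optional[datetime] = None
    agents: list = field(default_factory=list)  # (name, version) pairs from EDR/osquery
    mdm_enrolled: bool = False
    mdm_compliant: bool = False
    fci_access: bool = False
    sources: set = field(default_factory=set)   # which discovery feeds saw this host

def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _rows(text: str) -> list:
    return list(csv.DictReader(io.StringIO(text)))

def build_inventory(ad_csv=AD_CSV, intune_csv=INTUNE_CSV, agents_csv=AGENTS_CSV, dhcp_csv=DHCP_CSV) -> dict:
    """Merge the four feeds on hostname, upper-cased because DHCP and AD disagree on case."""
    inv: dict = {}

    def asset(name: str, source: str) -> Asset:
        a = inv.setdefault(name.upper(), Asset(asset_id=name.upper()))
        a.sources.add(source)
        return a

    def seen(a: Asset, when: datetime) -> None:  # keep the newest heartbeat across feeds
        a.last_seen = when if a.last_seen is None else max(a.last_seen, when)

    for r in _rows(ad_csv):
        a = asset(r["Name"], "ad")
        a.os_version = r["OperatingSystem"]
        a.fci_access = FCI_OU in r["DistinguishedName"]
        seen(a, _ts(r["LastLogonDate"]))
    for r in _rows(intune_csv):
        a = asset(r["deviceName"], "mdm")
        a.owner, a.mdm_enrolled = r["userPrincipalName"], True
        a.mdm_compliant = r["complianceState"] == "compliant"
        seen(a, _ts(r["lastSyncDateTime"]))
    for r in _rows(agents_csv):
        asset(r["hostname"], "edr").agents.append((r["agent"], r["version"]))
    for r in _rows(dhcp_csv):
        a = asset(r["hostname"], "dhcp")
        a.mac, a.ip = r["mac"], r["ip"]
        seen(a, _ts(r["lease_start"]))
    return inv

def find_issues(inv: dict, now: datetime = NOW) -> list:
    """(asset_id, finding) pairs; each is what the step-4 integration turns into a ticket."""
    issues = []
    for a in sorted(inv.values(), key=lambda x: x.asset_id):
        if a.fci_access and not a.mdm_enrolled:   # conditional access cannot gate this device
            issues.append((a.asset_id, "unmanaged-with-fci-access"))
        if not a.sources & {"ad", "mdm"}:          # on the wire but in no directory
            issues.append((a.asset_id, "unknown-device-on-network"))
        for name, _ in a.agents:
            if name not in ALLOWED_AGENTS:
                issues.append((a.asset_id, f"unapproved-agent:{name}"))
        if a.last_seen is not None and now - a.last_seen > STALE_AFTER:
            issues.append((a.asset_id, "stale-no-heartbeat"))
    return issues

if __name__ == "__main__":
    for asset_id, finding in find_issues(build_inventory()):
        print(f"TICKET {asset_id}: {finding}")
```

On the constructed data this reports four findings: the lab machine has not been seen by any feed in over 30 days, ACME-LT-002 sits in the FCI OU but is not enrolled in Intune and is running an agent that is not on the allowlist, and an Android device took a DHCP lease without appearing in AD or MDM. The point of merging on hostname with the newest timestamp winning is that no single feed is trusted for "last seen"; a laptop that stopped syncing with Intune but still authenticates to AD is not stale, while one that has gone quiet everywhere is.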
Real-world small-business scenario
Example: Acme Defense Logistics, 40 employees, handling FCI on laptops and a cloud file share. Implementation: deploy Microsoft Intune for device management, enable Azure AD Join, and run a periodic AD export such as "Get-ADComputer -Filter * -Properties LastLogonDate | Select-Object Name, LastLogonDate" together with Intune inventory exports to populate the CMDB. Two caveats on that command: LastLogonDate is not in Get-ADComputer's default property set, so it comes back empty unless you request it with -Properties, and it is derived from lastLogonTimestamp, which replicates with up to a 14-day lag, so treat it as a coarse "has this machine been alive recently" signal rather than a precise timestamp. Use osquery on Linux systems and ManageEngine/OCS Inventory on older Windows workstations to capture installed agents and running processes. Create a "device classification" field (mark deskside lab machines "non‑FCI" and corporate laptops "FCI") and apply conditional access requiring Intune compliance for any device accessing the file share. Result: assessors see a single report showing all FCI-classified devices, owners, last-seen timestamps, and installed security agents.
Compliance tips and best practices
Keep the scope tight: include only systems that process, store, or transmit FCI in your Level 1 scope, so you are not applying controls to machines that never touch it. Note that Level 1 is about FCI; if you also handle CUI, that pulls you into CMMC Level 2 and a larger set of practices, so keep the two classifications distinct in the inventory. Automate as much as possible: scripts, scheduled exports, and integrations reduce drift. Use asset tags and QR codes for physical devices and document them in your inventory. Require MFA for privileged users and include MFA status in the user inventory. Maintain a short list of "allowed agents" and require change-control approval to add new agents. For small shops without a CMDB, a well-structured Google Sheet or Excel workbook generated from automated exports is acceptable if you keep change logs and backups.
Risks of not implementing a practical inventory
Without an accurate inventory you risk unauthorized access (unmanaged devices bypassing controls), uncontrolled service accounts with exposed credentials, inability to demonstrate safeguarding to auditors, and ultimately contract loss or financial penalties. Operationally, missing devices create blind spots that increase incident response time: you won't know which endpoints to isolate, which users to notify, or which processes to investigate. Non-compliance can also block new awards if you cannot demonstrate basic FAR and CMMC safeguards.
Summary: build a focused, searchable inventory that includes users, agent processes, and devices; automate discovery with AD/MDM/EDR/NAC, capture specific attributes required for access decisions, integrate inventory into onboarding/offboarding and conditional access, and retain evidence for audits—doing so converts an abstract compliance requirement into operational security that protects your people, contracts, and reputation.