Meeting FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V starts with one fundamental task: reliably identifying every user, process, and device that touches your systems and the Federal Contract Information (FCI) you handle. This post gives a practical 7-step plan for a small business operating under a Compliance Framework to do that reliably and defensibly, in a way that produces audit-ready evidence.
Overview: why identification matters for Compliance Framework
Under the Compliance Framework, IA.L1-B.1.V requires demonstrable knowledge of which actors (users), automated activities (processes and services acting on behalf of users), and endpoints (devices) exist inside your system boundary, so that you can apply the appropriate protections (authentication, least privilege, logging). Without this mapping you cannot prove to an assessor or a prime contractor that FCI is confined, that access is controlled, or that basic cyber hygiene is even enforceable, and you risk contract loss, liability, and data exposure.
Step 1: Define the system boundary and control scope
First, document every system that stores, processes, or transmits FCI (on-prem servers, cloud tenants, SaaS apps, mobile devices). In practice, draw a simple network/data-flow diagram that includes cloud services (Microsoft 365/Azure, Google Workspace, AWS), local file shares, and employee endpoints. For a 20-person contractor, this typically means one Microsoft 365 tenant, a handful of shared file servers, remote laptops, and any subcontractor connections. Fill in the Compliance Framework fields for "system name", "owner", "location", and "boundary justification": this becomes the master scope document that every later piece of evidence refers back to. Anything you leave out of the boundary here must genuinely never touch FCI, because an assessor will test the boundary, not just read it.
Step 2: Create an authoritative asset inventory for devices
Use a combination of automated discovery and manual validation. Tools: Active Directory/LDAP, Intune/Jamf/Mobile Device Management (MDM), endpoint detection (Microsoft Defender for Business, CrowdStrike), and simple network scans (Nmap, Nessus) to detect unmanaged hosts. Capture device attributes: hostname, MAC address, IP, OS/version, last-seen timestamp, owner, assigned user, and classification (work/personal). Cross-check the sources against each other: a network scan misses remote laptops that are off the office network, and MDM misses anything that was never enrolled, so a device appearing in only one source is exactly the kind of gap an assessor's sample will find. For small businesses with BYOD, tag personal devices and restrict them to guest networks with no FCI access; keep the inventory in a CMDB or a secured spreadsheet with change logs to satisfy auditors.
Step 3: Enumerate and label user accounts and roles
Export user lists from your identity providers (Microsoft Entra ID, formerly Azure AD; Google Workspace; on-prem AD) and map each account to a role category (employee, contractor, service account). Enforce unique user IDs with no shared logins, and record attributes: username, email, role, last authentication, MFA status, and associated devices. Every service account needs a named human owner, otherwise there is nobody to answer for it at review time. Example: for a 12-person dev/ops team, categorize the "dev-lead", "contractor-A", and "service-build" accounts and document which of them can access FCI. This mapping supports least privilege and is direct evidence for IA.L1-B.1.V.
Step 4: Identify and classify automated processes and service accounts
Processes include scheduled jobs, CI/CD runners, backup scripts, SaaS integrations, and containerized services. Discover them by reviewing crontabs, systemd units and timers, CI tool configurations (Jenkins/GitHub Actions), IAM roles in AWS, and service principals in Azure. Log each process with its purpose, owner, the credential it uses (and how that credential is rotated), the network endpoints it contacts, and the data types it handles (FCI vs. non-FCI). For example, mark a nightly backup job that writes to an encrypted S3 bucket as "authorized process - handles FCI". Pay particular attention to jobs that run as root or embed a password or token in their command line; those are the ones an assessor will ask about first.
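To make Step 4 concrete, here is an added example in Python (not code from the original post or from any tool it mentions) that turns a system crontab and a set of systemd unit files into process inventory records and flags the things an assessor will ask about: jobs running as root, credentials embedded in the command line, and entries with no documented purpose or owner. The crontab text, the unit files, the paths, and the credential-detection regex are all constructed assumptions; in real use the sources would be read from /etc/crontab, /etc/cron.d and /etc/systemd/system.

```python
"""Build a process inventory from a system crontab and systemd unit files.

Added example; the crontab, unit files, paths and the credential-detection
regex are constructed assumptions, not a real deployment.
"""
import csv
import re
import sys
from dataclasses import dataclass, field

# System crontab format: five schedule fields, the user, then the command
CRON_RE = re.compile(r"^(?P<sched>(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")
# Heuristic for a secret passed on the command line (assumption: extend for your tools)
SECRET_RE = re.compile(r"(?i)(--?password[= ]|--?token=|secret=|AKIA[0-9A-Z]{16})")

SAMPLE_CRONTAB = """\
# /etc/crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
0 2 * * * backup /usr/local/bin/fci-backup.sh --dest s3://acme-fci-backups
*/15 * * * * root /opt/sync/pull-crm.py --token=abc123def
"""
SAMPLE_UNITS = {  # unit file name -> contents (constructed)
    "fci-index.service": "[Unit]\nDescription=Index the FCI share\n[Service]\nUser=indexer\n"
                         "ExecStart=/usr/bin/fci-index /srv/fci\n",
    "fci-index.timer": "[Timer]\nOnCalendar=daily\n[Install]\nWantedBy=timers.target\n",
    "build-agent.service": "[Service]\nExecStart=/opt/agent/run --password=Winter2024\n",
}

@dataclass
class ProcessRecord:
    name: str
    source: str
    runs_as: str
    schedule: str
    command: str
    purpose: str = "UNDOCUMENTED"  # the owner fills these in during review
    owner: str = "UNASSIGNED"
    findings: list = field(default_factory=list)

def review(rec):
    """Attach the questions an assessor will ask about each process."""
    if rec.runs_as == "root":
        rec.findings.append("runs as root")
    if SECRET_RE.search(rec.command):
        rec.findings.append("credential in command line")
    if rec.purpose == "UNDOCUMENTED" or rec.owner == "UNASSIGNED":
        rec.findings.append("missing purpose/owner")
    return rec

def parse_system_crontab(text):
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or environment assignment
        m = CRON_RE.match(line)
        if not m:
            continue
        cmd = m["cmd"].strip()
        records.append(review(ProcessRecord(
            name=cmd.split()[0].rsplit("/", 1)[-1], source="/etc/crontab",
            runs_as=m["user"], schedule=m["sched"].strip(), command=cmd)))
    return records

def parse_systemd_units(units):
    """Inventory every .service with an ExecStart; a same-named .timer gives the schedule."""
    timers = {}
    for name, text in units.items():
        if name.endswith(".timer"):
            m = re.search(r"^OnCalendar=(.+)$", text, re.M)
            timers[name[: -len(".timer")]] = m[1].strip() if m else "timer"
    records = []
    for name, text in units.items():
        if not name.endswith(".service"):
            continue
        exec_m = re.search(r"^ExecStart=(.+)$", text, re.M)
        if not exec_m:
            continue
        user_m = re.search(r"^User=(.+)$", text, re.M)
        base = name[: -len(".service")]
        records.append(review(ProcessRecord(
            name=base, source=f"/etc/systemd/system/{name}",
            runs_as=user_m[1].strip() if user_m else "root",  # systemd default
            schedule=timers.get(base, "always-on"), command=exec_m[1].strip())))
    return records

def build_inventory(crontab_text, units):
    return parse_system_crontab(crontab_text) + parse_systemd_units(units)

def needs_attention(records):
    """Processes with a finding other than the missing-metadata one, in inventory order."""
    return [r.name for r in records
            if any(f != "missing purpose/owner" for f in r.findings)]

if __name__ == "__main__":
    w = csv.writer(sys.stdout)
    w.writerow(["name", "source", "runs_as", "schedule", "command", "purpose", "owner", "findings"])
    for r in build_inventory(SAMPLE_CRONTAB, SAMPLE_UNITS):
        w.writerow([r.name, r.source, r.runs_as, r.schedule, r.command,
                    r.purpose, r.owner, "; ".join(r.findings)])
```

The CSV it prints is the raw process inventory; the purpose and owner columns are deliberately left as placeholders so the review meeting has to fill them in, and the findings column is what gets triaged first. Per-user crontabs, cron.d fragments, and CI runner definitions would each need their own small parser feeding the same ProcessRecord shape.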
Step 5: Map data flows between users, processes, and devices
Create an asset-to-data-flow matrix that shows which users and processes access which devices and where FCI moves (e.g., user laptop -> SaaS app -> cloud storage). Use VPC flow logs, proxy logs, and cloud audit logs to validate the mappings; in a small business without full logging, capture screenshots or configuration exports from SaaS access-control panels and export the Microsoft 365 audit log. This map is what lets you justify control placement (e.g., MFA on the SaaS app, encryption in transit for backups) and is a key audit artifact under the Compliance Framework.
Step 6: Implement technical controls to enforce identity and device policies
Once everything is identified, wire it into your identity and endpoint controls: enable MFA for all users handling FCI, apply Conditional Access policies (block legacy authentication, require a compliant device), enroll corporate devices in MDM, enforce disk encryption (BitLocker/FileVault), and restrict service accounts to short-lived credentials or managed identities. MFA goes beyond what Level 1 strictly requires (the control only demands that users be identified and authenticated), but it is cheap and closes the most common account-takeover path. Example for a small shop: use Entra ID (Azure AD) SSO with a Conditional Access policy that requires an Intune-compliant device for Microsoft 365 access. Keep the logs these controls produce (MFA sign-in events, device compliance reports); they are your compliance artifacts.
Step 7: Maintain, monitor, and produce evidence for audits
Identification is ongoing. Schedule quarterly reviews: reconcile HR joiners and leavers against the identity store, sweep the network for unmanaged devices, and re-run process discovery for new services. Automate alerts for orphaned accounts, stale devices, and new high-privilege service accounts. For evidence, export inventories, change logs, and enrollment reports; timestamped logs and a "who/what/when" CSV from your CMDB or asset system are typically accepted in Compliance Framework assessments. Skipping this leads to drift: unchecked devices and accounts become attack vectors, and they are exactly what an assessor's sample will turn up.
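Steps 2, 3 and 7 all come down to reconciling exports against each other. The following is an added example in Python, not the post's or any vendor's code: it takes an identity-provider user export, an HR roster, and an MDM/CMDB device export (all constructed samples, with assumed column names you would map to whatever your IdP, HR system and MDM actually emit), applies the checks described above, and writes a dated who/what/when CSV for the evidence folder.

```python
"""Reconcile identity, HR and device exports into findings plus an evidence CSV.

Added example; the three CSV exports and their column names are constructed
assumptions and must be adapted to whatever your IdP, HR system and MDM emit.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

IDP_USERS = """\
username,email,role,fci_access,mfa_enabled,last_auth
alice,alice@acme.example,employee,yes,true,2024-05-01T09:12:00Z
bob,bob@acme.example,employee,no,false,2024-04-28T16:40:00Z
carol,carol@acme.example,contractor,yes,false,2024-05-02T11:05:00Z
svc-build,svc-build@acme.example,service,no,false,2024-05-02T03:00:00Z
dave,dave@acme.example,employee,yes,true,2024-01-15T08:00:00Z
shared-ops,ops@acme.example,employee,yes,true,2024-05-02T07:30:00Z
"""
HR_ROSTER = """\
username,status
alice,active
bob,active
carol,active
shared-ops,active
"""
DEVICES = """\
hostname,assigned_user,classification,encrypted,last_seen
LT-ALICE,alice,work,true,2024-05-02T08:00:00Z
LT-BOB,bob,work,false,2024-05-01T18:30:00Z
PHONE-CAROL,carol,personal,true,2024-05-02T09:00:00Z
LT-OLD,dave,work,true,2024-02-01T12:00:00Z
"""
AS_OF = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)  # review date (constructed)

def load(text):
    return list(csv.DictReader(io.StringIO(text)))

def ts(value):
    """The sample exports use UTC 'Z' timestamps; parse them explicitly."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def reconcile(idp_csv, hr_csv, dev_csv, as_of, account_stale_days=90, device_stale_days=30):
    users, devices = load(idp_csv), load(dev_csv)
    roster = {r["username"] for r in load(hr_csv) if r["status"] == "active"}
    fci_users = {u["username"] for u in users if u["fci_access"] == "yes"}
    managed_owners = {d["assigned_user"] for d in devices if d["classification"] == "work"}
    return {
        # human accounts with no active HR record: leavers or never-onboarded identities
        "orphaned_accounts": [u["username"] for u in users
                              if u["role"] != "service" and u["username"] not in roster],
        "stale_accounts": [u["username"] for u in users
                           if as_of - ts(u["last_auth"]) > timedelta(days=account_stale_days)],
        "fci_without_mfa": [u["username"] for u in users
                            if u["username"] in fci_users and u["mfa_enabled"] != "true"],
        "stale_devices": [d["hostname"] for d in devices
                          if as_of - ts(d["last_seen"]) > timedelta(days=device_stale_days)],
        "unencrypted_work_devices": [d["hostname"] for d in devices
                                     if d["classification"] == "work" and d["encrypted"] != "true"],
        # a personal (BYOD) device in the hands of someone cleared for FCI is a scope leak
        "personal_device_for_fci_user": [d["hostname"] for d in devices
                                         if d["classification"] == "personal"
                                         and d["assigned_user"] in fci_users],
        "fci_users_without_managed_device": sorted(fci_users - managed_owners),
    }

def evidence_csv(findings, as_of):
    """One who/what/when row per finding, suitable for the dated evidence folder."""
    out = io.StringIO()
    w = csv.writer(out)
    w.writerow(["entity", "finding", "reviewed_at"])
    for finding, entities in findings.items():
        for entity in entities:
            w.writerow([entity, finding, as_of.isoformat()])
    return out.getvalue()

if __name__ == "__main__":
    print(evidence_csv(reconcile(IDP_USERS, HR_ROSTER, DEVICES, AS_OF), AS_OF))
```

Run it on each quarterly checkpoint with as_of set to the review date and file the output next to the raw exports; an empty findings list is itself evidence, as long as the dated exports that produced it are kept alongside. The staleness thresholds are parameters because the right values depend on how often your people and devices are actually expected to authenticate.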
Practical tips, real-world examples, and risks
Tips: start small. Get a working device inventory and identity export in week 1, then add process mapping in week 2; use low-cost tools for discovery (Intune for device management, Nessus Essentials, which is free but limited to 16 IP addresses, for scans); and keep an evidence folder with dated exports for each checkpoint. Real-world scenario: a subcontractor lost a laptop holding FCI because it was neither encrypted nor tracked in the CMDB; after adopting the 7 steps they enrolled every endpoint in MDM and required BitLocker, so a later loss exposed nothing. The risks of not implementing this include data exfiltration, inability to demonstrate compliance during an assessment, contract termination, and potential civil liability (for example under the False Claims Act) if compliance is misrepresented to the government.
Summary: by following these 7 steps (define scope, inventory devices, enumerate users, identify processes, map data flows, enforce controls, and maintain continuous monitoring), small businesses can satisfy IA.L1-B.1.V for FAR 52.204-21 and CMMC 2.0 Level 1 within a Compliance Framework. Document each step, retain timestamped exports, and build routine checks into operations so your identification remains accurate and audit-ready.