If your organization must meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V, you need a repeatable checklist that identifies every system user, every process acting on behalf of a user, and every device that connects to your environment — this post lays out a practical, technical, and audit-ready step-by-step checklist geared toward small businesses and compliance teams.
Why identification matters and the risk of not implementing it
Under these requirements (FAR 52.204-21 / CMMC IA.L1-B.1.V) you are expected to know which identities and devices interact with Controlled Unclassified Information (CUI) and with systems that process government data. Failing to identify users, processes, and devices increases the risk of unauthorized access, lateral movement, undetected service accounts, and ultimately contract loss or penalties. Lack of accurate inventories also impedes incident response, weakens least-privilege enforcement, and creates audit gaps where an assessor can list nonconformities against your contract requirements.
Step-by-step checklist (high level)
Step 1 — Define scope and system boundaries
Start by documenting which systems, networks, cloud tenancies, applications, and data stores are in-scope for FAR/CMMC compliance (e.g., all desktops, servers, cloud-hosted apps that process contractor-controlled info). For a small business this might be: Windows domain + 5 servers, Office365 tenant, Azure subscription, 30 managed endpoints, and one on-prem file server. Record network ranges, cloud subscription IDs, and system owner contacts — these are required evidence items for auditors.
Step 2 — Inventory and classify user identities
Create or extract a canonical user identity list from authoritative stores: Active Directory (Get-ADUser -Filter *), Azure AD (Get-AzureADUser), or your IdP. Include attributes: username, real name, role, group memberships, account type (human vs service), last logon, and account owner. For local accounts on Windows servers use PowerShell: Get-LocalUser; on Linux, review /etc/passwd and SSSD/LDAP records. Tag or flag shared accounts and make a plan to eliminate them; auditors expect to see unique, attributable accounts for users accessing CUI.
Step 3 — Discover processes acting for users and service accounts
Identify processes and services that run on behalf of users or service accounts — scheduled tasks, system services, daemons, containerized workloads, and serverless functions. On Windows enumerate services and their logon accounts: Get-CimInstance Win32_Service | select Name,StartName; list scheduled tasks with schtasks /query /fo LIST /v. On Linux use ps -eo user,pid,cmd and systemctl list-units --type=service. For container platforms, run docker ps (add --format with a Go template to select the columns you need) and check Kubernetes deployments for serviceAccountName fields. Capture the relationship (process → account → host) in a spreadsheet or CMDB entry.
Step 4 — Inventory devices and endpoints
Compile an authoritative device list: hostnames, MAC addresses, IP addresses, OS, serial numbers, management agent status, last check-in, and assigned owner. Use MDM/endpoint management (Intune, Jamf, SCCM) exports when available, or run network discovery (nmap -sn 10.0.0.0/24) and ARP scans (arp -a) to catch unmanaged devices. For small businesses with BYOD, document devices that access email or cloud resources and ensure conditional access (MFA + device compliance) is enabled for access to CUI.
Step 5 — Map users, processes, and devices and validate with logs
Build a mapping artifact that ties together users, processes acting for them, and the devices those processes run on or communicate with. Use authentication logs, process execution logs, and EDR/endpoint logs to validate mappings: Windows Security event logs (4624 for logons), Sysmon process creation events, and Linux auditd records. Example: map "jsmith@acme" → scheduled task "backup-run" (schtasks output shows run-as account) → server "filesrv01" (device inventory + sysmon process event). Keep evidence screenshots or exported CSVs for each mapping to satisfy audit checkpoints.
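The mapping and log validation described in Step 5, worked as an added Python example that is not part of the original post: it joins constructed user, scheduled-task and device exports, checks each task's run-as account and host against the inventories, and confirms that each (account, host) pair actually appears in SIEM-normalized 4624/Sysmon log lines. The CSV columns, host names and account names are assumptions.

```python
import csv, io, re

# Constructed sample exports (not from the original post): Step 2 user list, Step 3 task
# dump with run-as accounts, Step 4 device inventory, and SIEM key=value log lines.
USERS_CSV = """username,account_type,owner
ACME\\jsmith,human,jsmith
ACME\\svc-backup,service,jsmith
ACME\\svc-legacy,service,
"""
TASKS_CSV = """host,task,run_as
filesrv01,backup-run,ACME\\svc-backup
filesrv01,cleanup-tmp,ACME\\svc-legacy
app01,report-gen,ACME\\svc-report
"""
DEVICES_CSV = """hostname,owner,agent_status
filesrv01,itops,healthy
"""
LOG_LINES = [
    "EventID=4624 Host=filesrv01 Account=ACME\\svc-backup LogonType=4",
    "Sysmon=1 Host=filesrv01 User=ACME\\svc-backup Image=C:\\Tools\\backup.exe",
    "EventID=4624 Host=app01 Account=ACME\\svc-report LogonType=4",
]

def rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def build_mapping(users_csv, tasks_csv, devices_csv, log_lines):
    # mapping rows: (owner, task, account, host); findings: gaps an assessor would raise
    users = {u["username"]: u for u in rows(users_csv)}
    devices = {d["hostname"] for d in rows(devices_csv)}
    seen = set()  # (account, host) pairs the logs actually show = validation evidence
    for line in log_lines:
        kv = dict(re.findall(r"(\w+)=(\S+)", line))
        acct = kv.get("Account") or kv.get("User")
        if acct and "Host" in kv:
            seen.add((acct, kv["Host"]))
    mapping, findings = [], []
    for t in rows(tasks_csv):
        acct, host, u = t["run_as"], t["host"], users.get(t["run_as"])
        owner = u["owner"] if u else ""
        mapping.append((owner or "UNOWNED", t["task"], acct, host))
        if u is None:
            findings.append(f"{acct} runs {t['task']} on {host} but is not in the user inventory")
        elif not owner:
            findings.append(f"{acct} has no account owner")
        if host not in devices:
            findings.append(f"{host} is not in the device inventory")
        if (acct, host) not in seen:
            findings.append(f"no log evidence of {acct} logging on to {host}")
    return mapping, findings
```

Each finding is a mapping an assessor cannot accept as evidence yet: an unknown account, an unowned service account, an uninventoried host, or a claimed relationship with no corroborating log record.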
Implementation details, automation, and small-business scenarios
For a small contractor with limited staff, automation is essential: schedule weekly exports from Azure AD/Intune and daily EDR agent reports. Use scripts to pull process-owner relationships. On Windows, a PowerShell one-liner that lists each process with its owning account is: Get-CimInstance Win32_Process | Select-Object ProcessId,Name,@{Name='Owner';Expression={(Invoke-CimMethod -InputObject $_ -MethodName GetOwner).User}} (CIM instances expose GetOwner through Invoke-CimMethod rather than as a direct method). On Linux: ps -eo uid,user,pid,cmd and lsof -i to see network-connected processes. Leverage a simple CMDB (Google Sheet, CSV-backed tool, or a free asset manager) to store mappings and set a recurring review task with owners assigned. Tie these inventories to access control tickets (join/leave/change) so identity lifecycle evidence is demonstrable.
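The Linux side of the process-owner collection described above, as an added Python example that is not from the original post: it turns constructed ps -eo uid,user,pid,cmd output and /etc/passwd lines into CMDB-ready (host, pid, account, cmd, finding) records, and handles the case where ps prints a bare numeric UID because the account was deleted while its process kept running. The host name, accounts and approved service-account set are assumptions.

```python
import re

# Constructed sample data (not from the original post): output of
# `ps -eo uid,user,pid,cmd` and the relevant /etc/passwd lines from host "web01".
HOST = "web01"
PS_OUTPUT = """\
  UID USER       PID CMD
    0 root         1 /sbin/init
  999 postgres   812 /usr/lib/postgresql/15/bin/postgres
 1001 jsmith    1530 python3 /opt/reports/nightly.py
 1002 1002      1622 /opt/legacy/agent --daemon
"""
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
postgres:x:999:999:PostgreSQL:/var/lib/postgresql:/bin/bash
jsmith:x:1001:1001:Jane Smith:/home/jsmith:/bin/bash
"""
# Accounts that the identity inventory (Step 2) records as approved service accounts.
SERVICE_ACCOUNTS = {"root", "postgres"}

def parse_passwd(text):
    """Return {uid: username} from /etc/passwd content."""
    out = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _, uid, *_ = line.split(":")
            out[int(uid)] = name
    return out

def collect_process_owners(ps_text, passwd_text, host, service_accounts):
    """Build (host, pid, account, cmd, finding) records; finding is "" when the
    process is attributable to an approved service account."""
    uid_to_name = parse_passwd(passwd_text)
    records = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        uid, user, pid, cmd = re.split(r"\s+", line.strip(), maxsplit=3)
        uid = int(uid)
        if uid not in uid_to_name:
            # ps prints the bare UID when no passwd entry exists: the account was
            # deleted but its process survived, so nobody owns it.
            finding = f"uid {uid} has no passwd entry (orphaned process)"
            account = f"uid:{uid}"
        elif uid_to_name[uid] not in service_accounts:
            finding = f"runs under human account {user}; confirm it is an interactive session, not unattended automation"
            account = uid_to_name[uid]
        else:
            finding, account = "", uid_to_name[uid]
        records.append((host, int(pid), account, cmd, finding))
    return records
```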
Compliance tips, best practices, and artifacts for audit
Best practices: enforce unique accounts (no shared logins), require MFA, rotate and centrally store service account credentials (vault), and implement least privilege. Retain evidence for each checklist item: exported user lists with timestamps, service-account inventories, scheduled-task/service configuration dumps, device inventory exports, and correlated log extracts showing process execution and account identity. For artifacts, auditors accept CSV exports, screenshots of console pages showing device lists, scheduled task output, and SIEM queries that return mapped relationships. Maintain a versioned checklist that shows who performed the inventory and when.
Summary
Meeting FAR 52.204-21 and CMMC IA.L1-B.1.V starts with a disciplined, repeatable checklist: define scope, inventory users, discover processes acting for users, inventory devices, map and validate with logs, and automate ongoing discovery. For small businesses, use built-in tooling (AD/Azure AD, Intune, Sysmon, auditd) plus a lightweight CMDB to record mappings and evidence. The operational result is stronger access control, faster incident response, and an audit-ready posture that demonstrates you can identify who and what is interacting with your systems and CUI.