
How to Implement User, Process, and Device Identification for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V: A Step-by-Step Checklist

A practical, step-by-step checklist for small businesses to identify and control users, processes, and devices to meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V requirements.

April 05, 2026

This post provides a practical, actionable checklist to implement user, process, and device identification—mapped to the Compliance Framework for FAR 52.204-21 and CMMC 2.0 Level 1 Control IA.L1-B.1.V—so a small business can meet requirements, reduce risk, and prepare for an assessment or audit.

Scope and objectives (Compliance Framework / Practice)

The objective under the Compliance Framework is to ensure that every actor interacting with contractor systems—human users, system processes (services, daemons, containers), and endpoint devices—can be uniquely identified and tied to authentication and accounting records. Practically this means: (a) assign unique IDs, (b) enforce authentication and device attestation for access, (c) record identity-related events for auditing, and (d) manage the identity lifecycle (provisioning/deprovisioning). For small businesses this is a lightweight but disciplined set of controls that supports FAR 52.204-21 basic safeguarding and the CMMC Level 1 IA requirement.

Step-by-step implementation checklist

Use the following ordered checklist as your implementation plan. Each step includes concrete actions and technical examples you can adapt to your environment.

Step 1 — Inventory and classification

Action: Build an authoritative inventory of users, processes, and devices. Tools: Active Directory / Azure AD / LDAP / JumpCloud for users; endpoint management (Intune, Jamf, or Intune alternatives) for devices; process inventories from configuration management. Example commands: on Windows AD run Get-ADUser -Filter * -Properties Enabled,LastLogonDate | Export-Csv users.csv; on Linux list local accounts with awk -F: '{print $1}' /etc/passwd and collect running services with systemctl list-units --type=service. Store the inventory in a CSV or CMDB and tag entries with owner, location, business justification, and whether they touch Controlled Unclassified Information (CUI).

Step 2 — Define identity naming and account types

Action: Standardize naming and differentiate account types. Create conventions: user accounts (u.lastname), service accounts (svc-appname), admin accounts (adm-teamrole). Document the rules in an identity policy (Compliance Framework Practice). Avoid shared human accounts. For short-lived automation, use scoped service accounts or machine identities with descriptive tags and expiration timestamps enforced by your provisioning tooling (e.g., Terraform, Ansible, or cloud IAM roles).

Step 3 — Centralize authentication and enable device attestation

Action: Centralize authentication to reduce gaps. For small businesses: use Azure AD (cloud-first) or an on-prem AD tied to LDAP/SSO. Enroll endpoints in an MDM (Intune, Jamf, or a lightweight MDM) and issue machine certificates using SCEP/PKI or use cloud device attestation (Azure AD Conditional Access + device compliance). Example: Azure AD Join + Intune enrollment with Conditional Access policy requiring device compliance and MFA for access to contract systems. On Linux servers, use SSSD + LDAP + machine-cert authentication (SSH with certificate authority) rather than key-sharing across users.

Step 4 — Identify and protect processes and service identities

Action: Treat processes as first-class identities. Use dedicated service accounts for daemons and containers; sign container images and map image names to runtime processes. Technical measures: enable Sysmon on Windows to log process creation (include parent process and command line); on Linux configure auditd with a rule like -a exit,always -F arch=b64 -S execve -k process_exec to capture exec calls. For containers, require image signing (notary/cosign) and use platform RBAC to limit which services can run which images.

Step 5 — Logging, monitoring, and retention

Action: Collect identity-related events centrally. Windows: enable "Audit Process Creation" and forward to a central collector (Sysmon + Windows Event Forwarding). Linux: forward auditd logs to a central syslog/SIEM (rsyslog -> ELK/Splunk/Datadog). Ensure logs include user ID, process ID, device hostname, timestamp, and action. Retention guidance: retain authentication and process logs for a minimum 90 days (longer if contract requires) and protect logs with access controls and integrity checks (WORM storage or write-once buckets).
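Steps 4 and 5 together say that each forwarded exec record must carry the user, process, host, timestamp, and action. The following added example (not code from this post) checks that completeness over constructed auditd execve records in an assumed rsyslog-forwarded layout, where the syslog header supplies the timestamp and hostname; the HEADER pattern is an assumption to adjust for your own collector.

```python
import re

# Constructed sample: execve SYSCALL records from the Step 4 auditd rule (key
# process_exec) as forwarded by rsyslog, whose header supplies timestamp and host.
# The exact layout is assumed; adjust HEADER to what your collector emits.
SAMPLE_LOGS = """2026-04-05T10:00:01Z ws-dev01 audit: type=SYSCALL msg=audit(1775383201.101:4001): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1311 auid=1001 uid=1001 comm="git" exe="/usr/bin/git" key="process_exec"
2026-04-05T10:00:02Z ws-dev01 audit: type=SYSCALL msg=audit(1775383202.222:4002): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1402 auid=4294967295 uid=0 comm="sh" exe="/usr/bin/dash" key="process_exec"
2026-04-05T10:00:03Z  audit: type=SYSCALL msg=audit(1775383203.333:4003): arch=c000003e syscall=59 success=yes exit=0 ppid=1200 pid=1450 uid=1001 comm="ssh" exe="/usr/bin/ssh" key="process_exec"
"""

AUID_UNSET = "4294967295"  # auditd writes this when no login session owns the process
REQUIRED = ("ts", "host", "pid", "auid", "exe")  # identity fields Step 5 calls for

HEADER = re.compile(r"^(?P<ts>\S+) (?P<host>\S*) audit: (?P<body>.*)$")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one forwarded line into a dict of syslog header and audit key=value fields."""
    m = HEADER.match(line)
    if not m:
        return None
    rec = {"ts": m.group("ts"), "host": m.group("host")}
    for key, val in KV.findall(m.group("body")):
        rec[key] = val.strip('"')
    return rec

def check_identity(line):
    """Return problems with one record; an empty list means it is audit-complete."""
    rec = parse_record(line)
    if rec is None:
        return ["unparseable record"]
    problems = [f"missing {f}" for f in REQUIRED if not rec.get(f)]
    # auid is the login user that started the session, so it survives sudo; an unset
    # auid means the exec cannot be tied to any identified user at all.
    if rec.get("auid") == AUID_UNSET:
        problems.append(f"pid {rec.get('pid')} ({rec.get('exe')}) not attributable to a login user")
    return problems

def audit_lines(text):
    """Map 1-based line number to its problem list for every non-blank line."""
    return {i: check_identity(l) for i, l in enumerate(text.splitlines(), 1) if l.strip()}

if __name__ == "__main__":
    for n, probs in audit_lines(SAMPLE_LOGS).items():
        print(n, probs or "ok")
```

Running it over the sample flags the daemon-spawned shell (unset auid) and the record whose forwarder dropped the hostname, which are exactly the gaps an assessor would ask about.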

Step 6 — Lifecycle, access reviews, and automation

Action: Implement onboarding/offboarding workflows tied to HR and change management. Automate provisioning/deprovisioning via scripts, SCIM, or IAM APIs. Schedule quarterly access reviews where owners verify user/device/process entries in the inventory. Automate disabled-account checks: run a script that finds accounts without recent logins and flags them for review; example PowerShell snippet Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00. Maintain a list of approved service accounts and require approval for new ones.
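The Step 6 inactivity review and the Step 2 naming conventions can be run together over the users.csv produced in Step 1. This added example (not code from this post) does that in Python over a constructed export; the regexes, the date format in LastLogonDate, and the fixed review date are assumptions to adapt to your own policy and locale.

```python
import csv
import io
import re
from datetime import datetime, timedelta

# Naming conventions from Step 2 (assumed regexes; adjust to your identity policy).
ACCOUNT_PATTERNS = {
    "user": re.compile(r"^u\.[a-z]+$"),
    "service": re.compile(r"^svc-[a-z0-9]+$"),
    "admin": re.compile(r"^adm-[a-z0-9]+$"),
}
INACTIVE_AFTER = timedelta(days=90)  # review threshold from Step 6
REVIEW_DATE = datetime(2026, 4, 5)   # date the review is run (fixed for the sample)

# Constructed sample shaped like Step 1's Get-ADUser | Export-Csv output (date format
# assumed); an empty LastLogonDate is an account that has never logged on.
SAMPLE_CSV = """SamAccountName,Enabled,LastLogonDate
u.smith,True,2026-03-30 08:15:00
svc-backup,True,2026-04-01 02:00:00
adm-netops,True,2025-12-01 09:00:00
shared-frontdesk,True,2026-04-02 10:00:00
svc-legacy,True,
u.jones,False,2025-06-15 12:00:00
"""

def classify(name):
    """Return the account type whose naming convention matches, or None."""
    for kind, pattern in ACCOUNT_PATTERNS.items():
        if pattern.match(name):
            return kind
    return None

def review_accounts(csv_text, now=REVIEW_DATE):
    """List (account, reason) for enabled accounts that break naming or are stale."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["SamAccountName"]
        if row["Enabled"] != "True":
            continue  # disabled accounts are already out of the review's scope
        if classify(name) is None:
            findings.append((name, "does not match naming convention; possible shared account"))
        if not row["LastLogonDate"]:
            findings.append((name, "never logged on"))
            continue
        last = datetime.strptime(row["LastLogonDate"], "%Y-%m-%d %H:%M:%S")
        if now - last > INACTIVE_AFTER:
            findings.append((name, f"no logon in {(now - last).days} days"))
    return findings

if __name__ == "__main__":
    for name, reason in review_accounts(SAMPLE_CSV):
        print(f"{name}: {reason}")
```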

Real-world small business scenarios

Scenario A — 20-person software shop: Use Azure AD as the identity provider, enforce device enrollment in Intune, require Windows Hello + TPM-backed credentials, and use Conditional Access to block non-compliant devices. Log process creation with Sysmon on developer workstations and send to a cloud SIEM. Service accounts are scoped to CI/CD runners and rotated via the secrets manager (HashiCorp Vault or Azure Key Vault).

Scenario B — Small manufacturer with OT/IT split: Maintain separate inventories and a network segmentation plan. Identify industrial controllers by MAC and certificate-based device identity where possible; use network access control (NAC) to restrict unknown devices to a quarantine VLAN. For OT processes that cannot run modern agents, use proxying and flow-based monitoring to infer process identity and restrict access to OT data to specified user accounts documented in the CMDB.

Compliance tips, best practices, and risks of not implementing

Tips: document everything in a concise implementation plan mapped to the Compliance Framework and the specific FAR/CMMC control (IA.L1-B.1.V). Use least privilege and RBAC, enforce MFA for privileged interactions, avoid shared accounts, and maintain a single source of truth for identity and asset state. Best practices include signing images, using machine certificates for device identity, and automating deprovisioning. Risks of not implementing: unauthorized access, undetected lateral movement, failed contract audits, loss of contract eligibility, data exfiltration, and regulatory penalties. Simple mistakes—like shared accounts or unmanaged devices with access to contract data—are common findings during audits and are easily avoidable with these controls.

In summary, meeting IA.L1-B.1.V under the Compliance Framework is achievable for small businesses by following a prioritized checklist: inventory, standardized naming, centralized auth and device attestation, process identity controls, centralized logging, and lifecycle automation. Start small (inventory + MDM + centralized auth) and iterate toward fuller automation and monitoring so you can demonstrate controls, reduce risk, and pass a FAR/CMMC assessment.
