Requirement
NIST SP 800-171 REV.2 / CMMC 2.0 Level 2 - Control - IA.L2-3.5.1 – Identify information system users, processes acting on behalf of users, or devices.
Understanding the Requirement
This control requires that every human user account, every automated process acting on a user's behalf, and every device that accesses your systems carry a unique, unambiguous identifier, so that actions can be attributed and events traced. Under NIST SP 800-171 REV.2 / CMMC 2.0 Level 2, the assessment objectives are that system users are identified, processes acting on behalf of users are identified, and devices accessing the system are identified. Identification is the prerequisite for the companion control IA.L2-3.5.2 (authenticating those identities before granting access) and for accountability, incident investigation, and accurate logging: a log entry is only as useful as the identifier it records.
Technical Implementation
- Define and enforce a naming convention for user accounts. Establish a simple, consistent format (for example: first initial + last name, or firstname.lastname) plus a rule for collisions (a numeric suffix such as john.smith2), and apply it in your directory service (Active Directory, Azure AD, etc.). Use automated account provisioning tools or scripts so that new accounts follow the convention and carry attributes that identify role, department, or status where useful. Treat the identifier as permanent: do not hand a retired username to a new person, or older log entries will point at the wrong individual (identifier reuse is addressed separately by 3.5.5).
- Assign unique identifiers to devices and maintain an asset inventory. Tag workstations, servers, laptops, and mobile devices with an asset tag that matches an entry in your inventory (for example: Model_SN or ASSET-000123). Use centralized endpoint management (Intune, Workspace ONE, or an MDM) to enforce device names and keep them synced with your inventory system. A hostname alone is easy to spoof, so where devices authenticate to the network or VPN (802.1X, conditional access), bind the identifier to a device certificate issued at enrollment rather than relying on the name.
- Identify and label service accounts and processes. Create a distinct account for each automated process, script, or service rather than running them under generic or shared user accounts; one "svc" account shared by many jobs defeats the purpose as surely as a shared user account does. Use a naming pattern that clearly indicates purpose (e.g., svc_backup, svc_payroll), document each account's owner, and deny interactive logon where it is not required.
- Implement lifecycle controls for identifiers. Integrate account/device creation, modification, disabling, and deprovisioning into your onboarding/offboarding workflows. Ensure HR events trigger account creation and termination, and that hardware returns are reconciled with the inventory before device records are retired.
- Enable centralized logging and correlate identifiers to events. Ensure system logs include the unique user, service, or device identifier in every recorded action, and capture the stable identifier (for example the account SID or object GUID in Active Directory) alongside the username, since display names change and can collide. Configure your SIEM or log aggregator to retain identifiers, timestamps, and source device information so security events can be traced back to the responsible user, process, or device.
- Audit and reconcile regularly. Run scheduled reviews (quarterly, or more often for sensitive systems) to find ambiguous or shared accounts, duplicate device records, orphaned service accounts with no owner, service accounts that still permit interactive logon, and devices whose hostname no longer matches their asset record. Remove or rename items that violate the naming standards and document the remediation actions.
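The following Python script is an added worked example, not code from the original page, showing what the audit step looks like when the user, service account and device checks above are run together over an inventory export and the result is used to tie a log event back to one person and one machine. The CSV text and log lines are constructed sample data in the shape of a directory/MDM export (such as Get-ADUser or Get-ADComputer piped to Export-Csv); the column names, the naming patterns (firstname.lastname, svc_<purpose>, ASSET-NNNNNN) and the key=value log format are assumptions for this example, not a vendor schema.

```python
# Added example: audit a directory/MDM export for IA.L2-3.5.1 gaps and resolve log events.
import csv
import re
from collections import Counter

# Naming rules assumed here: firstname.lastname[N], svc_<purpose>, ASSET-NNNNNN (hostname = tag).
USER_RE = re.compile(r"^[a-z]+\.[a-z]+\d*$")
SERVICE_RE = re.compile(r"^svc_[a-z0-9]+$")
ASSET_RE = re.compile(r"^ASSET-\d{6}$")
GENERIC_NAMES = {"admin", "administrator", "devuser", "guest", "shared", "test", "user"}  # roles, not people

# Constructed sample exports (column names are assumptions, not a vendor schema).
USERS_CSV = """\
sAMAccountName,objectGUID,kind,owner,interactiveLogon
jane.doe,g-0001,user,,yes
john.smith,g-0002,user,,yes
john.smith2,g-0003,user,,yes
devuser,g-0004,user,,yes
JSmith,g-0005,user,,yes
svc_backup,g-0006,service,jane.doe,no
svc_ci,g-0007,service,,no
svc_deploy,g-0008,service,john.smith,yes
backupsvc,g-0009,service,jane.doe,no
"""
DEVICES_CSV = """\
hostname,assetTag,serialNumber
ASSET-000123,ASSET-000123,SN-A1
ASSET-000124,ASSET-000124,SN-A2
LAPTOP-JD,ASSET-000125,SN-A3
ASSET-000125,ASSET-000125,SN-A4
ASSET-000126,ASSET-000126,SN-A1
"""
# Constructed log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-05-02T14:03:11Z host=ASSET-000124 user=jane.doe action=file_transfer dest=203.0.113.5 bytes=58231000
2024-05-02T14:05:40Z host=LAPTOP-JD user=devuser action=file_transfer dest=203.0.113.5 bytes=91000000
2024-05-02T14:09:02Z host=UNKNOWN-PC user=svc_deploy action=file_transfer dest=203.0.113.5 bytes=120000
"""
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) action=(?P<action>\S+)")

def load(csv_text):
    return list(csv.DictReader(csv_text.splitlines()))

def audit_accounts(rows):
    """Return (account, finding) pairs for accounts that are not uniquely attributable."""
    findings = []
    for r in rows:
        name = r["sAMAccountName"]
        if r["kind"] == "service":
            if not SERVICE_RE.match(name):
                findings.append((name, "service account violates svc_<purpose> convention"))
            if not r["owner"]:
                findings.append((name, "service account has no documented owner"))
            if r["interactiveLogon"] == "yes":
                findings.append((name, "service account permits interactive logon"))
        elif name.lower() in GENERIC_NAMES:
            findings.append((name, "generic or shared account, not traceable to one person"))
        elif not USER_RE.match(name):
            findings.append((name, "user account violates firstname.lastname convention"))
    return findings

def audit_devices(rows):
    """Return (asset tag, finding) pairs for ambiguous or duplicated device records."""
    tags = Counter(r["assetTag"] for r in rows)
    serials = Counter(r["serialNumber"] for r in rows)
    findings = []
    for r in rows:
        tag, host, sn = r["assetTag"], r["hostname"], r["serialNumber"]
        if not ASSET_RE.match(tag):
            findings.append((tag, "asset tag violates ASSET-NNNNNN convention"))
        if tags[tag] > 1:
            findings.append((tag, "asset tag assigned to more than one device record"))
        if serials[sn] > 1:
            findings.append((tag, f"serial {sn} appears in more than one record (duplicate device)"))
        if host != tag:
            findings.append((tag, f"hostname {host} does not match asset tag (MDM not enforcing it)"))
    return findings

def resolve_event(line, users, devices):
    """Map a log line to the stable identifiers behind its user and host; None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    u = next((x for x in users if x["sAMAccountName"] == m["user"]), None)
    d = next((x for x in devices if x["hostname"] == m["host"]), None)
    # Traceable: one named person, or a service account with a documented owner.
    traceable = (u is not None and m["user"].lower() not in GENERIC_NAMES
                 and (u["kind"] == "user" or bool(u["owner"])))
    return {"timestamp": m["ts"], "action": m["action"], "user": m["user"],
            "user_guid": u["objectGUID"] if u else None, "owner": (u["owner"] or None) if u else None,
            "traceable": traceable, "host": m["host"], "asset_tag": d["assetTag"] if d else None,
            "serial": d["serialNumber"] if d else None}

if __name__ == "__main__":
    users, devices = load(USERS_CSV), load(DEVICES_CSV)
    for ident, why in audit_accounts(users) + audit_devices(devices):
        print(f"FINDING {ident}: {why}")
    print(*(resolve_event(l, users, devices) for l in SAMPLE_LOG.splitlines()), sep="\n")
```

On the sample data the audit flags devuser (generic account), JSmith (off-convention), svc_ci (no owner), svc_deploy (interactive logon allowed) and backupsvc (off-convention), plus the duplicated ASSET-000125 tag, the serial recorded under two tags, and the laptop whose hostname was never set to its tag. The second log line shows the cost of a shared account: the event resolves to a machine but to nobody in particular, which is exactly what the quarterly cleanup is meant to eliminate.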
Example in a Small or Medium Business
At a 35-person product design firm, the IT manager implements a naming standard and asset inventory to meet IA.L2-3.5.1. New hires receive an AD account using the convention firstname.lastname and an email that matches the account; the HR system triggers account creation so names are consistent. Laptops are asset-tagged on arrival with a barcode (DESKTOP_12345) and enrolled in the company MDM, which enforces the tag as the device hostname. Automated build and deployment processes run under distinct service accounts like svc_ci and svc_deploy, each documented with an owner and purpose. During quarterly audits, the IT manager finds several shared accounts labeled "devuser" and replaces them with named accounts tied to contractors and employees, revoking unnecessary access. Logging is configured to include user and device identifiers on critical systems, so when a suspicious file transfer is detected, the team can quickly map the event to a specific user and machine. The company updates onboarding/offboarding checklists to ensure accounts and devices are created and retired consistently, and trains staff responsible for account management on the naming rules and audit process.
Summary
Implementing IA.L2-3.5.1 is straightforward for SMBs when you combine clear policy with practical technical controls: define naming conventions and asset tagging, use automated provisioning and endpoint management, separate service/process accounts, and maintain centralized logging and regular audits. These measures make users, processes, and devices uniquely identifiable, which supports reliable authentication, accountability, and faster incident response while keeping administrative overhead manageable for small IT teams.