Quarterly Access Reviews That Work: Verifying Authorized Users and Devices for AC.L1-B.1.I (CMMC Level 1)

Learn how to run no-nonsense quarterly access reviews to verify authorized users and devices for CMMC Level 1 AC.L1-B.1.I, with step-by-step procedures, tooling tips, evidence examples, and pitfalls to avoid for small businesses.

Quarterly access reviews are the simplest, most effective way to meet AC.L1-B.1.I at CMMC Level 1: verify that only authorized users and authorized devices have access to your systems. In practice, this means you keep a current list of who and what is allowed, and you prove—once a quarter—that ex-employees, stale service accounts, personal laptops, and unknown endpoints are not lingering with access. Below is a small-business-ready approach that you can run in under half a day each quarter and that produces clear, auditor-ready evidence.

What AC.L1-B.1.I Really Expects

AC.L1-B.1.I aligns with the CMMC Level 1 intent of AC.L1-3.1.1: limit system access to authorized users and devices. For a small business, the bar is practical: maintain authoritative rosters of users and devices, review them quarterly, remove anything not justified, and keep evidence. You do not need complex role engineering or advanced orchestration to satisfy Level 1; you do need to show a consistent process that identifies and removes unauthorized accounts and endpoints.

Who Runs It and How Often

Designate an “Access Review Owner” (often the IT manager or system admin) and a business approver (HR lead for workforce users; operations or finance lead for vendor accounts). Run the review quarterly on a fixed schedule, tied to HR exit/offboarding and asset inventory updates. Use a simple ticket per quarter (e.g., “2025-Q1 Access Review”) that links all exports, review notes, remediation actions, and sign-offs.

Build Your Authoritative Data Sources

For users, use your identity provider as the system of record: Microsoft Entra ID/Azure AD, Google Workspace, Okta, or JumpCloud. For devices, use your MDM/endpoint inventory: Microsoft Intune, Jamf, Kandji, or an asset database like Snipe-IT; for AD-only shops, combine AD computer objects with an EDR/AV console or DHCP leases. Export point-in-time lists with status fields, and give Export-Csv an explicit path so the file lands in the evidence folder rather than prompting. Examples: on-prem AD users with "Get-ADUser -Filter * -Properties Enabled,LastLogonDate | Export-Csv -Path 2025-Q1_Users_AD.csv -NoTypeInformation"; Entra ID users with "Get-MgUser -All -Property userPrincipalName,accountEnabled,createdDateTime | Select-Object userPrincipalName,accountEnabled,createdDateTime | Export-Csv -Path 2025-Q1_Users_Entra.csv -NoTypeInformation" (Get-MgUser returns only the properties you request, so select them before exporting); Google Workspace via GAM "gam print users query 'isSuspended=false'". For devices, Intune "Get-IntuneManagedDevice | Export-Csv -Path 2025-Q1_Devices_Intune.csv -NoTypeInformation", AD computers "Get-ADComputer -Filter * -Properties Enabled,LastLogonDate | Export-Csv -Path 2025-Q1_Devices_AD.csv -NoTypeInformation", or Jamf "jamf recon -show"/API export. Keep exports in a read-only evidence folder.

Quarterly Access Review Playbook

Scope the review to in-scope systems for Level 1 (anything handling Federal Contract Information).

Step 1: Pull user and device exports for the same day.
Step 2: Reconcile users against the HR roster: flag ex-employees, interns who ended, contractors past end-date, and shared/generic accounts without an owner.
Step 3: Validate service accounts: each must have a documented purpose and owner; disable any without both.
Step 4: Reconcile devices: flag any device not in MDM/EDR or without a named custodian and business purpose; personal BYOD devices should not appear unless explicitly authorized.
Step 5: Compile a remediation list: disable users, rotate or remove unused service accounts, decommission or quarantine rogue devices, and close stale VPN accounts.
Step 6: Execute changes under change tickets or an approved change window and capture before/after screenshots or CLI output.
Step 7: Record sign-off: IT confirms remediation is complete; the business owner acknowledges that the remaining users and devices are authorized.

What Good Evidence Looks Like

Keep dated CSV exports of users and devices, a review checklist with comments on each variance, screenshots of disabled accounts in the console, remediation tickets with timestamps, and a one-page summary signed by IT and the business owner. Store evidence for at least 1–3 years, consistent with your contract and records policy. Name files consistently, e.g., “2025-Q2_Users_Entra.csv”, “2025-Q2_Devices_Intune.csv”, “2025-Q2_Access-Review_Summary.pdf”.

Small Business Example: 45-Person Machine Shop

A 45-employee shop using Microsoft 365, Entra ID, Intune, and a VPN runs the process quarterly. The IT manager exports Entra users and Intune devices, compares users to the HR list, and finds two contractors whose SOWs ended last month and one "scanner" service account with no owner. He disables the two accounts, creates an owner record for the scanner account, and rotates its password. On devices, he finds a non-Intune Windows laptop still connecting to the VPN; it belongs to a former employee, so it is removed from the VPN and its AD computer object is disabled. Evidence includes the CSVs, a screenshot of the disabled accounts, the VPN removal ticket, and a signed summary. Total time: about three hours.

Compliance Tips and Best Practices

Define “authorized” clearly: a user is authorized if they have an active HR record or valid contract and a mapped business role; a device is authorized if it is company-owned, enrolled in MDM/EDR, assigned to a user or function, and patched/secured per policy. Ban shared accounts unless documented and approved with named owners and compensating controls. Require end-dates for contractors and vendors. Automate obvious wins: tie HR offboarding to auto-disable in your IdP, auto-quarantine devices not seen by MDM in 30 days, and alert on VPN accounts without corresponding users. Track simple metrics: number of variances found, time to remediate, orphaned accounts eliminated; show downward trend over time in your quarterly summary.
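The reconciliation in Steps 2 through 5 of the playbook, using the definition of "authorized" given above, can be a short script run over the CSV exports. The following is an added example, not the article's tooling or any vendor's: it takes an HR roster plus IdP user, MDM device, and VPN account exports (column names and all rows are constructed assumptions modelled on the machine-shop scenario) and returns the remediation list with a reason and action for each variance, including the 30-day MDM staleness check and VPN accounts with no matching authorized user.

```python
# Added example (not the article's own tooling): reconciles the point-in-time CSV
# exports the article describes (IdP users, MDM devices, VPN accounts) against an
# HR roster and emits the Step 5 remediation list. Columns and rows are constructed.
import csv
import io
from datetime import date

REVIEW_DATE = date(2025, 4, 1)  # constructed: the day all exports were pulled
MDM_STALE_DAYS = 30             # article: quarantine devices not seen by MDM in 30 days

# Constructed sample exports mirroring the machine-shop scenario.
HR_ROSTER = """upn,status,type,end_date
alice@shop.example,active,employee,
bob@shop.example,terminated,employee,2025-02-14
carla@shop.example,active,contractor,2025-03-15
dan@shop.example,active,contractor,2025-09-30
"""
IDP_USERS = """upn,enabled,account_type,owner,purpose
alice@shop.example,True,user,,
bob@shop.example,True,user,,
carla@shop.example,True,user,,
dan@shop.example,True,user,,
scanner@shop.example,True,service,,
backup@shop.example,True,service,alice@shop.example,nightly backups
"""
MDM_DEVICES = """device,owner_type,custodian,last_seen
LAPTOP-01,company,alice@shop.example,2025-03-30
LAPTOP-02,company,dan@shop.example,2025-02-10
LAPTOP-03,company,,2025-03-31
IPHONE-7,personal,carla@shop.example,2025-03-29
"""
VPN_ACCOUNTS = """account,device
alice@shop.example,LAPTOP-01
bob@shop.example,OLD-LAPTOP
dan@shop.example,LAPTOP-02
"""


def load(text):
    return list(csv.DictReader(io.StringIO(text)))


def parse_date(s):
    return date.fromisoformat(s) if s else None


def user_variance(u, hr, review_date):
    """Why an enabled IdP account fails the article's 'authorized user' test, or None."""
    if u["account_type"] == "service":  # Step 3: documented owner and purpose required
        return None if u["owner"] and u["purpose"] else "service account without owner/purpose"
    rec = hr.get(u["upn"])  # Step 2: reconcile against the HR roster
    if rec is None:
        return "no HR record"
    if rec["status"] != "active":
        return "HR status " + rec["status"]
    end = parse_date(rec["end_date"])
    if rec["type"] == "contractor" and end is None:
        return "contractor without end date"
    if end and end < review_date:
        return "contract ended " + end.isoformat()
    return None


def device_variance(d, review_date, stale_days=MDM_STALE_DAYS):
    """Step 4: company-owned, assigned to a named custodian, and recently seen by MDM."""
    if d["owner_type"] != "company":
        return "personal (BYOD) device not explicitly authorized"
    if not d["custodian"]:
        return "no named custodian"
    last = parse_date(d["last_seen"])
    if last is None or (review_date - last).days > stale_days:
        return "not seen by MDM in %d days" % stale_days
    return None


def review(hr_csv, idp_csv, mdm_csv, vpn_csv, review_date=REVIEW_DATE):
    """Steps 2-5: the remediation list as (category, identifier, variance, action) tuples."""
    hr = {r["upn"]: r for r in load(hr_csv)}
    findings, authorized_users = [], set()
    for u in load(idp_csv):
        if u["enabled"] != "True":
            continue  # already disabled: nothing to remediate
        reason = user_variance(u, hr, review_date)
        if reason is None:
            authorized_users.add(u["upn"])
        elif u["account_type"] == "service":
            findings.append(("user", u["upn"], reason, "document owner and purpose or disable"))
        else:
            findings.append(("user", u["upn"], reason, "disable account"))
    devices = load(mdm_csv)
    for d in devices:
        reason = device_variance(d, review_date)
        if reason:
            findings.append(("device", d["device"], reason, "quarantine or decommission"))
    inventory = {d["device"] for d in devices}
    for v in load(vpn_csv):  # VPN needs an authorized user on an inventoried endpoint
        if v["account"] not in authorized_users:
            findings.append(("vpn", v["account"], "VPN account without an authorized user", "remove VPN access"))
        elif v["device"] not in inventory:
            findings.append(("vpn", v["device"], "VPN endpoint not in MDM inventory", "remove VPN access"))
    return findings
```

Calling review(HR_ROSTER, IDP_USERS, MDM_DEVICES, VPN_ACCOUNTS) on the constructed data yields seven variances: the terminated employee, the contractor whose SOW ended, the ownerless scanner service account, a laptop unseen by MDM for 50 days, a laptop with no custodian, a personal phone, and the terminated employee's VPN account. Write the returned tuples out as the quarterly checklist CSV, add the ticket number and remediation date per row, and the count per category becomes the variance metric for the summary. Disabled accounts are skipped deliberately: they are evidence that offboarding worked, not a variance.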

The Risk of Skipping This Requirement

Not performing quarterly access reviews leaves orphaned accounts and unknown devices active—prime targets for credential stuffing, ransomware propagation, and data exfiltration. Breaches often start from an ex-employee’s still-enabled VPN or a contractor laptop with weak controls. From a compliance angle, failure to verify authorized users and devices undermines AC.L1-B.1.I, risks findings in a CMMC Level 1 assessment, and can jeopardize eligibility for federal contracts tied to FAR 52.204-21 expectations.

Summary

AC.L1-B.1.I at CMMC Level 1 is achievable with discipline, not complexity: maintain authoritative lists, review them quarterly, remediate variances quickly, and keep clean evidence. Use the identity provider and MDM you already have, involve HR and a business approver, and standardize the process with exports, a checklist, and sign-offs. The result is a compact, repeatable control that reduces real risk while satisfying the assessor’s need for verifiable proof.
