
Step-by-Step Checklist to Identify Information System Users, Processes Acting on Behalf of Users, and Devices for FAR 52.204-21 / CMMC 2.0 Level 1 - Control - IA.L1-B.1.V

A practical, step-by-step checklist to identify and document users, processes acting on behalf of users, and devices to meet FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V requirements.

April 18, 2026

This post gives a practical, auditable checklist that small businesses can follow to identify all information system users, processes acting on behalf of users (service accounts, scheduled tasks, daemons, containers), and devices, in order to satisfy FAR 52.204-21 and CMMC 2.0 Level 1 control IA.L1-B.1.V and to provide clear evidence during assessments.

Understanding the requirement and objectives

FAR 52.204-21 and CMMC 2.0 Level 1 require organizations to know who (and what) is interacting with information systems that process, store, or transmit federal contract information. The Compliance Framework objective is simple: maintain an accurate, up-to-date inventory and mapping of human users, automated processes acting on behalf of users, and endpoint/IoT devices. This supports access control, least privilege, incident response, and evidence collection for audits.

Step-by-step checklist (high level)

Use the following checklist in order — treat it as a repeatable procedure. Implement automated collection where possible, then validate manually. Record outputs (exports, screenshots, dates, owners) to serve as compliance artifacts.

  1. Draft scope and owner. Define the systems in scope (cloud accounts, on-prem servers, workstations, mobile devices, printers, network gear). Assign a primary owner responsible for executing the checklist and maintaining artifacts.
  2. Collect user directory exports. Export user lists from identity sources: on-prem Active Directory (DC), Azure AD, Google Workspace, Okta. Commands/examples:
    • Active Directory: Get-ADUser -Filter * -Properties Enabled,LastLogonDate | Export-Csv AD-users.csv
    • Azure AD: Get-AzureADUser -All $true | Export-Csv AzureAD-users.csv
    • Local Linux users: getent passwd or cut -d: -f1 /etc/passwd
    Mark accounts as employee, contractor, service, shared, or disabled.
  3. Identify processes acting on behalf of users (service accounts, scheduled jobs, containers). For each host type, gather processes and map owners:
    • Windows servers: Get-CimInstance Win32_Service | Select Name,StartName and Get-Process -IncludeUserName.
    • Linux hosts: ps aux --forest, systemctl list-units --type=service, and docker ps --no-trunc for containers.
    • Cloud functions/automation: list AWS Lambda, GCP Cloud Functions, Azure Functions, and identify execution roles and service principals.
    Create a spreadsheet column that links each service/process to a user or service account and the purpose (backup, monitoring, CI/CD).
  4. Inventory devices and network endpoints. Build a device inventory with MAC, IP, hostname, OS, owner, and management state (managed/unmanaged). Sources:
    • DHCP server logs and reservations, router/switch ARP and MAC tables (e.g., show mac address-table on Cisco).
    • Nmap discovery: nmap -sn 192.168.1.0/24 for small networks.
    • Endpoint management: Intune, Jamf, or third-party EDR/MDM exports.
    Tag devices that are contractor-owned, IoT, printers, or CUI-accessing endpoints.
  5. Correlate authentication and access logs. Gather authentication logs to confirm mappings—who is logging in, from which device, and what processes are invoked. Examples:
    • Windows Event Logs: export Security log event IDs 4624/4634.
    • Linux: /var/log/auth.log or journalctl; search for sudo, sshd, cron entries.
    • Cloud IAM logs: AWS CloudTrail, Azure AD sign-in logs, GCP Audit Logs.
    Use these logs to validate that a listed service account is actually used by the claimed process.
  6. Record exceptions and shared accounts. Document any generic/shared accounts, business justification, and compensating controls (MFA, limited scope, monitored sessions). Create a remediation plan to eliminate shared accounts where possible.
  7. Assign ownership and retention. For every user, process, and device record the owner, review cadence (e.g., quarterly), and artifact retention period. Keep exports, a screenshot of the directory, and change logs for audit trails.
  8. Automate and schedule continuous discovery. Implement scripts, scheduled reports from IAM and EDR tools, or CMDB automation to refresh inventories weekly or monthly and alert on new/unknown accounts or devices.
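The correlation in step 5 can be scripted so that every successful login the inventory cannot explain becomes a finding. The following is an added example, not part of the original checklist; the inventory, device list, account names, and log lines are constructed samples in OpenSSH's auth.log format.

```python
import re

# Constructed inventory: account -> (type, devices it is expected to log in from).
INVENTORY = {
    "alice":      ("employee", {"10.0.0.21"}),
    "svc_backup": ("service",  {"10.0.0.5"}),
}
KNOWN_DEVICES = {"10.0.0.5", "10.0.0.21", "10.0.0.30"}

# Constructed sample lines in OpenSSH's auth.log format.
SAMPLE_LOG = """\
Apr 18 09:01:12 srv1 sshd[811]: Accepted publickey for alice from 10.0.0.21 port 50122 ssh2
Apr 18 09:05:40 srv1 sshd[902]: Accepted password for svc_backup from 10.0.0.30 port 50410 ssh2
Apr 18 09:07:03 srv1 sshd[950]: Accepted password for tempadmin from 10.0.0.99 port 51877 ssh2
Apr 18 09:09:55 srv1 sshd[977]: Failed password for alice from 10.0.0.21 port 50130 ssh2
"""

ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port \d+")

def correlate(log_text, inventory, known_devices):
    """Return (line_no, account, source, finding) for every successful login
    that the inventory cannot explain."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = ACCEPTED.search(line)
        if not m:
            continue  # only successful logins prove an account is in use
        _method, account, source = m.groups()
        if account not in inventory:
            findings.append((line_no, account, source, "account not in inventory"))
        elif source not in inventory[account][1]:
            kind = inventory[account][0]
            findings.append((line_no, account, source,
                             f"{kind} account used from unexpected device"))
        if source not in known_devices:
            findings.append((line_no, account, source, "device not in inventory"))
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG, INVENTORY, KNOWN_DEVICES):
        print(*finding, sep=" | ")
```

Each finding is either a record to add to the inventory or an exception to document under step 6.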

Practical implementation details for the Compliance Framework

For Compliance Framework alignment, produce an evidence pack containing: the scope document, exported user lists, service/process mappings (spreadsheet), device inventory export, representative logs showing authentication/activity, and the owner/schedule register. Use a consistent CSV schema (ID, type, owner, purpose, creation date, last used) so assessors can quickly verify completeness. Small businesses can use a single spreadsheet with tabs if no CMDB is available; just ensure version control and signed timestamps (e.g., stored in SharePoint or a Git repo with access control).

Real-world small business scenarios

Example 1: A 25-person engineering firm using Azure AD, Microsoft 365, and 5 on-prem Linux servers. Steps: export the Azure AD user list with Get-AzureADUser, run ps aux on each server to identify services running as svc_backup or jenkins, and map laptops from the Intune export to user accounts.

Example 2: A small manufacturer with networked PLCs and a single on-site Windows domain controller. Steps: collect DHCP leases to spot unmanaged PLC IPs, inventory Windows services and scheduled tasks for SCADA-related accounts, and tag PLCs and HMIs separately as industrial devices subject to additional network segmentation.

Compliance tips and best practices

Best practices: enforce unique accounts (no shared logins), use service accounts only where required and document their scope, implement MFA for interactive accounts, and set short-lived credentials for automation where supported (AWS STS, Azure Managed Identities). Maintain least privilege—review group memberships quarterly. Use an EDR or SIEM to detect processes spawning unexpected child processes or executing from unusual directories (an indicator an account or process is being abused).

Technical examples to include in your evidence: AD/AzureAD exports, CSV of ps/Get-Process outputs with timestamps, DHCP lease snapshots, switch MAC tables, and a short Python or PowerShell script that enumerates service accounts and writes results to a dated CSV. For instance, a simple PowerShell snippet for Windows services: Get-CimInstance Win32_Service | Select-Object Name,DisplayName,StartMode,StartName | Export-Csv services-$(Get-Date -Format yyyyMMdd).csv.
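A Python counterpart for Linux hosts to the PowerShell one-liner above, written to the CSV schema suggested earlier (ID, type, owner, purpose, creation date, last used). It is an added example, not the author's script; the passwd and ps samples are constructed, and treating UIDs below 1000 or a no-login shell as "service" is an assumed heuristic that a reviewer should confirm.

```python
import csv, datetime, io

FIELDS = ["ID", "type", "owner", "purpose", "creation date", "last used"]
NOLOGIN = ("/usr/sbin/nologin", "/sbin/nologin", "/bin/false")
# Constructed sample inputs: `getent passwd` lines and `ps -eo user,comm` output.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc_backup:x:998:998:Backup agent:/var/lib/backup:/usr/sbin/nologin
jenkins:x:997:997:Jenkins:/var/lib/jenkins:/bin/false
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
"""
PS = """\
USER       COMMAND
root       systemd
svc_backup rsync
jenkins    java
alice      bash
"""

def build_rows(passwd_text, ps_text, uid_min=1000):
    """Classify each account and attach the processes running as it."""
    running = {}
    for line in ps_text.splitlines()[1:]:  # skip the header row
        user, comm = line.split(None, 1)
        running.setdefault(user, set()).add(comm.strip())
    rows = []
    for entry in passwd_text.splitlines():
        name, _pw, uid, _gid, gecos, _home, shell = entry.split(":")
        # Heuristic (assumption): system UID range or no login shell => service.
        service = int(uid) < uid_min or shell in NOLOGIN
        procs = ",".join(sorted(running.get(name, ())))
        rows.append({
            "ID": name,
            "type": "service" if service else "unclassified",
            "purpose": gecos + (f" | runs: {procs}" if procs else ""),
            "owner": "", "creation date": "", "last used": "",  # filled in at review
        })
    return rows

def to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    out = f"accounts-{datetime.date.today():%Y%m%d}.csv"  # dated artifact name
    with open(out, "w", newline="") as fh:
        fh.write(to_csv(build_rows(PASSWD, PS)))
```

Rows marked "unclassified" are the ones to label employee, contractor, or shared during the manual review in step 2.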

Risks of not implementing the requirement

Failure to identify users, processes, and devices exposes the organization to unauthorized access, undetected service account misuse, lateral movement during incidents, and potential exfiltration of federal contract information. Practically, this can lead to failed compliance assessments, loss of contract eligibility, reputational damage, and remediation costs. Lack of inventory also slows incident response and increases time-to-containment.

Summary: follow the checklist, automate discovery where possible, document everything with dated artifact exports, and perform routine reviews. With these steps you’ll create verifiable evidence that your small business identifies and maps users, processes acting on behalf of users, and devices—meeting the intent of FAR 52.204-21 and CMMC 2.0 Level 1 IA.L1-B.1.V while reducing security risk.

 
