Practice 5 of 15 · FAR 52.204-21(b)(1)(v) · IA: Identification & Authentication

IA.L1-b.1.v

Identify users (and devices and processes)

Every user, device, and automated process that touches FCI has to be uniquely identifiable. No "guest" accounts, no anonymous service accounts, no unknown devices on the network. If something connects, you can name it.

Official text

Identify information system users, processes acting on behalf of users, or devices.

FAR 52.204-21(b)(1)(v), CMMC Level 1 v2.13 Assessment Guide

What evidence satisfies this

Any one of these, by itself, won't satisfy the practice — but showing a few of them together is what an assessor or a prime contractor expects to see:

  • A user roster from M365 / Workspace showing every person has a unique account (no "guest1", "shared2").
  • A device inventory: every laptop, desktop, phone, and trailer PC that touches FCI, tied to a user.
  • Service accounts (e.g. for backups, for the ERP) named clearly with a purpose and an owner.
  • Guest / external user list reviewed monthly — anyone unknown is removed.
  • Asset tag stickers on shop / trailer PCs tying them back to a register.

Common ways small shops fail this

  • Personal phones connecting to the company Wi-Fi with no inventory.
  • Old test accounts ("test1", "demo") still active in the tenant.
  • An IT MSP's "service" account with no owner attached and no MFA.
  • Devices added to the network as random hostnames ("DESKTOP-9F8H4D") with no asset tag.
  • A printer / copier on the network nobody can identify.

How to fix it in a weekend

  1. Pull the user list from M365 / Workspace. Anyone you can't immediately name, disable.
  2. Build a one-page device inventory: laptop / desktop / phone / printer, owner, last seen.
  3. Name every service account with a purpose (e.g. "svc-backup-veeam") and document the owner.
  4. Set up a quarterly "who's still here?" review on calendar.
  5. Add a device-naming convention (e.g. CUSTODIA-LAPTOP-01) and re-name anything generic.
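
An added example, not part of the original page: a small Python check over constructed CSV exports of the user roster and device inventory that flags the failures listed above. The column names, the `svc-` prefix rule and the device types in the hostname pattern are assumptions drawn from the page's examples.

```python
import csv, io, re

# Constructed sample exports, not real tenant data; the column names are assumptions.
USERS_CSV = """account,type,owner,enabled
jane.doe,user,Jane Doe,true
guest1,user,,true
test1,user,,true
demo,user,,false
svc-backup-veeam,service,Jane Doe,true
svc-erp,service,,true
"""
DEVICES_CSV = """hostname,owner,asset_tag
CUSTODIA-LAPTOP-01,Jane Doe,A-0001
DESKTOP-9F8H4D,,
CUSTODIA-PRINTER-01,,A-0007
"""

GENERIC = re.compile(r"^(guest|shared|test|demo)\d*$", re.I)  # names the page calls out
SERVICE = re.compile(r"^svc-[a-z0-9-]+$")                     # e.g. svc-backup-veeam
DEVICE = re.compile(r"^CUSTODIA-(LAPTOP|DESKTOP|PHONE|PRINTER)-\d{2}$")  # assumed types

def audit_users(text):
    """Return (account, problem) pairs for enabled accounts that nobody can name."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        name, owner = row["account"], row["owner"].strip()
        if row["enabled"].lower() != "true":
            continue  # already disabled, so it cannot sign in
        if row["type"] == "service":
            if not SERVICE.match(name):
                findings.append((name, "service account name does not state a purpose"))
            if not owner:
                findings.append((name, "service account has no owner"))
        elif GENERIC.match(name):
            findings.append((name, "generic or shared account"))
        elif not owner:
            findings.append((name, "account not tied to a person"))
    return findings

def audit_devices(text):
    """Return (hostname, problem) pairs for devices that break the inventory rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        host = row["hostname"]
        checks = [(DEVICE.match(host), "hostname off convention"),
                  (row["owner"].strip(), "no owner recorded"),
                  (row["asset_tag"].strip(), "no asset tag")]
        findings += [(host, problem) for ok, problem in checks if not ok]
    return findings
```

Running both functions at each quarterly review and keeping the output alongside the roster gives a dated record of what was flagged and cleaned up.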

FAQ

Do I need to inventory every personal phone in the shop?

Only if those phones can access FCI — through email, the M365 mobile app, or a file-sync tool. If the phone only browses the public web on Wi-Fi, it's out of scope. If it can read project email, it's in scope.
