CMMC IA.L2-3.5.1: User Identification
User identification is a foundational security control that ensures every access to your information systems is traceable to a specific user, process, or device. Under CMMC Level 2, you must establish mechanisms to uniquely identify all users and processes acting within your environment. This control prevents unauthorized access and enables audit trails essential for compliance and incident response.
What this means
IA.L2-3.5.1 requires you to implement identification mechanisms that uniquely distinguish each user, process, or device accessing your information systems. This means assigning unique identifiers (usernames, employee IDs, device identifiers) and maintaining records of who or what is attempting to access resources. The control applies to human users, automated processes acting on behalf of users, and networked devices. Without proper identification, you cannot enforce access controls, maintain audit logs, or detect unauthorized activity.
How to comply
- 1.Assign unique user identifiers to all personnel with system access, including contractors and remote workers
- 2.Document and track service accounts and automated processes that act on behalf of users
- 3.Register all networked devices with unique identifiers and maintain an inventory
- 4.Configure systems to require identification credentials before granting access
- 5.Log and monitor all identification events to create an audit trail
- 6.Review and update identification records quarterly to remove terminated users and inactive accounts
Evidence auditors look for
- User access policy documenting unique identifier assignment requirements
- Active Directory or identity management system showing unique usernames and accounts
- Device inventory list with serial numbers, MAC addresses, or other unique identifiers
- Audit logs showing user login attempts with timestamps and source information
- Service account documentation linking automated processes to business functions
- User access removal procedures and evidence of terminated account deprovisioning
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automates user identification tracking by integrating with your existing directory services, capturing all access events, and maintaining audit-ready logs that satisfy CMMC examiners without manual spreadsheet management.
See how GRCWatch handles this control automatically
Start free trial