
IA.L2-3.5.1 – Identifying Users Before Granting Access: The First Gate

Written by Kevin Mann

August 12, 2025

The most fundamental question in cybersecurity is: “Who are you?” Before any system can enforce policy, log activity, or prevent unauthorized access, it must first identify the user.

That’s what IA.L2-3.5.1 requires: reliable identification of users, processes, and devices before access is granted.

As both a Certified CMMC Assessor and a Certified CMMC MSP, we see this control as the first test of access discipline in an environment. If you can't prove that users and devices are identified before access is granted, every downstream control is weakened.

🔐 CONTROL:

IA.L2-3.5.1 – Identify system users, processes acting on behalf of users, and devices.

✅ Assessment Objectives (from the CMMC Assessment Guide):

  1. System users are identified.
  2. Processes acting on behalf of users are identified.
  3. Devices are identified.

🛠️ MSP Perspective: How to Implement It

  1. Identify all users
  • Every user must authenticate with a unique ID (no shared logins).
  • Directory-based identity (Active Directory, Azure AD, Okta) preferred.
  • Service accounts should be named with purpose and owner.
  2. Identify processes acting on behalf of users
  • Examples include API tokens, scheduled tasks, service accounts, etc.
  • Document each process: what it does, under whose authority, and on which system.
  3. Identify devices before access
  • Use device registration in Azure AD or endpoint management (e.g., Intune, Jamf, MDM).
  • Enforce conditional access policies to prevent unknown device access.
  • Maintain an asset inventory with device names, serials, and owner mappings.

🛠️ Tip: Require all devices accessing your network or cloud to be enrolled and checked for compliance.

⚠️ Common Pitfalls

  • Using generic logins (e.g., “admin” or “intern”).
  • Allowing BYOD or VPN access without device registration.
  • Overlooking identification of automated processes and scripts.
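The three implementation steps above and the pitfalls just listed can be turned into a repeatable check. The script below is an added example written for this post, not Resilient IT tooling and not any vendor's API: it audits a constructed export of accounts and devices (the `Account` and `Device` records, the `GENERIC_LOGINS` list and every sample value are assumptions for illustration) against the three assessment objectives, then applies an identify-before-access gate that denies a session unless both the account and the device are known and in good standing. In practice the sample lists would be replaced by exports from your directory and MDM.

```python
from dataclasses import dataclass

# Logins that name a role rather than a person; flagged as generic/shared.
# Constructed list for this example; extend it with local naming conventions.
GENERIC_LOGINS = {"admin", "administrator", "intern", "guest", "root", "test", "shared"}


@dataclass(frozen=True)
class Account:
    """A user, or a process acting on behalf of users (service account, token, scheduled task)."""
    account_id: str
    kind: str              # "user" or "process"
    owner: str = ""        # person accountable for a process account
    purpose: str = ""      # documented function of a process account
    system: str = ""       # system the process runs on


@dataclass(frozen=True)
class Device:
    """An endpoint as recorded in the asset inventory and the MDM/directory."""
    device_id: str
    serial: str
    owner: str
    registered: bool       # enrolled in MDM or the directory (e.g. Intune, Jamf)
    compliant: bool        # passed the compliance check at last check-in


def audit_accounts(accounts):
    """Objectives 1 and 2: every user and process has a unique, meaningful identity."""
    findings = []
    seen = set()
    for acct in accounts:
        key = acct.account_id.strip().lower()
        if key in seen:
            findings.append(f"{acct.account_id}: duplicate ID, identity is not unique")
        seen.add(key)
        if key in GENERIC_LOGINS:
            findings.append(f"{acct.account_id}: generic/shared login, no individual accountability")
        if acct.kind == "process":
            if not acct.owner or not acct.purpose:
                findings.append(f"{acct.account_id}: process account lacks owner or purpose")
            if not acct.system:
                findings.append(f"{acct.account_id}: process account not tied to a system")
    return findings


def audit_devices(devices):
    """Objective 3: every device is registered and fully described in the inventory."""
    findings = []
    for dev in devices:
        if not dev.serial or not dev.owner:
            findings.append(f"{dev.device_id}: inventory record missing serial or owner")
        if not dev.registered:
            findings.append(f"{dev.device_id}: not registered, would reach the network unidentified")
        elif not dev.compliant:
            findings.append(f"{dev.device_id}: registered but failing compliance check")
    return findings


def access_gate(account_id, device_id, accounts, devices):
    """Identify-before-access: deny unless the account and the device are both known
    and in good standing. Returns (allowed, reason)."""
    acct = next((a for a in accounts if a.account_id.lower() == account_id.lower()), None)
    if acct is None:
        return False, "unknown account"
    if acct.account_id.lower() in GENERIC_LOGINS:
        return False, "generic login is not an identified user"
    dev = next((d for d in devices if d.device_id == device_id), None)
    if dev is None or not dev.registered:
        return False, "unregistered device"
    if not dev.compliant:
        return False, "device failed compliance check"
    return True, "identified user on identified, compliant device"


# Constructed sample export from a directory and an MDM (not real data).
SAMPLE_ACCOUNTS = [
    Account("jdoe", "user"),
    Account("admin", "user"),                                   # generic login
    Account("svc-backup", "process", owner="jdoe", purpose="nightly backup job", system="FS01"),
    Account("svc-etl", "process"),                              # undocumented automation
    Account("JDoe", "user"),                                    # case-variant duplicate
]

SAMPLE_DEVICES = [
    Device("LT-0042", serial="SN-A1B2C3", owner="jdoe", registered=True, compliant=True),
    Device("LT-0099", serial="SN-D4E5F6", owner="", registered=True, compliant=False),
    Device("BYOD-PHONE", serial="", owner="intern", registered=False, compliant=False),
]


if __name__ == "__main__":
    for line in audit_accounts(SAMPLE_ACCOUNTS) + audit_devices(SAMPLE_DEVICES):
        print("FINDING:", line)
    print(access_gate("jdoe", "LT-0042", SAMPLE_ACCOUNTS, SAMPLE_DEVICES))
    print(access_gate("jdoe", "BYOD-PHONE", SAMPLE_ACCOUNTS, SAMPLE_DEVICES))
```

Run against the sample data, the audit surfaces each pitfall named above: the generic `admin` login, the undocumented `svc-etl` process, the case-variant duplicate of `jdoe`, the inventory gaps, and the unregistered BYOD device. The gate is deliberately fail-closed: an unknown account, a generic login, an unregistered device or a non-compliant device is each denied with a distinct reason, which is the evidence an assessor will look for when testing this control.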

🧩 Final Guidance

Identification is the first link in the chain of accountability. If you can’t identify who or what is accessing your environment, you can’t apply policy, track behavior, or contain incidents. That’s why IA.L2-3.5.1 isn’t optional—it’s foundational.
