Identify all users, processes, and devices that access systems
Every user, process acting on behalf of a user, and device that accesses your systems must have a unique identifier. Shared accounts, generic accounts, and anonymous access make it impossible to determine who did what on a system, undermining both security and accountability. Unique identifiers are the prerequisite for authentication, access control, and audit logging to work correctly.
Implementation steps
1. Eliminate shared and generic accounts
Audit all user accounts across in-scope systems and identify shared accounts (e.g., 'admin', 'contractor', 'shared'), generic accounts, and any account that cannot be tied to a specific individual. Migrate the people using a shared account to individual accounts, then disable the shared account. If a system genuinely requires a shared functional account (a vendor-maintenance or break-glass account, for example), document the exception and implement compensating controls: vault the credential so that every checkout is logged to a named person, record the session, and rotate the credential after use.
Tools: Active Directory, Okta
2. Assign unique identifiers to all users
Ensure every person with access to FCI systems has a unique username tied to their identity, and follow a consistent naming convention (for example, first initial plus surname, with a numeric suffix for collisions). Do not reuse a departed user's identifier for a new hire; reuse breaks the link between historical log entries and the person who generated them. Disable accounts that cannot be traced to a specific individual or business purpose.
Tools: Active Directory, Okta, Azure AD
3. Identify and document service and process accounts
Inventory all service accounts, application accounts, and automated process accounts. Each should have a documented owner, a documented purpose, and a list of the systems it is authorized to access. Name service accounts so their purpose is evident (a 'svc-' prefix plus the application name, for example) and deny them interactive logon by policy, so that a person cannot borrow one to act without attribution. Where the platform supports it, prefer managed or vaulted credentials so that no individual needs to know the password.
Tools: Active Directory, CyberArk, HashiCorp Vault
4. Establish device identity for managed devices
Devices accessing FCI systems should have unique identifiers, typically established through MDM enrollment, a per-device certificate issued at enrollment, or device compliance policies enforced by the identity provider. This lets you distinguish authorized managed devices from unmanaged or personal devices attempting to connect, and deny or restrict the latter.
Tools: Intune, Jamf, CrowdStrike
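The audit described in steps 1 through 3 can be run mechanically against an exported account list. The following is an added example, not code from this page or from any vendor listed on it: a Python script that reads a constructed CSV whose layout is modelled on an Active Directory user export (the column names SamAccountName, Enabled, AccountType, Owner, Purpose and InteractiveLogon are assumptions), flags generic or shared names, accounts with no documented owner, and service accounts that lack a purpose or permit interactive logon, and sets aside accounts covered by a documented exception so they appear in the report with their compensating control rather than as violations.

```python
"""Account-identification audit over an exported user list.

Added example, not from the page or any vendor listed on it. The CSV column
names (SamAccountName, Enabled, AccountType, Owner, Purpose, InteractiveLogon)
are an assumed layout modelled on an Active Directory export; adapt them to
your identity provider's export format.
"""
import csv
import io
import re

# Name patterns that indicate a shared or generic account rather than a person
# (step 1). Extend with your own naming conventions.
GENERIC_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE)
    for p in (
        r"^admin(istrator)?\d*$",
        r"^contractor\d*$",
        r"^shared",
        r"^temp\d*$",
        r"^guest\d*$",
        r"^test\d*$",
        r"^helpdesk\d*$",
        r"^intern\d*$",
    )
]

# Documented exceptions (step 1): shared functional accounts that must remain,
# keyed to their compensating control. Hypothetical entry for illustration.
DOCUMENTED_EXCEPTIONS = {
    "shared-kiosk": "Session recording via PAM; credential checked out per use",
}

# Constructed sample export (not real data).
SAMPLE_EXPORT = """\
SamAccountName,Enabled,AccountType,Owner,Purpose,InteractiveLogon
jsmith,True,user,Jane Smith,Engineer,True
admin,True,user,,,True
contractor2,True,user,,,True
svc-backup,True,service,Ops Team,Nightly backup job,False
svc-etl,True,service,,,True
shared-kiosk,True,user,,,True
oldtemp,False,user,,,True
mlee,True,user,Michael Lee,Finance,True
"""


def is_generic_name(name):
    """True if the account name matches a shared/generic naming pattern."""
    return any(p.search(name) for p in GENERIC_NAME_PATTERNS)


def audit_accounts(csv_text, exceptions=DOCUMENTED_EXCEPTIONS):
    """Return {'violations': {name: [issues]}, 'exceptions': {name: {...}}}.

    Disabled accounts are skipped: they cannot access systems, and disabling
    is the remediation step 2 prescribes for untraceable accounts.
    """
    violations, excepted = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["SamAccountName"].strip()
        if row["Enabled"].strip().lower() != "true":
            continue
        issues = []
        if is_generic_name(name):
            issues.append("generic or shared account name")
        if not row["Owner"].strip():
            issues.append("no documented owner")
        if row["AccountType"].strip().lower() == "service":
            if not row["Purpose"].strip():
                issues.append("service account without documented purpose")
            if row["InteractiveLogon"].strip().lower() == "true":
                issues.append("service account permits interactive logon")
        if not issues:
            continue
        if name in exceptions:
            excepted[name] = {"issues": issues,
                              "compensating_control": exceptions[name]}
        else:
            violations[name] = issues
    return {"violations": violations, "exceptions": excepted}


if __name__ == "__main__":
    report = audit_accounts(SAMPLE_EXPORT)
    for acct, issues in sorted(report["violations"].items()):
        print(f"VIOLATION {acct}: {'; '.join(issues)}")
    for acct, info in sorted(report["exceptions"].items()):
        print(f"EXCEPTION {acct}: {'; '.join(info['issues'])} "
              f"(compensating control: {info['compensating_control']})")
```

On the constructed sample the script reports 'admin', 'contractor2' and 'svc-etl' as violations, lists 'shared-kiosk' under exceptions with its compensating control, and ignores the disabled 'oldtemp' account. The violations dictionary is the raw material for the "account audit report showing no shared accounts" evidence item below; an empty violations dictionary, together with the exceptions list, is the state the control expects.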
Evidence required
User account inventory
List of all user accounts on in-scope systems, each tied to a specific individual.
- Active Directory user export
- Identity provider user list
No shared accounts verification
Evidence that shared or generic accounts have been eliminated or have documented exceptions.
- Account audit report showing no shared accounts
- Exception documentation with compensating controls
Service account inventory
List of all service accounts with documented owner and purpose.
- Service account register
- Privileged account inventory
Related controls
- Authenticate users, processes, and devices before granting access (Authentication)
- Limit system access to authorized users, processes, and devices (Authorized Access)
- Limit system access to permitted transactions and functions (Authorized Access)
- Verify and control connections to external information systems (External Connections)