IA.L1-3.5.1 — Identify system users, processes acting on behalf of users, and devices.

What this control requires

Identify system users, processes acting on behalf of users, and devices.

Source: CMMC L1 v2.13 IA.L1-3.5.1 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.5.1 (official control text).

Why this matters

This control establishes the foundation of cybersecurity accountability: knowing who and what is accessing your systems. Without unique identification of users, devices, and automated processes, you cannot trace actions back to their source, investigate incidents, or enforce access policies. Anonymous or shared accounts create blind spots where malicious activity—whether from insider threats, compromised credentials, or unauthorized devices—becomes invisible. Identifying every entity that touches CUI ensures you can monitor behavior, detect anomalies, and prove who did what during audits or breach investigations.

What evidence assessors expect

Assessors typically look for: CSV export, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls