bigforceone

IA.L1-3.5.2: Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

What this control requires

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Source: CMMC L1 v2.13 IA.L1-3.5.2 / FAR 52.204-21(b)(1) / NIST SP 800-171 R2 3.5.2 (official control text).

Why this matters

Every login to a system is a potential breach if the system cannot verify who or what is trying to access it. This control requires that before any user, device, or automated process touches organizational data or systems, it must prove its identity through authentication mechanisms like passwords, certificates, or cryptographic tokens. Without this verification step, unauthorized actors could impersonate legitimate users, malicious software could masquerade as trusted processes, and compromised devices could establish backdoors into the network. This is the foundational security gate that prevents unauthorized access before it starts.

What evidence assessors expect

Assessors typically look for: screenshot, PDF, configuration export. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
