IA.L2-3.5.1 — Identify system users, processes acting on behalf of users, and devices.

What this control requires

Identify system users, processes acting on behalf of users, and devices.

Source: CMMC L2 v2.13 IA.L2-3.5.1 / NIST SP 800-171 R2 3.5.1 (official control text).

Why this matters

Every person, automated process, and device accessing organizational systems must have a unique, traceable identifier. This control establishes the foundation for accountability, audit trails, and incident investigation. Without unique identifiers, you cannot distinguish between legitimate user activity and potential insider threats, track who accessed sensitive data, or demonstrate compliance during audits. Strong identification enables the organization to answer 'who did what, when' — essential for forensic analysis, meeting contractual obligations, and satisfying regulatory requirements that demand individual accountability rather than shared credentials.

What evidence assessors expect

Assessors typically look for: CSV export, screenshot, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

Related controls