bigforceone

IA.L2-3.5.2 Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

What this control requires

Authenticate (or verify) the identities of users, processes, or devices, as a prerequisite to allowing access to organizational systems.

Source: CMMC L2 v2.13 IA.L2-3.5.2 / NIST SP 800-171 R2 3.5.2 (official control text).

Why this matters

Authentication is the gatekeeper that ensures only legitimate users and authorized devices access your systems and CUI. Weak or default credentials are the #1 entry point for attackers—compromised passwords account for over 80% of breaches. This control requires verifying identity before granting access to any organizational resource, whether that's a person logging into email, a service account connecting databases, or an IoT device joining your network. Without enforced authentication at every entry point, you cannot trace actions to individuals, detect insider threats, or prevent unauthorized CUI exfiltration. Strong authenticator management—issuing unique credentials, rotating them regularly, and revoking them immediately when no longer needed—forms the foundation of your entire security posture.

What evidence assessors expect

Assessors typically look for: screenshot, configuration export, CSV export, PDF. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.
