NetStable
Level 1 IA.L1-3.5.1

Identify users, processes, and devices

📖 What This Means

This control requires organizations to identify, and keep an accurate inventory of, every user, process acting on behalf of a user, and device that interacts with their systems. In practice it means each of these entities carries a unique identifier (an account name, a service account, a device name or certificate) so that activity on the network can be attributed to a specific person, job, or machine. That attribution is the foundation for every later access decision: you cannot authenticate or authorize an entity you have not first identified. For example, in a small defense contractor this means tracking employees, contractors, and their laptops and smartphones; it also means identifying the service accounts under which automated jobs such as nightly backups run. With that inventory in place, the organization can spot anomalies such as a device on the network that no one registered, or a process running under an identity that nobody owns.

🎯 Why It Matters

Failing to identify users, processes, and devices leaves your network open to unauthorized access, because nothing distinguishes a legitimate entity from an impostor. The 2020 SolarWinds compromise is a useful illustration: the attackers' code was delivered inside a signed, legitimate Orion update and ran as a trusted process, and organizations that did not know which service accounts and processes existed on their network, or what each one was expected to reach, struggled to scope what the implanted code had touched. Without proper identification, malicious actors can impersonate legitimate users or devices, leading to data breaches, financial loss, and reputational damage. From a DoD perspective this control is critical because it ensures that only authorized entities can access Federal Contract Information (FCI) at Level 1 and Controlled Unclassified Information (CUI) at Level 2. It also speeds up incident response by providing a clear map of what is on the network, which makes it easier to detect, scope, and contain threats.

✅ How to Implement

  1. Use AWS Identity and Access Management (IAM) or Azure Active Directory (now Microsoft Entra ID) to create and manage user accounts, so every person and every service account has a unique identity.
  2. Enable CloudTrail (AWS) or Azure Monitor activity logs and Entra ID sign-in logs (Azure) so that user, service account, and API activity is recorded against those identities.
  3. Use AWS Config or Microsoft Defender for Cloud (formerly Azure Security Center) to inventory the instances and other resources in the account; register endpoints (laptops, phones) in your directory or device management tool so each device carries a unique identifier.
  4. Tag cloud resources with their owner and purpose so that users, processes, and devices can be categorized and reviewed.
  5. Regularly reconcile the account list, device inventory, and service account registry against HR and asset records, and update access policies so only authorized entities retain access.
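The reconciliation that steps 1 through 5 describe, as an added example that is not part of this page or of any NetStable tooling: a Python script that loads constructed sample exports (a directory user export, an HR roster, a service account registry, a network scan, and a process-creation log; every column and field name is an assumption, not a vendor format) and reports the three gaps an assessor looks for under this control: enabled accounts that no longer map to a current employee or a registered service, devices seen on the wire that are not in the asset inventory, and identities spawning processes on servers that are registered nowhere. Swap the constructed inputs for the real exports listed under Evidence Examples and run it on the same schedule you report there.

```python
"""Reconcile identity, device and process inventories for IA.L1-3.5.1.

Added example. The inputs below are constructed sample data shaped like an
Active Directory CSV export, an ARP/nmap sweep and Windows process-creation
(event 4688) fields; the column and field names are assumptions.
"""
import csv
import io
from datetime import date, datetime

# --- constructed sample inputs (not real exports) --------------------------
AD_USERS_CSV = """\
sAMAccountName,enabled,lastLogon,employeeId
jdoe,TRUE,2024-05-01,E1001
bsmith,TRUE,2023-11-15,E1002
svc_backup,TRUE,2024-05-02,
contractor7,TRUE,2024-04-20,
"""

HR_ROSTER = {"E1001", "E1003"}              # E1002 (bsmith) has left the company

SERVICE_ACCOUNT_REGISTRY = {                # the service account registry
    "svc_backup": "nightly backup job, owner: IT Ops",
}

ASSET_INVENTORY = {                         # MAC -> asset tag, from SCCM/CMDB
    "00:11:22:33:44:01": "LAPTOP-JDOE",
    "00:11:22:33:44:02": "SRV-FILE01",
}

SCAN_RESULTS = [                            # parsed ARP/nmap sweep of the LAN
    {"ip": "10.0.1.10", "mac": "00:11:22:33:44:01"},
    {"ip": "10.0.1.20", "mac": "00:11:22:33:44:02"},
    {"ip": "10.0.1.77", "mac": "de:ad:be:ef:00:01"},
]

PROCESS_EVENTS = [                          # who started what, on which server
    {"host": "SRV-FILE01", "user": "svc_backup", "image": "backup.exe"},
    {"host": "SRV-FILE01", "user": "svc_legacy", "image": "powershell.exe"},
    {"host": "LAPTOP-JDOE", "user": "jdoe", "image": "outlook.exe"},
]

STALE_DAYS = 90   # assumed review threshold for accounts with no recent logon


def load_ad_users(csv_text):
    """Parse the directory export into a dict keyed by account name."""
    return {row["sAMAccountName"]: row
            for row in csv.DictReader(io.StringIO(csv_text))}


def check_accounts(users, roster, registry, as_of):
    """Flag enabled accounts that map to no current employee or registered service."""
    findings = []
    for name, row in users.items():
        if row["enabled"].upper() != "TRUE":
            continue
        emp = row["employeeId"]
        if emp and emp not in roster:
            findings.append((name, "orphaned: employee no longer on HR roster"))
        elif not emp and name not in registry:
            findings.append((name, "unowned: no employee ID and not in service account registry"))
        last = datetime.strptime(row["lastLogon"], "%Y-%m-%d").date()
        if (as_of - last).days > STALE_DAYS:
            findings.append((name, f"stale: no logon in {STALE_DAYS} days"))
    return findings


def check_devices(scan, inventory):
    """Every MAC seen on the network must resolve to an inventoried asset."""
    known = {mac.lower() for mac in inventory}
    return [d for d in scan if d["mac"].lower() not in known]


def check_processes(events, users, registry):
    """Every identity that spawns a process must be a known user or registered service."""
    known = set(users) | set(registry)
    return [e for e in events if e["user"] not in known]


def reconcile(as_of=date(2024, 5, 3)):
    """Run all three checks; `as_of` is pinned so the sample output is stable."""
    users = load_ad_users(AD_USERS_CSV)
    return {
        "accounts": check_accounts(users, HR_ROSTER, SERVICE_ACCOUNT_REGISTRY, as_of),
        "unknown_devices": check_devices(SCAN_RESULTS, ASSET_INVENTORY),
        "unregistered_process_identities": check_processes(
            PROCESS_EVENTS, users, SERVICE_ACCOUNT_REGISTRY),
    }


if __name__ == "__main__":
    for category, items in reconcile().items():
        print(category)
        for item in items:
            print("  ", item)
```

On the sample data the script flags bsmith (orphaned and stale), contractor7 (no owner), the device at 10.0.1.77, and the svc_legacy identity running PowerShell on the file server; each of those is a line item for the monthly account review, the quarterly device report, or the service account registry. The checks deliberately compare against authoritative sources (HR roster, asset inventory, registry) rather than against last month's export, so drift is caught rather than carried forward.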
⏱️
Estimated Effort
2-3 days for initial setup (basic skill level). Ongoing maintenance requires 2-4 hours/month.

📋 Evidence Examples

User Account List

Format: Excel/CSV
Frequency: Monthly
Contents: List of all user accounts with roles and access levels
Collection: Export from Active Directory or cloud IAM

Device Inventory Report

Format: PDF
Frequency: Quarterly
Contents: List of all devices connected to the network with IP/MAC addresses
Collection: Generate from SCCM or network scanning tool

Process Logs

Format: Log files
Frequency: Weekly
Contents: Logs of all automated processes running on servers
Collection: Export from Syslog or Splunk

Access Policy Document

Format: PDF
Frequency: Annually
Contents: Document outlining who/what can access which systems
Collection: Create using cloud/on-premise policy tools

Training Records

Format: Excel
Frequency: Annually
Contents: Records of employees trained on identification policies
Collection: Maintain manually or via HR system

πŸ“ SSP Guidance

Use this guidance when writing the System Security Plan (SSP) narrative for this control.

How to Write the SSP Narrative

For IA.L1-3.5.1 ("Identify users, processes, and devices"), your SSP narrative should specifically describe: (1) the tools and technologies you use to implement this control, (2) the configuration or process that enforces it, (3) who is responsible for maintaining it, and (4) what evidence proves it is working. Describe how each user, process acting on behalf of a user, and device receives a unique identifier: your IAM or directory platform, account naming conventions, the service account registry, and how devices are registered (domain join, MDM enrollment, certificates). Authentication mechanisms such as password policy and MFA are assessed under IA.L1-3.5.2 and, at Level 2, IA.L2-3.5.3; reference them here only where the same platform enforces both. Be specific -- name your actual products, settings, and responsible personnel.

Example SSP Narratives

Cloud (Azure/AWS)

"IA.L1-3.5.1 is implemented using cloud-native controls. [Organization] uses [specific cloud service/feature] to identify users, processes, and devices. The configuration is managed through [Azure Policy/AWS Config/Terraform] and monitored via [SIEM tool]. Responsible party: [IT Security Manager]. Evidence: [specific artifact, e.g., 'Azure AD Conditional Access policy screenshot, CloudTrail logs']."

On-Premise

"IA.L1-3.5.1 is implemented through on-premise infrastructure controls. [Organization] uses [Active Directory/Group Policy/specific tool] to identify users, processes, and devices. Configuration is documented in [location] and audited [frequency]. Responsible party: [System Administrator]. Evidence: [specific artifact, e.g., 'Group Policy export, Windows Event logs']."

Hybrid

"IA.L1-3.5.1 is implemented across both cloud and on-premise environments. [Organization] uses [Azure AD Connect/hybrid tool] to ensure consistent enforcement. Cloud resources are managed via [cloud tool] and on-premise systems via [on-prem tool]. Both environments report to [centralized SIEM]. Responsible party: [IT Director]. Evidence: [artifacts from both environments]."

System Boundary Considerations

  • Identify all authentication entry points (local login, VPN, cloud, API) and the identity each one presents
  • Document the identity provider(s) and authentication flow
  • Specify how device identity is established (domain join, MDM enrollment, certificates) and, where MFA is deployed, its methods and coverage
  • Ensure this control covers all systems within your defined FCI/CUI boundary where users, processes, or devices are identified
  • Document any systems where this control is not applicable and explain why

Key Documentation to Reference in SSP

  • 📄 Identification and Authentication Policy
  • 📄 Password policy configuration
  • 📄 MFA enrollment records
  • 📄 Service account registry
  • 📄 Evidence artifacts specific to IA.L1-3.5.1
  • 📄 POA&M entry if control is not fully implemented

What the Assessor Looks For

The assessor will verify that every user, service account, and device has a unique identifier, sample the user account list and device inventory against what is actually present in the directory and on the network, and review the service account registry to confirm each automated process maps to a documented owner and purpose. Authentication mechanisms, password policy, and MFA enforcement are examined under the companion controls (IA.L1-3.5.2, IA.L2-3.5.3), but the assessor will expect the identifiers established here to be the ones those mechanisms authenticate.

💬 Self-Assessment Questions

Use these questions to assess your compliance. Each "NO" answer provides specific remediation guidance.

Question 1: Do you maintain an up-to-date list of all user accounts?

✅ YES → Proceed to Q2
❌ NO → GAP: Export user accounts from AD or IAM and maintain a monthly updated list.
Remediation effort: 1 week

Question 2: Do you have a process to identify all devices on your network?

✅ YES → Proceed to Q3
❌ NO → GAP: Use SCCM or a network scanning tool to create a device inventory.
Remediation effort: 2 weeks

Question 3: Do you log and monitor automated processes?

✅ YES → Proceed to Q4
❌ NO → GAP: Forward process and service logs from servers to a central collector such as Syslog or Splunk and map each automated process to a registered service account.
Remediation effort: 1 week

Question 4: Do you review and update access policies annually?

✅ YES → Proceed to Q5
❌ NO → GAP: Schedule an annual review of access policies.
Remediation effort: 1 month

Question 5: Do you train employees on identification policies?

✅ YES → Compliant
❌ NO → GAP: Schedule training sessions and document attendance.
Remediation effort: 1 month

⚠️ Common Mistakes (What Auditors Flag)

1. Missing devices on the network

Why this happens: Failing to conduct regular network scans.
How to avoid: Use tools like SCCM or Nessus to scan the network quarterly.

2. Outdated user accounts

Why this happens: Not removing accounts of former employees.
How to avoid: Set up automated deprovisioning processes.

3. Incomplete process logs

Why this happens: Not configuring logging tools properly.
How to avoid: Verify logs capture all critical processes.

4. Lack of access policy documentation

Why this happens: Assuming policies are understood but not written down.
How to avoid: Document policies in a formal access control document.

5. No employee training

Why this happens: Prioritizing technical controls over human factors.
How to avoid: Include identification policies in annual training programs.

📚 Parent Policy

This practice is governed by the Identification and Authentication Policy

View IA Policy →

📚 Related Controls