CMMC Level 2

Control 3.5.1

Identify System Users and Processes

CMMC-RP Certified Team | 24+ Years Experience | 2,500+ Clients Served

Official Requirement

Identify information system users, processes acting on behalf of users, or devices.

What This Means in Plain English

Every user, automated process, and device that accesses your systems must have a unique identity. You must be able to tell exactly who or what is making each request to your systems.

How Petronella Implements This Control

Petronella Technology Group implements this control through:

  • Microsoft Entra ID providing unique identity for all users, service principals, and managed identities
  • Active Directory accounts assigned to each individual with unique usernames following naming conventions
  • Service accounts registered with documented owners and purposes in ComplianceArmor
  • Device certificates and Entra device identities for all managed endpoints
  • Cisco Meraki device profiling identifying and categorizing all network-connected devices

Assessment Guidance

Assessors will verify that all users have unique identifiers, check that service accounts are documented with assigned owners, review device identification mechanisms, and confirm that processes acting on behalf of users are identifiable.

Common Implementation Gaps

  • Shared user accounts that make individual identification impossible
  • Undocumented service accounts with no assigned owner
  • Devices connecting to the network without identification
  • Automated processes running under generic accounts
  • No naming convention for accounts, which makes identification difficult
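
An added example (not Petronella's tooling and not part of the original page): a Python check over an exported account inventory that flags the account-related gaps listed above. The CSV columns, the `first.last` and `svc-` naming convention, and the generic-name list are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export, not real data. Column names are assumptions.
SAMPLE_INVENTORY = """account,type,owner,purpose
john.smith,user,John Smith,
jane.doe,user,Jane Doe,
jane.doe,user,Janet Doe,
frontdesk,user,,Reception PC login
svc-backup,service,Jane Doe,Nightly backup job
svc-scanner,service,,
sqlagent,service,Mark Lee,SQL Agent jobs
"""

# Assumed naming convention: first.last for people, svc- prefix for service accounts.
NAMING = {
    "user": re.compile(r"^[a-z]+\.[a-z]+$"),
    "service": re.compile(r"^svc-[a-z0-9-]+$"),
}
# Assumed list of generic names that usually indicate a shared login.
GENERIC = {"admin", "administrator", "frontdesk", "shared", "guest", "test"}


def audit(inventory_csv):
    """Return (account, finding) pairs for identification gaps in the inventory."""
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    counts = Counter(r["account"].lower() for r in rows)
    findings, seen = [], set()
    for r in rows:
        name, kind = r["account"].lower(), r["type"].lower()
        owner, purpose = r["owner"].strip(), r["purpose"].strip()
        if name in seen:  # report each identifier once
            continue
        seen.add(name)
        if counts[name] > 1:
            findings.append((name, "identifier is not unique"))
        if kind == "user" and (name in GENERIC or not owner):
            findings.append((name, "generic or shared account"))
        if kind == "service" and not (owner and purpose):
            findings.append((name, "service account missing owner or purpose"))
        if kind in NAMING and not NAMING[kind].match(name):
            findings.append((name, "violates naming convention"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(SAMPLE_INVENTORY):
        print(f"{account}: {finding}")
```

Device identification is out of scope for this check; it covers user and service accounts only.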

Cross-Framework Mapping

Framework        Mapped Controls
NIST SP 800-53   IA-2, IA-3, IA-8
HIPAA            164.312(d) - Person or Entity Authentication
PCI DSS          Req 8.1 - Define and implement policies for proper user identification management
