Identification and Authentication 3.5.1
Identify system users, processes acting on behalf of users, and devices.
What Is This CMMC Control?
This control requires organizations to uniquely identify all users, automated processes acting on behalf of users, and devices that access the system. Every person, service account, and device must have a distinct identifier that allows the organization to track who or what is accessing CUI and system resources. This is the foundation for accountability and access control—you cannot control or audit access if you don't know who or what is accessing your systems.
Control Intent
Establish accountability and enable access control by ensuring every user, process, and device accessing the system can be uniquely identified and distinguished from all others.
Who This Control Applies To
- All systems that store, process, or transmit CUI
- All users (employees, contractors, third parties) who access CUI systems
- All service accounts and automated processes that access CUI systems
- All devices (workstations, servers, mobile devices, IoT devices) that connect to CUI systems
- Shared infrastructure components that process CUI
- Cloud-based systems and services handling CUI
Not Applicable When
- Systems that do not store, process, or transmit CUI
- Publicly accessible systems with no CUI access
- Completely isolated systems with no user access (fully automated with no human interaction); note that if such a system still handles CUI, the processes and devices involved must still be uniquely identified, since the control covers more than human users
- Systems scheduled for decommissioning before CMMC assessment (with a documented decommissioning plan)
Key Objectives
1. Assign unique identifiers to all individual users accessing systems containing or processing CUI.
2. Assign unique identifiers to all processes acting on behalf of users that access systems containing or processing CUI.
3. Assign unique identifiers to all devices that access systems containing or processing CUI.
4. Maintain the ability to distinguish between different users, processes, and devices through their assigned identifiers.
Sample Self-Assessment Questions (Partial)
Does your organization assign a unique username to each person who accesses systems containing CUI?
Are shared usernames or generic accounts (like 'admin' or 'user') used by multiple people to access CUI systems?
Implementation Approaches (High-Level)
Active Directory with Unique User Accounts
Each user is assigned a unique Active Directory account with a distinct username, and all access to CUI systems requires authentication with this account.
Cloud Identity Provider (Azure AD, Okta, Google Workspace)
Each user is assigned a unique identity in a cloud-based identity provider, and all access to CUI systems is federated through this provider.
Network Access Control (NAC) with Device Registration
All devices must be registered with unique identifiers (MAC address, certificate, or token) before being granted network access to CUI systems. A MAC address is trivially spoofed and many current operating systems randomize Wi-Fi MAC addresses by default, so it should be paired with a certificate or another identifier that an attacker cannot simply copy.
Certificate-Based Device Identification
Each device is issued a unique digital certificate that must be presented for authentication before accessing CUI systems.
Unique Service Account Naming and Inventory
All automated processes and services are assigned uniquely named service accounts that are inventoried and managed separately from user accounts.
MDM/UEM Device Enrollment and Identification
All mobile devices and endpoints are enrolled in a Mobile Device Management or Unified Endpoint Management solution that assigns and tracks unique device identifiers.
IP Address Management (IPAM) with Static Assignment
Devices are assigned static IP addresses or DHCP reservations that are tracked in an IP address management system. An IP address can be changed by anyone with control of the host and does not survive moves between networks, so this approach is a supporting record for device identity, not a sufficient identifier on its own.
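The approaches above (unique user accounts, a service-account naming standard and inventory, and device identification that does not rely on IP or MAC alone) can be checked mechanically against an identity inventory. The following is an added example, not code from the original page or from ConformatIQ; it assumes an inventory exported from your directory, CMDB, or MDM into the row shape shown, and the svc-<app>-<role> naming convention for service accounts is an assumed convention used for illustration.

```python
"""Audit an account/device inventory for CMMC 3.5.1 gaps.

Added example, not part of the original page. It assumes an inventory
exported from an identity provider, CMDB, or MDM into rows with the
fields shown below; the field names and the svc-<app>-<role> naming
convention for service accounts are assumptions for illustration.
"""
import re
from collections import defaultdict

# Assumed service-account naming convention: svc-<application>-<role>
SERVICE_NAME_RE = re.compile(r"^svc-[a-z0-9]+-[a-z0-9]+$")

# Names that usually indicate a shared or generic account.
GENERIC_NAMES = {"admin", "administrator", "user", "guest", "test",
                 "shared", "operator", "root"}

# Device identification methods that are strong enough on their own
# (IP addresses and MAC addresses are deliberately not in this set).
STRONG_DEVICE_METHODS = {"certificate", "mdm", "nac"}


def audit(records):
    """Return a list of findings: dicts with 'identifier', 'check', 'detail'."""
    findings = []

    # 1. Every identifier must be unique across users, service accounts and devices.
    seen = defaultdict(list)
    for r in records:
        seen[r["identifier"].lower()].append(r["kind"])
    for ident, kinds in seen.items():
        if len(kinds) > 1:
            findings.append({"identifier": ident, "check": "duplicate-identifier",
                             "detail": f"assigned {len(kinds)} times ({', '.join(kinds)})"})

    for r in records:
        ident = r["identifier"]
        if r["kind"] == "user":
            # 2. Shared or generic accounts: a generic name, or not exactly one owner.
            owners = [o for o in r.get("owners", []) if o]
            if ident.lower() in GENERIC_NAMES or len(owners) != 1:
                findings.append({"identifier": ident, "check": "shared-or-generic-account",
                                 "detail": f"owners={owners}"})
        elif r["kind"] == "service":
            # 3. Service accounts need a descriptive, convention-following name and an owner.
            if not SERVICE_NAME_RE.match(ident) or not r.get("owners"):
                findings.append({"identifier": ident, "check": "service-account-naming",
                                 "detail": "does not match svc-<app>-<role> or has no owner"})
        elif r["kind"] == "device":
            # 4. IP or MAC as the only identifier is too weak; require cert, MDM or NAC.
            methods = set(r.get("id_methods", []))
            if not methods & STRONG_DEVICE_METHODS:
                findings.append({"identifier": ident, "check": "weak-device-identification",
                                 "detail": f"methods={sorted(methods) or 'none'}"})
    return findings


def reused_identifiers(history):
    """Identifiers that were assigned to more than one distinct person over time.

    history rows: (identifier, person, assigned_from, assigned_to), ISO dates or None.
    """
    holders = defaultdict(set)
    for ident, person, _start, _end in history:
        holders[ident.lower()].add(person)
    return sorted(i for i, people in holders.items() if len(people) > 1)


# Constructed sample inventory for the example (not real data).
INVENTORY = [
    {"identifier": "jsmith", "kind": "user", "owners": ["Jane Smith"]},
    {"identifier": "admin", "kind": "user", "owners": ["Jane Smith", "Bob Lee"]},
    {"identifier": "c-rpatel", "kind": "user", "owners": ["Raj Patel (contractor)"]},
    {"identifier": "svc-erp-backup", "kind": "service", "owners": ["IT Ops"]},
    {"identifier": "backup2", "kind": "service", "owners": []},
    {"identifier": "jsmith", "kind": "device", "id_methods": ["mac"]},
    {"identifier": "WS-ENG-0042", "kind": "device", "id_methods": ["certificate", "mdm"]},
    {"identifier": "PRN-FLOOR2", "kind": "device", "id_methods": ["ip"]},
]

# Constructed assignment history: the "tjones" identifier was given to two people.
ASSIGNMENT_HISTORY = [
    ("jsmith", "Jane Smith", "2021-03-01", None),
    ("tjones", "Tom Jones", "2019-01-15", "2023-06-30"),
    ("tjones", "Tina Jones", "2023-07-03", None),
]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"{f['check']:32} {f['identifier']:16} {f['detail']}")
    print("reused identifiers:", reused_identifiers(ASSIGNMENT_HISTORY))
```

On the sample data the audit reports five findings: the identifier jsmith used for both a person and a device, the shared admin account, the service account backup2 that neither follows the naming standard nor has an owner, and two devices identified only by MAC or IP; the history check separately flags tjones as a reused identifier. Each finding maps directly onto a POA&M item of the kind listed below.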
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If shared accounts exist, document the specific business justification, which systems are affected, and the planned remediation timeline.
- If legacy systems cannot support unique identification, document the technical limitations, compensating controls (e.g., enhanced logging, restricted access), and migration or replacement plans.
- If service accounts are not uniquely identified, prioritize creating an inventory and implementing naming standards before addressing technical controls.
- If devices are not uniquely identified, start with high-value or high-risk devices (servers, admin workstations) and expand to all devices.
- Acceptable interim steps: implement unique user identification first, then service accounts, then devices in phases.
- For BYOD or contractor devices, implement a registration process even if full MDM enrollment is not immediately feasible.
- Document any identifier reuse and implement a process to prevent future occurrences.
- If using IP addresses as the primary identifier, plan to implement additional identification methods (certificates, NAC), as IP alone is insufficient for high-assurance environments.
Frequently Asked Questions
Does every person need a separate username, or can we use shared accounts for certain roles?
Every person must have a unique username. Shared accounts are generally not acceptable for CMMC compliance because they prevent individual accountability. If a shared account is absolutely necessary for a specific business or technical reason, you must document the justification and implement compensating controls (such as detailed logging of who accessed the shared account and when).
Do service accounts and automated processes need unique identifiers, or is this just for human users?
Yes, service accounts and automated processes must also have unique identifiers. This includes database service accounts, backup processes, scheduled tasks, API integrations, and any other non-human entity that accesses CUI systems. Each should have a descriptive, unique name that identifies its purpose.
How do we identify devices—is a MAC address or IP address sufficient?
MAC addresses, IP addresses, device certificates, or device IDs from MDM/NAC systems are all accepted methods of device identification, but they are not equally strong. IP addresses alone are not sufficient in dynamic environments (DHCP without reservations), and MAC addresses can be spoofed by anyone controlling the host and are randomized by default for Wi-Fi on current mobile and desktop operating systems, so neither should be the only identifier. The key is that you can uniquely and consistently identify each device that accesses CUI systems. Many organizations use a combination of methods (e.g., MAC address registration plus device certificates), with the certificate or MDM/NAC identity carrying the assurance.
What happens if we have legacy systems that don't support unique user identification?
Legacy systems that cannot support unique identification represent a gap that must be addressed. You should document the technical limitation, implement compensating controls (such as restricting access to the legacy system, enhanced logging, or physical access controls), and create a POA&M with a plan to migrate to a system that supports unique identification or decommission the legacy system.
Do contractors and temporary workers need unique identifiers separate from employees?
Yes, contractors and temporary workers must have unique identifiers. Best practice is to make their identifiers distinguishable from employee accounts (e.g., different naming convention or separate organizational unit) to facilitate access reviews and termination processes. Each contractor should have their own account—shared contractor accounts are not acceptable.
Can we reuse usernames from former employees for new hires?
Reusing usernames immediately after an employee departure is not recommended and causes audit trail confusion, since log entries from both people carry the same identifier. Best practice is to disable or delete the former employee's account and create a completely new account with a new username for the new hire. If you must reuse identifiers, ensure a defined period has passed (NIST SP 800-171 3.5.5 separately requires preventing identifier reuse for a defined period) and that all audit logs clearly distinguish between the two individuals' activities.
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Ready to Get Full Guidance?
Access complete implementation details, detailed assessment questions, evidence requirements, and expert guidance for this control.
Information sourced from NIST SP 800-171 Rev. 2.