Back to Control Explorer



Control Acronym



Identification And Authentication

CMMC Level


800-171 Control #


CMMC Description

Identify information system users, processes acting on behalf of users, or devices.

CMMC Clarification

Authentication helps you to know who is using or viewing your system. Make sure to assign individual, unique identifiers, like user names, to all employees/users who access company systems. Confirm the identities of users, processes, or devices before allowing them access to the company’s information system-usually done through passwords. Example You lead a project with the Department of Defense (DoD) for your small company and want to make sure that all employees working on the project can log on to the company system to see important information about the project. You also want to prevent employees who are not working on the DoD project from being able to access the information. You set up the system so that when an employee logs on, the system uniquely identifies each person, then determines the appropriate level of access.

800-171 Description

Identify system users, processes acting on behalf of users, and devices.

800-171 Discussion

Common device identifiers include Media Access Control (MAC), Internet Protocol (IP) addresses, or device-unique token identifiers. Management of individual identifiers is not applicable to shared system accounts. Typically, individual identifiers are the user names associated with the system accounts assigned to those individuals. Organizations may require unique identification of individuals in group accounts or for detailed accountability of individual activity. In addition, this requirement addresses individual identifiers that are not necessarily associated with system accounts. Organizational devices requiring identification may be defined by type, by device, or by a combination of type/device.[SP 800-63-3] provides guidance on digital identities.

Other Source Discussion


CIS Control References

CIS Controls v7.1 4.2, 4.3, 16.8, 16.9

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 IA-2, IA-3, IA-5

CMMC Derived

NIST CSF Control References

NIST CSF v1.1 PR.AC-1, PR.AC-6, PR.AC-7

NIST 800-171 References

NIST SP 800-171 Rev 1 3.5.1

Applicable FAR Clause

FAR Clause 52.204-21 b.1.v

NIST CSF Control Reference

CERT RMM Reference


Modification of NIST 800-171B Reference

NIST 800-171B Reference

UK NCSCCyber Reference

AS ACSC Reference


Assessment Sub-Criteria 1

IA.1.076.[a] system users are identified;

Assessment Sub-Criteria 2

IA.1.076.[b] processes acting on behalf of users are identified; and

Assessment Sub-Criteria 3

IA.1.076.[c] devices accessing the system are identified.

Assessment Sub-Criteria 4

Assessment Sub-Criteria 5

Assessment Sub-Criteria 6

Assessment Sub-Criteria 7

Assessment Sub-Criteria 8

Assessment Sub-Criteria 9

Assessment Sub-Criteria 10

Assessment Sub-Criteria 11

Assessment Sub-Criteria 12

Assessment Sub-Criteria 13

Assessment Sub-Criteria 14

Assessment Sub-Criteria 15