NIST SP 800-171 Rev 2 requirement 3.5.1 mandates that organizations identify information system users, processes acting on behalf of users, and devices before granting access to systems that process, store, or transmit CUI. Each entity must possess a unique identifier — typically a user account name, service account, or device ID — that distinguishes it from all other entities in the system. This identification is not synonymous with authentication; it is the prior step of asserting an identity claim that authentication then verifies. Organizations must maintain an authoritative inventory of all identifiers in use, including human users, automated processes and service accounts, and endpoints or networked devices. The requirement applies across all information systems in scope for CMMC, including on-premises infrastructure, cloud environments, and remote access systems.
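One way to check the identifier inventory described above, as an added example that is not part of the original page: it reconciles a constructed inventory against constructed identifiers observed on in-scope systems. The record layout, the sample names and the case-insensitive matching are assumptions.

```python
from collections import Counter

# The three entity classes 3.5.1 names: users, processes acting for users, devices.
ENTITY_TYPES = {"user", "process", "device"}

# Constructed sample: the authoritative inventory (layout is an assumption).
INVENTORY = [
    {"id": "jdoe", "type": "user"},
    {"id": "asmith", "type": "user"},
    {"id": "svc-backup", "type": "process"},
    {"id": "SVC-Backup", "type": "process"},   # same identifier issued twice
    {"id": "LT-0042", "type": "device"},
    {"id": "printer-3", "type": "printer"},    # not one of the three classes
]

# Constructed sample: identifiers seen in account stores and logs of in-scope systems.
OBSERVED = ["jdoe", "JDoe", "svc-backup", "LT-0042", "admin", "svc-report"]


def norm(identifier):
    """Compare identifiers case-insensitively (assumption; adjust per platform)."""
    return identifier.strip().casefold()


def reconcile(inventory, observed):
    """Return identification gaps between the inventory and what is actually in use."""
    counts = Counter(norm(e["id"]) for e in inventory)
    known = set(counts)
    seen = {norm(o) for o in observed}
    return {
        # Identifier does not distinguish one entity from all others.
        "duplicate": sorted(i for i, n in counts.items() if n > 1),
        # Entry is not classified as a user, process or device.
        "bad_type": sorted({norm(e["id"]) for e in inventory
                            if e["type"] not in ENTITY_TYPES}),
        # In use on a system but missing from the authoritative inventory.
        "unregistered": sorted(seen - known),
        # Inventoried but never observed: candidate stale entries to review.
        "not_observed": sorted(known - seen),
    }


if __name__ == "__main__":
    for finding, ids in reconcile(INVENTORY, OBSERVED).items():
        print(f"{finding}: {ids}")
```
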
Where it stops · what it isn't
- This practice does NOT cover the verification or authentication of identities — that is addressed by IA-L2-3.5.2 (Authenticate Identities of Users, Processes, and Devices)
- This practice does NOT govern the rules for granting or revoking access privileges — those are addressed by AC-L2-3.1.1 and related Access Control practices
- This practice does NOT require multi-factor authentication; MFA is a separate control addressed in IA-L2-3.5.3
- This practice does NOT address password complexity or management policies, which are governed by IA-L2-3.5.7 and IA-L2-3.5.8
- This practice does NOT cover the identification of external users or partners accessing systems via federated identity unless those systems are in scope for CUI processing