3.5.1 — Prove Who You Are

The One-Liner

If anything in your environment can act without a unique identity, you can’t trace it, you can’t control it, and you fail this requirement.

What It Says

Identify system users, processes acting on behalf of users, and devices.

What It Actually Means

This is the identity foundation that everything else builds on. Three things need unique identifiers:

1. Every person — unique username per individual. Not team accounts, not shared logins, not generic “admin” accounts.
2. Every automated process — service accounts, scheduled tasks, API connections. Each one has a unique identifier tied to a documented owner.
3. Every device — workstations, servers, phones, printers. Each one tracked with a unique ID through MDM or asset management.

The assessor will test this by pointing at a random log entry and asking “who or what did this?” If the answer is “we’re not sure because three people use that account,” you fail.

This requirement is the identity layer that access control (3.1.1) depends on. Without unique identification, you can’t enforce access rules, trace actions, or hold anyone accountable.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are system users uniquely identified?	Every person has their own username — no shared accounts
2	Are processes acting on behalf of users identified?	Service accounts documented with unique IDs and owners
3	Are devices authorized to connect identified?	Device inventory with unique identifiers from MDM or asset management

---

What to Have Ready on Assessment Day

Documents they’ll review: Identification and authentication policy; procedures addressing user identification; system security plan; system design documentation; system configuration settings; list of system accounts; list of identifiers generated from organizational information system components

People they’ll talk to: Personnel with system operations responsibilities; personnel with account management responsibilities; personnel with information security responsibilities; system or network administrators; system developers

Live demos they’ll ask for: Mechanisms supporting or implementing identification of system users, processes, and devices

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Can you uniquely identify every user on your CUI systems right now?”
• “Show me a service account — who owns it and what does it do?”
• “How do you identify devices connecting to your network? Show me the inventory.”
• “Are there any shared or generic accounts in your environment? Show me.”
• “How do you ensure new devices get unique identifiers before connecting?”

Real-World Example

A 45-person defense sub uses Entra ID for all user identities — each person has a unique UPN. Service accounts follow a naming convention (svc-[app]-[function]@company.com) and each has a documented owner in the ITSM tool. Devices are enrolled through Intune with hardware-based unique IDs. When the assessor asks about a service account running the backup job, IT immediately shows the documentation: owner is the senior sysadmin, created date, purpose, last review date.

---

Where Companies Trip Up

Shared accounts. “admin@company.com” used by three people. The assessor asks who performed a specific action logged under that account, and you can’t answer. Every person gets their own account.

Orphan service accounts. That SQL service account from 2019 that nobody remembers creating. Every automated process needs a documented owner who reviews it annually.

Unidentified devices. Personal phones connecting to Wi-Fi, printers nobody inventoried. If it connects to the CUI environment, it needs a unique ID in your inventory.

Generic accounts on appliances. Network devices with factory ‘admin’ accounts. Each appliance needs unique credentials — even if only two people access it.

---

How to Talk About This

To a CEO or Board

Every person, process, and device in our environment has a unique identity. Nothing acts anonymously. When we need to know who did something, we always have a name.

To an Engineering Team

Unique accounts in Entra ID per user. Service accounts: naming convention svc-[app]-[function], documented owners in ITSM, annual review. Device IDs via Intune enrollment. No shared or generic accounts. Quarterly audit for orphaned identifiers.

---

Connected Requirements

Requirement	Why it matters here
3.1.1 — Who Gets In	Uses identities from this requirement to control access
3.3.2 — Trace Every Action	Depends on unique IDs to attribute actions to individuals
3.5.2 — Verify Before Entry	Authenticates the identities established here
3.5.6 — Disable Dormant Accounts	Disables identifiers that go unused

---

Implementation (coming soon)

Step-by-step setup for Microsoft 365 / Entra ID, AWS, Azure, and GCP — console steps, CLI commands, and evidence screenshots.

---

CMMC Practice ID: IA.L2-3.5.1 | SPRS Weight: 5 points | POA&M Eligible: No