NIST 800-171 • LEVEL 2 • IDENTIFICATION AND AUTHENTICATION

3.5.1 User Identification and Authentication

Uniquely identify and authenticate system users, and associate that unique identification with processes acting on behalf of those users. Re-authenticate users when {{ insert: param, A.03.05.01.ODP.01 }}.

Assessment Objectives

  • system users are uniquely identified.
  • system users are authenticated.
  • processes acting on behalf of users are associated with uniquely identified and authenticated system users.
  • users are reauthenticated when {{ insert: param, A.03.05.01.ODP.01 }}.

Practitioner Notes

Every person who uses your systems needs their own unique account — no shared logins, no generic "admin" accounts that three people use. When someone does something on the system, you need to be able to trace it back to exactly who did it.

This is foundational. Without unique identification, your audit logs are meaningless.

Example 1: In Active Directory, ensure every employee has a uniquely named account (e.g., jsmith or jane.smith). Disable or rename default accounts: go to Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options and set "Accounts: Rename administrator account" and "Accounts: Rename guest account" to non-obvious names.

Example 2: In M365 Admin Center, navigate to Users > Active Users and verify each user has a unique UPN (User Principal Name). Disable shared mailbox sign-in by selecting the shared mailbox, clicking Mail > Block sign-in. If service accounts are needed, create dedicated accounts with descriptive names like svc-backup@contoso.com rather than reusing a person's credentials.
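To verify the control rather than only configure it, here is an added example (not from the original page) that scans simplified Windows Security 4624 successful-logon records for accounts used at a keyboard from several workstations within a short window, which is the usual footprint of a shared login. The event records are constructed sample data, and the human logon-type set and the one-hour window are assumptions to tune for your environment.

```python
"""Flag accounts whose logon pattern suggests shared use (added example).

Input is a constructed list of simplified Windows Security 4624 records; in
production the same fields come from the event's EventData section.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Logon types that mean a person was at a console or RDP session:
# 2 Interactive, 7 Unlock, 10 RemoteInteractive, 11 CachedInteractive.
# Network (3) and Service (5) logons are excluded as noise. (Assumed set.)
HUMAN_LOGON_TYPES = {2, 7, 10, 11}

SAMPLE_EVENTS = [  # constructed sample data, not real log output
    {"time": "2024-03-04T08:01:00", "user": "jsmith", "logon_type": 2, "workstation": "WS-101"},
    {"time": "2024-03-04T08:02:30", "user": "admin", "logon_type": 2, "workstation": "WS-102"},
    {"time": "2024-03-04T08:05:10", "user": "admin", "logon_type": 10, "workstation": "WS-115"},
    {"time": "2024-03-04T08:07:45", "user": "admin", "logon_type": 2, "workstation": "WS-130"},
    {"time": "2024-03-04T08:10:00", "user": "jsmith", "logon_type": 3, "workstation": "FS-01"},
    {"time": "2024-03-04T08:20:00", "user": "svc-backup", "logon_type": 5, "workstation": "SRV-BK1"},
    {"time": "2024-03-04T12:30:00", "user": "jsmith", "logon_type": 2, "workstation": "WS-220"},
]


def shared_account_candidates(events, window=timedelta(hours=1), max_hosts=1):
    """Return {user: sorted workstations} for accounts that had human logons
    from more than `max_hosts` distinct workstations inside any `window`."""
    per_user = defaultdict(list)
    for ev in events:
        if ev["logon_type"] in HUMAN_LOGON_TYPES:
            per_user[ev["user"]].append(
                (datetime.fromisoformat(ev["time"]), ev["workstation"]))
    findings = {}
    for user, logons in per_user.items():
        logons.sort()  # chronological, so each window starts at one logon
        for i, (start, _) in enumerate(logons):
            hosts = {host for t, host in logons[i:] if t - start <= window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for user, hosts in shared_account_candidates(SAMPLE_EVENTS).items():
        print(f"review {user}: human logons from {', '.join(hosts)}")
```

Treat the output as a review list, not proof: hot-desking or a user with two machines produces the same pattern, so confirm against HR and asset records before acting.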