CMMC Identification & Authentication: Password Requirements in Plain English
Before your systems can control what someone does, they need to know who that someone is. That's what the Identification and Authentication domain is all about—knowing who is using your systems and verifying they are who they claim to be.
For CMMC Level 1, this domain has just two requirements. They're straightforward concepts wrapped in government jargon.
Speaking of jargon: you'll see the word "authenticator" in the official CMMC documents. Don't let it intimidate you. In most cases, an authenticator is just a password. It can also be a PIN, a badge, or a fingerprint—anything that proves you are who you say you are. But for most small businesses, we're mainly talking about passwords.
This guide explains both requirements in plain English, shows you what compliance looks like, and covers the password practices that will keep your business secure and compliant.
IA.L1-3.5.1: Identify Users
Plain English: Know who's logging into your systems.
Before you can verify someone's identity, you need a way to identify them in the first place. This requirement says every person accessing your systems must have a unique identifier—something that distinguishes them from everyone else.
For most businesses, this means usernames. When someone logs in, they enter a username that identifies who they are, then a password that proves it. The username is the identification part.
What This Looks Like in Practice
Every person has a unique username. John Smith logs in as jsmith or john.smith@yourcompany.com. Not "User1." Not "ShopFloor." Not a shared account. His own unique identifier that belongs only to him.
Usernames are tied to real people. You should be able to look at any username on your system and know exactly which human being it belongs to. If you see "jsmith" in a log file, you know that's John Smith in accounting. This traceability matters when you need to investigate problems or verify who did what.
No anonymous access to systems with FCI. If a system touches Federal Contract Information, every person using it must be identified. No guest accounts. No anonymous logins. No "just use this password to get in." Everyone is identified.
You have records of who has which accounts. Somewhere—a spreadsheet, your IT system, a document—you have a list connecting usernames to real people. When someone asks "who is jsmith?" you can answer immediately.
Evidence You'll Need
To demonstrate compliance with this requirement:
- A list of all user accounts with the corresponding employee names
- Onboarding records showing when accounts were created
- Documentation of your account naming convention
- Records showing account assignments are reviewed periodically
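The traceability check described above (every username maps to one named, current person; no shared or generic accounts) can be automated against a directory export and an HR roster. The following is an added example written for this guide, not CMMCheck's code or any vendor tool; the account records, the roster, and the list of "generic" name patterns are constructed assumptions you would replace with your own export and naming convention.

```python
import re

# Constructed sample directory export: each account carries the owner name your
# records tie it to (empty string means nobody has claimed it). Not real data.
ACCOUNTS = [
    {"username": "jsmith",    "owner": "John Smith", "enabled": True},
    {"username": "mlee",      "owner": "Maria Lee",  "enabled": True},
    {"username": "bjones",    "owner": "Bob Jones",  "enabled": True},   # left the company
    {"username": "shopfloor", "owner": "",           "enabled": True},   # shared account
    {"username": "user1",     "owner": "",           "enabled": True},   # generic account
    {"username": "guest",     "owner": "",           "enabled": False},  # disabled, still on record
    {"username": "cam-lobby", "owner": "",           "enabled": True},   # nobody recorded as owner
]

# Constructed HR roster of current employees (Bob Jones is no longer on it).
ROSTER = {"John Smith", "Maria Lee"}

# Assumed patterns for names that describe a role, place or placeholder rather
# than a person. Extend this to match your own environment.
GENERIC_PATTERNS = [
    r"^user\d*$", r"^guest$", r"^admin\d*$", r"^temp\d*$", r"^test\d*$",
    r"^shopfloor$", r"^shared", r"^front ?desk$",
]


def is_generic(username):
    """True when the username looks like a role or placeholder, not a person."""
    lowered = username.lower()
    return any(re.match(pattern, lowered) for pattern in GENERIC_PATTERNS)


def audit_accounts(accounts, roster):
    """Return {username: reason} for every account that fails the traceability test.

    An account passes only if it has a non-generic name, a named owner on record,
    and (if enabled) that owner is still on the current roster.
    """
    findings = {}
    for acct in accounts:
        username = acct["username"]
        if is_generic(username):
            state = "enabled" if acct["enabled"] else "disabled"
            findings[username] = f"generic or shared account name ({state})"
        elif not acct["owner"]:
            findings[username] = "no named owner on record"
        elif acct["enabled"] and acct["owner"] not in roster:
            findings[username] = "enabled account for a person not on the current roster"
    return findings


if __name__ == "__main__":
    for username, reason in audit_accounts(ACCOUNTS, ROSTER).items():
        print(f"{username:12} {reason}")
```

Run it after each onboarding/offboarding cycle and keep the output with your periodic account review records; an empty result is the evidence that every account on the system traces to one current, named person.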
IA.L1-3.5.2: Authenticate Users
Plain English: Verify that people are who they claim to be.
Identification is claiming to be someone. Authentication is proving it. When John types "jsmith" as his username, he's identifying himself. When he types his password, he's authenticating—proving he really is John and not someone pretending to be John.
The official requirement uses phrases like "authenticators" and "sufficient strength." Translated: use passwords (or other verification methods) that aren't easily guessed or cracked.
What This Looks Like in Practice
You have a password policy. Employees know what's expected for passwords—how long they need to be, what complexity is required, when they need to be changed. This doesn't need to be a 20-page document. A one-page policy covering the basics is enough.
No default passwords remain unchanged. Every piece of equipment comes with default passwords. Routers, printers, software applications—they all have factory-set credentials that are publicly known. These must be changed before the equipment goes into use. "Admin/admin" and "password123" are not acceptable.
Passwords are changed when compromised. If there's any reason to believe a password has been stolen or exposed—a phishing incident, a data breach at a service you use, an employee admitting they shared their password—it gets changed immediately.
Consider multi-factor authentication. While not strictly required for Level 1, MFA adds significant security. We'll cover this in more detail in the "What About Multi-Factor Authentication?" section below.
Password Tips for Small Businesses
The official requirement says passwords need "sufficient strength" without defining exactly what that means. Here's what works:
Use 12+ characters minimum. Length matters more than complexity. A 16-character password is dramatically harder to crack than an 8-character password, even if the shorter one has special characters.
Use passphrases instead of passwords. "MyDogLoves2Chase!" is easier to remember and harder to crack than "P@ssw0rd1". String together words that mean something to you but aren't easily guessed. Add a number and special character if your systems require them.
Consider a password manager. Tools like Bitwarden, 1Password, or even the built-in managers in Chrome and Edge let employees have strong, unique passwords for everything without needing to remember them all. For a small business, this is one of the highest-value security investments you can make.
Don't require frequent changes. The old advice to change passwords every 90 days has been abandoned by security experts. Frequent mandatory changes lead to weaker passwords (Password1, Password2, Password3...). Change passwords when there's a reason to—compromise, employee departure, or annual review—not on an arbitrary schedule.
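The password tips above make three testable claims: length beats complexity, factory defaults and common passwords must be rejected, and "Password1, Password2, Password3" rotation should be caught. The following is an added example, not code from CMMCheck or from any password manager; the weak-password list and the minimum length are constructed assumptions (a real deployment would check against a full breached-password list), and the keyspace calculation assumes passwords are drawn uniformly from the stated character set.

```python
import math
import re

# Assumed policy minimum, matching the "12+ characters" advice.
MIN_LENGTH = 12

# Constructed sample of factory defaults and common passwords. In practice this
# would be a large breached-password list, not a hand-written set.
WEAK_PASSWORDS = {
    "admin", "password", "password1", "password123", "p@ssw0rd1",
    "123456", "welcome1", "changeme", "letmein",
}


def keyspace_bits(length, charset_size):
    """Bits of guessing work for a password of `length` characters drawn uniformly
    from `charset_size` possible characters (log2 of the total keyspace)."""
    return length * math.log2(charset_size)


def _core(password):
    """Strip trailing digits/symbols and case so 'Password1' and 'Password2'
    collapse to the same core ('password'). Used for rotation detection."""
    return re.sub(r"[\d\W_]+$", "", password).lower()


def check_password(candidate, previous=None):
    """Return a list of policy problems with `candidate`; an empty list means it passes.

    `previous` is the user's last password, if known, so that trivial
    increment-the-number changes can be rejected.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in WEAK_PASSWORDS or _core(candidate) in WEAK_PASSWORDS:
        problems.append("matches a known default or common password")
    if previous is not None and _core(candidate) == _core(previous):
        problems.append("only the trailing digits/symbols changed from the previous password")
    return problems


if __name__ == "__main__":
    # 8 characters from the full printable ASCII set vs 16 lowercase letters.
    print(f"8 chars, 95-symbol set: {keyspace_bits(8, 95):.1f} bits")
    print(f"16 chars, lowercase only: {keyspace_bits(16, 26):.1f} bits")
    for candidate, previous in [("P@ssw0rd1", None),
                                ("MyDogLoves2Chase!", None),
                                ("Password2", "Password1")]:
        print(f"{candidate!r}: {check_password(candidate, previous) or 'OK'}")
```

The keyspace figures are the point of the "length matters more than complexity" claim: an 8-character password using every printable character is worth roughly 53 bits, while 16 lowercase letters are worth roughly 75 bits, so the longer, simpler one is the harder target even before a guesser gets any help from common-pattern dictionaries.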
Evidence You'll Need
To show you meet this requirement:
- A documented password policy
- Screenshots of system settings showing password requirements are enforced
- Evidence that default passwords have been changed (configuration records)
- Records of password changes following incidents
What About Multi-Factor Authentication?
Multi-factor authentication—requiring something beyond just a password to log in—is not strictly required for CMMC Level 1. But it's worth implementing anyway.
Here's why: MFA stops most account compromises cold. Even if someone steals a password through phishing or a data breach, they can't get in without the second factor. It's one of the most effective security measures available.
If you're planning to pursue Level 2 eventually, MFA is required there. Getting it in place now means you're already ahead.
The good news is MFA has become easy to implement. Microsoft 365 includes it at no extra cost. Google Workspace has it built in. Most business applications support authenticator apps like Microsoft Authenticator or Google Authenticator, which are free.
For a small business, start with MFA on your most critical systems—email, VPN, and any cloud services containing FCI. You can expand from there. The setup takes minutes per user, and after a brief adjustment period, it becomes second nature.
Common Gaps
These are the identification and authentication problems we see most often in small businesses:
Passwords on sticky notes. We get it—people have too many passwords to remember. But a sticky note on the monitor defeats the entire purpose. This is where a password manager helps. The passwords can be strong and unique, and employees only need to remember one master password.
Default passwords never changed. That router your IT person installed three years ago? The network printer in the corner? The security camera system? Check whether they still have default credentials. Attackers know these defaults and actively scan for devices that haven't been changed.
Same password for everything. When employees use the same password across multiple systems—or worse, across work and personal accounts—a breach anywhere becomes a breach everywhere. Password managers solve this by making unique passwords practical.
No password policy documented. Your employees might be using strong passwords, but if you haven't written down your expectations, you can't prove you have a policy. And new employees won't know what's expected. Document it, even if it's just a single page.
Assess Your Compliance with CMMCheck
Identification and Authentication might seem simple—it's just two requirements—but each has specific assessment objectives you need to meet. Are you identifying all users on all systems that handle FCI? Are your password policies actually enforced, not just written down?
CMMCheck walks you through these requirements with straightforward yes/no questions. No need to interpret government language or guess whether you're compliant. Answer the questions honestly, and you'll know exactly where you stand—and what to fix.
Ready to check your CMMC Level 1 readiness? Try CMMCheck and assess your compliance in plain English.
This article is part of CMMCheck's Plain English CMMC Level 1 Guide, a complete resource for small businesses navigating DoD cybersecurity requirements.