Part of a Collection
This article is part of the collection: The 14 CMMC Domains: A Comprehensive Guide
CMMC Domains
CMMC Deep Dive: Identification and Authentication (IA)
A guide to the Identification and Authentication (IA) domain, covering how to verify user identities.
Published: June 25th, 2024By: CMMC Dashboard TeamLast updated: August 7th, 2025
Identification and Authentication
IA
MFA
Passwords
This article is part of our series on The 14 CMMC Domains.
The Identification and Authentication (IA) domain focuses on proving that a user, process, or device is who or what it claims to be. This is the "lock and key" of your digital systems.
Why It Matters
Without strong authentication, an attacker with stolen credentials can gain unfettered access. IA ensures that only legitimate entities can access your systems, forming the basis for accountability.
Key Practices
- IA.L1-3.5.1: Identify all system users, processes, and devices.
- IA.L1-3.5.2: Authenticate the identities of users, processes, and devices.
- IA.L2-3.5.3: Use multifactor authentication (MFA) for remote and privileged access.
- IA.L2-3.5.7: Enforce minimum password complexity and character changes.
What Assessors Look For
- A documented password policy.
- System configurations enforcing MFA, password complexity, and history.
- Proof that unique identifiers are used for all users.
- Processes for disabling inactive identifiers.