IA.L2-3.5.10[a]: Identify Devices Used in Authentication

Mapped to NIST 800-171 Requirement: 3.5.12
CMMC Assessment Objective: IA.L2-3.5.10[a]

What This Objective Means
This control ensures you know which device identifiers your systems rely on for authentication. Device identifiers are unique values used to verify or validate the identity of a device as part of the login or connection process.
Examples include:
• MAC addresses
• Hostnames
• IP addresses
• X.509 certificates
• Smart card serials or token IDs
• Hardware identifiers (e.g., TPM, serial numbers)
You need to know which identifiers are in use, why they’re used, and where.

Why It Matters
Device-based authentication is common in:
• VPN and remote access validation
• Network access control (NAC)
• Certificate-based authentication
• Zero Trust policies
• Machine-to-machine communications
If you don’t have visibility into the device identifiers used, you can’t:
• Confirm device identity
• Enforce security policies
• Detect spoofing or unauthorized access
• Prove compliance with access restrictions

How to Implement It
1. Inventory Authentication-Capable Devices
• List systems, endpoints, and devices that authenticate using more than just a username/password
2. Identify the Device Identifiers in Use
• Determine which of the following are used:
◦ Certificates (client authentication certs)
◦ Hardware token serials
◦ MAC/IP address restrictions
◦ System or BIOS serial numbers
◦ Device-based biometrics (for local access)
3. Record How and Where They’re Used
• Map identifiers to:
◦ Systems/platforms
◦ Authentication providers
◦ Access policies
4. Document in Policy or SSP
• Include the device identifier types in your System Security Plan (SSP) or Access Control Policy

Evidence the Assessor Will Look For
• Device authentication inventory or diagrams
• Documentation outlining accepted identifier types
• Screenshots or exports showing identifier mapping in VPN, MDM, or identity systems
• Policies detailing how identifiers are managed and validated

Common Gaps
• No clear documentation of device-based authentication mechanisms
• Certificates used, but not tracked or associated with devices
• MAC or IP-based filtering enabled without inventory
• Inconsistent practices across systems
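
The sketch below is an added example, not part of the original page or of any Cuick Trac tooling. It compares the identifier inventory from the implementation steps against the identifiers that systems actually enforce, and reports the gaps listed above. The record fields, policy IDs, gap labels, and sample values are constructed assumptions.

```python
import re

# Constructed sample data: an identifier inventory (step 3 of the procedure)
# and identifiers exported from the systems that enforce them.
INVENTORY = [
    {"device": "eng-laptop-01", "type": "cert", "value": "AB:12:CD:34",
     "system": "VPN gateway", "provider": "internal CA", "policy": "AC-POL-1"},
    {"device": "printer-02", "type": "mac", "value": "00-1A-2B-3C-4D-5E",
     "system": "NAC", "provider": "", "policy": "AC-POL-2"},
    {"device": "old-kiosk", "type": "mac", "value": "00:1a:2b:00:00:01",
     "system": "NAC", "provider": "RADIUS", "policy": "AC-POL-2"},
]
IN_USE = [  # (source system, identifier type, value as exported)
    ("VPN gateway", "cert", "ab12cd34"),
    ("VPN gateway", "cert", "ff00ee11"),
    ("NAC", "mac", "00:1A:2B:3C:4D:5E"),
]

def normalize(id_type, value):
    """Canonical form so the same identifier matches across exports."""
    if id_type in ("mac", "cert"):  # hex values: drop separators, lowercase
        return re.sub(r"[^0-9a-f]", "", value.lower())
    return value.strip().lower()

def find_gaps(inventory, in_use):
    """Return sorted (gap, type, detail) findings."""
    gaps = []
    recorded = {(r["type"], normalize(r["type"], r["value"])): r for r in inventory}
    seen = {(t, normalize(t, v)): src for src, t, v in in_use}
    for key, src in seen.items():
        if key not in recorded:  # enforced somewhere but never inventoried
            gaps.append(("untracked", key[0], f"{key[1]} enforced on {src}"))
    for key, rec in recorded.items():
        if key not in seen:  # inventoried but no system reports using it
            gaps.append(("stale", key[0], rec["device"]))
        missing = [f for f in ("system", "provider", "policy") if not rec[f]]
        if missing:  # identifier not mapped to system/provider/policy
            gaps.append(("unmapped", key[0], f"{rec['device']}: {','.join(missing)}"))
    return sorted(gaps)

if __name__ == "__main__":
    for gap in find_gaps(INVENTORY, IN_USE):
        print(*gap, sep=" | ")
```

Normalizing before comparison matters because VPN, NAC, and MDM exports rarely agree on separators or letter case for MAC addresses and certificate fingerprints.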

How Cuick Trac Helps
Cuick Trac supports this requirement by:
• Providing centralized management of device identifiers used in authentication
• Supporting certificate-based authentication and mapping certs to individual systems
• Enforcing device validation policies at the enclave boundary
• Offering an auditable trail of device-based access and configuration
• Helping document device authentication methods in alignment with NIST and CMMC expectations
With Cuick Trac, device identity is visible, managed, and secure.

Authentication doesn’t stop with the user—it starts with the device.
Schedule a Cuick Trac demo to track and control how devices are identified and trusted across your environment.
