Separation of Duties

Separation of duties is the security principle that no single individual should have enough access or authority to commit fraud or cause significant harm alone. Critical tasks are divided among multiple people so that no one person controls an entire process — creating checks and balances that prevent abuse and catch errors.

In cybersecurity, separation of duties means that the person who writes code shouldn't be the same person who deploys it to production, the person who requests access shouldn't be the same person who approves it, and the person who manages security logs shouldn't be the same person whose activities are being logged.
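The three pairings above (author vs. deployer, requester vs. approver, log administrator vs. the administrator being logged) are the kind of rule an identity or change-management system can enforce mechanically. The following Python is an added illustration, not code from the original page or from any CMMC tooling; every role name, user and workflow event in it is constructed sample data. It performs two checks: a static check that no account holds two roles the policy marks as conflicting, and a dynamic check that within one ticket the same person did not perform both halves of a paired step.

```python
"""
Minimal separation-of-duties (SoD) checker (added example, constructed data).

Check 1 (static):  no user holds two roles that the policy declares conflicting.
Check 2 (dynamic): within a single ticket, the actor of a "request" step is not
                   the actor of the matching "approve" step, and the actor of
                   "author" is not the actor of "deploy".
"""
from collections import defaultdict
from itertools import combinations

# Sample policy: pairs of roles that must never be held by the same account.
CONFLICTING_ROLES = {
    frozenset({"developer", "prod-deployer"}),
    frozenset({"access-requester", "access-approver"}),
    frozenset({"log-admin", "sysadmin"}),
}

# Steps that must be performed by two different people within one ticket.
PAIRED_STEPS = [("request", "approve"), ("author", "deploy")]

# Constructed role assignments (user -> set of roles).
SAMPLE_ASSIGNMENTS = {
    "alice": {"developer"},
    "bob": {"developer", "prod-deployer"},       # toxic combination
    "carol": {"access-approver", "sysadmin"},
    "dave": {"log-admin", "sysadmin"},           # toxic combination
}

# Constructed workflow events: (ticket_id, step, actor).
SAMPLE_EVENTS = [
    ("CHG-1", "author", "alice"),
    ("CHG-1", "deploy", "bob"),       # fine: different people
    ("CHG-2", "author", "bob"),
    ("CHG-2", "deploy", "bob"),       # violation: author deployed own change
    ("ACC-7", "request", "erin"),
    ("ACC-7", "approve", "erin"),     # violation: self-approved access
    ("ACC-8", "request", "erin"),
    ("ACC-8", "approve", "carol"),    # fine
]


def find_role_conflicts(assignments):
    """Return sorted (user, role_a, role_b) tuples for each conflicting pair held."""
    violations = []
    for user, roles in sorted(assignments.items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTING_ROLES:
                violations.append((user, a, b))
    return violations


def find_workflow_violations(events):
    """Return (ticket, actor, first_step, second_step) for every ticket in which
    one person performed both halves of a paired step."""
    actors_by_ticket = defaultdict(dict)
    for ticket, step, actor in events:
        actors_by_ticket[ticket][step] = actor
    violations = []
    for ticket, steps in sorted(actors_by_ticket.items()):
        for first, second in PAIRED_STEPS:
            if first in steps and second in steps and steps[first] == steps[second]:
                violations.append((ticket, steps[first], first, second))
    return violations


def would_create_conflict(assignments, user, new_role):
    """Preventive check: would granting new_role to user violate the policy?
    Use this at provisioning time rather than only in after-the-fact audits."""
    held = assignments.get(user, set())
    return any(frozenset({new_role, r}) in CONFLICTING_ROLES for r in held)


if __name__ == "__main__":
    for v in find_role_conflicts(SAMPLE_ASSIGNMENTS):
        print("role conflict:", v)
    for v in find_workflow_violations(SAMPLE_EVENTS):
        print("workflow violation:", v)
    print("grant alice prod-deployer?",
          "blocked" if would_create_conflict(SAMPLE_ASSIGNMENTS, "alice", "prod-deployer") else "ok")
```

The static check is what an access review runs periodically; the preventive `would_create_conflict` check is the stronger control, since it stops a toxic combination from being provisioned at all. Small teams that cannot avoid one person holding both roles can still run the dynamic check so that a self-approval or self-deployment is at least flagged for review.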

Why It Matters

Separation of duties is a CMMC access control requirement. While challenging for small organizations with limited staff, demonstrating some level of duty separation — particularly for critical security and administrative functions — is important for assessment.