NIST 800-171 • LEVEL 2 • ACCESS CONTROL

3.1.4 Separation of Duties

Identify the duties of individuals requiring separation. Define system access authorizations to support separation of duties.

CMMC Practice Mapping

NIST 800-53 Controls

Assessment Objectives

  • duties of individuals requiring separation are identified.
  • system access authorizations to support separation of duties are defined.

Practitioner Notes

Separation of duties means no single person should be able to both approve and execute a critical action. The person who writes the check shouldn't be the same person who signs it. In IT terms, the person who creates accounts shouldn't also be the one auditing them.

Example 1: In Active Directory, create separate admin tiers. Keep your domain admins in one group and your help desk staff (who handle password resets and basic account lookups) in another, and put ordinary user accounts and privileged accounts in different OUs. Run the Delegation of Control Wizard on the OU that holds ordinary users (never on the domain root) and grant the help desk group only the tasks "Reset user passwords and force password change at next logon" and "Read all user information" — nothing else. Because delegated permissions inherit downward, confirm afterwards that the OU holding privileged accounts carries no ACE for the help desk group; otherwise the help desk could reset a domain admin's password, which defeats the tiering.
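The same delegation done from PowerShell, with the verification step that the wizard does not give you. This is an added example, not code from the original page; the OU paths, domain DN and group name are hypothetical, while the two GUIDs are the well-known schema identifiers for the Reset Password extended right and the user object class.

```powershell
# Added example (not from the original page). Delegates help-desk password
# resets on a standard-user OU, then checks that the privileged-account OU
# received no ACE for the help desk group.
# Assumed names: OUs, domain DN and group are hypothetical placeholders.
Import-Module ActiveDirectory   # provides the AD: PSDrive used by Get-Acl/Set-Acl

$UserOU   = "OU=Standard Users,DC=corp,DC=example"   # assumed: ordinary user accounts
$AdminOU  = "OU=Tier0 Admins,DC=corp,DC=example"     # assumed: privileged accounts, sibling OU
$HelpDesk = "CORP\HelpDesk-PasswordReset"            # assumed: delegated group

# Well-known AD schema GUIDs (not invented):
$ResetPasswordRight = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password
$UserClass          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # 'user' object class

function Grant-HelpDeskDelegation {
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)

    $acl = Get-Acl -Path "AD:\$OuDn"

    # ACE 1: the Reset Password extended right, inherited only by user objects
    # beneath this OU (Descendents + inheritedObjectType = user).
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ResetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)))

    # ACE 2: read all properties of user objects, the equivalent of the wizard's
    # "Read all user information" task.
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $UserClass)))

    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Test-NoDelegation {
    # Returns $true when the given OU (including inherited ACEs) grants the
    # principal nothing at all; $false means the tiering has leaked.
    param([string]$OuDn, [System.Security.Principal.SecurityIdentifier]$Sid)

    $leaked = (Get-Acl -Path "AD:\$OuDn").Access | Where-Object {
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $Sid
    }
    return (@($leaked).Count -eq 0)
}

$helpDeskSid = (New-Object System.Security.Principal.NTAccount($HelpDesk)).Translate(
    [System.Security.Principal.SecurityIdentifier])

Grant-HelpDeskDelegation -OuDn $UserOU -Sid $helpDeskSid

if (-not (Test-NoDelegation -OuDn $AdminOU -Sid $helpDeskSid)) {
    Write-Warning "Help desk group has rights on $AdminOU; move the admin OU out from under the user OU or block inheritance."
}
```

Keep the privileged OU a sibling of the user OU rather than a child; if it must sit beneath it, block inheritance on the admin OU before delegating. `dsacls "OU=Tier0 Admins,DC=corp,DC=example"` gives the same ACE listing from the command line if you want a second, independent read of the result for your assessor.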

Example 2: In your change management policy, require that any firewall rule change be requested by one person, reviewed by a second, and implemented by a third. Document this in a Separation of Duties matrix — a simple spreadsheet listing which roles are incompatible (for example, "firewall change requester" versus "firewall administrator"). Back the matrix with the actual access assignments: the requester and reviewer roles should hold no write access to the firewall, so the policy cannot be bypassed by one person. Your CMMC assessor will want to see both the matrix and evidence that the access authorizations match it.