AC.L2-3.1.4 Separation of Duties - DIB SCC CyberAssist

CMMC Practice AC.L2-3.1.4 – Separation of Duties: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Links to Publicly Available Resources

Brookhaven National Laboratory – Example Separation of Duties Policy
This is an example of a separation of duties policy posted by Brookhaven National Laboratory.
CMMC Level 2 Assessment Guide
This document provides assessment guidance for conducting Cybersecurity Maturity Model Certification (CMMC) assessments for Level 2.
CSO – Separation of duties and IT security
This article provides an overview of what SoD is and why it is critical for security.
ISACA – Implementing Segregation of Duties: A Practical Experience Based on Best Practices
This article from ISACA provides an overview of the implementation of SoD based on practical experiences.
NIST SP 800-53: AC-5 Separation of Duties
This publication from NIST provides an overview of the AC-5 Separation of Duties Control.
TOTEM – Why is separation of duties required by NIST 800-171 and CMMC?
This post provides information as well as a downloadable worksheet that organizations can use to plan and demonstrate separation of duties.
YouTube – NIST 800-171 Control 3.1.4 Separate the duties of individuals
In this edition of the On Compliance Solutions Compliance Tip of the Week, we discuss how the separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion.

Discussion [NIST SP 800-171 R2]
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.

Further Discussion
No one person should be in charge of an entire critical task from beginning to end. Documenting and dividing elements of important duties and tasks between employees reduces intentional or unintentional execution of malicious activities.