AC.L2-3.1.4 Separation of Duties

CMMC Practice AC.L2-3.1.4 – Separation of Duties: Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Links to Publicly Available Resources

Discussion [NIST SP 800-171 R2]
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.

Further Discussion
No one person should be in charge of an entire critical task from beginning to end. Documenting and dividing elements of important duties and tasks between employees reduces intentional or unintentional execution of malicious activities.