SC.L2-3.13.3 Role Separation

CMMC Practice SC.L2-3.13.3 – Role Separation: Separate user functionality from system management functionality.

Prevent user functionality and services from accessing system management functionality on IT components, e.g., databases, network components, workstations, servers. This reduces the attack surface of those critical interfaces by limiting who can access them and how they can be accessed. The separation can be achieved through logical or physical methods, using separate computers, CPUs, operating systems, network addresses, or a combination of these. By separating user functionality from system management functionality, administrative and other privileged functions are not available to the general user.

The intent of this practice is to ensure:

  • general users are not permitted to perform system administration functions; and
  • system administrators only perform system administration functions from their privileged account.

This can be accomplished using network separation such as VLANs, or logical separation using strong access control methods.
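As an added illustration (not part of the CMMC practice text), the following nftables ruleset shows the logical-separation approach on a single server: the application ports stay reachable from the user VLAN, while SSH, the admin console and SNMP are reachable only from a management VLAN. The addresses, VLAN numbers and port choices are constructed assumptions.

```nftables
#!/usr/sbin/nft -f
# Constructed example: one server hosting a user-facing web service and
# management services (SSH, HTTPS admin console, SNMP).
# Assumed addressing (hypothetical): users on VLAN 10 (10.10.0.0/16),
# administrators on a dedicated management VLAN 99 (10.99.0.0/24).

define USER_NET = 10.10.0.0/16
define MGMT_NET = 10.99.0.0/24
define MGMT_TCP = { 22, 8443 }   # SSH and admin console
define MGMT_UDP = { 161 }        # SNMP

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept
        ct state invalid drop

        # User functionality: the application itself is reachable from
        # the user network on its service ports only.
        ip saddr $USER_NET tcp dport { 80, 443 } accept

        # Weak setting (left commented out): management ports open to any
        # source, which places the admin interfaces inside the user-facing
        # attack surface.
        # tcp dport $MGMT_TCP accept

        # Corrected: system management functionality is reachable only
        # from the management VLAN.
        ip saddr $MGMT_NET tcp dport $MGMT_TCP accept
        ip saddr $MGMT_NET udp dport $MGMT_UDP accept

        # Management ports hit from anywhere else (including the user
        # network) are logged for detection, then dropped by policy.
        tcp dport $MGMT_TCP log prefix "mgmt-from-user: " drop
        udp dport $MGMT_UDP log prefix "mgmt-from-user: " drop
    }
}
```

Pair this with separate administrator accounts so that the management VLAN is used only from privileged sessions, which covers the second intent bullet above.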