CMMC Practice AC.L2-3.1.4

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Bold Coast Security Guidance

Separation of duties is challenging in a large organization where things move quickly, and even more challenging in a small organizations with few people, or only one person, doing the work. In order to comply in a smaller organization, utilize upper management to approve security work, such as making firewall rule changes, adding domain administrators, and approving website changes. You can also utilize a 3rd party service to review audit logs and send alerts to IT personnel and a non-IT manager. In a larger organization, require two different users to authorize changes and implement changes. Document all of these request/approve/ implement change requests using a standard form or existing help desk tracking system. In order to measure the success of your separation of duties, you should review change logs and verify approval on a regular basis.

Discussion From Source

DRAFT NIST SP 800-171 R2 Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.

References