AC.L2-3.1.4 - Separate the Duties of Individuals
Control Intent
Separate duties of individuals to reduce the risk of malevolent activity without collusion.
Control Response
The organization separates duties among individuals to reduce the risk of unauthorized, unintentional, or malicious actions affecting systems that process, store, or transmit Controlled Unclassified Information (CUI).
Roles and responsibilities associated with system administration, security management, and operational use are defined and assigned to different individuals where feasible. Administrative and privileged functions are restricted to designated accounts and are not performed using standard user accounts.
Users who perform daily operational activities do not routinely use privileged accounts. Privileged access is granted only to individuals with a documented need and is limited to the minimum set of functions required to perform assigned administrative or security responsibilities.
Where staffing limitations prevent full separation of duties, the organization implements compensating controls such as increased oversight, logging, and management review of privileged activities.
Objective Responses
AC.4.008 - Duties are separated
Duties associated with system administration, security functions, and operational use are assigned to separate roles to the extent feasible, and privileged activities are restricted to authorized personnel.
Evidence References
Evidence supporting this control includes role and responsibility documentation, privileged account listings, system access records, and audit logs demonstrating use of separate accounts for administrative and non-administrative activities.
Continuous Monitoring
Privileged roles and access assignments are reviewed at least quarterly and upon personnel or role changes to ensure continued separation of duties.
Common Findings
- Administrative accounts used for routine user activities
- Privileged access granted without documented justification
- Lack of oversight or review of privileged actions