CMMC Practices

AC.L2-3.1.4  

Reference: CMMC 2.11

Family: AC

Level Introduced: 2

Title: Separation of Duties

Practice:
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

CMMC Clarification:
A company must avoid situations in which a conflict of interest, or even a gap in knowledge, can create a security problem. This is accomplished by splitting important duties and tasks between employees so that no single individual can carry out a malicious or erroneous action, whether intentional or unintentional, unless those involved collude. Dividing critical tasks in this way lets the organization minimize fraud, abuse, and error. In summary, no one person should be in charge of an entire critical task from beginning to end.

Example
You are responsible for designing and implementing security solutions in your organization. The same person should not also test security mechanisms, conduct security audits, and release software for delivery. A policy is created and enforced so that the development team does not perform testing and the test team does not perform development. This removes your ability, whether intentional or unintentional, to build a weak security solution that is not identified in testing, or to release it prematurely before unit, integration, regression, operational, and security testing are complete.

Source: CMMC v2.0