CMMC v2.13 Practices

AC.L2-3.1.4

Reference: CMMC v2.13

Family: AC

Level Introduced: 2

Title: Separation of Duties

Practice:
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

Further Discussion:
No one person should be in charge of an entire critical task from beginning to end. Documenting and dividing elements of important duties and tasks between employees reduces intentional or unintentional execution of malicious activities.

Example 1
You are responsible for the management of several key systems within your organization including some that process CUI. You assign the task of reviewing the system logs to two different people. This way, no one person is solely responsible for the execution of this critical security function [c].

Example 2
You are a system administrator. Human Resources notifies you of a new hire, and you create an account with general privileges, but you are not allowed to grant access to systems that contain CUI [a,b]. The program manager contacts the team in your organization that has system administration authority over the CUI systems and informs them which CUI the new hire will need to access. Subsequently, a second system administrator grants access privileges to the new hire [c].

Potential Assessment Considerations
• Does system documentation identify the system functions or processes that require separation of duties (e.g., function combinations that represent a conflict of interest or an over-allocation of security privilege for one individual) [a]?
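The provisioning workflow in Example 2 and the documented list of conflicting function combinations asked about in the assessment consideration can both be checked mechanically. The following Python script is an added example, not part of the CMMC text: it defines a hypothetical separation-of-duties policy as pairs of provisioning functions that must be performed by different individuals for the same account, then runs a preventive check (refuse the second half of a pair to the same actor) and a detective check (scan an audit log for actors who completed both halves). The log format, function names, and administrator names are constructed for this example.

```python
"""Separation-of-duties checks over a constructed account-provisioning audit log.

Models the workflow described in Example 2: one administrator creates an
account, a different administrator grants access to CUI systems. The policy
below is the kind of documentation the assessment consideration refers to,
listing function combinations that one individual must not perform alone.
All names, log lines and policy entries are constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical SoD policy: each pair must be performed by different
# individuals for the same subject account.
CONFLICTING_FUNCTIONS = {
    frozenset({"create_account", "grant_cui_access"}),
    frozenset({"request_cui_access", "grant_cui_access"}),
}


@dataclass(frozen=True)
class AuditEvent:
    actor: str      # who performed the provisioning function
    function: str   # which function was performed
    subject: str    # the account acted upon


def parse_event(line: str) -> AuditEvent:
    """Parse one line of the constructed 'actor function subject' log format."""
    actor, function, subject = line.split()
    return AuditEvent(actor, function, subject)


def load_events(text: str) -> list:
    """Parse a whole log text, skipping blank lines."""
    return [parse_event(line) for line in text.splitlines() if line.strip()]


def may_perform(actor: str, function: str, subject: str, events) -> bool:
    """Preventive check: False if performing `function` would let `actor`
    complete a conflicting pair for `subject` on their own."""
    done = {e.function for e in events if e.actor == actor and e.subject == subject}
    for pair in CONFLICTING_FUNCTIONS:
        if function in pair and (pair - {function}) <= done:
            return False
    return True


def find_sod_violations(events) -> list:
    """Detective check: (actor, subject, function_a, function_b) tuples where
    one actor performed both halves of a conflicting pair for one subject."""
    performed = defaultdict(set)  # (actor, subject) -> functions performed
    for ev in events:
        performed[(ev.actor, ev.subject)].add(ev.function)
    violations = []
    for (actor, subject), funcs in performed.items():
        for pair in CONFLICTING_FUNCTIONS:
            if pair <= funcs:
                a, b = sorted(pair)
                violations.append((actor, subject, a, b))
    return sorted(violations)


# Constructed sample log: jdoe was provisioned with duties separated;
# msmith both created the account and granted CUI access for rlee.
SAMPLE_LOG = """\
admin1 create_account jdoe
pm1 request_cui_access jdoe
admin2 grant_cui_access jdoe
msmith create_account rlee
msmith grant_cui_access rlee
"""


def check_log(text: str = SAMPLE_LOG) -> list:
    return find_sod_violations(load_events(text))


if __name__ == "__main__":
    events = load_events(SAMPLE_LOG)
    print("admin1 may grant CUI access to jdoe:", may_perform("admin1", "grant_cui_access", "jdoe", events))
    print("admin2 may grant CUI access to jdoe:", may_perform("admin2", "grant_cui_access", "jdoe", events))
    for actor, subject, a, b in check_log():
        print(f"SoD violation: {actor} performed both {a} and {b} for {subject}")
```

The preventive check belongs in the provisioning tool at the point where the second function is requested; the detective check belongs in periodic log review, which Example 1 itself assigns to two different people.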


Source: CMMC v2.13