AC.3.017

Content

Control Acronym

AC

Family

Access Control

CMMC Level

3

800-171 Control #

3.1.4

CMMC Description

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

CMMC Clarification

A company must avoid situations in which conflicts of interest, or even a lack of knowledge, can create security problems. This can be accomplished by splitting important duties and tasks among employees so that, unless those involved collude, no single person can intentionally or unintentionally carry out malicious activity. This allows the organization to minimize fraud, abuse, and errors by employees. In summary, no one person should be in charge of an entire critical task from beginning to end.

Example: Suppose you are responsible for designing and implementing security solutions in your organization. The same person should not also test those security mechanisms, conduct security audits, and release the software for delivery. Policy is created and enforced so that the development team does not do testing and the test team does not do development. This removes any single person's ability to intentionally or unintentionally develop a weak security solution that is not identified through testing, or that is released prematurely before unit, integration, regression, operational, and security testing are complete.

800-171 Description

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

800-171 Discussion

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.

Other Source Discussion

N/A

NIST 800-53 Control Ref.

NIST SP 800-53 Rev 4 AC-5

CMMC Derived

NIST 800-171 References

NIST SP 800-171 Rev 1 3.1.4

NIST CSF Control Reference

NIST CSF v1.1 PR.AC-4

Sub-Criterias

Assessment Sub-Criteria 1

AC.3.017.[a] the duties of individuals requiring separation are defined;

Assessment Sub-Criteria 2

AC.3.017.[b] responsibilities for duties that require separation are assigned to separate individuals; and

Assessment Sub-Criteria 3

AC.3.017.[c] access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
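The three sub-criteria above describe a check an assessor (or an organization auditing itself) can run mechanically: take the duty pairs defined as requiring separation ([a]), the roles assigned to each individual ([b]), and the privileges each role actually grants ([c]), and report anyone who can exercise both sides of a defined conflict. The following is an added example of that check, not code from the CMMC or NIST documents; every duty name, role name, and user in it is constructed sample data, and a real run would derive the role and assignment tables from an IAM or directory export rather than from literals.

```python
"""Separation-of-duties (SoD) conflict check over an access model.

Given (a) the duty pairs an organization has defined as requiring
separation, (b) the roles assigned to each individual, and (c) the
privileges each role grants, report every individual who can exercise
both sides of a defined conflict. All names below are constructed
sample data, not taken from any real organization.
"""

# [a] Duty pairs defined as requiring separation (constructed example set,
# mirroring the develop/test/release and access-admin/audit-admin splits
# named in the control discussion).
SEPARATED_DUTY_PAIRS = {
    frozenset({"develop", "test"}),
    frozenset({"develop", "release"}),
    frozenset({"access_admin", "audit_admin"}),
}

# [c] Privileges granted by each role, expressed as the duty they enable
# (constructed sample; in practice derive this from IAM/RBAC exports).
ROLE_DUTIES = {
    "developer": {"develop"},
    "qa": {"test"},
    "release_manager": {"release"},
    "iam_admin": {"access_admin"},
    "log_admin": {"audit_admin"},
    "ops_oncall": {"release", "audit_admin"},
    "solo_dev": {"develop", "test"},   # bundles a conflict; assigned to no one yet
}

# [b] Role assignments per individual (constructed sample).
USER_ROLES = {
    "alice": {"developer"},
    "bob": {"qa"},
    "carol": {"release_manager"},
    "dave": {"developer", "ops_oncall"},   # develop + release via two roles
    "erin": {"iam_admin", "log_admin"},    # access_admin + audit_admin
}


def effective_duties(user, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """Union of the duties enabled by every role assigned to *user*."""
    duties = set()
    for role in user_roles.get(user, ()):
        duties |= role_duties.get(role, set())
    return duties


def sod_violations(user_roles=USER_ROLES, role_duties=ROLE_DUTIES,
                   pairs=SEPARATED_DUTY_PAIRS):
    """Return {user: [(duty_a, duty_b), ...]} for each user whose effective
    privileges cover both duties of a pair that must be separated."""
    violations = {}
    for user in sorted(user_roles):
        held = effective_duties(user, user_roles, role_duties)
        hits = [tuple(sorted(p)) for p in pairs if p <= held]
        if hits:
            violations[user] = sorted(hits)
    return violations


def explain_violation(user, pair, user_roles=USER_ROLES, role_duties=ROLE_DUTIES):
    """For remediation: which of the user's roles grant each side of *pair*."""
    return {duty: sorted(r for r in user_roles[user] if duty in role_duties[r])
            for duty in pair}


def roles_bundling_conflicts(role_duties=ROLE_DUTIES, pairs=SEPARATED_DUTY_PAIRS):
    """Roles that grant both sides of a defined conflict on their own. Even if
    nobody holds such a role today, assigning it creates a violation by design,
    so these are findings against [c] independent of current assignments."""
    return sorted((role, tuple(sorted(p)))
                  for role, duties in role_duties.items()
                  for p in pairs if p <= duties)


if __name__ == "__main__":
    for user, hits in sod_violations().items():
        for pair in hits:
            print(f"{user}: holds {pair[0]} and {pair[1]} via "
                  f"{explain_violation(user, pair)}")
    for role, pair in roles_bundling_conflicts():
        print(f"role {role!r} bundles conflicting duties {pair}")
```

Two design points matter for an assessment. First, the check is run over effective privileges (the union across all of a user's roles), not over job titles: dave's conflict arises only from combining two individually clean roles, which is exactly the case a title-based review misses. Second, roles that bundle both sides of a conflict are reported even when unassigned, because sub-criterion [c] is about how privileges are granted, and such a role makes a future violation a one-step change.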
