AC.L2-3.1.4 requires organizations to define which job functions and system responsibilities must be divided among different individuals to prevent a single person from having unchecked authority over a critical process. Grounded in NIST SP 800-171 Rev 2 requirement 3.1.4, the practice mandates that identified duties are actually separated in practice and that distinct system accounts are established to enforce those separations technically. The goal is to eliminate single points of failure in critical workflows — such as a single user who can both approve purchases and issue payments — by requiring at least two individuals to complete a sensitive action. Separation of duties is a preventive control that forces collusion for abuse, raising the cost and likelihood of detection for insider threats. Organizations must document which roles are separated, enforce that separation through access control policy, and provision system accounts that reflect the defined boundaries.
Where it stops · what it isn't
- This practice does not govern physical access separation; physical protection controls under the PE domain address facility and hardware access segregation.
- AC.L2-3.1.4 does not address least privilege assignment (that is covered by AC.L2-3.1.3); separation of duties is about dividing authority across people, not minimizing permissions for a single account.
- This practice does not require two-person integrity for every task — only for duties the organization defines as requiring separation based on risk of malevolent activity.
- Separation of duties does not replace audit logging; AU controls must independently capture actions taken by each separated role to provide accountability.
- This practice does not specify how many roles must be separated; the organization defines the scope based on its CUI workflows and risk posture.
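As an added illustration (not part of the original page or any CMMC reference implementation), the check below takes an organization's defined separated-duty pairs, such as the approve-purchase / issue-payment case above, and verifies them against account provisioning. Because separation is judged across people rather than accounts, it first unions the duties of every account a person holds, so a second account cannot be used to quietly reassemble a toxic combination; the duty names, persons and accounts are constructed sample data.

```python
from collections import defaultdict

# Duty pairs the organization has documented as requiring separation
# (constructed sample, modeled on the purchase/payment example in the text).
SEPARATED_DUTIES = {
    frozenset({"approve_purchase", "issue_payment"}),
    frozenset({"create_vendor", "issue_payment"}),
}

# Constructed sample provisioning data: each system account maps to the
# person who holds it and the duties granted to that account.
ACCOUNTS = {
    "alice":       {"person": "Alice", "duties": {"approve_purchase"}},
    "bob":         {"person": "Bob",   "duties": {"issue_payment"}},
    "carol":       {"person": "Carol", "duties": {"create_vendor"}},
    "carol-admin": {"person": "Carol", "duties": {"issue_payment"}},  # second account
}

def duties_per_person(accounts):
    """Union the duties of every account a person holds; separation is per person."""
    per_person = defaultdict(set)
    for acct in accounts.values():
        per_person[acct["person"]] |= acct["duties"]
    return dict(per_person)

def find_sod_violations(accounts, separated=SEPARATED_DUTIES):
    """Return (person, duty_pair) for each person whose combined accounts
    hold both halves of a separated duty pair."""
    violations = []
    for person, duties in sorted(duties_per_person(accounts).items()):
        for pair in separated:
            if pair <= duties:
                violations.append((person, tuple(sorted(pair))))
    return violations

def two_person_ok(approver_account, executor_account, accounts):
    """A sensitive action needs two distinct people, not merely two accounts."""
    return accounts[approver_account]["person"] != accounts[executor_account]["person"]

if __name__ == "__main__":
    for person, pair in find_sod_violations(ACCOUNTS):
        print(f"VIOLATION: {person} holds both {pair[0]} and {pair[1]}")
    print(two_person_ok("carol", "carol-admin", ACCOUNTS))  # False: same person
```

Running this against real provisioning data means the defined separations are verified continuously rather than only when the policy document is written.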