Access Control 3.1.4
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
What Is This CMMC Control?
This control requires organizations to divide critical security and system functions among different people to prevent any single person from having too much power or ability to cause harm. The goal is to make it harder for someone to abuse their access or privileges without needing help from others, which naturally creates accountability and oversight.
Control Intent
Prevent insider threats and abuse of privileged access by ensuring no single individual has complete control over critical security functions or can perform actions that could compromise CUI without detection or collusion with others.
Who This Control Applies To
- Organizations with multiple personnel performing IT or security functions
- Systems where privileged access could enable unauthorized disclosure, modification, or destruction of CUI
- Environments where administrative functions like user provisioning, access control, audit review, and system configuration are performed
- Any organization with personnel who have elevated privileges or administrative access to CUI systems
Not Applicable When
- Single-person IT shops where one individual must perform all functions (requires compensating controls and enhanced monitoring)
- Fully outsourced IT environments where the service provider implements separation of duties (must be verified in contracts and assessments)
- Automated systems with no human administrative intervention (rare and must be carefully scoped)
Key Objectives
1. Divide critical mission and system support functions among different individuals or roles to prevent concentration of power
2. Ensure security personnel performing access control functions are separate from those performing audit and monitoring functions
3. Reduce the risk of malevolent insider activity by requiring collusion between multiple individuals to successfully compromise security controls
Sample Self-Assessment Questions (Partial)
How many people are involved in managing your IT systems and security?
Does the same person who creates user accounts also review security logs?
Implementation Approaches (High-Level)
Role-Based Separation with Documented Assignments
Formal assignment of security and administrative functions to different individuals with documented role definitions and access matrices showing the division of duties.
Workflow-Based Separation with Approval Chains
Implementation of multi-step approval workflows that enforce separation by requiring different individuals to perform request, approval, and implementation steps for critical security functions.
Compensating Controls for Limited Staff Environments
When true separation of duties is not possible due to limited personnel, implement enhanced monitoring, logging, and periodic independent review as compensating controls.
Segregation Through Privileged Access Management (PAM)
Use of dedicated PAM solutions to enforce separation by controlling, monitoring, and auditing privileged access with independent oversight and session recording.
Evidence & Assessment Notes
Expected Evidence
Organizations should maintain documentation and evidence demonstrating compliance with this control. This may include policy documentation, configuration records, audit logs, access reviews, and other relevant artifacts that show how the control is implemented and maintained.
Plan of Action & Milestones (POA&M)
- If separation of duties cannot be immediately implemented due to limited staff, document this as a POA&M with specific compensating controls (enhanced logging, external review, etc.) and a timeline for achieving full separation as the organization grows.
- For single-person IT shops, the POA&M should identify the specific compensating controls being implemented and when they will be reviewed for effectiveness (e.g., quarterly external review of administrative actions).
- If separation exists for some functions but not others, the POA&M should specifically identify which functions lack separation and the plan to address each gap.
- When implementing new systems or applications, include separation of duties requirements in the implementation plan to avoid creating new gaps.
- POA&Ms should include specific milestones such as: documenting role definitions (30 days), implementing workflow approvals (60 days), configuring enhanced logging (90 days), conducting the first independent review (120 days).
- For organizations planning to hire additional IT staff, the POA&M should tie separation of duties improvements to hiring milestones.
- If using an MSP or external support, the POA&M should address how oversight and independent review of MSP activities will be implemented.
- Avoid vague POA&M commitments like "will implement separation of duties"; be specific about which functions will be separated and how.
Frequently Asked Questions
What if I only have one IT person - can I still meet this control?
Yes, but you must implement compensating controls. Document that true separation is not possible due to limited staff, then implement enhanced monitoring such as comprehensive audit logging sent to an external location the IT person cannot modify, periodic independent review of all administrative actions by management or an external party, and automated alerts for critical privileged actions. This must be documented as a known risk with specific compensating controls identified.
Does this control mean I need to hire more IT staff?
Not necessarily. While having multiple IT staff makes separation easier to achieve, small organizations can meet this control through compensating controls like enhanced logging, external review, and managed service provider oversight. However, as your organization grows and handles more CUI, you should plan to implement more robust separation of duties through additional personnel or more sophisticated technical controls.
Can the same person approve and implement an access request if they document it?
No, documentation alone does not satisfy separation of duties. The control requires different individuals to perform approval and implementation functions for critical security processes. If you cannot achieve this due to limited staff, you must implement compensating controls such as enhanced monitoring and periodic independent review, and document this as a risk acceptance with your compensating control strategy.
How is this control verified during a CMMC assessment?
Assessors will review your role assignments and access control configurations to verify that critical functions are separated. They will examine audit logs and workflow records to confirm that access requests, security configuration changes, and other critical processes involve multiple different individuals. They will also verify that personnel with administrative privileges cannot modify or delete the audit logs that record their own activities. If you have limited staff, assessors will verify that documented compensating controls are actually implemented and effective.
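The workflow-record check described above (request, approval and implementation performed by different individuals, with no step skipped), written as an added example that is not from NIST, CMMC or any vendor; the record fields and the sample records are constructed for this illustration:

```python
"""Separation-of-duties check over access-request workflow records.

Added example: flag any request where one identity fills more than one
step of the request -> approval -> implementation chain, or where a step
has no identity recorded. Field names and sample data are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

STEPS = ("requested_by", "approved_by", "implemented_by")


@dataclass(frozen=True)
class AccessRequest:
    request_id: str
    requested_by: str
    approved_by: Optional[str]
    implemented_by: Optional[str]


def sod_violations(req: AccessRequest) -> List[str]:
    """Return findings for one record; an empty list means the chain is clean."""
    findings = []
    actors = {step: getattr(req, step) for step in STEPS}
    # A missing step means the chain was short-circuited (e.g. implemented
    # with no approval on file), which is itself a finding.
    for step, who in actors.items():
        if not who:
            findings.append(f"{req.request_id}: no identity recorded for {step}")
    # Any identity appearing in two steps collapses the separation.
    seen = {}
    for step, who in actors.items():
        if who and who in seen:
            findings.append(f"{req.request_id}: {who} performed both {seen[who]} and {step}")
        elif who:
            seen[who] = step
    return findings


def review(records: List[AccessRequest]) -> List[str]:
    """Run the check over a batch of records, as an independent reviewer would sample them."""
    out = []
    for r in records:
        out.extend(sod_violations(r))
    return out


# Constructed sample: one clean chain, one self-approved request,
# one request implemented by its requester with no approval on file.
SAMPLE = [
    AccessRequest("REQ-1", "alice", "bob", "carol"),
    AccessRequest("REQ-2", "dave", "dave", "erin"),
    AccessRequest("REQ-3", "frank", None, "frank"),
]

if __name__ == "__main__":
    for line in review(SAMPLE) or ["no separation-of-duties findings"]:
        print(line)
```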
What are the most common mistakes organizations make with this control?
The most common failures are: having a single IT administrator with complete control over all functions including audit logs, not implementing or maintaining compensating controls when true separation is not possible, allowing the same person to both approve and implement access requests, and not documenting role assignments or separation of duties policies. Organizations also frequently fail to extend separation of duties to cloud services and applications, focusing only on on-premises systems.
Does separation of duties apply to our cloud services like Microsoft 365 or AWS?
Yes, absolutely. You must demonstrate separation of duties in how you manage and administer your cloud services. For example, in Microsoft 365, you should not have the same person assigned as both Global Administrator and Compliance Administrator. In AWS, you should separate roles for IAM administration, security configuration, and audit log review. The fact that the cloud provider has internal separation does not exempt you from implementing separation in how you use and manage the service.
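A role-assignment conflict check for the cloud role combinations named above, as an added example that is not from NIST, CMMC, Microsoft or AWS tooling; the conflict pairs come from this page's M365/AWS examples and FAQ, while the role labels and the exported assignment rows are constructed placeholders to be mapped onto your own role model:

```python
"""Role-assignment conflict check for separation of duties.

Added example: given (user, role) rows as exported from a directory or
cloud IAM console, flag identities holding a pair of roles that must be
separated. Role names here are constructed labels, not vendor role ids.
"""
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, List, Set, Tuple

# Pairs of roles that must not sit with one identity. Order within a pair
# does not matter; extend this table to match your own role model.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"Global Administrator", "Compliance Administrator"}),  # M365 example
    frozenset({"IAM Administrator", "Audit Log Reviewer"}),          # AWS example
    frozenset({"Account Provisioning", "Security Log Review"}),      # FAQ example
}


def roles_by_user(assignments: Iterable[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Group (user, role) rows into one role set per identity."""
    out: Dict[str, Set[str]] = defaultdict(set)
    for user, role in assignments:
        out[user].add(role)
    return dict(out)


def conflicting_roles(assignments: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (user, role_a, role_b) for every conflicting pair a user holds."""
    found = []
    for user, roles in sorted(roles_by_user(assignments).items()):
        for a, b in combinations(sorted(roles), 2):
            if frozenset({a, b}) in CONFLICTS:
                found.append((user, a, b))
    return found


# Constructed export: two identities with a toxic combination, one without.
SAMPLE_ASSIGNMENTS = [
    ("pat", "Global Administrator"),
    ("pat", "Compliance Administrator"),
    ("sam", "IAM Administrator"),
    ("lee", "Audit Log Reviewer"),
    ("lee", "Security Log Review"),
    ("lee", "Account Provisioning"),
]

if __name__ == "__main__":
    for user, a, b in conflicting_roles(SAMPLE_ASSIGNMENTS):
        print(f"{user}: holds both '{a}' and '{b}'")
```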
How ConformatIQ Helps With CMMC Readiness
ConformatIQ is an AI-assisted CMMC readiness platform designed to help organizations prepare for assessments more efficiently. The platform supports document generation such as SSPs and POA&Ms, guided readiness workflows, centralized evidence tracking, and interview preparation for assessments.
Information sourced from NIST SP 800-171 Rev. 2.