AC.L2-3.1.4 · NIST SP 800-171 3.1.4

Separation Of Duties

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

1 point if not met · POA&M eligible · 3 assessment objectives

What an assessor scores, the objectives

AC.L2-3.1.4 is met only when every one of these 3 objectives, from NIST SP 800-171A, is satisfied. A single missed objective makes the whole requirement not met.

  • a. the duties of individuals requiring separation are defined
  • b. responsibilities for duties that require separation are assigned to separate individuals
  • c. access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals

How a C3PAO checks it

NIST SP 800-171A defines three assessment methods. For AC.L2-3.1.4, an assessor uses these:

Examine

Access control policy; procedures addressing divisions of responsibility and separation of duties; system security plan; system configuration settings and associated documentation; list of divisions of responsibility and separation of duties; system access authorizations; system audit logs and records; other relevant documents or records

Interview

Personnel with responsibilities for defining divisions of responsibility and separation of duties; personnel with information security responsibilities; system or network administrators

Test

Mechanisms implementing separation of duties policy

What it means, in context

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission functions and system support functions among different individuals or roles; conducting system support functions with different individuals (e.g., configuration management, quality assurance and testing, system management, programming, and network security); and ensuring that security personnel administering access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of organizational systems and system components when developing policy on separation of duties.

No one person should be in charge of an entire critical task from beginning to end. Documenting and dividing elements of important duties and tasks between employees reduces intentional or unintentional execution of malicious activities.

Example 1

You are responsible for the management of several key systems within your organization, including some that process CUI. You assign the task of reviewing the system logs to two different people. This way, no one person is solely responsible for the execution of this critical security function [c].

Example 2

You are a system administrator. Human Resources notifies you of a new hire, and you create an account with general privileges, but you are not allowed to grant access to systems that contain CUI [a,b]. The program manager contacts the team in your organization that has system administration authority over the CUI systems and informs them which CUI the new hire will need to access. Subsequently, a second system administrator grants access privileges to the new hire [c].

Potential Assessment Considerations

  • Does system documentation identify the system functions or processes that require separation of duties (e.g., function combinations that represent a conflict of interest or an over-allocation of security privilege for one individual) [a]?

What passing evidence looks like

A short separation of duties note naming the duties you separate (or the compensating review where headcount makes separation impossible) and permissions screenshots showing different people hold the separated roles.

Common ways contractors fail AC.L2-3.1.4

  • Tiny shops cannot fully separate. The honest answer is to name the conflict (the owner both administers and approves) and the compensating control (quarterly access review, audit logging), not to pretend.
  • Separation must exist in the system, not just on paper: if the same account can do both halves, directly or through a group it belongs to, objective [c] fails.
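One way to check objective [c] against what the system actually grants, rather than against the policy note, is to run the separated duty pairs over a role-assignment export and report every individual who holds both halves. The script below is an added example, not part of this page or of any CMMC or NIST tooling. It assumes a CSV export of principal and role (the shape most identity providers and cloud admin consoles can produce), a group-membership map so inherited roles are counted, and an exception register that records the documented compensating control for the small-shop case; every principal, role name and group in it is constructed sample data.

```python
"""
Separation-of-duties conflict check over a role-assignment export.

Added example, not part of the original page and not a CMMC/NIST tool.
Assumes a role-assignment export in CSV form (principal,role) plus a list
of duty pairs that policy says must be held by different people. Group
memberships are expanded so a user who inherits a role through a group is
still caught. Conflicts listed in an accepted-exceptions register (the
documented compensating control for a small shop) are reported as
"compensated" rather than "fail", but are never silently dropped.
"""
import csv
import io
from collections import defaultdict

# Constructed sample export: principal,role. Principals starting with
# "group:" are groups whose members are listed in GROUP_MEMBERS. Not real data.
ASSIGNMENTS_CSV = """principal,role
alice,account_admin
bob,audit_log_reader
carol,cui_access_approver
dave,account_admin
group:ops,cui_access_approver
owner,account_admin
owner,cui_access_approver
"""

GROUP_MEMBERS = {"group:ops": ["dave", "erin"]}

# Duty pairs that objective [c] says must sit with separate individuals.
# The pairs follow the requirement discussion; the role names are assumed.
SEPARATED_PAIRS = [
    ("account_admin", "audit_log_reader"),     # access-control admin vs audit admin
    ("account_admin", "cui_access_approver"),  # creates accounts vs grants CUI access
]

# Assumed exception register: (user, role_a, role_b) -> compensating control.
ACCEPTED_EXCEPTIONS = {
    ("owner", "account_admin", "cui_access_approver"):
        "quarterly access review by outside reviewer; admin actions logged",
}


def expand_roles(csv_text, group_members):
    """Return {user: set(roles)} with group assignments expanded to members."""
    roles = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        principal, role = row["principal"].strip(), row["role"].strip()
        # A group principal contributes its role to every member.
        for user in group_members.get(principal, [principal]):
            roles[user].add(role)
    return dict(roles)


def find_conflicts(user_roles, pairs, exceptions):
    """Return a list of (user, role_a, role_b, status, note).

    status is "fail" for an unmitigated conflict and "compensated" when the
    conflict is in the exception register with a named compensating control.
    """
    findings = []
    for user, held in sorted(user_roles.items()):
        for a, b in pairs:
            if a in held and b in held:
                note = exceptions.get((user, a, b)) or exceptions.get((user, b, a))
                status = "compensated" if note else "fail"
                findings.append((user, a, b, status, note or ""))
    return findings


def objective_c_met(findings):
    """Objective [c] holds only when no conflict is left unmitigated."""
    return all(status != "fail" for _, _, _, status, _ in findings)


if __name__ == "__main__":
    roles = expand_roles(ASSIGNMENTS_CSV, GROUP_MEMBERS)
    results = find_conflicts(roles, SEPARATED_PAIRS, ACCEPTED_EXCEPTIONS)
    for user, a, b, status, note in results:
        print(f"{status:11} {user}: {a} + {b}" + (f" ({note})" if note else ""))
    print("objective [c]:", "met" if objective_c_met(results) else "NOT met")
```

On the sample data the owner's conflict is reported as compensated because the register names its control, while dave fails: he was never assigned cui_access_approver directly, but inherits it through group:ops, which is exactly the case a screenshot of direct assignments would miss. The printed findings, with the exception register beside them, are the kind of evidence the "Test" method on this requirement asks for.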

The step by step walkthrough for Microsoft 365 GCC High, Google Workspace, and on premises setups, plus the exact evidence to capture, lives inside the Level 2 Accelerator.

Prove AC.L2-3.1.4, and the other 109

The Level 2 Accelerator walks all 110 requirements with you, generates your SSP, POA&M, and Audit Room from real evidence, includes the full Level 1 platform, and puts a credentialed officer alongside you for 180 days. Filed in 180 days, or we work free until you are.

No credit card. Phase 2 begins Nov 10, 2026, when applicable DoD solicitations start requiring a current Level 2 status to win the award.

AC.L2-3.1.4 questions, answered

How many points is CMMC requirement AC.L2-3.1.4 worth?

AC.L2-3.1.4 is worth 1 point in the CMMC Level 2 score under 32 CFR 170.24. If it is not met, you lose 1 from your total of 110.

Can AC.L2-3.1.4 be placed on a POA&M?

Yes. A gap on AC.L2-3.1.4 can be deferred to a Plan of Action and Milestones, provided your overall score is at least 88 of 110 and the item is closed out within 180 days.

What family does AC.L2-3.1.4 belong to?

AC.L2-3.1.4 is in the Access Control (AC) family, one of the 14 families of NIST SP 800-171 that make up CMMC Level 2.

Key references
  • NIST SP 800-171 Rev. 2 3.1.4