NIST SP 800-171
Control 3.1.4
Separation of Duties
CMMC-RP Certified Team
24+ Years Experience
2,500+ Clients Served
Official Requirement
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
What This Means in Plain English
No single person should have enough access to compromise your systems alone. Critical tasks should require multiple people so that one rogue employee cannot cause catastrophic damage without someone else noticing.
How Petronella Implements This Control
Petronella Technology Group implements this control through:
- Distinct administrative roles in Microsoft Entra ID separating security admin, global admin, and user admin functions
- Dual-approval workflows for privileged operations such as firewall rule changes and account provisioning
- Separation of development, testing, and production environments with different access groups
- ComplianceArmor role-mapping documentation showing duty separation for all critical functions
- Financial transaction controls requiring separate individuals for approval and execution
Assessment Guidance
Assessors will review organizational charts and role assignments for separation, verify that no single individual can complete critical processes alone, test that system configurations enforce duty separation, and review approval workflows for privileged actions.
Common Implementation Gaps
- IT administrator also serving as the security auditor
- Single person controlling both user provisioning and access approval
- No documented duty separation matrix
- Small teams where one person has all system privileges
- Lack of compensating controls when true separation is infeasible
Cross-Framework Mapping
| Framework | Mapped Controls |
|---|---|
| NIST SP 800-53 | AC-5 |
| PCI DSS | Req 6.4.2 - Separation of duties between development and production |
Need Help Implementing 3.1.4?
Our CMMC-RP certified team can assess your current compliance posture and build a remediation plan.
Schedule a Compliance Assessment