AC-5: Separation of Duties

Control Family:

Access Control

CSF v1.1 References:

PF v1.0 References:


  • Low


  • Moderate
    • AC-5
  • High
    • AC-5
  • Privacy


Previous Version:

Control Statement

  1. Identify and document [Assignment: organization-defined duties of individuals requiring separation]; and
  2. Define system access authorizations to support separation of duties.

Supplemental Guidance

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.