AC.L2-3.1.4 — Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
What this control requires
Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
Source: CMMC L2 v2.13 AC.L2-3.1.4 / NIST SP 800-171 R2 3.1.4 (official control text).
Why this matters
Separation of duties prevents any single person from controlling all phases of a critical process, reducing the risk of fraud, data theft, or sabotage. By dividing responsibilities (such as who approves access, who provisions accounts, who reviews audit logs, and who manages backups), the organization creates natural checkpoints. A malicious insider must now recruit accomplices to bypass controls, which makes malicious activity considerably harder to carry out. This principle protects financial integrity, data confidentiality, and system availability by eliminating single points of failure in human access and oversight.
What evidence assessors expect
Assessors typically look for: CSV export, PDF, screenshot, signed letter. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.