bigforceone

03.01.04(a) Identify the duties of individuals requiring separation. (b) Define system access authorizations to support separation of duties.

What this control requires

(a) Identify the duties of individuals requiring separation. (b) Define system access authorizations to support separation of duties.

Source: NIST SP 800-171 R3 §03.01.04 (official control text).

Why this matters

Separation of duties prevents any single individual from holding enough control to carry out a malicious action undetected, whether that is embezzling funds, manipulating data, or sabotaging systems. By requiring multiple people to complete a sensitive process, an organization creates natural checkpoints, so that abuse can succeed only through collusion. This control protects against insider threats, reduces fraud risk, and supports accountability. For example, the person who approves new user accounts should not be the same person who creates them, and the administrator who manages security logs should not be the same person who can delete them. Without separation of duties, a rogue employee or a compromised credential can cause severe damage with no oversight.

What evidence assessors expect

Assessors typically look for artifacts such as a PDF, a CSV export, or a screenshot. FORCE coaches you through the exact implementation steps and captures each artifact in-platform.

See your live posture on 03.01.04.

FORCE shows where you stand on this control and walks you through closing it.
