🚨 CMMC Phase One started November 10! Here's everything you need to know →
time server

NIST SP 800-171 Separation of Duties Requirements

What does “Separation of Duties” mean and what are the associated NIST SP 800-171 requirements?

Omer Kaan Aslim
December 06, 2021
1 min read
Share:

Schedule Your Free Compliance Consultation

Feeling overwhelmed by compliance requirements? Not sure where to start? Get expert guidance tailored to your specific needs in just 15 minutes.

Personalized Compliance Roadmap
Expert Answers to Your Questions
No Obligation, 100% Free

Limited spots available!

What is “Separation of Duty” (SOD)?

According to the NIST glossary, separation of duty “refers to the principle that no user should be given enough privileges to misuse the system on their own.” Here is an example: members of the IT group are not permitted to create user accounts for personnel unless instructed to do so by human resources. Another example is requiring that IT management provides written approval for proposed changes to firewall rules before they are implemented by a technician. Here is another example, before a server has patches installed by a technician, written approval is required from IT management.
The goal behind the separation of duties is to prevent one individual from being able to commit fraud or cause damage.

NIST SP 800-171 Separation of Duties Requirement

NIST SP 800-171 security control 3.1.4 states “Separate the duties of individuals to reduce the risk of malevolent activity without collusion.”
To meet this requirement you need to ensure that:
  • The duties of individuals requiring separation are defined.
  • Responsibilities for duties that require separation are assigned to separateindividuals.
  • Access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
We have a system access authorizations document template that can be downloaded from the Compliance Accelerator application that you can use to meet NIST SP 800-171 documentation related requirements. Here is a sample of the document.
 

Quick & Simple

Discover Our Cybersecurity Compliance Solutions:

Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you

CMMC Level 1 Compliance App

CMMC Level 1 Compliance

Become compliant, provide compliance services, or verify partner compliance with CMMC Level 1 Basic Safeguarding of Covered Contractor Information Systems requirements.
Learn More
NIST SP 800-171 & CMMC Level 2 Compliance App

NIST SP 800-171 & CMMC Level 2 Compliance

Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC Level 2 requirements.
Learn More
HIPAA Compliance App

HIPAA Compliance

Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
Learn More
ISO 27001 Compliance App

ISO 27001 Compliance

Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.
Learn More
FAR 52.204-21 Compliance App

FAR 52.204-21 Compliance

Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
Learn More
 
Hello! How can we help today? 😃

Chat with Lakeridge

We typically reply within minutes