time server

NIST SP 800-171 Separation of Duties Requirements

What does “Separation of Duties” mean and what are the associated NIST SP 800-171 requirements?

Join our newsletter:

What is “Separation of Duty” (SOD)?

According to the NIST glossary, separation of duty “refers to the principle that no user should be given enough privileges to misuse the system on their own.” Here is an example: members of the IT group are not permitted to create user accounts for personnel unless instructed to do so by human resources. Another example is requiring that IT management provides written approval for proposed changes to firewall rules before they are implemented by a technician. Here is another example, before a server has patches installed by a technician, written approval is required from IT management.
The goal behind the separation of duties is to prevent one individual from being able to commit fraud or cause damage.

NIST SP 800-171 Separation of Duties Requirement

NIST SP 800-171 security control 3.1.4 states “Separate the duties of individuals to reduce the risk of malevolent activity without collusion.”
To meet this requirement you need to ensure that:
  • The duties of individuals requiring separation are defined.
  • Responsibilities for duties that require separation are assigned to separateindividuals.
  • Access privileges that enable individuals to exercise the duties that require separation are granted to separate individuals.
We have a system access authorizations document template that can be downloaded from the Compliance Accelerator application that you can use to meet NIST SP 800-171 documentation related requirements. Here is a sample of the document.

Discover Our NIST SP 800-171 & CMMC 2.0 Solutions:


Compliance Accelerator

Power through compliance. Meet and maintain your NIST SP 800-171 & CMMC 2.0 compliance requirements.

Quantum Assessor

Transform your business. Create new revenue streams and provide scalability for your NIST SP 800-171 and CMMC 2.0 services.

Supply Chain Verifier

Trust is everything. Verify, monitor, and support subcontactor compliance.