FedRAMP Separation of Duties AC-5

Overview:
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.


Supplemental Guidance:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.


Related controls: AC-3, AC-6, PE-3, PE-4, PS-2


Action Items:
1) Define roles based on duties of employees and contractors

2) Document required separation of duties

3) Enforce separation of duties with access control


Related Documents:
1) Access Control Policy


Additional Guidance:
Moderate FedRAMP-Defined Assignment / Selection Parameters
none


Moderate Additional FedRAMP Requirements and Guidance
CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
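The action items above (define roles, document the required separations, enforce them through access authorizations) and the separation-of-duties matrix this guidance mentions can be checked mechanically. The following is an added example, not code from FedRAMP or NIST: it encodes a role-to-duty mapping and a conflict matrix drawn from the supplemental guidance (access control administration vs. audit administration; programming vs. configuration management and vs. testing), then runs a detective check over existing user assignments and a preventive check before a new role is granted. All role names, duty names, and user assignments are constructed for illustration.

```python
"""AC-5 separation-of-duties check over a role/assignment matrix.

Added example (not FedRAMP/NIST code). Role and duty names, the conflict
matrix, and the sample assignments are constructed illustrations.
"""
from itertools import combinations

# Constructed: the duties each role grants. A real deployment would derive
# this from the IdP/IAM role definitions that implement AC-3/AC-6.
ROLE_DUTIES = {
    "sysadmin": {"system_management", "configuration_management"},
    "developer": {"programming"},
    "qa": {"quality_assurance_testing"},
    "netsec": {"network_security"},
    "access_admin": {"access_control_admin"},
    "audit_admin": {"audit_admin"},
    # Deliberately badly designed role: it alone combines conflicting duties.
    "devops": {"programming", "configuration_management"},
}

# Constructed separation-of-duties matrix: pairs of duties that must not be
# held by one individual. These mirror the supplemental guidance examples.
SOD_CONFLICTS = {
    frozenset({"access_control_admin", "audit_admin"}),
    frozenset({"programming", "configuration_management"}),
    frozenset({"programming", "quality_assurance_testing"}),
}


def duties_for(roles):
    """Union of duties granted by a set of roles; unknown roles grant nothing."""
    duties = set()
    for role in roles:
        duties |= ROLE_DUTIES.get(role, set())
    return duties


def conflicts_in(duties):
    """Sorted list of conflicting duty pairs present within one duty set."""
    return [
        (a, b)
        for a, b in combinations(sorted(duties), 2)
        if frozenset({a, b}) in SOD_CONFLICTS
    ]


def toxic_roles():
    """Roles whose own duty set already violates the matrix (a design error
    that no assignment policy can fix; such roles must be split)."""
    return sorted(role for role, duties in ROLE_DUTIES.items() if conflicts_in(duties))


def find_violations(assignments):
    """Detective check: map each user whose combined roles violate the
    matrix to the conflicting duty pairs they hold."""
    violations = {}
    for user, roles in assignments.items():
        found = conflicts_in(duties_for(roles))
        if found:
            violations[user] = found
    return violations


def can_grant(assignments, user, role):
    """Preventive check: True only if adding `role` to `user` keeps the
    user's combined duties free of SoD conflicts."""
    current = set(assignments.get(user, set()))
    return not conflicts_in(duties_for(current | {role}))


# Constructed sample assignments: bob and carol are in violation.
SAMPLE_ASSIGNMENTS = {
    "alice": {"sysadmin", "audit_admin"},
    "bob": {"developer", "qa"},
    "carol": {"access_admin", "audit_admin"},
    "dave": {"netsec"},
}

if __name__ == "__main__":
    print("toxic roles:", toxic_roles())
    for user, pairs in find_violations(SAMPLE_ASSIGNMENTS).items():
        print(f"VIOLATION {user}: {pairs}")
    print("grant developer to dave:", can_grant(SAMPLE_ASSIGNMENTS, "dave", "developer"))
    print("grant developer to alice:", can_grant(SAMPLE_ASSIGNMENTS, "alice", "developer"))
```

The conflict matrix is the documented artifact (action item 2); `find_violations` is the periodic review that should run against exported IAM assignments, and `can_grant` is the gate a provisioning workflow calls before writing a new role binding (action item 3). Checking `toxic_roles` first matters because a single over-broad role defeats any per-user check.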