This page is classified as INTERNAL.
NIST 800-53 (r4) Control:
The organization:
a. Separates [Assignment: organization-defined duties of individuals];
b. Documents separation of duties of individuals; and
c. Defines information system access authorizations to support separation of duties.
AC-5 Additional FedRAMP Requirements and Guidance: CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.
NIST 800-53 (r4) Supplemental Guidance:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.
References: None.
NIST 800-53 (r5) Discussion:
Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes dividing mission or business functions and support functions among different individuals or roles, conducting system support functions with different individuals, and ensuring that security personnel who administer access control functions do not also administer audit functions. Because separation of duty violations can span systems and application domains, organizations consider the entirety of systems and system components when developing policy on separation of duties. Separation of duties is enforced through the account management activities in AC-2, access control mechanisms in AC-3, and identity management activities in IA-2, IA-4, and IA-12.
38North Guidance:
Meets Minimum Requirement:
Separates organization-defined duties of individuals.
Best Practice:
Use tickets to document the approval process for creating and enabling role-based accounts, so that personnel in the FedRAMP environment are not all granted the same roles and permissions.
Define roles and groups clearly so that privileged functions can be performed only by personnel assigned the corresponding role, and prevent privilege creep (the accumulation of permissions beyond what a person's current role requires).
Ensure that administrative personnel do not also hold security responsibilities (for example, administering audit logs) that would let them cover their tracks and defeat non-repudiation.
Unofficial FedRAMP Guidance: None
Assessment Evidence:
Tickets demonstrating authorization to create role-based accounts.
An account listing, exported from Active Directory, LDAP, or whichever access management solution is in use, of all users and their role-based schema (role assignments).
Separation of Duties Matrix.
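The account listing and the Separation of Duties Matrix above are only useful as evidence if someone actually checks them against each other, and the best-practice guidance calls for doing so before a role-creation ticket is approved. The following is an added illustrative example, not code from 38North, NIST, or FedRAMP: it takes a constructed multi-system account listing, a hypothetical role-to-duty map, and a hypothetical conflict matrix modelled on the NIST supplemental guidance (access-control administration versus audit administration, programming versus configuration management or QA), and reports users whose combined roles across all systems hold a conflicting pair, as the r5 discussion says an organization must consider. All role names, duty names, system names, and users are assumptions.

```python
"""Separation-of-duties (SoD) check over an account listing.

Added example; not code from 38North, NIST, or FedRAMP. The role/duty map,
the conflict matrix, and the account listing are constructed placeholders
that an organization would replace with its own SoD matrix and IdP export.
"""
from itertools import combinations

# Hypothetical duties granted by each role (the "role-based schema").
ROLE_DUTIES = {
    "iam-admin":   {"access-control-admin"},
    "audit-admin": {"audit-admin"},
    "developer":   {"programming"},
    "release-mgr": {"configuration-management"},
    "qa":          {"quality-assurance"},
    "sysadmin":    {"system-management"},
    "readonly":    set(),
}

# Constructed SoD matrix: unordered duty pairs one person must never hold together.
CONFLICTS = {
    frozenset({"access-control-admin", "audit-admin"}),
    frozenset({"programming", "configuration-management"}),
    frozenset({"programming", "quality-assurance"}),
}

# Constructed account listing: user -> system -> roles granted on that system.
ACCOUNT_LISTING = {
    "alice": {"aws-prod": {"iam-admin"}, "splunk": {"audit-admin"}},  # conflict spans systems
    "bob":   {"github": {"developer"}, "jenkins": {"release-mgr"}},   # conflict spans systems
    "carol": {"aws-prod": {"sysadmin"}, "splunk": {"readonly"}},      # clean
    "dave":  {"github": {"developer"}},                                # clean
}


def effective_roles(systems):
    """Union of a user's roles across every system, since SoD violations span systems."""
    roles = set()
    for granted in systems.values():
        roles |= set(granted)
    return roles


def duties_for(roles, role_duties=ROLE_DUTIES):
    """Map a set of roles to the duties they confer; unknown roles confer nothing."""
    duties = set()
    for role in roles:
        duties |= role_duties.get(role, set())
    return duties


def conflicting_pairs(duties, conflicts=CONFLICTS):
    """Sorted list of (duty_a, duty_b) pairs in `duties` that the matrix forbids."""
    return sorted(
        tuple(sorted(pair))
        for pair in combinations(sorted(duties), 2)
        if frozenset(pair) in conflicts
    )


def find_violations(listing):
    """Return {user: [conflicting duty pairs]} for every user in violation."""
    violations = {}
    for user, systems in listing.items():
        pairs = conflicting_pairs(duties_for(effective_roles(systems)))
        if pairs:
            violations[user] = pairs
    return violations


def would_conflict(listing, user, system, new_role):
    """Pre-approval check for a role-grant ticket.

    Returns only the conflicts the proposed grant would introduce, so an
    approver can reject the ticket before the account is created or enabled.
    The listing itself is not modified.
    """
    current = listing.get(user, {})
    proposed = {s: set(r) for s, r in current.items()}
    proposed.setdefault(system, set()).add(new_role)
    before = set(conflicting_pairs(duties_for(effective_roles(current))))
    after = set(conflicting_pairs(duties_for(effective_roles(proposed))))
    return sorted(after - before)


if __name__ == "__main__":
    for user, pairs in find_violations(ACCOUNT_LISTING).items():
        print(f"SoD violation: {user}: {pairs}")
    print("grant dave qa on jenkins ->", would_conflict(ACCOUNT_LISTING, "dave", "jenkins", "qa"))
```

Run against a real export, the violation list is the finding an assessor would expect the CSP to have caught itself, and `would_conflict` is the check a ticket workflow can run automatically before an approver signs off, which is what keeps the "tickets demonstrating authorization" evidence meaningful rather than a rubber stamp.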
CSP Implementation Tips:
Amazon Web Services (AWS): TBD
Microsoft Azure: TBD
Google Cloud Platform: TBD