This post provides a practical, actionable step-by-step approach to implement segregation of duties (SoD) to satisfy NIST SP 800-171 Rev.2 and CMMC 2.0 Level 2 control AC.L2-3.1.4, focusing on what to do, how to document it for an assessment, and realistic compensating approaches for small businesses with limited staff.
What AC.L2-3.1.4 Requires (Key objectives)
AC.L2-3.1.4 requires organizations to separate duties of individuals to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets—essentially preventing one person from having control over multiple conflicting functions. In practical terms for a Compliance Framework implementation this means: identify critical functions, map who performs them, ensure no single person can both request and approve critical changes or transactions, and enforce these separations through policy, technical controls, and monitoring.
Why failing to implement SoD is risky
Not enforcing segregation of duties increases the risk of fraud, misuse of controlled unclassified information (CUI), undetected configuration changes, and data exfiltration. For organizations handling DoD contracts, failure may result in audit findings, loss of contracts, required remediation plans, or even legal/financial penalties. From a technical perspective, over-privileged single accounts create single points of failure and attractive targets for attackers (privilege escalation, lateral movement).
Step-by-step implementation — practical actions
Step 1: Scope assets and processes
Start by scoping systems and processes that handle CUI and high-risk functions (e.g., change management, code deployment, financial approvals, privileged account management). Create an inventory that ties systems to business processes (e.g., "Payroll system (Workday SaaS) — processes payroll entry, approval, and payout"). For Compliance Framework evidence, store the inventory as a CSV or spreadsheet with system owner, data classification, and risk rating.
Step 2: Map roles and create an SoD matrix (small-business example)
List roles and functions, then build a segregation matrix that identifies incompatible duties (e.g., "Create vendor" vs "Approve vendor payment" vs "Reconcile bank statement"). For a small 25-person contractor: if the office manager currently creates vendors and also approves payments, split those tasks by moving approval to the CFO or implement a compensating control — require dual approval via the accounting system and an external monthly reconciliation reviewed by an independent contractor. Document the matrix and publish a short SoD policy (1–2 pages) that auditors will expect to see.
Step 3: Enforce technically — RBAC, IAM, groups, and privileged account controls
Implement role-based access control (RBAC) across identity platforms: Active Directory/Azure AD groups, AWS IAM roles, or SaaS role configuration. Concrete steps: create distinct groups like "Payroll-Processor" and "Payroll-Approver"; apply group-based ACLs to file shares and application roles; enable MFA on all privileged accounts; configure Azure AD Privileged Identity Management or AWS IAM role assumption for time-limited elevation. For Windows environments use tiered admin accounts (workstation account vs dedicated privileged admin account) and restrict admin logon to hardened jump hosts or privileged access workstations (PAWs). For evidence, export group membership reports, IAM role policies, and screenshots showing role assignments.
Step 4: Implement dual control, workflow approvals, and compensating controls
Where true segregation is impossible due to headcount, implement dual-control workflows and compensating technical controls: require two-person approvals in the accounting/ERP system, route change requests through a ticketing system with mandatory approver fields, and configure automatic notifications to managers. Use Privileged Access Management (PAM) or just-in-time (JIT) access to grant temporary elevated rights with session recording. Example: for code deployment, require a pull request reviewed and approved by a second developer and a CI/CD pipeline that disallows pushes by the author alone — record approvals in the ticketing/SCM system as audit evidence.
Step 5: Monitor, log, review, and maintain evidence
Enable detailed logging for identity and access events (Azure AD sign-in logs, AWS CloudTrail, Windows Security logs) and forward to a SIEM or centralized log store. Define retention (practical minimum: 90 days for quick investigations; 1 year+ recommended for audit evidence depending on contract requirements). Establish a quarterly access review process: produce group membership reports, a list of privileged accounts, and reconcile them with the SoD matrix. Keep records of reviews, exception approvals, and training as part of your compliance package.
Compliance tips, best practices, and what assessors expect
Start with high-risk processes (finance, privileged ops, change management) and iterate. Use templates: SoD matrix CSV, template policy, and a checklist of evidence (policies, role definitions, screenshots of IAM, logs, approval tickets, training records). Best practices include automating access provisioning, applying least privilege, implementing MFA everywhere, and using PAM/JIT for small teams. Auditors will look for: documented SoD decisions, technical enforcement screenshots/config exports, exception approvals, and evidence of periodic review and training.
In summary, meeting AC.L2-3.1.4 requires combining policy, role-definition, technical controls, and monitoring into a repeatable program: scope and inventory CUI flows, build a segregation matrix, enforce via RBAC/IAM and approval workflows, monitor access and keep evidence, and apply compensating controls when headcount limits strict separation — all documented and reviewed regularly to satisfy NIST SP 800-171 Rev.2 / CMMC 2.0 Level 2 assessments.
