3.1.4 — No One Person Runs the Show

The One-Liner

If the same person creates accounts, approves access, and reviews the audit logs, you have a separation problem.

What It Says

Separate the duties of individuals to reduce the risk of malevolent activity without collusion.

What It Actually Means

No single person controls a complete critical process. Split responsibilities:

• The person who requests access isn’t the person who approves it
• The person who writes code isn’t the only one who deploys it
• The person who manages user accounts isn’t the person who reviews the audit trail

For small companies, full separation isn’t always possible. When it’s not, the compensating control is oversight — someone independent reviews the actions of the person wearing multiple hats.

---

Pass or Fail

Your assessor needs a “yes” to every row:

#	Question	What “yes” looks like
1	Are duties requiring separation identified?	Documented list of functions that shouldn’t be combined
2	Are those duties assigned to separate people?	Different individuals handle each side
3	Does the system enforce the separation?	Technical controls, not just org chart separation

---

What to Have Ready on Assessment Day

Documents they’ll review: Access control policy, separation of duties documentation, system security plan, system configuration showing role separations, audit logs

People they’ll talk to: Personnel defining separation of duties, sysadmins, information security staff

Live demos they’ll ask for: “Show me that the person who creates accounts can’t also approve their own access requests.”

---

The Assessor’s Playbook

These are the actual questions. Have answers ready.

• “Which system functions have you identified as requiring separation?”
• “Show me an example of a conflict of interest you’ve addressed.”
• “Can one person both request and approve their own access?”
• “Who reviews the administrator’s actions?”

Real-World Example

A 25-person contractor has a small IT team. The sysadmin manages Active Directory but can’t approve access requests — that requires manager sign-off through a ticketing system. The sysadmin’s own actions are reviewed monthly by the company’s security officer, who has read-only access to the audit logs. The separation isn’t perfect, but it’s documented and compensated.

---

Where Companies Trip Up

The IT person who does everything. One person manages AD, reviews logs, approves access, and configures firewalls. Document compensating controls — like a third party reviewing their actions quarterly.

No documentation. The separation exists informally but isn’t written down. The assessor needs to see it documented.

Separation on paper only. Org chart shows separation but the system doesn’t enforce it — both people have the same admin rights.

---

How to Talk About This

To a CEO or Board

We’ve designed our processes so no single person can approve and execute a critical action alone. Account creation is separated from access approval. Where we can’t fully separate duties in a small team, we have documented oversight controls.

To an Engineering Team

Access requests go through a ticketing workflow with manager approval. Sysadmin actions are logged and reviewed monthly by an independent security officer. Change management requires a separate approver from the implementer.

---

Connected Requirements

Requirement	Why it matters here
3.1.5 — Minimum Necessary	Supports separation by limiting each role’s access
3.1.7 — Log the Admin Work	Logging provides oversight where full separation isn’t possible
3.3.2 — Trace Every Action	Individual accountability supports separation enforcement

---

Implementation

🔒

Step-by-step guides for Microsoft 365, AWS, Azure, and GCP are available to Ancitus clients.

Start a conversation →

---

CMMC Practice ID: AC.L2-3.1.4 | SPRS Weight: 1 point | POA&M Eligible: Yes