
Separation of Duties Done Right: Decoding NIST 800-171 Control 3.1.4

May 20, 2026 · 6 min read · Maverc CMMC Advisory · Registered Provider Organization (RPO)
Tags: CMMC · NIST 800-171 · CUI · Compliance · Government · Identity Security

Control 3.1.4 asks you to separate duties so no single insider can act maliciously without a partner. Most defense contractors implement it on paper and fail it in practice. Here is what assessors actually look for — and the three-function model that holds up under scrutiny.

NIST SP 800-171 control 3.1.4 reads simply enough: *Separate the duties of individuals to reduce the risk of malevolent activity without collusion.* In the field, it is one of the most consistently misimplemented controls in the whole 800-171 catalog — and a recurring finding in CMMC Level 2 gap assessments.

The control is not asking for an org chart with different job titles. It is asking for a design where no single insider — including a trusted administrator — can complete a harmful action and then erase the evidence of it. Pulling that off requires a second human being who does not report to the first and does not share their access.

What "without collusion" actually means

Collusion is a private agreement between two or more people to do something dishonest. The phrase "without collusion" in 3.1.4 is the standard the control is trying to defeat. A well-designed separation of duties forces any malicious action to require at least two cooperating people. If one bad actor can do the deed alone, the control has failed regardless of what the policy document says.

The classic failure mode looks like this: an administrator can create a user account, grant it privileges, and also has full write access to the audit log. On their own, that person can stand up a rogue identity for an outside threat actor and then quietly delete the log entry that recorded it. One person. No partner. No paper trail. That is exactly the scenario 3.1.4 exists to prevent.

The fix is structural. If the audit and logging system is administered by a different person who has no account-creation privileges, the same attack now requires two people who are willing to lie for each other and risk their careers together. That is a much higher bar, and it is the bar the assessor is measuring against.

Why most small contractors quietly fail this

In a typical small defense manufacturer or services firm, the entire IT function is two or three people. Each of them holds domain admin, global admin in Microsoft 365, root on the file server, and unrestricted access to whatever logging or SIEM tooling exists. The team divides *responsibility* informally — "Mike usually handles user accounts, Sara handles backups" — but every one of them retains the *privileges* to do everything.

That arrangement is convenient. It is also a 3.1.4 finding waiting to happen. Splitting responsibility by habit while leaving privileges unified does not satisfy the control. An assessor is going to ask whether a single administrator could, by themselves, perform a malicious action and remove the trace of it. If the answer is yes — and in the all-admins model it almost always is — the control is not implemented.

A model that actually holds up: authorize, implement, audit

The pattern that works in real environments separates three distinct functions and assigns them to people who do not share privileges across them:

  • Authorization. Someone outside the IT team decides that an action should happen. For a new user account, that is typically HR or a hiring manager opening a ticket. They have no system privileges to provision the account themselves.
  • Implementation. A systems administrator carries out the authorized action — creates the account, assigns the role, configures the access. That administrator does not have write or delete privileges on the logging and monitoring system.
  • Monitoring and audit. A separate person — frequently outside IT entirely — reviews the resulting log entries and can verify each privileged action against an authorization record. They do not have privileges to create accounts or change configurations.

With those three roles separated by privilege (not just by job title), a fraudulent account creation now requires the implementer and the auditor to actively cooperate and lie for each other. That is the "without collusion" property the control is asking for.

The monitoring role does not have to be an IT person

A common objection is that small organizations cannot afford a second, dedicated security or audit engineer. They do not need to. The monitoring and audit function can be performed by someone in HR, finance, operations, or compliance, as long as they have read access to the relevant logs, a documented review cadence, and a way to reconcile what they see against authorization records. Many small contractors outsource this role to a managed provider or an RPO for a modest monthly fee, which simultaneously closes the separation-of-duties gap and creates an external paper trail.

How to evidence 3.1.4 for a C3PAO

A policy that says "we separate duties" is not evidence. To support 3.1.4 in a CMMC Level 2 assessment, plan to show:

  • A list of privileged roles in each in-scope system, the human beings assigned to each role, and an explicit statement of which roles are mutually exclusive.
  • Configuration evidence — group memberships, role assignments, audit log ACLs — that confirms those mutual exclusions are enforced in the system, not just in the policy.
  • A documented review cadence for privileged actions, with named owners, and recent review records.
  • Tickets or change records that demonstrate the authorize, implement, audit flow in action for real account creations, privilege grants, and configuration changes.
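An added example (not Maverc's tooling or anything from the article) that checks the two properties the authorize, implement, audit model and the evidence bundle above call for: that no identity holds a mutually exclusive pair of privileged roles, and that every account creation in the audit log reconciles to an authorization ticket approved by an independent person. The role names, identities, tickets and audit lines are constructed assumptions, not any product's built-in roles or log format.

```python
# Constructed SoD checker for 3.1.4; every name, role, ticket and log line is sample data.
# Role pairs that must never sit on one identity (authorize / implement / audit split).
# Role names are assumptions, not any product's built-in roles.
MUTUALLY_EXCLUSIVE = [
    ("account-admin", "audit-log-admin"),
    ("account-admin", "access-authorizer"),
    ("audit-log-admin", "access-authorizer"),
]

ASSIGNMENTS = {  # constructed role assignments, mirroring the article's scenarios
    "mike": {"account-admin", "audit-log-admin"},  # the all-admins failure mode
    "sara": {"account-admin"},                     # implementer only
    "dana": {"audit-log-admin"},                   # log admin with no provisioning rights
    "hr-lee": {"access-authorizer"},               # authorizer outside IT
}
TICKETS = {  # constructed authorization records: ticket -> requested account, approver
    "T-101": {"account": "jdoe", "approver": "hr-lee"},
    "T-102": {"account": "svc-backup", "approver": "sara"},
}
AUDIT_LINES = [  # constructed key=value audit lines from the account system
    "id=E1 actor=sara action=create_account account=jdoe ticket=T-101",
    "id=E2 actor=sara action=create_account account=svc-backup ticket=T-102",
    "id=E3 actor=mike action=create_account account=ext-contractor",
    "id=E4 actor=sara action=reset_password account=jdoe ticket=T-103",
]

def find_sod_conflicts(assignments):
    """Return (identity, role_a, role_b) for each identity holding an excluded pair."""
    return [(who, a, b) for who, roles in assignments.items()
            for a, b in MUTUALLY_EXCLUSIVE if a in roles and b in roles]

def parse_creations(lines):
    """Keep only create_account events from key=value audit lines, as dicts."""
    events = [dict(kv.split("=", 1) for kv in line.split()) for line in lines]
    return [e for e in events if e.get("action") == "create_account"]

def reconcile(events, tickets, assignments):
    """Flag creations with no valid ticket, or whose approver is the implementer
    or does not hold the authorizer role (the second person 3.1.4 requires)."""
    findings = []
    for e in events:
        t = tickets.get(e.get("ticket"))
        if t is None or t["account"] != e["account"]:
            findings.append((e["id"], "no matching authorization ticket"))
        elif t["approver"] == e["actor"] or \
                "access-authorizer" not in assignments.get(t["approver"], set()):
            findings.append((e["id"], "approver is not an independent authorizer"))
    return findings
```

Run against real exports, the first function produces the mutual-exclusion statement an assessor asks for, and the second produces the reconciliation record for the review cadence.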

When that bundle is in place, the assessor's interview becomes a short conversation rather than a forensics exercise.

Where to start if you know you are short

Most small contractors get most of the way to 3.1.4 with three moves:

  • Strip global admin from anyone who does not need it for a specific, documented task, and use just-in-time elevation for the rest.
  • Move audit log administration to a different identity than the one used for day-to-day systems administration, and confirm that the day-to-day admin cannot modify or delete log entries.
  • Assign the monitoring and review role to a named person outside the implementation team, even if it is a part-time responsibility, and set a recurring review cadence with a written record.

Those three changes, evidenced cleanly, close most 3.1.4 findings before an assessor ever walks in.

How Maverc helps

Maverc's RPO team works through 3.1.4 — and the rest of the 800-171 control set — as part of structured CMMC Level 2 readiness engagements. If your separation-of-duties model is "everyone in IT can do everything," a scoped gap assessment will show you exactly where the privilege boundaries need to land and how to evidence them for your C3PAO.