1. Home
  2. FedRAMP
  3. AC-5

BRACKETOLOGY | FEDRAMP

AC-5: SEPARATION OF DUTIES

  • FedRAMP Baseline Membership AC-5:
  • MODERATE
  • HIGH

FedRAMP Bracketology

Use the FedRAMP Control Membership information above to determine if a control or control enhancement is required for each Impact Baseline — LOW, MODERATE, or HIGH

Click on the panel below each control or control enhancement to review the FedRAMP Impact Baseline-specific control configuration requirements for each of the [BRACKETS] in each control and/or control enhancement.

Review and use Additional Requirements and Guidance to build FedRAMP-compliant controls for your risk-based cybersecurity program.

To change the baseline view in the panel, click on LOW, MODERATE, or HIGH when the panel is open

Panels only appear where there are [BRACKETS] in the control or enhancement or where there is FedRAMP-specific requirements or guidance available.

The organization:

    • a. Separates [Assignment: organization-defined duties of individuals];
    • b. Documents separation of duties of individuals; andSeparates [Assignment: organization-defined duties of individuals];
    • c. Defines information system access authorizations to support separation of duties.

Click Low | Moderate | High below to see FedRAMP control configuration information. It's in BOLD.

There are no FedRAMP-specific requirements if this control is used for a Low Impact system.

There are no FedRAMP-specific requirements if this control is used for a Moderate Impact system.

FedRAMP GUIDANCE:

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.

There are no FedRAMP-specific requirements if this control is used for a High Impact system.

FedRAMP GUIDANCE:

CSPs have the option to provide a separation of duties matrix as an attachment to the SSP.


SUPPLEMENTAL GUIDANCE

Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions.

CONTROL ENHANCEMENTS

NO CONTROL ENHANCEMENTS

REFERENCES:

  • NO REFERENCES