SC.L2-3.13.3: Role Separation in CMMC Level 2
Role separation is a foundational access control principle that prevents privileged users from performing routine tasks with elevated permissions. Under CMMC Level 2 control SC.L2-3.13.3, you must ensure user functionality remains separate from system management functionality to reduce risk of unauthorized changes and privilege creep. This control limits exposure by enforcing least privilege at the function level.
What this means
Role separation means creating distinct user accounts and permissions so that employees cannot use administrative or system management access to perform everyday work tasks. A system administrator should have a separate user account for routine email, file access, and standard business functions—never performing daily work with admin credentials. This principle prevents accidental or intentional misuse of elevated privileges and makes security monitoring more effective by creating clear audit trails for each role type.
How to comply
- 1.Audit all user accounts and identify which employees have system management or administrative access
- 2.Create separate user accounts for each individual—one for standard business functions and one (if needed) for administrative duties
- 3.Configure role-based access controls (RBAC) so permissions align strictly with job responsibilities
- 4.Disable or restrict administrative accounts from being used for routine email, web browsing, or file access
- 5.Implement technical controls (like sudo restrictions or UAC policies) to enforce separation at the system level
- 6.Document role definitions, permission assignments, and the business justification for each administrative role
- 7.Train staff on the requirement to use appropriate accounts for different types of work
- 8.Periodically review and recertify that role assignments remain appropriate as employees change responsibilities
Evidence auditors look for
- User account listing showing separate standard and administrative accounts per employee
- Access control matrix mapping user accounts to system functions and permission levels
- Screenshots of RBAC configuration (Active Directory groups, sudo rules, firewall policies) enforcing separation
- System logs and audit reports showing administrative activities correlate only to administrative accounts
- Policy documentation defining role types and account naming conventions
- Permission review reports and certification records from the past 12 months
- Configuration evidence that administrative accounts are restricted from running non-privileged applications
- Training records confirming staff awareness of role separation requirements
Frequently asked questions
When will FAQs be available?
The FAQ for this control is currently being prepared.
GRCWatch automatically maps your user accounts and permissions across systems, identifies role violations and over-privileged accounts, and tracks compliance with SC.L2-3.13.3 through continuous monitoring—eliminating manual audits and permission creep.
See how GRCWatch handles this control automatically
Start free trial