GRCWatch
Sign inStart free trial

NIST 800-171 Control 3.13.3: Security Function Separation

Control 3.13.3 requires organizations to isolate user functionality from system management capabilities—a critical control that prevents privilege escalation and unauthorized system changes. For SMBs handling sensitive data, this separation is foundational to maintaining access control integrity and audit trails.

What this means

Security function separation means restricting system administrators and privileged users to management-only accounts, preventing them from performing standard user operations under elevated privileges. Users should not have simultaneous access to both regular user functions and administrative capabilities on the same account or session. This architectural principle reduces the attack surface by ensuring that day-to-day user activities cannot inadvertently or maliciously trigger system-level changes.

How to comply

  1. 1.Create distinct user and administrator account types with separate credentials
  2. 2.Implement role-based access control (RBAC) that segregates user and admin roles
  3. 3.Enforce multi-factor authentication for all privileged administrative accounts
  4. 4.Configure systems to prevent simultaneous login with user and admin credentials
  5. 5.Disable direct administrative access to standard user workstations and applications
  6. 6.Log and monitor all administrative function usage separately from user activity
  7. 7.Require administrators to use non-privileged accounts for routine work tasks

Evidence auditors look for

  • Active Directory or IAM configuration showing separate user and admin groups
  • Access control policies documenting role separation requirements
  • Audit logs showing privileged sessions distinct from user sessions
  • Approved exception list for accounts requiring dual-role access (with business justification)
  • Security baseline configurations restricting admin rights on user endpoints
  • System access reports demonstrating enforcement of segregated authentication
  • Change management records showing admin functions locked to privileged accounts

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates role separation verification by mapping user accounts to assigned roles and flagging accounts with overlapping user-admin permissions in real-time.

See how GRCWatch handles this control automatically

Start free trial

Related controls

NIST 800-171 3.1.1 — Authorized AccessNIST 800-171 3.1.2 — System BoundariesNIST 800-171 3.2.1 — System Access AuditNIST 800-171 3.13.1 — Least Privilege