CMMC Practice SC.L2-3.13.3

Role Separation: Separate user functionality from system management functionality.

Monarch ISC Guidance

The organization must have a cohesive plan for how it separates user and management functions in a system. The most common way to achieve this is through a more stringent access/authentication control, having specific management systems that are both physically and logically segregated via Access Control Lists (ACLs) on VLANs in infrastructure components. Be sure to deploy separate administrator accounts which are only used for performing administrative tasks, and not day to day activities such as checking emails and browsing the internet.

Discussion From Source

NIST SP 800-171 R2 System management functionality includes functions necessary to administer databases, network components, workstations, or servers, and typically requires privileged user access. The separation of user functionality from system management functionality is physical or logical. Organizations can implement separation of system management functionality from user functionality by using different computers, different central processing units, different instances of operating systems, or different network addresses; virtualization techniques; or combinations of these or other methods, as appropriate. This type of separation includes web administrative interfaces that use separate authentication methods for users of any other system resources. Separation of system and user functionality may include isolating administrative interfaces on different domains and with additional access controls.

References