What must the OSC enforce according to CMMC practice AC.L2-3.1.3 regarding separation of duties?


The requirement under CMMC practice AC.L2-3.1.3 focuses on the need for separation of duties to minimize the risk of inappropriate actions and enhance security controls. By assigning conflicting duties to different individuals, organizations can reduce the likelihood of fraud, errors, or misuse of sensitive data, as no single person has control over all aspects of any critical function. This approach leverages checks and balances within organizational processes.

Assigning duties that require separation to different individuals supports a robust security posture, ensuring that no conflicting functions, such as accessing and approving transactions, are held by the same person. This practice is essential in safeguarding sensitive information and preserving the integrity of operations.

In contrast, giving all roles the same access privileges, letting the same individual execute conflicting functions, or disregarding the need for specific authorization for security functions would all compromise security and increase vulnerabilities within the information system. Hence, the emphasis on separating duties is a crucial aspect of achieving compliance with CMMC standards.
