NIST 800-53 REV 5 • ACCESS CONTROL
AC-3(2) — Dual Authorization
Enforce dual authorization for [Assignment: organization-defined privileged commands and/or other organization-defined actions].
Supplemental Guidance
Dual authorization, also known as two-person control, reduces risk related to insider threats. Dual authorization mechanisms require the approval of two authorized individuals to execute. To reduce the risk of collusion, organizations consider rotating dual authorization duties. Organizations consider the risk associated with implementing dual authorization mechanisms when immediate responses are necessary to ensure public and environmental safety.
Practitioner Notes
Dual authorization means that designated critical actions cannot be carried out on the authority of one person: a second authorized individual must approve, or jointly execute, each one. This stops a single compromised account or malicious insider from completing the action alone. It does not stop two insiders acting together, which is why the guidance suggests rotating who serves as approver, and it adds latency, so it should not be placed in front of actions where a delay endangers safety.
Example 1: In CyberArk, configure the dual-control (password access approval) workflow for the safe that holds the domain admin account. One person requests the checkout and a second, separately authorized person (the confirmer) must approve it before the credential is revealed. The confirmer must not be the requester, and the approval should be valid only for a bounded time window so a stale approval cannot be reused later. Every request, approval, denial and retrieval is logged with the identity and timestamp, which is the audit trail that makes the control verifiable.
Example 2: In Azure DevOps, require at least two reviewers to approve any pull request that touches infrastructure-as-code files (Terraform, ARM templates). Add a branch policy on the protected branch under Repos → Branches → Branch policies: "Require a minimum number of reviewers" set to 2, with "Allow requestors to approve their own changes" left off. Also enable "When new changes are pushed: Reset all approval votes" so an approval is bound to the reviewed content rather than to the PR, and do not grant the "Bypass policies when completing pull requests" permission to the people who can merge. Note that the minimum-reviewer policy applies to the whole branch; to require the extra reviewers only for IaC paths, use "Automatically include code reviewers" with a path filter and mark those reviewers as required.
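The two examples above rely on the same underlying mechanics: the second party must be a distinct, authorized identity; self-approval is refused; an approval is bound to exactly what was reviewed; and approvals expire and are single-use. The following is an added illustration of those checks as a small policy gate, written for this page rather than taken from CyberArk or Azure DevOps. The user names, action labels and the 15-minute approval lifetime are assumptions. With required_approvals=1 it models the requester-plus-confirmer flow of Example 1; with required_approvals=2 it models the two-reviewer branch policy of Example 2. It also tallies which requester/approver pairs keep executing together, which is the signal the supplemental guidance's rotation advice is meant to act on.

```python
# Added illustration of a two-person-control gate. Not CyberArk or Azure DevOps code;
# the identities, action labels and the 900-second approval lifetime are assumptions.
from collections import Counter
from dataclasses import dataclass, field
import hashlib
import time


class DualAuthError(Exception):
    """Raised when a request does not satisfy two-person control."""


@dataclass
class Request:
    request_id: str
    requester: str
    action: str                # e.g. "checkout:domain-admin" (assumed label)
    payload: bytes             # exactly what is being approved: command, diff, ...
    created_at: float
    approvals: dict = field(default_factory=dict)  # approver -> (payload digest, ts)
    audit: list = field(default_factory=list)      # (timestamp, event, actor)
    executed: bool = False


def digest(payload: bytes) -> str:
    return hashlib.sha256(payload).hexdigest()


class DualAuthGate:
    def __init__(self, approvers, required_approvals=1, ttl_seconds=900, clock=time.time):
        # required_approvals counts people other than the requester, so the
        # default of 1 already means two distinct individuals must act.
        self.approvers = set(approvers)
        self.required = required_approvals
        self.ttl = ttl_seconds
        self.clock = clock            # injectable so expiry can be tested
        self.requests = {}
        self.executed_pairs = Counter()  # (requester, approver) -> executions

    def submit(self, request_id, requester, action, payload):
        req = Request(request_id, requester, action, payload, self.clock())
        req.audit.append((req.created_at, "submit", requester))
        self.requests[request_id] = req
        return req

    def amend(self, request_id, actor, payload):
        # Changing what is being approved silently invalidates earlier approvals,
        # because each approval is bound to the digest of the payload it saw.
        req = self.requests[request_id]
        req.payload = payload
        req.audit.append((self.clock(), "amend", actor))

    def approve(self, request_id, approver):
        req = self.requests[request_id]
        if approver not in self.approvers:
            raise DualAuthError(f"{approver} is not an authorized approver")
        if approver == req.requester:
            raise DualAuthError("self-approval is not permitted")
        if approver in req.approvals:
            raise DualAuthError(f"{approver} has already approved this request")
        now = self.clock()
        req.approvals[approver] = (digest(req.payload), now)
        req.audit.append((now, "approve", approver))

    def valid_approvals(self, req):
        # Only approvals for the current payload that have not expired count.
        now = self.clock()
        current = digest(req.payload)
        return [a for a, (d, ts) in req.approvals.items()
                if d == current and now - ts <= self.ttl]

    def execute(self, request_id, executor):
        req = self.requests[request_id]
        if req.executed:
            raise DualAuthError("request already executed; approvals are single-use")
        valid = self.valid_approvals(req)
        if len(valid) < self.required:
            raise DualAuthError(f"{len(valid)} valid approval(s), {self.required} required")
        req.executed = True
        for approver in valid:
            self.executed_pairs[(req.requester, approver)] += 1
        req.audit.append((self.clock(), "execute", executor))
        return req.action

    def collusion_report(self, threshold=3):
        # Pairs that repeatedly approve each other's requests are the ones to
        # rotate, per the guidance on reducing the risk of collusion.
        return {pair: n for pair, n in self.executed_pairs.items() if n >= threshold}


if __name__ == "__main__":
    gate = DualAuthGate(["alice", "bob", "carol"])
    gate.submit("r1", "alice", "checkout:domain-admin", b"account=DomainAdmin")
    gate.approve("r1", "bob")
    print(gate.execute("r1", "alice"))
    for entry in gate.requests["r1"].audit:
        print(entry)
```

Two design points carry over to real tooling: binding the approval to a digest of the payload is what "reset approval votes on push" does in Azure DevOps, and the expiry plus single-use flag is what stops an old CyberArk confirmation from being replayed for a later checkout.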