NIST 800-53 r5 · Controls catalogue · Family AC
AC-1Policy and Procedures
Develop, document, and disseminate to {{ insert: param, ac-1_prm_1 }}: {{ insert: param, ac-01_odp.03 }} access control policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the access control policy and the associated access controls; Designate an {{ insert: param, ac-01_odp.04 }} to manage the development, documentation, and dissemination of the access control policy and procedures; and Review and update the current access control: Policy {{ insert: param, ac-01_odp.05 }} and following {{ insert: param, ac-01_odp.06 }} ; and Procedures {{ insert: param, ac-01_odp.07 }} and following {{ insert: param, ac-01_odp.08 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (10)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Requiring an access control policy ensures authorization checks are defined and applied for critical functions. |
CWE-284 | Improper Access Control | 4,832 | The access control policy and procedures directly mandate and enforce proper access control mechanisms across the organization. |
CWE-863 | Incorrect Authorization | 3,234 | Periodic review and update of procedures reduces incorrect authorization implementations over time. |
CWE-269 | Improper Privilege Management | 2,907 | Policy addresses roles, responsibilities, and privilege management to prevent improper privilege assignments. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Procedures support proper permission assignment for critical resources through documented controls. |
CWE-276 | Incorrect Default Permissions | 1,757 | Access control policy can specify and enforce secure default permissions for resources. |
CWE-285 | Improper Authorization | 1,230 | Documented procedures facilitate correct implementation and ongoing management of authorization decisions. |
CWE-266 | Incorrect Privilege Assignment | 826 | Designation of a manager and policy dissemination ensures privileges are assigned according to defined roles. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Policy promotes least privilege by defining necessary privileges and management commitment to them. |
CWE-272 | Least Privilege Violation | 25 | Review and update requirements help detect and correct least privilege violations in practice. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||