NIST 800-53 r5 · Controls catalogue · Family AC
AC-11 Device Lock
Prevent further access to the system by {{ insert: param, ac-11_odp.01 }}; and retain the device lock until the user reestablishes access using established identification and authentication procedures.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (2)
Weaknesses this control addresses (3)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Device lock enforces restricted access until re-authentication, directly reducing unauthorized use of active sessions. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Requires established identification and authentication to unlock, mitigating missing authentication for continued system access. |
| CWE-613 | Insufficient Session Expiration | 606 | Locks the device (typically after inactivity) until re-authentication, addressing insufficient session expiration by preventing indefinite access. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2024-44286 | 1.5 | 7.5 | 0.0009 | good |
| CVE-2025-48605 | 1.7 | 8.4 | 0.0000 | good |
| CVE-2025-48602 | 1.7 | 8.4 | 0.0000 | good |
| CVE-2024-53835 | 1.6 | 7.8 | 0.0001 | partial |
| CVE-2024-43764 | 1.6 | 7.8 | 0.0001 | partial |
| CVE-2024-44136 | 0.9 | 4.6 | 0.0030 | good |
| CVE-2025-15554 | 1.6 | 7.8 | 0.0002 | good |
| CVE-2024-57957 | 1.3 | 6.6 | 0.0010 | good |