NIST 800-53 r5 · Controls catalogue · Family AC
AC-13Supervision and Review — Access Control
Supervision and Review — Access Control
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Reviews of access controls detect missing authorization checks on critical functions or resources. |
CWE-284 | Improper Access Control | 4,832 | Supervision and review of access control activities directly detects and remediates improper access configurations or usages. |
CWE-863 | Incorrect Authorization | 3,234 | Supervision identifies cases where authorization logic incorrectly permits unauthorized actions. |
CWE-269 | Improper Privilege Management | 2,907 | Access supervision ensures privileges are assigned and managed without improper escalation or retention. |
CWE-285 | Improper Authorization | 1,230 | Periodic reviews identify and correct flaws in authorization decisions or enforcement. |
CWE-266 | Incorrect Privilege Assignment | 826 | Regular reviews catch incorrect privilege assignments to users, roles, or processes. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Supervision detects and allows removal of unnecessary privileges that enable execution with excess rights. |
CWE-272 | Least Privilege Violation | 25 | Access reviews verify and enforce adherence to least privilege by identifying excess permissions. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||