NIST 800-53 r5 · Controls catalogue · Family AC
AC-14 Permitted Actions Without Identification or Authentication
a. Identify [Assignment: organization-defined user actions] that can be performed on the system without identification or authentication consistent with organizational mission and business functions; and
b. Document and provide supporting rationale in the security plan for the system, user actions not requiring identification or authentication.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (1)
- T1137.002 Office Test Persistence
Weaknesses this control addresses (4) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Documenting permitted unauthenticated actions prevents missing authorization by making all exceptions explicit and subject to organizational review. |
| CWE-284 | Improper Access Control | 4,832 | Explicitly identifying and documenting actions permitted without identification or authentication enforces proper access control boundaries by defining justified exceptions. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements. |
| CWE-285 | Improper Authorization | 1,230 | The control's documentation requirement reduces improper authorization by ensuring only mission-justified actions bypass authentication. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-39987 (KEV) | 8.7 | 9.8 | 0.7871 | good |
| CVE-2025-8943 | 7.2 | 9.8 | 0.8815 | good |
| CVE-2022-25369 | 6.8 | 9.8 | 0.8014 | good |
| CVE-2024-12847 | 6.4 | 9.8 | 0.7344 | good |
| CVE-2025-24865 | 6.0 | 10.0 | 0.6723 | good |
| CVE-2024-6842 | 5.7 | 7.5 | 0.7023 | good |
| CVE-2024-57046 | 4.8 | 8.8 | 0.5050 | good |
| CVE-2024-50967 | 3.6 | 6.5 | 0.3787 | good |
| CVE-2026-2699 | 3.5 | 9.8 | 0.2526 | good |
| CVE-2025-0364 | 3.3 | 9.8 | 0.2233 | good |
| CVE-2026-2262 | 3.2 | 7.5 | 0.2911 | good |
| CVE-2025-64095 | 3.2 | 10.0 | 0.2017 | good |
| CVE-2026-33032 | 2.8 | 9.8 | 0.1434 | good |
| CVE-2025-27590 | 2.6 | 9.0 | 0.1340 | good |
| CVE-2024-23733 | 2.6 | 7.5 | 0.1810 | good |
| CVE-2024-13375 | 2.6 | 9.8 | 0.1063 | good |
| CVE-2026-30824 | 2.5 | 9.8 | 0.0938 | good |
| CVE-2026-41179 | 2.5 | 9.8 | 0.0960 | good |
| CVE-2026-21445 | 2.5 | 9.1 | 0.1104 | good |
| CVE-2025-58443 | 2.5 | 9.1 | 0.1102 | good |
| CVE-2025-34205 | 2.4 | 9.8 | 0.0651 | good |
| CVE-2026-27944 | 2.3 | 9.8 | 0.0583 | good |
| CVE-2025-40554 | 2.3 | 9.8 | 0.0629 | good |
| CVE-2026-41176 | 2.3 | 9.8 | 0.0630 | good |
| CVE-2026-0545 | 2.3 | 9.8 | 0.0550 | good |