NIST 800-53 r5 · Controls catalogue · Family AC
AC-19 Access Control for Mobile Devices
a. Establish configuration requirements, connection requirements, and implementation guidance for organization-controlled mobile devices, to include when such devices are outside of controlled areas; and
b. Authorize the connection of mobile devices to organizational systems.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (27)
- T1020.001 Traffic Duplication · Exfiltration
- T1040 Network Sniffing · Credential Access, Discovery
- T1070.008 Clear Mailbox Data · Stealth
- T1114 Email Collection · Collection
- T1114.001 Local Email Collection · Collection
- T1114.002 Remote Email Collection · Collection
- T1114.003 Email Forwarding Rule · Collection
- T1119 Automated Collection · Collection
- T1530 Data from Cloud Storage · Collection
- T1550.001 Application Access Token · Lateral Movement
- T1552 Unsecured Credentials · Credential Access
- T1552.004 Private Keys · Credential Access
- T1557 Adversary-in-the-Middle · Credential Access, Collection
- T1557.002 ARP Cache Poisoning · Credential Access, Collection
- T1557.004 Evil Twin · Credential Access, Collection
- T1558 Steal or Forge Kerberos Tickets · Credential Access
- T1558.002 Silver Ticket · Credential Access
- T1558.003 Kerberoasting · Credential Access
- T1558.004 AS-REP Roasting · Credential Access
- T1565 Data Manipulation · Impact
- T1565.001 Stored Data Manipulation · Impact
- T1565.002 Transmitted Data Manipulation · Impact
- T1602 Data from Configuration Repository · Collection
- T1602.001 SNMP (MIB Dump) · Collection
- T1602.002 Network Device Configuration Dump · Collection
- T1685.005 Clear Windows Event Logs · Defense Impairment
- T1685.006 Clear Linux or Mac System Logs · Defense Impairment
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the exploitability of each weakness class. Note that AC-19 is an organizational control: it does not remove these weaknesses from the software that contains them, it limits which devices, in which configuration state, are allowed to reach the systems that do.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | AC-19 b requires an explicit authorization decision before a mobile device may connect. An enforcement point that denies unknown or unlisted devices by default keeps a missing authorization check in a downstream system from being reachable by arbitrary devices. |
| CWE-284 | Improper Access Control | 4,832 | The configuration and connection requirements of AC-19 a define which devices may reach organizational systems and in what state, so an access-control gap in a system is exposed only to devices that already satisfied those requirements. |
| CWE-863 | Incorrect Authorization | 3,234 | A documented connection-authorization process makes the decision rule explicit (an enrolled device identity plus the required posture), which is what prevents ad hoc decisions that match on the wrong attribute and grant access to the wrong device. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Authorizing a device connection presupposes authenticating the device, for example through its management enrolment, so functions reachable over the mobile channel are not exposed to unauthenticated devices. |
| CWE-285 | Improper Authorization | 1,230 | Mandating an explicit, fail-closed authorization for every device connection reduces the chance that a permissive or implicit decision admits a device the organization never approved. |
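The table above describes AC-19 b as an authorization gate that denies by default. The following is an added example of what such a gate looks like as code; it is not part of the catalogue and not any vendor's MDM API. The enrolment registry, the posture fields, the minimum-OS table and the set of targets reachable from outside controlled areas are all constructed assumptions. It shows the two properties the CWE rationales rely on: an unknown device is denied before any other attribute is consulted (fail closed), and the decision is made on an identity asserted by the management platform combined with configuration requirements, not on a user-supplied name.

```python
"""Device-connection authorization gate for AC-19 (added example, not from the catalogue).

Everything here is constructed for illustration: the enrolment registry, the
posture fields and the minimum-OS table are assumptions, not an MDM's real API.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    # Identifier asserted by the management platform, never a user-typed hostname.
    device_id: str
    platform: str                 # "ios" or "android" in this example
    os_version: tuple             # e.g. (17, 4)
    disk_encrypted: bool
    screen_lock: bool
    compromised: bool             # jailbroken / rooted, as reported by the MDM agent
    inside_controlled_area: bool  # True when on a managed corporate network


@dataclass(frozen=True)
class ConnectionRequest:
    device: DevicePosture
    target: str                   # e.g. "mail", "file-share", "admin-console"


# Constructed registry: device_id -> targets the organization authorized it for
# (AC-19 b). A device that is not listed is denied, so the check fails closed.
REGISTRY = {
    "mdm-0001": frozenset({"mail", "file-share"}),
    "mdm-0002": frozenset({"mail"}),
}

# Constructed configuration requirements (AC-19 a).
MIN_OS = {"ios": (17, 0), "android": (14, 0)}
# Targets that may be reached at all from outside controlled areas (assumption).
REMOTE_OK = frozenset({"mail"})


def posture_violations(d: DevicePosture) -> list:
    """Return every configuration requirement the device fails (empty list = compliant)."""
    problems = []
    if d.compromised:
        problems.append("device reports jailbreak/root")
    if not d.disk_encrypted:
        problems.append("storage not encrypted")
    if not d.screen_lock:
        problems.append("no screen lock")
    minimum = MIN_OS.get(d.platform)
    if minimum is None:
        problems.append(f"unsupported platform {d.platform!r}")
    elif d.os_version < minimum:
        problems.append(f"OS {d.os_version} below minimum {minimum}")
    return problems


def authorize(req: ConnectionRequest, registry=REGISTRY) -> tuple:
    """Decide whether this device may connect to this target.

    Returns (Decision, reasons); reasons is empty on ALLOW and lists every
    failed requirement on DENY so the device owner can be told what to fix.
    """
    allowed_targets = registry.get(req.device.device_id)
    if allowed_targets is None:
        # Unknown device: deny before consulting any other attribute.
        return Decision.DENY, ["device not enrolled"]
    reasons = []
    if req.target not in allowed_targets:
        reasons.append(f"device not authorized for target {req.target!r}")
    reasons.extend(posture_violations(req.device))
    if not req.device.inside_controlled_area and req.target not in REMOTE_OK:
        reasons.append(f"target {req.target!r} not reachable from outside controlled areas")
    if reasons:
        return Decision.DENY, reasons
    return Decision.ALLOW, []


if __name__ == "__main__":
    # Constructed sample requests.
    onsite = DevicePosture("mdm-0001", "ios", (17, 4), True, True, False, True)
    offsite = DevicePosture("mdm-0001", "ios", (17, 4), True, True, False, False)
    unknown = DevicePosture("mdm-9999", "ios", (17, 4), True, True, False, True)
    old_os = DevicePosture("mdm-0002", "android", (12, 0), True, True, False, True)
    for req in (ConnectionRequest(onsite, "mail"),
                ConnectionRequest(offsite, "file-share"),
                ConnectionRequest(unknown, "mail"),
                ConnectionRequest(old_os, "mail")):
        decision, why = authorize(req)
        print(req.device.device_id, req.target, decision.value, why)
```

The order of checks is deliberate: enrolment is tested first and short-circuits, so a device the organization never approved gets no information about which targets or posture rules exist. Everything after that accumulates reasons rather than returning on the first failure, which is what an operator needs when helping a user bring a device into compliance.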
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-0590 | 1.5 | 7.5 | 0.0014 | good |
| CVE-2025-1298 | 2.0 | 9.8 | 0.0018 | partial |
| CVE-2024-11624 | 1.6 | 7.8 | 0.0001 | good |
| CVE-2025-24200 (KEV) | 6.1 | 6.1 | 0.4816 | good |
| CVE-2025-43192 | 2.0 | 9.8 | 0.0011 | partial |
| CVE-2024-53931 | 1.8 | 9.1 | 0.0014 | partial |
| CVE-2025-25758 | 1.5 | 7.5 | 0.0013 | good |
| CVE-2025-20060 | 1.5 | 7.5 | 0.0017 | good |
| CVE-2025-21194 | 1.4 | 7.1 | 0.0019 | partial |
| CVE-2025-0150 | 1.4 | 7.1 | 0.0015 | partial |
| CVE-2024-44136 | 0.9 | 4.6 | 0.0030 | partial |