NIST 800-53 r5 · Controls catalogue · Family AC
AC-2Account Management
Define and document the types of accounts allowed and specifically prohibited for use within the system; Assign account managers; Require {{ insert: param, ac-02_odp.01 }} for group and role membership; Specify: Authorized users of the system; Group and role membership; and Access authorizations (i.e., privileges) and {{ insert: param, ac-02_odp.02 }} for each account; Require approvals by {{ insert: param, ac-02_odp.03 }} for requests to create accounts; Create, enable, modify, disable, and remove accounts in accordance with {{ insert: param, ac-02_odp.04 }}; Monitor the use of accounts; Notify account managers and {{ insert: param, ac-02_odp.05 }} within: {{ insert: param, ac-02_odp.06 }} when accounts are no longer required; {{ insert: param, ac-02_odp.07 }} when users are terminated or transferred; and {{ insert: param, ac-02_odp.08 }} when system usage or need-to-know changes for an individual; Authorize access to the system based on: A valid access authorization; Intended system usage; and {{ insert: param, ac-02_odp.09 }}; Review accounts for compliance with account management requirements {{ insert: param, ac-02_odp.10 }}; Establish and implement a process for changing shared or group account authenticators (if deployed) when individuals are removed from the group; and Align account management processes with personnel termination and transfer processes.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (2)
- aws-config-iam-no-inline-policy-check IAM identities have no inline policies AWS::IAM::Role partial
- gcp-cis-iam-no-primitive-roles No primitive roles granted at the project level cloudresourcemanager.googleapis.com/Project partial
ATT&CK techniques this control mitigates (218)
- T1003 OS Credential Dumping Credential Access
- T1003.001 LSASS Memory Credential Access
- T1003.002 Security Account Manager Credential Access
- T1003.003 NTDS Credential Access
- T1003.004 LSA Secrets Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1003.007 Proc Filesystem Credential Access
- T1003.008 /etc/passwd and /etc/shadow Credential Access
- T1005 Data from Local System Collection
- T1020.001 Traffic Duplication Exfiltration
- T1021 Remote Services Lateral Movement
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.002 SMB/Windows Admin Shares Lateral Movement
- T1021.003 Distributed Component Object Model Lateral Movement
- T1021.004 SSH Lateral Movement
- T1021.005 VNC Lateral Movement
- T1021.006 Windows Remote Management Lateral Movement
- T1021.007 Cloud Services Lateral Movement
- T1021.008 Direct Cloud VM Connections Lateral Movement
- T1025 Data from Removable Media Collection
- T1036 Masquerading Stealth
- T1036.003 Rename Legitimate Utilities Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1036.010 Masquerade Account Name Stealth
- T1041 Exfiltration Over C2 Channel Exfiltration
- T1047 Windows Management Instrumentation Execution
- T1048 Exfiltration Over Alternative Protocol Exfiltration
- T1048.002 Exfiltration Over Asymmetric Encrypted Non-C2 Protocol Exfiltration
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol Exfiltration
- T1052 Exfiltration Over Physical Medium Exfiltration
- T1052.001 Exfiltration over USB Exfiltration
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.003 Cron Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1053.006 Systemd Timers Execution, Persistence, Privilege Escalation
- T1053.007 Container Orchestration Job Execution, Persistence, Privilege Escalation
- T1055 Process Injection Stealth, Privilege Escalation
- T1055.008 Ptrace System Calls Stealth, Privilege Escalation
- T1056.003 Web Portal Capture Collection, Credential Access
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.002 AppleScript Execution
- T1059.003 Windows Command Shell Execution
- T1059.004 Unix Shell Execution
- T1059.005 Visual Basic Execution
- T1059.006 Python Execution
- T1059.007 JavaScript Execution
- T1059.008 Network Device CLI Execution
Weaknesses this control addresses (8)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Requiring approvals for account creation and specifying authorizations ensures authorization is not missing for system access. |
CWE-284 | Improper Access Control | 4,832 | Defining account types, requiring approvals for creation, specifying authorizations, monitoring usage, and reviewing accounts directly prevents improper access control by ensuring only authorized accounts exist and are used. |
CWE-863 | Incorrect Authorization | 3,234 | Monitoring account use, notifying on changes, and reviewing accounts for compliance corrects incorrect authorization assignments. |
CWE-269 | Improper Privilege Management | 2,907 | Assigning group/role memberships and access authorizations (privileges) while reviewing accounts addresses improper privilege management. |
CWE-285 | Improper Authorization | 1,230 | Specifying access authorizations for each account and requiring approvals for account requests enforces proper authorization decisions. |
CWE-266 | Incorrect Privilege Assignment | 826 | Explicitly specifying privileges and group/role memberships for accounts reduces the risk of incorrect privilege assignments. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Reviewing accounts for compliance, disabling/removing unneeded accounts, and aligning with termination processes prevents execution with unnecessary privileges. |
CWE-272 | Least Privilege Violation | 25 | Requiring specification of intended system usage and access authorizations, plus periodic reviews, supports enforcement of least privilege. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-8489 | 4.9 | 9.8 | 0.4926 | good |
CVE-2024-54880 | 2.2 | 9.1 | 0.0552 | good |
CVE-2026-31874 | 2.0 | 9.8 | 0.0023 | good |
CVE-2025-12882 | 2.0 | 9.8 | 0.0011 | good |
CVE-2025-11457 | 2.0 | 9.8 | 0.0017 | good |
CVE-2025-14533 | 2.0 | 9.8 | 0.0015 | good |
CVE-2024-9636 | 2.0 | 9.8 | 0.0076 | good |
CVE-2025-0177 | 2.0 | 9.8 | 0.0031 | good |
CVE-2024-13421 | 2.0 | 9.8 | 0.0024 | good |
CVE-2025-13675 | 2.0 | 9.8 | 0.0018 | good |
CVE-2024-12281 | 2.0 | 9.8 | 0.0025 | good |
CVE-2024-11951 | 2.0 | 9.8 | 0.0025 | good |
CVE-2025-13764 | 2.0 | 9.8 | 0.0019 | good |
CVE-2025-13559 | 2.0 | 9.8 | 0.0021 | good |
CVE-2025-2232 | 2.0 | 9.8 | 0.0006 | good |
CVE-2025-13618 | 2.0 | 9.8 | 0.0007 | good |
CVE-2026-0920 | 2.0 | 9.8 | 0.0006 | good |
CVE-2025-6758 | 2.0 | 9.8 | 0.0031 | good |
CVE-2025-6994 | 2.0 | 9.8 | 0.0027 | good |
CVE-2025-34217 | 2.0 | 9.8 | 0.0017 | good |
CVE-2025-35452 | 2.0 | 9.8 | 0.0015 | good |
CVE-2024-46433 | 1.8 | 8.8 | 0.0097 | good |
CVE-2024-57434 | 1.8 | 8.8 | 0.0021 | good |
CVE-2024-46429 | 1.8 | 8.8 | 0.0020 | good |
CVE-2026-35607 | 1.6 | 8.1 | 0.0008 | good |