NIST 800-53 r5 · Controls catalogue · Family AC
AC-4 Information Flow Enforcement
Enforce approved authorizations for controlling the flow of information within the system and between connected systems based on {{ insert: param, ac-04_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (11)
| Implementation | Description | Resource type | Coverage |
|---|---|---|---|
| aws-config-vpc-flow-logs-enabled | VPC flow logs are enabled | AWS::EC2::VPC | partial |
| aws-config-s3-bucket-public-read-prohibited | S3 buckets prohibit public read access | AWS::S3::Bucket | partial |
| aws-config-s3-bucket-public-write-prohibited | S3 buckets prohibit public write access | AWS::S3::Bucket | mostly |
| aws-config-rds-snapshots-public-prohibited | RDS snapshots are not publicly restorable | AWS::RDS::DBSnapshot | partial |
| aws-config-incoming-ssh-disabled | Security groups disallow unrestricted SSH ingress | AWS::EC2::SecurityGroup | partial |
| aws-config-restricted-common-ports | Security groups disallow unrestricted common-port ingress | AWS::EC2::SecurityGroup | partial |
| aws-config-lambda-function-public-access-prohibited | Lambda function policies prohibit public invocation | AWS::Lambda::Function | partial |
| azure-mcsb-network-restrict-public-storage | Storage accounts deny public-blob access | Microsoft.Storage/storageAccounts | partial |
| azure-mcsb-network-flow-logs | NSG flow logs are enabled | Microsoft.Network/networkSecurityGroups | partial |
| gcp-cis-storage-bucket-public-access-prohibited | Cloud Storage buckets disallow allUsers / allAuthenticatedUsers | storage.googleapis.com/Bucket | partial |
| gcp-cis-vpc-flow-logs-enabled | VPC subnetworks have flow logs enabled | compute.googleapis.com/Subnetwork | partial |
ATT&CK techniques this control mitigates (158)
| Technique | Name | Tactic |
|---|---|---|
| T1001 | Data Obfuscation | Command And Control |
| T1001.001 | Junk Data | Command And Control |
| T1001.002 | Steganography | Command And Control |
| T1001.003 | Protocol or Service Impersonation | Command And Control |
| T1003 | OS Credential Dumping | Credential Access |
| T1003.001 | LSASS Memory | Credential Access |
| T1003.005 | Cached Domain Credentials | Credential Access |
| T1003.006 | DCSync | Credential Access |
| T1008 | Fallback Channels | Command And Control |
| T1020.001 | Traffic Duplication | Exfiltration |
| T1021.001 | Remote Desktop Protocol | Lateral Movement |
| T1021.002 | SMB/Windows Admin Shares | Lateral Movement |
| T1021.003 | Distributed Component Object Model | Lateral Movement |
| T1021.005 | VNC | Lateral Movement |
| T1021.006 | Windows Remote Management | Lateral Movement |
| T1029 | Scheduled Transfer | Exfiltration |
| T1030 | Data Transfer Size Limits | Exfiltration |
| T1041 | Exfiltration Over C2 Channel | Exfiltration |
| T1046 | Network Service Discovery | Discovery |
| T1048 | Exfiltration Over Alternative Protocol | Exfiltration |
| T1048.001 | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.002 | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Exfiltration |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | Exfiltration |
| T1068 | Exploitation for Privilege Escalation | Privilege Escalation |
| T1070.008 | Clear Mailbox Data | Stealth |
| T1071 | Application Layer Protocol | Command And Control |
| T1071.001 | Web Protocols | Command And Control |
| T1071.002 | File Transfer Protocols | Command And Control |
| T1071.003 | Mail Protocols | Command And Control |
| T1071.004 | DNS | Command And Control |
| T1071.005 | Publish/Subscribe Protocols | Command And Control |
| T1072 | Software Deployment Tools | Execution, Lateral Movement |
| T1090 | Proxy | Command And Control |
| T1090.001 | Internal Proxy | Command And Control |
| T1090.002 | External Proxy | Command And Control |
| T1090.003 | Multi-hop Proxy | Command And Control |
| T1095 | Non-Application Layer Protocol | Command And Control |
| T1098 | Account Manipulation | Persistence, Privilege Escalation |
| T1098.001 | Additional Cloud Credentials | Persistence, Privilege Escalation |
| T1098.007 | Additional Local or Domain Groups | Persistence, Privilege Escalation |
| T1102 | Web Service | Command And Control |
| T1102.001 | Dead Drop Resolver | Command And Control |
| T1102.002 | Bidirectional Communication | Command And Control |
| T1102.003 | One-Way Communication | Command And Control |
| T1104 | Multi-Stage Channels | Command And Control |
| T1105 | Ingress Tool Transfer | Command And Control |
| T1114 | Email Collection | Collection |
| T1114.001 | Local Email Collection | Collection |
| T1114.002 | Remote Email Collection | Collection |
| T1114.003 | Email Forwarding Rule | Collection |
Weaknesses this control addresses (8) AI
CWEs ranked by how often they appear in real CVEs. The rationale column describes how this control reduces the exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Mandates authorization checks and enforcement for all information flows, addressing missing authorization. |
| CWE-284 | Improper Access Control | 4,832 | Enforcing approved authorizations for information flows directly implements access control over data movements within and between systems. |
| CWE-863 | Incorrect Authorization | 3,234 | Applies only approved authorizations to information flows, mitigating incorrect authorization decisions. |
| CWE-285 | Improper Authorization | 1,230 | Requires and applies authorization decisions specifically to control information flows based on policy. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Restricts information flows to ensure resources are not exposed to incorrect or unauthorized spheres. |
| CWE-669 | Incorrect Resource Transfer Between Spheres | 96 | Enforces proper authorization rules for any resource or data transfer between different spheres. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Maintains isolation and compartmentalization by restricting flows between security domains or levels. |
| CWE-501 | Trust Boundary Violation | 24 | Prevents information from crossing trust boundaries without explicit approved authorizations. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-32737 | 2.0 | 10.0 | 0.0002 | good |
| CVE-2026-32768 | 2.0 | 9.9 | 0.0006 | good |
| CVE-2026-32769 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2025-70046 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2026-31818 | 1.9 | 9.6 | 0.0001 | good |
| CVE-2026-1181 | 1.8 | 9.0 | 0.0002 | good |
| CVE-2026-34504 | 1.7 | 8.3 | 0.0005 | good |
| CVE-2024-8026 | 1.6 | 8.1 | 0.0009 | good |
| CVE-2025-12805 | 1.6 | 8.1 | 0.0001 | good |
| CVE-2026-41295 | 1.6 | 7.8 | 0.0001 | good |
| CVE-2026-24470 | 1.6 | 8.1 | 0.0004 | good |
| CVE-2026-34936 | 1.5 | 7.7 | 0.0001 | good |
| CVE-2026-35629 | 1.5 | 7.4 | 0.0004 | good |
| CVE-2022-43916 | 1.4 | 6.8 | 0.0010 | good |
| CVE-2026-33265 | 1.3 | 6.3 | 0.0008 | good |
| CVE-2025-24472 (KEV) | 4.2 | 8.1 | 0.1043 | good |
| CVE-2025-34221 | 2.2 | 9.8 | 0.0365 | good |
| CVE-2025-55150 | 2.1 | 8.6 | 0.0605 | good |
| CVE-2026-32938 | 2.0 | 9.9 | 0.0025 | good |
| CVE-2025-59503 | 2.0 | 10.0 | 0.0020 | good |
| CVE-2025-24250 | 2.0 | 9.8 | 0.0070 | partial |
| CVE-2025-24167 | 2.0 | 9.8 | 0.0063 | partial |
| CVE-2025-24172 | 2.0 | 9.8 | 0.0045 | good |
| CVE-2026-31668 | 2.0 | 9.8 | 0.0007 | partial |
| CVE-2026-2286 | 2.0 | 9.8 | 0.0006 | good |