NIST 800-53 r5 · Controls catalogue · Family AC
AC-5 Separation of Duties
Identify and document {{ insert: param, ac-05_odp }}; and Define system access authorizations to support separation of duties.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (165)
- T1003 OS Credential Dumping (Credential Access)
- T1003.001 LSASS Memory (Credential Access)
- T1003.002 Security Account Manager (Credential Access)
- T1003.003 NTDS (Credential Access)
- T1003.004 LSA Secrets (Credential Access)
- T1003.005 Cached Domain Credentials (Credential Access)
- T1003.006 DCSync (Credential Access)
- T1003.007 Proc Filesystem (Credential Access)
- T1003.008 /etc/passwd and /etc/shadow (Credential Access)
- T1021 Remote Services (Lateral Movement)
- T1021.001 Remote Desktop Protocol (Lateral Movement)
- T1021.002 SMB/Windows Admin Shares (Lateral Movement)
- T1021.003 Distributed Component Object Model (Lateral Movement)
- T1021.004 SSH (Lateral Movement)
- T1021.006 Windows Remote Management (Lateral Movement)
- T1021.007 Cloud Services (Lateral Movement)
- T1047 Windows Management Instrumentation (Execution)
- T1053 Scheduled Task/Job (Execution, Persistence, Privilege Escalation)
- T1053.002 At (Execution, Persistence, Privilege Escalation)
- T1053.003 Cron (Execution, Persistence, Privilege Escalation)
- T1053.005 Scheduled Task (Execution, Persistence, Privilege Escalation)
- T1053.006 Systemd Timers (Execution, Persistence, Privilege Escalation)
- T1053.007 Container Orchestration Job (Execution, Persistence, Privilege Escalation)
- T1055 Process Injection (Stealth, Privilege Escalation)
- T1055.008 Ptrace System Calls (Stealth, Privilege Escalation)
- T1056.003 Web Portal Capture (Collection, Credential Access)
- T1059 Command and Scripting Interpreter (Execution)
- T1059.001 PowerShell (Execution)
- T1059.008 Network Device CLI (Execution)
- T1070 Indicator Removal (Stealth)
- T1070.003 Clear Command History (Stealth)
- T1070.007 Clear Network Connection History and Configurations (Stealth)
- T1070.008 Clear Mailbox Data (Stealth)
- T1070.009 Clear Persistence (Stealth)
- T1072 Software Deployment Tools (Execution, Lateral Movement)
- T1078 Valid Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1078.001 Default Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1078.002 Domain Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1078.003 Local Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1078.004 Cloud Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1087.004 Cloud Account (Discovery)
- T1098 Account Manipulation (Persistence, Privilege Escalation)
- T1098.001 Additional Cloud Credentials (Persistence, Privilege Escalation)
- T1098.002 Additional Email Delegate Permissions (Persistence, Privilege Escalation)
- T1098.003 Additional Cloud Roles (Persistence, Privilege Escalation)
- T1098.004 SSH Authorized Keys (Persistence, Privilege Escalation)
- T1098.005 Device Registration (Persistence, Privilege Escalation)
- T1098.007 Additional Local or Domain Groups (Persistence, Privilege Escalation)
- T1110 Brute Force (Credential Access)
- T1110.001 Password Guessing (Credential Access)
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Defining authorizations to support separation of duties strengthens overall access control by preventing unauthorized combinations of actions within a single account. |
| CWE-269 | Improper Privilege Management | 2,907 | By mandating division of duties across roles, the control enforces proper privilege management and prevents a single entity from controlling an entire sensitive process. |
| CWE-285 | Improper Authorization | 1,230 | The control requires authorizations to be structured around separated duties, mitigating improper authorization that would otherwise allow one user to perform conflicting operations. |
| CWE-266 | Incorrect Privilege Assignment | 826 | The control requires explicit definition of separated access authorizations, making incorrect privilege assignments that bundle conflicting duties harder to implement. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Separation of duties prevents any single user from holding all privileges needed to complete a critical task, directly reducing execution with unnecessary privileges. |
| CWE-272 | Least Privilege Violation | 25 | Separation of duties is a direct mechanism to enforce least privilege by ensuring no individual receives more access than required for their isolated responsibilities. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-29789 | 2.0 | 9.9 | 0.0006 | partial |
| CVE-2026-27668 | 1.8 | 8.8 | 0.0004 | good |
| CVE-2026-29073 | 1.8 | 8.8 | 0.0006 | partial |
| CVE-2026-30944 | 1.8 | 8.8 | 0.0005 | partial |
| CVE-2026-26416 | 1.8 | 8.8 | 0.0004 | good |
| CVE-2026-25859 | 1.8 | 8.8 | 0.0002 | partial |
| CVE-2026-34587 | 1.6 | 8.1 | 0.0003 | partial |
| CVE-2026-40591 | 1.4 | 7.1 | 0.0003 | partial |
| CVE-2025-0849 | 1.3 | 6.3 | 0.0003 | partial |
| CVE-2025-25616 | 0.9 | 4.3 | 0.0057 | partial |