NIST 800-53 r5 · Controls catalogue · Family CM

CM-13Data Action Mapping

Develop and document a map of system data actions.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

CWE	Name	CVEs	Why this control addresses it
`CWE-200`	Exposure of Sensitive Information to an Unauthorized Actor	10,204	A data action map identifies locations where sensitive information may be exposed to unauthorized actors during processing or transfer.
`CWE-284`	Improper Access Control	4,832	Mapping data actions reveals potential improper access controls by showing who can perform actions on data.
`CWE-532`	Insertion of Sensitive Information into Log File	1,378	Identifying logging as a data action allows prevention of sensitive information being inserted into log files.
`CWE-285`	Improper Authorization	1,230	Documenting data actions helps ensure proper authorization is enforced for each action involving sensitive data.
`CWE-319`	Cleartext Transmission of Sensitive Information	1,042	Mapping transmission actions in data flows helps prevent cleartext transmission of sensitive information.
`CWE-312`	Cleartext Storage of Sensitive Information	915	Data action mapping can detect storage actions that leave sensitive information in cleartext.
`CWE-311`	Missing Encryption of Sensitive Data	552	The map highlights data actions that involve sensitive data, enabling identification of missing encryption requirements.
`CWE-538`	Insertion of Sensitive Information into Externally-Accessible File or Directory	84	The map shows if data actions result in sensitive information being placed in externally accessible locations.

CVE	Risk	CVSS	EPSS	Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.