NIST 800-53 r5 · Controls catalogue · Family IA
IA-1Policy and Procedures
Develop, document, and disseminate to {{ insert: param, ia-1_prm_1 }}: {{ insert: param, ia-01_odp.03 }} identification and authentication policy that: Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and Procedures to facilitate the implementation of the identification and authentication policy and the associated identification and authentication controls; Designate an {{ insert: param, ia-01_odp.04 }} to manage the development, documentation, and dissemination of the identification and authentication policy and procedures; and Review and update the current identification and authentication: Policy {{ insert: param, ia-01_odp.05 }} and following {{ insert: param, ia-01_odp.06 }} ; and Procedures {{ insert: param, ia-01_odp.07 }} and following {{ insert: param, ia-01_odp.08 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-287 | Improper Authentication | 4,730 | Documented IA policy and procedures require proper authentication mechanisms to be defined and followed, reducing improper authentication. |
CWE-306 | Missing Authentication for Critical Function | 2,567 | The policy mandates identification and authentication for critical functions, making missing authentication less likely. |
CWE-798 | Use of Hard-coded Credentials | 1,955 | Policy and procedures prohibit hard-coded credentials in favor of managed authentication. |
CWE-521 | Weak Password Requirements | 303 | IA policy establishes password requirements, directly addressing weak password requirements. |
CWE-1392 | Use of Default Credentials | 89 | Policy requires changing or avoiding default credentials during system setup and operation. |
CWE-1390 | Weak Authentication | 75 | The IA policy requires strong authentication methods, reducing use of weak authentication. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||