NIST 800-53 r5 · Controls catalogue · Family IA
IA-10 Adaptive Authentication
Require individuals accessing the system to employ {{ insert: param, ia-10_odp.01 }} under specific {{ insert: param, ia-10_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-287 | Improper Authentication | 4,730 | Requires adaptive authentication under specific conditions, directly strengthening authentication mechanisms against improper or insufficient authentication. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Mandates additional authentication for access under defined conditions, ensuring critical or high-risk functions are not left without authentication. |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | 684 | Specific conditions can include excessive failed attempts, triggering stronger authentication that restricts brute-force exploitation. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 523 | Adaptive requirements can apply across access paths, reducing the ability to bypass authentication via alternate channels or paths. |
| CWE-1390 | Weak Authentication | 75 | Enforces dynamic, context-aware authentication that mitigates weak static authentication by increasing requirements based on risk or conditions. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-30969 | 1.8 | 9.1 | 0.0006 | good |
| CVE-2025-69246 | 2.0 | 9.8 | 0.0006 | partial |