NIST 800-53 r5 · Controls catalogue · Family IA
IA-12Identity Proofing
Identity proof users that require accounts for logical access to systems based on appropriate identity assurance level requirements as specified in applicable standards and guidelines; Resolve user identities to a unique individual; and Collect, validate, and verify identity evidence.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (4)
- T1078 Valid Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.002 Domain Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 Local Accounts Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 Cloud Accounts Stealth, Persistence, Privilege Escalation, Initial Access
Weaknesses this control addresses (2)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-287 | Improper Authentication | 4,730 | Identity proofing requires collecting, validating, and verifying evidence to resolve claims to unique individuals, directly preventing insufficient proof of identity during account establishment. |
CWE-290 | Authentication Bypass by Spoofing | 631 | Requiring verifiable identity evidence at appropriate assurance levels makes it substantially harder for attackers to successfully spoof or impersonate users to obtain accounts. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-1671 | 2.0 | 9.8 | 0.0019 | good |
CVE-2026-6266 | 1.7 | 8.3 | 0.0004 | good |