NIST 800-53 r5 · Controls catalogue · Family IA
IA-13 Identity Providers and Authorization Servers
Employ identity providers and authorization servers to manage user, device, and non-person entity (NPE) identities, attributes, and access rights supporting authentication and authorization decisions in accordance with {{ insert: param, ia-13_odp.01 }} using {{ insert: param, ia-13_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (17)
- T1078 Valid Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1078.002 Domain Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1078.004 Cloud Accounts (Stealth, Persistence, Privilege Escalation, Initial Access)
- T1111 Multi-Factor Authentication Interception (Credential Access)
- T1134 Access Token Manipulation (Stealth, Privilege Escalation)
- T1134.001 Token Impersonation/Theft (Stealth, Privilege Escalation)
- T1134.003 Make and Impersonate Token (Stealth, Privilege Escalation)
- T1134.005 SID-History Injection (Stealth, Privilege Escalation)
- T1528 Steal Application Access Token (Credential Access)
- T1556 Modify Authentication Process (Defense Impairment, Persistence, Credential Access)
- T1556.006 Multi-Factor Authentication (Defense Impairment, Persistence, Credential Access)
- T1556.007 Hybrid Identity (Defense Impairment, Persistence, Credential Access)
- T1556.009 Conditional Access Policies (Defense Impairment, Persistence, Credential Access)
- T1606 Forge Web Credentials (Credential Access)
- T1606.002 SAML Tokens (Credential Access)
- T1621 Multi-Factor Authentication Request Generation (Credential Access)
- T1649 Steal or Forge Authentication Certificates (Credential Access)
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Requiring authorization servers ensures authorization is performed for protected functions. |
| CWE-284 | Improper Access Control | 4,832 | Authorization servers centrally manage access rights, preventing improper access control. |
| CWE-287 | Improper Authentication | 4,730 | Identity providers centralize and enforce authentication mechanisms, reducing improper authentication. |
| CWE-863 | Incorrect Authorization | 3,234 | Centralized authorization servers reduce incorrect authorization by enforcing consistent policies. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Identity providers mandate authentication for functions that would otherwise lack it. |
| CWE-798 | Use of Hard-coded Credentials | 1,955 | External identity providers eliminate the need for hard-coded credentials in applications. |
| CWE-285 | Improper Authorization | 1,230 | Dedicated authorization servers support policy-based decisions, mitigating improper authorization. |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 523 | Centralized IdPs close alternate authentication paths that enable bypass. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-64717 | 2.0 | 9.8 | 0.0070 | good |
| CVE-2025-9485 | 2.0 | 9.8 | 0.0074 | good |
| CVE-2026-3224 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2026-2418 | 1.8 | 9.1 | 0.0010 | good |
| CVE-2026-27478 | 1.8 | 9.1 | 0.0002 | good |
| CVE-2025-66001 | 1.8 | 8.8 | 0.0003 | good |
| CVE-2026-28513 | 1.7 | 8.5 | 0.0001 | good |
| CVE-2026-6266 | 1.7 | 8.3 | 0.0004 | good |
| CVE-2025-15115 | 1.3 | 6.5 | 0.0017 | good |
| CVE-2026-24858 (KEV) | 4.3 | 9.8 | 0.0620 | good |
| CVE-2026-31957 | 2.0 | 10.0 | 0.0027 | good |
| CVE-2025-1061 | 2.0 | 9.8 | 0.0015 | good |
| CVE-2025-1515 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2026-20184 | 2.0 | 9.8 | 0.0007 | good |
| CVE-2026-33322 | 2.0 | 9.8 | 0.0003 | good |
| CVE-2025-27672 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2025-7444 | 2.0 | 9.8 | 0.0048 | good |
| CVE-2025-7710 | 2.0 | 9.8 | 0.0044 | good |
| CVE-2026-32301 | 1.9 | 9.3 | 0.0010 | good |
| CVE-2025-22146 | 1.8 | 9.1 | 0.0034 | good |
| CVE-2026-34456 | 1.8 | 9.1 | 0.0010 | good |
| CVE-2025-24399 | 1.8 | 8.8 | 0.0040 | partial |
| CVE-2025-9803 | 1.8 | 8.8 | 0.0009 | good |
| CVE-2026-33175 | 1.8 | 8.8 | 0.0013 | good |
| CVE-2026-30967 | 1.8 | 8.8 | 0.0011 | good |