NIST 800-53 r5 · Controls catalogue · Family IA
IA-2 Identification and Authentication (Organizational Users)
Uniquely identify and authenticate organizational users and associate that unique identification with processes acting on behalf of those users.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (5)
- aws-config-root-account-mfa-enabled · Root account has hardware MFA enabled · AWS::IAM::AccountSummary · partial
- aws-config-ec2-imdsv2-check · EC2 instances require IMDSv2 · AWS::EC2::Instance · partial
- aws-config-iam-user-mfa-enabled · IAM users with console access have MFA enabled · AWS::IAM::User · partial
- azure-mcsb-im-06-mfa · Subscription owners have multi-factor authentication enabled · Microsoft.Authorization/roleAssignments · partial
- gcp-cis-iam-mfa-enforcement · Owner principals have MFA / 2-step verification · cloudidentity.googleapis.com/User · partial
ATT&CK techniques this control mitigates (171)
- T1003 · OS Credential Dumping · Credential Access
- T1003.001 · LSASS Memory · Credential Access
- T1003.002 · Security Account Manager · Credential Access
- T1003.003 · NTDS · Credential Access
- T1003.004 · LSA Secrets · Credential Access
- T1003.005 · Cached Domain Credentials · Credential Access
- T1003.006 · DCSync · Credential Access
- T1003.007 · Proc Filesystem · Credential Access
- T1003.008 · /etc/passwd and /etc/shadow · Credential Access
- T1021 · Remote Services · Lateral Movement
- T1021.001 · Remote Desktop Protocol · Lateral Movement
- T1021.002 · SMB/Windows Admin Shares · Lateral Movement
- T1021.003 · Distributed Component Object Model · Lateral Movement
- T1021.004 · SSH · Lateral Movement
- T1021.005 · VNC · Lateral Movement
- T1021.006 · Windows Remote Management · Lateral Movement
- T1021.007 · Cloud Services · Lateral Movement
- T1021.008 · Direct Cloud VM Connections · Lateral Movement
- T1036.007 · Double File Extension · Stealth
- T1036.010 · Masquerade Account Name · Stealth
- T1040 · Network Sniffing · Credential Access, Discovery
- T1047 · Windows Management Instrumentation · Execution
- T1053 · Scheduled Task/Job · Execution, Persistence, Privilege Escalation
- T1053.002 · At · Execution, Persistence, Privilege Escalation
- T1053.003 · Cron · Execution, Persistence, Privilege Escalation
- T1053.005 · Scheduled Task · Execution, Persistence, Privilege Escalation
- T1053.006 · Systemd Timers · Execution, Persistence, Privilege Escalation
- T1053.007 · Container Orchestration Job · Execution, Persistence, Privilege Escalation
- T1055 · Process Injection · Stealth, Privilege Escalation
- T1055.008 · Ptrace System Calls · Stealth, Privilege Escalation
- T1056.003 · Web Portal Capture · Collection, Credential Access
- T1059 · Command and Scripting Interpreter · Execution
- T1059.001 · PowerShell · Execution
- T1059.008 · Network Device CLI · Execution
- T1059.009 · Cloud API · Execution
- T1072 · Software Deployment Tools · Execution, Lateral Movement
- T1078 · Valid Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.002 · Domain Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.003 · Local Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 · Cloud Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1087.004 · Cloud Account · Discovery
- T1098 · Account Manipulation · Persistence, Privilege Escalation
- T1098.001 · Additional Cloud Credentials · Persistence, Privilege Escalation
- T1098.002 · Additional Email Delegate Permissions · Persistence, Privilege Escalation
- T1098.003 · Additional Cloud Roles · Persistence, Privilege Escalation
- T1098.004 · SSH Authorized Keys · Persistence, Privilege Escalation
- T1098.007 · Additional Local or Domain Groups · Persistence, Privilege Escalation
- T1110 · Brute Force · Credential Access
- T1110.001 · Password Guessing · Credential Access
- T1110.002 · Password Cracking · Credential Access
Weaknesses this control addresses (4)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-287 | Improper Authentication | 4,730 | Requires unique identification and authentication of organizational users, directly preventing improper authentication. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Mandates authentication for organizational users and their associated processes, eliminating missing authentication for critical functions. |
| CWE-1392 | Use of Default Credentials | 89 | Unique identification requirement prevents use of default or shared credentials by organizational users. |
| CWE-1390 | Weak Authentication | 75 | Enforces authentication for users, reducing the viability of weak authentication mechanisms. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2026-21891 | 2.5 | 9.4 | 0.1092 | good |
| CVE-2026-20129 | 2.0 | 9.8 | 0.0007 | good |
| CVE-2026-1729 | 2.0 | 9.8 | 0.0013 | good |
| CVE-2025-63224 | 2.0 | 10.0 | 0.0014 | good |
| CVE-2025-10484 | 2.0 | 9.8 | 0.0045 | good |
| CVE-2023-54335 | 2.0 | 9.8 | 0.0059 | good |
| CVE-2025-1387 | 2.0 | 9.8 | 0.0061 | good |
| CVE-2025-27138 | 2.0 | 9.8 | 0.0060 | good |
| CVE-2024-12919 | 2.0 | 9.8 | 0.0011 | good |
| CVE-2025-66489 | 2.0 | 9.8 | 0.0014 | good |
| CVE-2026-33746 | 2.0 | 9.8 | 0.0005 | good |
| CVE-2024-11286 | 2.0 | 9.8 | 0.0005 | good |
| CVE-2026-31151 | 2.0 | 9.8 | 0.0006 | good |
| CVE-2026-30831 | 2.0 | 9.8 | 0.0008 | good |
| CVE-2025-12420 | 2.0 | 9.8 | 0.0005 | good |
| CVE-2025-8359 | 2.0 | 9.8 | 0.0044 | good |
| CVE-2025-7642 | 2.0 | 9.8 | 0.0044 | good |
| CVE-2026-1568 | 1.9 | 9.6 | 0.0002 | good |
| CVE-2026-21881 | 1.8 | 9.1 | 0.0032 | good |
| CVE-2026-39322 | 1.8 | 8.8 | 0.0005 | good |
| CVE-2026-30223 | 1.8 | 8.8 | 0.0004 | good |
| CVE-2026-20126 | 1.8 | 8.8 | 0.0002 | good |
| CVE-2025-47158 | 1.8 | 9.0 | 0.0026 | good |
| CVE-2025-30236 | 1.7 | 8.6 | 0.0020 | good |
| CVE-2026-34072 | 1.7 | 8.3 | 0.0010 | good |