NIST 800-53 r5 · Controls catalogue · Family IA
IA-4Identifier Management
Manage system identifiers by: Receiving authorization from {{ insert: param, ia-04_odp.01 }} to assign an individual, group, role, service, or device identifier; Selecting an identifier that identifies an individual, group, role, service, or device; Assigning the identifier to the intended individual, group, role, service, or device; and Preventing reuse of identifiers for {{ insert: param, ia-04_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (36)
- T1003 OS Credential Dumping Credential Access
- T1003.005 Cached Domain Credentials Credential Access
- T1003.006 DCSync Credential Access
- T1021.001 Remote Desktop Protocol Lateral Movement
- T1021.005 VNC Lateral Movement
- T1053 Scheduled Task/Job Execution, Persistence, Privilege Escalation
- T1053.002 At Execution, Persistence, Privilege Escalation
- T1053.005 Scheduled Task Execution, Persistence, Privilege Escalation
- T1098.007 Additional Local or Domain Groups Persistence, Privilege Escalation
- T1110 Brute Force Credential Access
- T1110.001 Password Guessing Credential Access
- T1110.002 Password Cracking Credential Access
- T1110.003 Password Spraying Credential Access
- T1110.004 Credential Stuffing Credential Access
- T1213 Data from Information Repositories Collection
- T1213.001 Confluence Collection
- T1213.002 Sharepoint Collection
- T1213.004 Customer Relationship Management Software Collection
- T1213.005 Messaging Applications Collection
- T1528 Steal Application Access Token Credential Access
- T1530 Data from Cloud Storage Collection
- T1537 Transfer Data to Cloud Account Exfiltration
- T1543 Create or Modify System Process Persistence, Privilege Escalation
- T1547.006 Kernel Modules and Extensions Persistence, Privilege Escalation
- T1550.001 Application Access Token Lateral Movement
- T1552 Unsecured Credentials Credential Access
- T1552.005 Cloud Instance Metadata API Credential Access
- T1563 Remote Service Session Hijacking Lateral Movement
- T1578 Modify Cloud Compute Infrastructure Defense Impairment
- T1578.001 Create Snapshot Defense Impairment
- T1578.002 Create Cloud Instance Defense Impairment
- T1578.003 Delete Cloud Instance Defense Impairment
- T1602 Data from Configuration Repository Collection
- T1602.001 SNMP (MIB Dump) Collection
- T1602.002 Network Device Configuration Dump Collection
- T1685 Disable or Modify Tools Defense Impairment
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Requires explicit authorization before any identifier can be assigned, preventing missing authorization. |
CWE-284 | Improper Access Control | 4,832 | Ensures identifiers are properly authorized and assigned, supporting effective access control. |
CWE-287 | Improper Authentication | 4,730 | Provides unique, authorized identifiers that are foundational to preventing authentication weaknesses. |
CWE-863 | Incorrect Authorization | 3,234 | Enforces correct authorization checks during the identifier assignment process. |
CWE-285 | Improper Authorization | 1,230 | Mandates authorization for identifier assignment, reducing risks of improper authorization. |
CWE-286 | Incorrect User Management | 30 | Directly implements correct management of identifiers for individuals, groups, roles, services, and devices. |
CWE-642 | External Control of Critical State Data | 18 | Requires authorization and prevents reuse, mitigating external control of critical identifier state data. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-13609 | 1.6 | 8.2 | 0.0009 | good |
CVE-2026-22665 | 1.6 | 8.1 | 0.0004 | good |
CVE-2025-47411 | 1.6 | 8.1 | 0.0003 | good |
CVE-2025-29773 | 1.2 | 5.8 | 0.0009 | good |
CVE-2024-36555 | 2.0 | 9.8 | 0.0011 | good |
CVE-2025-7493 | 1.8 | 9.1 | 0.0011 | good |
CVE-2026-33665 | 1.5 | 7.5 | 0.0002 | partial |
CVE-2026-39976 | 1.4 | 7.1 | 0.0006 | good |
CVE-2026-35670 | 1.2 | 5.9 | 0.0008 | good |
CVE-2025-24399 | 1.8 | 8.8 | 0.0040 | partial |
CVE-2024-8273 | 1.8 | 8.8 | 0.0011 | partial |