NIST 800-53 r5 · Controls catalogue · Family IA
IA-5 Authenticator Management
Manage system authenticators by:
- Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, service, or device receiving the authenticator;
- Establishing initial authenticator content for any authenticators issued by the organization;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use;
- Establishing and implementing administrative procedures for initial authenticator distribution, for lost or compromised or damaged authenticators, and for revoking authenticators;
- Changing default authenticators prior to first use;
- Changing or refreshing authenticators {{ insert: param, ia-05_odp.01 }} or when {{ insert: param, ia-05_odp.02 }} occur;
- Protecting authenticator content from unauthorized disclosure and modification;
- Requiring individuals to take, and having devices implement, specific controls to protect authenticators; and
- Changing authenticators for group or role accounts when membership to those accounts changes.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (1)
- aws-config-iam-password-policy · IAM password policy meets baseline strength · AWS::IAM::AccountPasswordPolicy · partial
ATT&CK techniques this control mitigates (72)
- T1003 · OS Credential Dumping · Credential Access
- T1003.001 · LSASS Memory · Credential Access
- T1003.002 · Security Account Manager · Credential Access
- T1003.003 · NTDS · Credential Access
- T1003.004 · LSA Secrets · Credential Access
- T1003.005 · Cached Domain Credentials · Credential Access
- T1003.006 · DCSync · Credential Access
- T1003.007 · Proc Filesystem · Credential Access
- T1003.008 · /etc/passwd and /etc/shadow · Credential Access
- T1021 · Remote Services · Lateral Movement
- T1021.001 · Remote Desktop Protocol · Lateral Movement
- T1021.004 · SSH · Lateral Movement
- T1021.007 · Cloud Services · Lateral Movement
- T1021.008 · Direct Cloud VM Connections · Lateral Movement
- T1040 · Network Sniffing · Credential Access, Discovery
- T1072 · Software Deployment Tools · Execution, Lateral Movement
- T1078 · Valid Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.002 · Domain Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1078.004 · Cloud Accounts · Stealth, Persistence, Privilege Escalation, Initial Access
- T1098.001 · Additional Cloud Credentials · Persistence, Privilege Escalation
- T1098.002 · Additional Email Delegate Permissions · Persistence, Privilege Escalation
- T1098.003 · Additional Cloud Roles · Persistence, Privilege Escalation
- T1098.004 · SSH Authorized Keys · Persistence, Privilege Escalation
- T1098.006 · Additional Container Cluster Roles · Persistence, Privilege Escalation
- T1110 · Brute Force · Credential Access
- T1110.001 · Password Guessing · Credential Access
- T1110.002 · Password Cracking · Credential Access
- T1110.003 · Password Spraying · Credential Access
- T1110.004 · Credential Stuffing · Credential Access
- T1111 · Multi-Factor Authentication Interception · Credential Access
- T1114 · Email Collection · Collection
- T1114.002 · Remote Email Collection · Collection
- T1133 · External Remote Services · Persistence, Initial Access
- T1136 · Create Account · Persistence
- T1136.001 · Local Account · Persistence
- T1136.002 · Domain Account · Persistence
- T1136.003 · Cloud Account · Persistence
- T1212 · Exploitation for Credential Access · Credential Access
- T1528 · Steal Application Access Token · Credential Access
- T1530 · Data from Cloud Storage · Collection
- T1539 · Steal Web Session Cookie · Credential Access
- T1550.003 · Pass the Ticket · Lateral Movement
- T1552 · Unsecured Credentials · Credential Access
- T1552.001 · Credentials In Files · Credential Access
- T1552.002 · Credentials in Registry · Credential Access
- T1552.004 · Private Keys · Credential Access
- T1552.006 · Group Policy Preferences · Credential Access
- T1555 · Credentials from Password Stores · Credential Access
- T1555.001 · Keychain · Credential Access
- T1555.002 · Securityd Memory · Credential Access
Weaknesses this control addresses (8) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Changing default authenticators prior to first use and protecting content prevents use of hard-coded credentials. |
| CWE-522 | Insufficiently Protected Credentials | 1,518 | Protecting authenticator content from unauthorized disclosure and modification while requiring protective controls addresses insufficiently protected credentials. |
| CWE-521 | Weak Password Requirements | 303 | Ensuring authenticators have sufficient strength of mechanism for intended use addresses weak password requirements. |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | 298 | Establishing procedures for lost or compromised authenticators addresses weak password recovery mechanisms. |
| CWE-259 | Use of Hard-coded Password | 187 | Changing default authenticators prior to first use directly prevents use of hard-coded passwords. |
| CWE-1392 | Use of Default Credentials | 89 | Changing default authenticators prior to first use prevents use of default credentials. |
| CWE-1391 | Use of Weak Credentials | 47 | Ensuring sufficient strength of mechanism for authenticators prevents use of weak credentials. |
| CWE-1393 | Use of Default Password | 37 | Changing default authenticators prior to first use prevents use of default passwords. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| CVE-2025-13390 | 4.1 | 10.0 | 0.3499 | good |
| CVE-2025-8730 | 3.8 | 9.8 | 0.3021 | good |
| CVE-2025-22896 | 3.7 | 8.6 | 0.3324 | good |
| CVE-2024-9643 | 3.5 | 9.8 | 0.2625 | good |
| CVE-2026-20128 KEV | 3.5 | 7.5 | 0.0004 | good |
| CVE-2025-0890 | 3.3 | 9.8 | 0.2167 | good |
| CVE-2025-25570 | 3.2 | 9.8 | 0.2057 | good |
| CVE-2025-58434 | 3.2 | 9.8 | 0.2098 | good |
| CVE-2024-56902 | 3.1 | 7.5 | 0.2649 | good |
| CVE-2025-0674 | 2.9 | 9.8 | 0.1575 | good |
| CVE-2025-68926 | 2.6 | 9.8 | 0.1061 | good |
| CVE-2025-69971 | 2.2 | 9.8 | 0.0453 | good |
| CVE-2024-57395 | 2.2 | 9.8 | 0.0332 | good |
| CVE-2025-1100 | 2.1 | 9.8 | 0.0185 | good |
| CVE-2025-67114 | 2.0 | 9.8 | 0.0046 | good |
| CVE-2026-28778 | 2.0 | 9.8 | 0.0055 | good |
| CVE-2026-29119 | 2.0 | 9.8 | 0.0042 | good |
| CVE-2026-22886 | 2.0 | 9.8 | 0.0020 | good |
| CVE-2026-28777 | 2.0 | 9.8 | 0.0042 | good |
| CVE-2026-28776 | 2.0 | 9.8 | 0.0042 | good |
| CVE-2026-27637 | 2.0 | 9.8 | 0.0029 | good |
| CVE-2026-26341 | 2.0 | 9.8 | 0.0020 | good |
| CVE-2026-26218 | 2.0 | 9.8 | 0.0020 | good |
| CVE-2025-70998 | 2.0 | 9.8 | 0.0026 | good |
| CVE-2026-23647 | 2.0 | 9.8 | 0.0036 | good |