NIST 800-53 r5 · Controls catalogue · Family IA
IA-9Service Identification and Authentication
Uniquely identify and authenticate {{ insert: param, ia-09_odp }} before establishing communications with devices, users, or other services or applications.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (22)
- T1036 Masquerading Stealth
- T1036.001 Invalid Code Signature Stealth
- T1036.005 Match Legitimate Resource Name or Location Stealth
- T1059 Command and Scripting Interpreter Execution
- T1059.001 PowerShell Execution
- T1059.002 AppleScript Execution
- T1213.003 Code Repositories Collection
- T1525 Implant Internal Image Persistence
- T1546 Event Triggered Execution Privilege Escalation, Persistence
- T1546.006 LC_LOAD_DYLIB Addition Privilege Escalation, Persistence
- T1546.013 PowerShell Profile Privilege Escalation, Persistence
- T1553 Subvert Trust Controls Defense Impairment
- T1553.004 Install Root Certificate Defense Impairment
- T1554 Compromise Host Software Binary Persistence
- T1566 Phishing Initial Access
- T1566.001 Spearphishing Attachment Initial Access
- T1566.002 Spearphishing Link Initial Access
- T1598 Phishing for Information Reconnaissance
- T1598.002 Spearphishing Attachment Reconnaissance
- T1598.003 Spearphishing Link Reconnaissance
- T1685 Disable or Modify Tools Defense Impairment
- T1688 Safe Mode Boot Defense Impairment
Weaknesses this control addresses (5)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-287 | Improper Authentication | 4,730 | Requires unique identification and authentication of services before any communications, directly mitigating improper authentication. |
CWE-306 | Missing Authentication for Critical Function | 2,567 | Mandates authentication prior to establishing communications with services, preventing missing authentication for this critical function. |
CWE-290 | Authentication Bypass by Spoofing | 631 | Unique identification and authentication of services before communications makes spoofing of service identities substantially harder. |
CWE-346 | Origin Validation Error | 548 | Requires unique identification of the service before communications, addressing failures to validate the origin of the interaction. |
CWE-940 | Improper Verification of Source of a Communication Channel | 45 | Enforces verification of the source of a communication channel by requiring identification and authentication of services first. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
CVE-2025-20358 | 1.9 | 9.4 | 0.0039 | good |
CVE-2026-34953 | 1.8 | 9.1 | 0.0001 | good |
CVE-2026-32173 | 1.7 | 8.6 | 0.0006 | good |
CVE-2025-27256 | 1.7 | 8.3 | 0.0001 | good |
CVE-2026-4984 | 1.6 | 8.2 | 0.0004 | good |
CVE-2024-11322 | 1.5 | 7.5 | 0.0075 | good |
CVE-2023-52955 | 1.3 | 6.5 | 0.0010 | good |
CVE-2026-35622 | 1.2 | 5.9 | 0.0006 | good |
CVE-2025-68926 | 2.6 | 9.8 | 0.1061 | good |
CVE-2026-2039 | 2.0 | 9.8 | 0.0036 | good |
CVE-2026-24124 | 2.0 | 9.8 | 0.0011 | good |
CVE-2025-63389 | 2.0 | 9.8 | 0.0019 | good |
CVE-2026-2577 | 2.0 | 10.0 | 0.0008 | good |
CVE-2025-27129 | 2.0 | 9.8 | 0.0019 | good |
CVE-2025-15573 | 1.9 | 9.4 | 0.0001 | good |
CVE-2024-23943 | 1.8 | 9.1 | 0.0043 | good |
CVE-2026-34952 | 1.8 | 9.1 | 0.0002 | good |
CVE-2024-41724 | 1.7 | 8.7 | 0.0008 | good |
CVE-2026-4436 | 1.7 | 8.6 | 0.0006 | good |
CVE-2025-27616 | 1.7 | 8.5 | 0.0008 | good |
CVE-2024-12757 | 1.7 | 8.6 | 0.0028 | good |
CVE-2026-26125 | 1.7 | 8.6 | 0.0009 | good |
CVE-2026-39429 | 1.6 | 8.2 | 0.0008 | good |
CVE-2025-41258 | 1.6 | 8.0 | 0.0009 | good |
CVE-2026-28458 | 1.6 | 8.1 | 0.0008 | good |