NIST 800-53 r5 · Controls catalogue · Family PL
PL-4Rules of Behavior
Establish and provide to individuals requiring access to the system, the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy; Receive a documented acknowledgment from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the system; Review and update the rules of behavior {{ insert: param, pl-04_odp.01 }} ; and Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge {{ insert: param, pl-04_odp.02 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Users must acknowledge that access is granted only through proper authorization, directly addressing missing authorization. |
CWE-284 | Improper Access Control | 4,832 | Documented and acknowledged rules define permitted access, reducing improper access control by establishing clear behavioral boundaries and accountability. |
CWE-306 | Missing Authentication for Critical Function | 2,567 | Rules require authentication prior to system or function access, making missing authentication for critical functions harder to ignore or bypass. |
CWE-522 | Insufficiently Protected Credentials | 1,518 | Rules of behavior include credential protection and non-sharing requirements, reducing exposure of insufficiently protected credentials. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Rules of behavior explicitly require users to operate with only the privileges needed for their role, directly reducing execution with unnecessary privileges. |
CWE-272 | Least Privilege Violation | 25 | The control mandates acknowledgment of least-privilege expectations, making violations by authorized users less likely. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||