NIST 800-53 r5 · Controls catalogue · Family PL
PL-7 Concept of Operations
- a. Develop a Concept of Operations (CONOPS) for the system describing how the organization intends to operate the system from the perspective of information security and privacy; and
- b. Review and update the CONOPS {{ insert: param, pl-07_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVE count | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | CONOPS describes the organization's intended security and privacy operating model, including access-control concepts, making systemic improper access control less likely to persist undetected. |
| CWE-269 | Improper Privilege Management | 2,907 | The documented concept of operations forces organizations to specify how privileges will be assigned, used, and reviewed, directly limiting improper privilege management in day-to-day operations. |
| CWE-285 | Improper Authorization | 1,230 | By requiring a clear statement of how authorization decisions are made and enforced during operations, the control reduces gaps that allow improper authorization to be exploited. |
| CWE-693 | Protection Mechanism Failure | 476 | The control requires organizations to describe how protection mechanisms will function in operation, thereby reducing the chance that those mechanisms fail due to undefined or inconsistent operational assumptions. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | CONOPS explicitly defines intended operational roles, procedures, and privilege usage, reducing the likelihood of unnecessary privileges being assigned or retained during system operation. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | The CONOPS must articulate isolation and compartmentalization expectations for security and privacy, making architectural failures in separation of duties or domains harder to overlook. |
| CWE-657 | Violation of Secure Design Principles | 19 | Developing and maintaining a security-focused CONOPS constitutes explicit adherence to secure design and operational principles, directly countering violations of those principles. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |