NIST 800-53 r5 · Controls catalogue · Family PL
PL-8Security and Privacy Architectures
Develop security and privacy architectures for the system that: Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information; Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals; Describe how the architectures are integrated into and support the enterprise architecture; and Describe any assumptions about, and dependencies on, external systems and services; Review and update the architectures {{ insert: param, pl-08_odp }} to reflect changes in the enterprise architecture; and Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (10)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle. |
CWE-284 | Improper Access Control | 4,832 | Architectures explicitly define requirements and mechanisms for access control to protect confidentiality, integrity, and availability. |
CWE-287 | Improper Authentication | 4,730 | Security architectures must specify authentication requirements and approaches, making systemic authentication weaknesses harder to introduce. |
CWE-306 | Missing Authentication for Critical Function | 2,567 | The control requires architectures to identify and protect critical functions, including mandatory authentication for those functions. |
CWE-285 | Improper Authorization | 1,230 | The control mandates describing authorization approaches integrated into the enterprise architecture, directly reducing improper authorization risks. |
CWE-311 | Missing Encryption of Sensitive Data | 552 | Architectures must describe confidentiality protections, which includes mandating encryption for sensitive data in transit and at rest. |
CWE-693 | Protection Mechanism Failure | 476 | By requiring integrated, updated architectures and CONOPS, the control reduces the likelihood that protection mechanisms are missing or inconsistently applied. |
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | The control specifically requires architectures that minimize privacy risk when processing PII, directly addressing exposure of personal information. |
CWE-653 | Improper Isolation or Compartmentalization | 52 | Security architectures commonly incorporate isolation and compartmentalization strategies to limit the impact of compromises. |
CWE-657 | Violation of Secure Design Principles | 19 | Developing and maintaining documented security architectures enforces secure design principles and prevents violations at the system level. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||