NIST 800-53 r5 · Controls catalogue · Family PL
PL-9 Central Management
Centrally manage {{ insert: param, pl-09_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (9)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Central management enforces consistent access-control policies across systems, reducing the likelihood of missing or inconsistent enforcement. |
| CWE-287 | Improper Authentication | 4,730 | Centralized authentication mechanisms and policy enforcement reduce the chance of missing or weak authentication on individual components. |
| CWE-269 | Improper Privilege Management | 2,907 | Centralized privilege assignment and oversight prevent ad-hoc or excessive privilege grants that occur when each system is configured independently. |
| CWE-798 | Use of Hard-coded Credentials | 1,955 | Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Central management of critical-resource permissions ensures uniform, least-privilege assignments rather than per-system manual settings that frequently drift. |
| CWE-276 | Incorrect Default Permissions | 1,757 | A central authority can define and push correct default permissions, eliminating the common practice of leaving insecure defaults on individual hosts. |
| CWE-693 | Protection Mechanism Failure | 476 | Central management verifies that required protection mechanisms remain enabled and correctly configured, reducing protection-mechanism failures due to local drift. |
| CWE-521 | Weak Password Requirements | 303 | Organization-wide password and authentication policies are applied uniformly, preventing weak local password requirements. |
| CWE-1188 | Initialization of a Resource with an Insecure Default | 300 | Central configuration overrides or replaces insecure default initializations that would otherwise be left unchanged on each system. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |