NIST 800-53 r5 · Controls catalogue · Family PM
PM-10Authorization Process
Manage the security and privacy state of organizational systems and the environments in which those systems operate through authorization processes; Designate individuals to fulfill specific roles and responsibilities within the organizational risk management process; and Integrate the authorization processes into an organization-wide risk management program.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-862 | Missing Authorization | 8,680 | Requiring documented authorization for system operation and critical functions ensures missing authorization controls are identified and corrected during the approval process. |
CWE-284 | Improper Access Control | 4,832 | Formal authorization processes require review and approval of access control mechanisms before systems are permitted to operate, directly reducing the likelihood of improper access control weaknesses reaching production. |
CWE-863 | Incorrect Authorization | 3,234 | Authorization reviews within the risk management program detect and prevent incorrect authorization logic or policy enforcement before systems receive approval to operate. |
CWE-269 | Improper Privilege Management | 2,907 | Designating specific roles and responsibilities for authorization and risk management directly mitigates improper privilege management across the organization. |
CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Security authorization processes review and approve permission assignments for critical resources, reducing the chance that incorrect permission assignments remain unaddressed. |
CWE-285 | Improper Authorization | 1,230 | The control explicitly manages authorization decisions and integrates them into risk management, making incorrect or incomplete authorization decisions less likely to persist. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Integration of authorization into organization-wide risk management includes evaluation of privileges, making execution with unnecessary privileges less likely to be approved. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||