NIST 800-53 r5 · Controls catalogue · Family PM
PM-11 Mission and Business Process Definition
- Define organizational mission and business processes with consideration for information security and privacy and the resulting risk to organizational operations, organizational assets, individuals, other organizations, and the Nation;
- Determine information protection and personally identifiable information processing needs arising from the defined mission and business processes; and
- Review and revise the mission and business processes {{ insert: param, pm-11_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Explicitly requires identifying protection needs for sensitive information during process definition, making exposure to unauthorized actors less likely through better process design. |
| CWE-284 | Improper Access Control | 4,832 | Requires explicit consideration of information security risks when defining processes, which drives proper access control requirements into those processes. |
| CWE-285 | Improper Authorization | 1,230 | By determining authorization and protection needs arising from business processes, the control reduces improper authorization weaknesses in how operations are structured. |
| CWE-693 | Protection Mechanism Failure | 476 | Mandates determining protection needs from defined processes, reducing the likelihood that protection mechanisms are omitted or ineffective by design. |
| CWE-657 | Violation of Secure Design Principles | 19 | Directly requires incorporating security and privacy considerations into the definition of mission/business processes, preventing violations of secure design principles at the organizational level. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |