NIST 800-53 r5 · Controls catalogue · Family PM
PM-14 Testing, Training, and Monitoring
a. Implement a process for ensuring that organizational plans for conducting security and privacy testing, training, and monitoring activities associated with organizational systems:
   1. Are developed and maintained; and
   2. Continue to be executed; and
b. Review testing, training, and monitoring plans for consistency with the organizational risk management strategy and organization-wide priorities for risk response actions.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-20 | Improper Input Validation | 13,143 | Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 10,337 | Security testing regimens explicitly include checks for missing or ineffective anti-CSRF protections in web applications. |
| CWE-284 | Improper Access Control | 4,832 | Ongoing testing, training, and monitoring plans verify that access-control enforcement remains effective and aligned with risk priorities. |
| CWE-287 | Improper Authentication | 4,730 | Authentication testing and monitoring activities ensure mechanisms are implemented, maintained, and resistant to bypass. |
| CWE-693 | Protection Mechanism Failure | 476 | The control requires systematic testing and monitoring of protection mechanisms to confirm they function as intended against organizational risks. |
| CWE-778 | Insufficient Logging | 23 | Monitoring plans mandate sufficient logging and event collection to detect anomalous behavior and support incident response. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |