NIST 800-53 r5 · Controls catalogue · Family PM
PM-17: Protecting Controlled Unclassified Information on External Systems
- Establish policy and procedures to ensure that requirements for the protection of controlled unclassified information that is processed, stored or transmitted on external systems are implemented in accordance with applicable laws, executive orders, directives, policies, regulations, and standards; and
- Review and update the policy and procedures {{ insert: param, pm-17_prm_1 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Policies mandate protection of CUI on external systems, directly reducing unauthorized exposure of sensitive information. |
| CWE-319 | Cleartext Transmission of Sensitive Information | 1,042 | Enforces safeguards against cleartext transmission of CUI when data leaves organizational boundaries to external systems. |
| CWE-668 | Exposure of Resource to Wrong Sphere | 779 | Drives controls that keep sensitive CUI from being exposed to external systems as an unintended sphere. |
| CWE-311 | Missing Encryption of Sensitive Data | 552 | Requires encryption and similar controls for CUI processed or stored externally, preventing missing encryption of sensitive data. |
| CWE-552 | Files or Directories Accessible to External Parties | 540 | Procedures ensure CUI files and resources are not made accessible to external parties without required protections. |
| CWE-922 | Insecure Storage of Sensitive Information | 421 | Policy explicitly addresses insecure storage of CUI on external systems, requiring compliant handling and protections. |
Top CVEs where this control is the strongest mitigation (0)
- No CVEs annotated to this control yet; the per-CVE backfill is in progress.