NIST 800-53 r5 · Controls catalogue · Family PM
PM-24 Data Integrity Board
Establish a Data Integrity Board to: Review proposals to conduct or participate in a matching program; and Conduct an annual review of all matching programs in which the agency has participated.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Annual reviews and proposal scrutiny detect and block matching programs that would expose sensitive data to unauthorized recipients or systems. |
| CWE-862 | Missing Authorization | 8,680 | Proposal review forces explicit authorization checks for each matching program, preventing execution of matching without required approvals. |
| CWE-284 | Improper Access Control | 4,832 | Board oversight enforces proper access-control decisions before cross-agency data matching occurs, reducing improper access to protected records. |
| CWE-863 | Incorrect Authorization | 3,234 | Annual re-evaluation of active programs detects and corrects cases where authorization rules have become incorrect or overly broad. |
| CWE-285 | Improper Authorization | 1,230 | Mandatory review of matching proposals catches and prevents authorization decisions that would allow data use beyond permitted purposes. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | The board evaluates privacy implications of proposed matching, directly mitigating exposure of private personal information through uncontrolled data sharing. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Oversight ensures data-matching activities maintain required isolation between distinct data sets and authorized user communities. |
| CWE-501 | Trust Boundary Violation | 24 | Review of inter-system matching programs identifies and corrects trust-boundary violations before data crosses organizational or policy domains. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet (the per-CVE backfill is in progress). | | | | |