Cyber Posture

NIST 800-53 r5 · Controls catalogue · Family PM

PM-26 Complaint Management

Implement a process for receiving and responding to complaints, concerns, or questions from individuals about the organizational security and privacy practices that includes:

- Mechanisms that are easy to use and readily accessible by the public;
- All information necessary for successfully filing complaints;
- Tracking mechanisms to ensure all complaints received are reviewed and addressed within {{ insert: param, pm-26_prm_1 }};
- Acknowledgement of receipt of complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.03 }}; and
- Response to complaints, concerns, or questions from individuals within {{ insert: param, pm-26_odp.04 }}.

Last updated: 09 May 2026 03:25 UTC

Implementations targeting this control (0)

ATT&CK techniques this control mitigates (0)

Weaknesses this control addresses (5) · AI

CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.

| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Provides individuals an accessible, tracked channel to report exposures of sensitive information, prompting timely organizational review and remediation that shortens the window for exploitation. |
| CWE-284 | Improper Access Control | 4,832 | Enables users to surface and force remediation of improper access-control decisions in security practices, directly reducing the persistence of exploitable authorization gaps. |
| CWE-285 | Improper Authorization | 1,230 | Complaints about authorization failures are logged, acknowledged, and resolved within defined time bounds, making it harder for attackers to rely on long-lived authorization weaknesses. |
| CWE-693 | Protection Mechanism Failure | 476 | A formal redress process detects when protection mechanisms fail in practice and compels their repair, lowering the likelihood that known protection failures remain exploitable. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Gives data subjects a reliable mechanism to report exposure of private personal information, driving corrective action that mitigates privacy-related information-leakage weaknesses. |

Top CVEs where this control is the strongest mitigation

CVE Risk CVSS EPSS Match
No CVEs annotated to this control yet — the per-CVE backfill is in progress.
