NIST 800-53 r5 · Controls catalogue · Family PM
PM-27 Privacy Reporting
Develop {{ insert: param, pm-27_odp.01 }} and disseminate to:
- {{ insert: param, pm-27_odp.02 }} to demonstrate accountability with statutory, regulatory, and policy privacy mandates; and
- {{ insert: param, pm-27_odp.03 }} and other personnel with responsibility for monitoring privacy program compliance; and

Review and update privacy reports {{ insert: param, pm-27_odp.04 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Privacy reports require tracking and disclosing unauthorized exposures of sensitive information, making such weaknesses more likely to be detected. |
| CWE-862 | Missing Authorization | 8,680 | Monitoring privacy program compliance forces identification of missing authorization checks on personal data resources. |
| CWE-284 | Improper Access Control | 4,832 | Accountability reporting on privacy mandates surfaces improper access control violations over personal data during compliance reviews. |
| CWE-285 | Improper Authorization | 1,230 | Regular privacy compliance dissemination and review detect authorization failures that allow unauthorized access to protected information. |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 174 | Directly monitors compliance with mandates protecting personal information, making undetected exposure to unauthorized actors harder to sustain. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |