NIST 800-53 r5 · Controls catalogue · Family PM
PM-29 Risk Management Program Leadership Roles
a. Appoint a Senior Accountable Official for Risk Management to align organizational information security and privacy management processes with strategic, operational, and budgetary planning processes; and
b. Establish a Risk Executive (function) to view and analyze risk from an organization-wide perspective and ensure management of risk is consistent across the organization.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class. PM-29 is an organizational (program management) control rather than a technical one: it does not remove any of these weaknesses from code or configuration by itself, but the accountability and organization-wide risk view it establishes make them more likely to be identified consistently and remediated under a single owner instead of being handled differently by each system owner.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Leadership accountability for risk management makes missing authorization controls visible at the enterprise level and subject to tracked remediation. |
| CWE-284 | Improper Access Control | 4,832 | An appointed accountable official aligns access control decisions with strategic risk processes, reducing systemic improper access control. |
| CWE-863 | Incorrect Authorization | 3,234 | An organization-wide risk perspective ensures authorization logic is reviewed and corrected rather than implemented inconsistently per system. |
| CWE-269 | Improper Privilege Management | 2,907 | Senior risk management leadership and a cross-organization risk view enforce proper privilege management and discourage ad hoc or inconsistent assignments. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | The Risk Executive function drives correct permission assignment for critical resources by requiring risk analysis before broad access is granted. |
| CWE-285 | Improper Authorization | 1,230 | Organization-level risk governance improves authorization consistency and prevents authorization decisions from being made without enterprise risk context. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | The organization-wide Risk Executive function provides the accountability and oversight needed to identify and reduce execution with unnecessary privileges consistently across systems. |
| CWE-272 | Least Privilege Violation | 25 | The Risk Executive role ensures least privilege is applied uniformly rather than left to individual system owners or projects. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |