NIST 800-53 r5 · Controls catalogue · Family PM
PM-3Information Security and Privacy Resources
Include the resources needed to implement the information security and privacy programs in capital planning and investment requests and document all exceptions to this requirement; Prepare documentation required for addressing information security and privacy programs in capital planning and investment requests in accordance with applicable laws, executive orders, directives, policies, regulations, standards; and Make available for expenditure, the planned information security and privacy resources.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Resources allocated to security programs enable proper design, implementation, and maintenance of access control mechanisms. |
CWE-798 | Use of Hard-coded Credentials | 1,955 | Planned investment enables secure credential storage and management systems instead of hard-coded credentials. |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 736 | Capital planning and funding allow selection and ongoing support of strong cryptographic algorithms rather than weak or broken ones. |
CWE-693 | Protection Mechanism Failure | 476 | Explicit funding and documentation requirements reduce failures of protection mechanisms caused by under-resourcing. |
CWE-521 | Weak Password Requirements | 303 | Dedicated security resources support deployment of strong authentication systems and enforcement of robust password policies. |
CWE-1104 | Use of Unmaintained Third Party Components | 19 | Resource allocation in investment requests funds regular maintenance, patching, and updates of third-party components. |
CWE-657 | Violation of Secure Design Principles | 19 | Requiring security resources in capital planning supports adherence to secure design principles throughout the system lifecycle. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||