NIST 800-53 r5 · Controls catalogue · Family PM
PM-32 Purposing
Analyze {{ insert: param, pm-32_odp }} supporting mission essential services or functions to ensure that the information resources are being used consistent with their intended purpose.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Periodic purpose analysis directly detects and corrects access control decisions that permit use outside the defined mission function. |
| CWE-269 | Improper Privilege Management | 2,907 | Drives ongoing review and correction of privilege assignments that have drifted from intended operational need. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Triggers re-evaluation of permission assignments on critical resources when usage deviates from declared purpose. |
| CWE-285 | Improper Authorization | 1,230 | Enforces that authorization rules remain consistent with the documented intended purpose of each resource. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Identifies privileges or capabilities that exceed what is required for the stated mission purpose, enabling removal. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Verifies that mission-essential functions remain isolated and not repurposed across compartment boundaries. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |