NIST 800-53 r5 · Controls catalogue · Family PM
PM-7 Enterprise Architecture
Develop and maintain an enterprise architecture with consideration for information security, privacy, and the resulting risk to organizational operations and assets, individuals, other organizations, and the Nation.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8) AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Enterprise architecture defines overarching access control models, boundaries, and trust zones that directly prevent improper access control weaknesses. |
| CWE-287 | Improper Authentication | 4,730 | Security-conscious enterprise architecture mandates authentication mechanisms and identity management at scale, mitigating improper authentication. |
| CWE-269 | Improper Privilege Management | 2,907 | Enterprise architecture incorporates least-privilege principles and role definitions organization-wide, addressing improper privilege management. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Architecture standards define default and required permission models for critical resources, mitigating incorrect permission assignments. |
| CWE-285 | Improper Authorization | 1,230 | Architecture planning establishes authorization policies and enforcement points across systems, reducing improper authorization flaws. |
| CWE-693 | Protection Mechanism Failure | 476 | Enterprise architecture ensures protection mechanisms are selected, placed, and integrated consistently, reducing protection mechanism failures. |
| CWE-653 | Improper Isolation or Compartmentalization | 52 | Architecture explicitly designs isolation, segmentation, and compartmentalization (e.g., networks, data flows), preventing improper isolation weaknesses. |
| CWE-657 | Violation of Secure Design Principles | 19 | The control requires explicit consideration of secure design principles during architecture development, directly countering violation of those principles. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |