NIST 800-53 r5 · Controls catalogue · Family PM
PM-8 Critical Infrastructure Plan
Address information security and privacy issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (5)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 10,204 | Privacy provisions in the plan reduce the chance that sensitive data held by critical infrastructure is left exposed to unauthorized actors. |
| CWE-284 | Improper Access Control | 4,832 | A CIKR protection plan that explicitly addresses information security requires defining and enforcing access control policies on critical systems and resources. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | The control requires correct permission assignments on critical resources as part of the documented CIKR security and privacy protections. |
| CWE-285 | Improper Authorization | 1,230 | The plan mandates documented authorization rules and checks to govern who can perform actions on key infrastructure components. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |