NIST 800-53 r5 · Controls catalogue · Family PS
PS-1 Policy and Procedures
a. Develop, document, and disseminate to {{ insert: param, ps-1_prm_1 }}:
   1. {{ insert: param, ps-01_odp.03 }} personnel security policy that:
      (a) Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
      (b) Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
   2. Procedures to facilitate the implementation of the personnel security policy and the associated personnel security controls;
b. Designate an {{ insert: param, ps-01_odp.04 }} to manage the development, documentation, and dissemination of the personnel security policy and procedures; and
c. Review and update the current personnel security:
   1. Policy {{ insert: param, ps-01_odp.05 }} and following {{ insert: param, ps-01_odp.06 }}; and
   2. Procedures {{ insert: param, ps-01_odp.07 }} and following {{ insert: param, ps-01_odp.08 }}.
Placeholders of the form {{ insert: param, ... }} are unresolved organization-defined parameters (ODPs): the assignment or selection values (personnel or roles, policy level, responsible official, review frequency, triggering events) that the implementing organization must supply before the control statement is complete.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (8) [AI-generated mapping]
CWEs ranked by how often they appear in real CVEs; the count is the CWE's frequency across the CVE corpus, not the number of CVEs this control mitigates. The rationale describes how this control reduces exploitability of each weakness class. Note that PS-1 is a governance control: it mandates the policy and procedures under which screening, access agreements, transfer and termination handling are carried out, and it does not itself implement any authentication or authorization check, so every reduction below is indirect.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Procedures issued under the policy define who authorizes personnel actions (hiring, transfer, termination) and the access changes that follow, so those authorization decisions are not left implicit. |
| CWE-284 | Improper Access Control | 4,832 | The policy establishes consistent rules for granting, reviewing, and revoking access based on personnel status, limiting improper access control insofar as those rules are carried out. |
| CWE-287 | Improper Authentication | 4,730 | Personnel screening, identity verification, and access-agreement requirements mandated by the policy support binding accounts to vetted individuals, reducing the scope for authentication bypass. |
| CWE-863 | Incorrect Authorization | 3,234 | Policy-driven provisioning and review processes reduce incorrect authorization assignments arising from ad hoc personnel decisions. |
| CWE-269 | Improper Privilege Management | 2,907 | Documented procedures for role definition, privilege assignment, and removal provide the management framework within which privileges are granted and withdrawn. |
| CWE-306 | Missing Authentication for Critical Function | 2,567 | A policy that requires authentication and authorization for critical functions makes their omission on personnel-managed resources a procedural deviation that periodic reviews can catch. |
| CWE-285 | Improper Authorization | 1,230 | Procedures tie authorization decisions to hiring, transfer, and termination events, reducing the likelihood of improper authorization decisions. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Personnel security policy and procedures call for least-privilege assignment, periodic review, and revocation on termination or role change, reducing the accumulation of unnecessary privileges. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |