NIST 800-53 r5 · Controls catalogue · Family PS
PS-2Position Risk Designation
Assign a risk designation to all organizational positions; Establish screening criteria for individuals filling those positions; and Review and update position risk designations {{ insert: param, ps-02_odp }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
CWE-284 | Improper Access Control | 4,832 | Screening criteria tied to position sensitivity limit the set of individuals who can be granted access, shrinking the attack surface for improper access control weaknesses. |
CWE-269 | Improper Privilege Management | 2,907 | Periodic review of position risk levels forces re-evaluation of privilege assignments and prevents drift toward excessive rights for individuals. |
CWE-798 | Use of Hard-coded Credentials | 1,955 | Vetting individuals before they occupy roles that touch credentials or secrets reduces the likelihood of hard-coded credentials being introduced or abused. |
CWE-250 | Execution with Unnecessary Privileges | 305 | Risk designation and screening for elevated positions directly reduces the chance that unvetted personnel receive or retain unnecessary privileges. |
CWE-506 | Embedded Malicious Code | 80 | Background screening for development or deployment roles makes intentional insertion of malicious code by insiders materially harder to accomplish. |
CWE-912 | Hidden Functionality | 79 | Screening high-risk technical positions lowers the probability that hidden functionality or backdoors will be added by authorized personnel. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||