NIST 800-53 r5 · Controls catalogue · Family PS
PS-5 Personnel Transfer
- Review and confirm ongoing operational need for current logical and physical access authorizations to systems and facilities when individuals are reassigned or transferred to other positions within the organization;
- Initiate {{ insert: param, ps-05_odp.01 }} within {{ insert: param, ps-05_odp.02 }};
- Modify access authorization as needed to correspond with any changes in operational need due to reassignment or transfer; and
- Notify {{ insert: param, ps-05_odp.03 }} within {{ insert: param, ps-05_odp.04 }}.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (7) · AI
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Ensures access authorizations are updated on transfer so that access control remains aligned with current need rather than retained inappropriately. |
| CWE-269 | Improper Privilege Management | 2,907 | Requires explicit review and modification of privileges when personnel change roles, directly preventing improper ongoing privilege management. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Drives correction of permission assignments on critical resources when individuals move to new positions with different needs. |
| CWE-285 | Improper Authorization | 1,230 | Triggers modification of authorizations to reflect changed operational need, directly addressing improper authorization after role changes. |
| CWE-281 | Improper Preservation of Permissions | 386 | Forces removal or modification of permissions no longer required after reassignment, preventing improper preservation of old access rights. |
| CWE-286 | Incorrect User Management | 30 | Requires confirmation and adjustment of user access rights during personnel transfers, mitigating incorrect user management. |
| CWE-271 | Privilege Dropping / Lowering Errors | 11 | Mandates lowering or adjusting privileges to match new operational needs, reducing errors in privilege dropping during transfers. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | | | | |