NIST 800-53 r5 · Controls catalogue · Family PS
PS-7 External Personnel Security
- a. Establish personnel security requirements, including security roles and responsibilities for external providers;
- b. Require external providers to comply with personnel security policies and procedures established by the organization;
- c. Document personnel security requirements;
- d. Require external providers to notify [Assignment: organization-defined personnel or roles] of any personnel transfers or terminations of external personnel who possess organizational credentials and/or badges, or who have system privileges within [Assignment: organization-defined time period]; and
- e. Monitor provider compliance with personnel security requirements.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6) [AI]
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces the exploitability of each weakness class. Note that PS-7 is an organizational control: it does not remove a code-level weakness, but it limits who still holds organizational credentials or system privileges able to reach it, and it bounds how long a departed or transferred external person keeps that access.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-862 | Missing Authorization | 8,680 | Requires explicit authorization rules and termination notifications for external personnel, so credentials retained after departure are not left with unchecked access. |
| CWE-284 | Improper Access Control | 4,832 | Establishes and monitors access-control requirements specifically for external personnel holding organizational credentials or privileges. |
| CWE-269 | Improper Privilege Management | 2,907 | Mandates documented personnel security requirements and compliance monitoring for external providers' system privileges and credentials. |
| CWE-285 | Improper Authorization | 1,230 | Defines authorization boundaries and revocation procedures for external providers, limiting improper or lingering authorization decisions. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Requires notification of external personnel terminations and monitors revocation of credentials and privileges, directly reducing retained unnecessary access. |
| CWE-272 | Least Privilege Violation | 25 | Enforces least privilege for external personnel through role and responsibility definitions, transfer and termination notifications, and ongoing compliance checks. |
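The table above keeps returning to one failure mode: an external person leaves or changes role, the provider notifies late or not at all, and the credentials or privileges stay live. Control parts d and e are a notification deadline plus a monitoring duty, which is something an identity team can actually check. The following is an added example, not code from the NIST catalogue or from this site, that reconciles a provider's transfer/termination notices against an identity-store export. The record formats, the provider and user names, the 24-hour notification window (standing in for ps-07_odp.02), the 60-day dormancy threshold and the privileged group names are all assumptions for illustration; the sample notices and accounts are constructed.

```python
"""Reconcile external-provider personnel notices against an identity export.

Added example for NIST 800-53 PS-7 parts d and e; not part of the catalogue.
All formats, names and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc
NOTIFY_WINDOW = timedelta(hours=24)      # assumed organization-defined period (ps-07_odp.02)
DORMANT_AFTER = timedelta(days=60)       # assumed local threshold, not from the control
PRIVILEGED_GROUPS = {"prod-admins", "domain-admins"}  # assumed group names


@dataclass(frozen=True)
class Notice:
    """A transfer/termination notification received from an external provider."""
    provider: str
    user: str
    kind: str             # "termination" or "transfer"
    effective: datetime   # when the person left or changed role
    received: datetime    # when the provider told the organization


@dataclass(frozen=True)
class Account:
    """One row of an identity-store export for an externally owned account."""
    user: str
    provider: str
    enabled: bool
    groups: frozenset
    last_login: Optional[datetime]


def reconcile(notices: List[Notice], accounts: List[Account],
              now: datetime) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs; an empty list means provider notices and
    the identity store agree and no external account looks abandoned."""
    by_user = {a.user: a for a in accounts}
    findings: List[Tuple[str, str]] = []

    for n in notices:
        # Part d: the provider must notify within the defined time period.
        if n.received - n.effective > NOTIFY_WINDOW:
            findings.append((n.user, "late_notice"))
        acct = by_user.get(n.user)
        if acct is None:
            findings.append((n.user, "no_matching_account"))
            continue
        if n.kind == "termination":
            # Retained credentials: account still enabled, or used after departure.
            if acct.enabled:
                findings.append((n.user, "account_still_enabled"))
            if acct.last_login is not None and acct.last_login > n.effective:
                findings.append((n.user, "login_after_termination"))
        elif n.kind == "transfer":
            # A transfer should trigger re-review of privileged membership.
            if acct.groups & PRIVILEGED_GROUPS:
                findings.append((n.user, "privileged_groups_retained_after_transfer"))

    # Part e: monitoring for departures the provider never reported. An enabled
    # external account with no notice and no recent login is the usual symptom.
    notified = {n.user for n in notices}
    for a in accounts:
        if a.user in notified or not a.enabled:
            continue
        if a.last_login is None or now - a.last_login > DORMANT_AFTER:
            findings.append((a.user, "dormant_external_account_no_notice"))
    return findings


# Constructed sample data (not real providers, people or accounts).
NOW = datetime(2026, 5, 9, tzinfo=UTC)
NOTICES = [
    Notice("acme", "ext.alice", "termination",
           datetime(2026, 5, 1, 9, tzinfo=UTC), datetime(2026, 5, 1, 12, tzinfo=UTC)),
    Notice("acme", "ext.bob", "termination",
           datetime(2026, 5, 2, 17, tzinfo=UTC), datetime(2026, 5, 6, 10, tzinfo=UTC)),
    Notice("globex", "ext.carol", "transfer",
           datetime(2026, 5, 5, 8, tzinfo=UTC), datetime(2026, 5, 5, 9, tzinfo=UTC)),
]
ACCOUNTS = [
    Account("ext.alice", "acme", False, frozenset({"vpn-users"}), datetime(2026, 4, 30, tzinfo=UTC)),
    Account("ext.bob", "acme", True, frozenset({"prod-admins"}), datetime(2026, 5, 4, tzinfo=UTC)),
    Account("ext.carol", "globex", True, frozenset({"prod-admins", "vpn-users"}), datetime(2026, 5, 8, tzinfo=UTC)),
    Account("ext.dave", "globex", True, frozenset({"vpn-users"}), datetime(2026, 2, 1, tzinfo=UTC)),
]

if __name__ == "__main__":
    for user, finding in reconcile(NOTICES, ACCOUNTS, NOW):
        print(f"{user}: {finding}")
```

Run as a script it lists one line per finding: ext.alice produces nothing (on-time notice, account disabled, no login after departure), ext.bob produces a late notice, a still-enabled account and a post-termination login, ext.carol keeps a privileged group after a transfer, and ext.dave is a dormant external account nobody reported. Each finding maps back to the control: the first kind is a part d compliance miss by the provider, the others are what part e monitoring exists to catch.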
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet; the per-CVE backfill is in progress. | | | | |