NIST 800-53 r5 · Controls catalogue · Family PS
PS-9 Position Descriptions
Incorporate security and privacy roles and responsibilities into organizational position descriptions.
Last updated: 09 May 2026 03:25 UTC
Implementations targeting this control (0)
- No implementations targeting this control yet.
ATT&CK techniques this control mitigates (0)
- No ATT&CK techniques mapped to this control yet.
Weaknesses this control addresses (6)
CWEs ranked by how often they appear in real CVEs. The rationale describes how this control reduces exploitability of each weakness class.
| CWE | Name | CVEs | Why this control addresses it |
|---|---|---|---|
| CWE-284 | Improper Access Control | 4,832 | Clear role definitions in position descriptions are a prerequisite for implementing and enforcing proper access control decisions. |
| CWE-269 | Improper Privilege Management | 2,907 | Documenting security and privacy duties per position provides the foundation for consistent and correct privilege management across the organization. |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 1,824 | Security responsibilities documented in job descriptions guide correct initial and ongoing permission assignments for critical resources. |
| CWE-285 | Improper Authorization | 1,230 | Explicitly stated responsibilities per position improve the accuracy and consistency of authorization decisions tied to those roles. |
| CWE-250 | Execution with Unnecessary Privileges | 305 | Position descriptions that explicitly define security responsibilities directly support assignment of only the privileges needed for a role, reducing execution with unnecessary privileges. |
| CWE-272 | Least Privilege Violation | 25 | Incorporating least-privilege expectations into every position description makes violations of the principle harder to occur by default. |
Top CVEs where this control is the strongest mitigation
| CVE | Risk | CVSS | EPSS | Match |
|---|---|---|---|---|
| No CVEs annotated to this control yet — the per-CVE backfill is in progress. | ||||